Small and mid-sized businesses can no longer look at cybersecurity as an afterthought. Criminals target them knowing they often under-invest in security. However, protecting your data doesn’t have to be complicated. Here are 5 steps you can take now to increase your business IT security.
Do you know where your business-critical data resides? How about who has access to it? The answers might surprise, or more likely, scare you.
Knowing what data is important allows you to develop a plan to compartmentalize it and restrict access as appropriate. This is especially true for content that has regulatory impacts such as Personally Identifiable Information (PII) and Controlled Unclassified Information (CUI).
Next, determine your risk level. Do you transact using credit cards? Then you may have data subject to PCI. Where are your employee files kept? Do they contain PII? Do you do work with the government, especially the DoD? Then you may hold CUI. This information will help you develop an understanding of your risk level.
Once you understand your most sensitive data and your risk level, consider who should have access to it. Develop a matrix that shows each data set, its repository and the levels of access granted. This includes both internal and external users.
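As an added illustration of the inventory and access matrix described above (not code from the original article), the following Python sketch records where regulated data (PII, CUI, PCI) lives, who can reach it, and flags repositories where external users or "everyone" can reach regulated content. Store names, user groups and the risk tiers are constructed assumptions.

```python
"""Data inventory and access matrix for a small business (added example)."""
from dataclasses import dataclass, field

# Regulatory tags the article names and the regime each one triggers.
REGIMES = {"PII": "privacy law", "CUI": "NIST 800-171 / CMMC", "PCI": "PCI DSS"}


@dataclass
class DataStore:
    name: str          # repository: file share, SaaS tenant, database
    data_types: set    # subset of REGIMES keys; empty means unregulated
    access: dict       # principal -> "read" | "write" | "admin"
    external: set = field(default_factory=set)  # principals outside the company


def risk_level(stores):
    """Rough risk tier (assumed scale): CUI or two regulated types -> high."""
    held = set().union(*(s.data_types for s in stores))
    if "CUI" in held or len(held) >= 2:
        return "high"
    return "medium" if held else "low"


def findings(stores):
    """Flag regulated stores reachable by external users or by 'everyone'."""
    out = []
    for s in stores:
        if not s.data_types:
            continue
        for who, level in s.access.items():
            if who in s.external or who == "everyone":
                out.append(f"{s.name}: {who} has {level} on {sorted(s.data_types)}")
    return out


def access_matrix(stores):
    """Rows: one per store; columns: principals; cell: access level or '-'."""
    people = sorted({p for s in stores for p in s.access})
    rows = [["store"] + people]
    for s in stores:
        rows.append([s.name] + [s.access.get(p, "-") for p in people])
    return rows


# Constructed sample inventory (not real data).
SAMPLE = [
    DataStore("hr-share", {"PII"}, {"hr-team": "write", "everyone": "read"}),
    DataStore("contracts-sp", {"CUI"}, {"pm-team": "write", "subcontractor": "read"},
              external={"subcontractor"}),
    DataStore("marketing", set(), {"everyone": "write"}),
]

if __name__ == "__main__":
    print("risk level:", risk_level(SAMPLE))
    for row in access_matrix(SAMPLE):
        print(" | ".join(f"{c:14}" for c in row))
    for f in findings(SAMPLE):
        print("FINDING:", f)
```

The matrix is the artifact to review with your IT provider; the findings list is where access restriction starts.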
You are under constant attack. Just because some attackers are unsophisticated, common thieves, don’t assume everyone is. Nation-state hackers have targeted small businesses in the past, especially if their data is attractive. Also, in some cases, like Petya, viruses have gone beyond their targets and affected larger groups of people than intended. You need to have a strategy that corresponds to your risk level.
A good cybersecurity strategy makes the following assumptions:
Layered Defense: Strong cybersecurity strategies defend the network at multiple points, including network access, individual devices, and users.
Assume a Breach Will Occur: No matter how well you protect your network, there will always be a chance that you will suffer a data breach. Strong monitoring solutions will identify anomalies and minimize any damage.
Formalize Policies: Regardless of your size, a formal cybersecurity policy provides direction to your team about the importance of cybersecurity and how to handle certain situations.
Cyber Incident Plan: What happens when a user clicks on that bad link? A Cyber Incident Plan will help you know how to respond.
The NIST Cybersecurity Framework is a great place to start to learn about how you can protect your business. The Framework provides a common organizing structure for multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively today.
The Framework offers a flexible way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions. It is applicable to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT).
Adequate cybersecurity requires investment, but it doesn’t have to break the budget. The following should be considered minimum cyber hygiene:
Multi-factor Authentication: Most systems today have the ability to offer a second factor of authentication.
Device Management: Active management of mobile devices, laptops and workstations allows for you to know what devices are accessing your data.
Regular Maintenance: Keeping systems up to date with patching ensures that you are protected from known vulnerabilities.
Anti-phishing and Safe Links: Advanced protection for email and documents will prevent attacks from ever reaching a user.
Strong Backups: Smartly and constantly backing up your content (including cloud services) gives you options in the event of a ransomware attack.
Encrypt Your Data: Encrypted data is more secure than data that isn’t. File and disk encryption will protect data stored on your computers and network.
This may sound like a lot, but it really isn’t. This approach can be deployed by your IT Service Provider with a combination of Microsoft Office 365 and traditional managed services. A good provider should insist on these basic protections.
The human factor is still the most significant risk factor in most equations. Security Awareness Training helps your employees know how to recognize and avoid being victimized by phishing emails and scam websites.
They learn how to handle security incidents when they occur. If your employees are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.
Training should take place several times a year. People need to be reminded often about cyber threats. Plus, there are always new threats coming along, so it’s essential to stay up to date.
In addition to the cost and productivity advantages of the cloud, services like Microsoft Office 365 offer a robust cyber capability. This integrates many of the security features directly into the service, which both lowers cost and makes operational sense.
Just like sales and finance, someone in your organization should be ultimately responsible for cybersecurity. Designating ownership of the program signals the importance and empowers that individual to push through smart policies. This person should work with your IT Service Provider as well as the entire organization to make sure smart cybersecurity practices are followed.
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry-leading partners. Bill is passionate about bringing cyber-awareness and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.