Top Six Ways to Improve Your Cybersecurity
It seems like we’re hearing about cyber-attacks every day. Over 70 million of Target’s customers’ accounts were compromised from their data breach. Home Depot admitted to having over 56 million payment card accounts put at risk after their cyber-attack. Sensitive information on 21.5 million people was stolen from the federal government’s background-check database and it’s believed that Equifax’s data breach could have put over 143 million consumers’ sensitive information records at risk. Human sacrifice, dogs and cats living together, mass hysteria (Bill Murray, Ghostbusters, 1984). It’s a bit much.
Cyber-Attacks are Costly to SMBs
It can’t just be ignored, however, because for small and mid-sized businesses especially, cyber-attacks can be very costly. How costly? According to the National Cyber Security Alliance, 60% of small and mid-sized businesses that get hacked fail within 6 months (Galvin, 2018). That’s 6 out of every 10 small businesses, and with 1 in 5 small businesses falling victim to a cyber-attack each year (Bright House Networks Business Solutions, 2019), that’s a lot of blood, sweat, and tears’ equity lost each year. What’s more alarming is that according to Keeper Security’s 2019 SMB Cyber-threat Study, 60% of small businesses report that they don’t have any cyber-attack plans in place (Lurey, 2019).
Is 88% Good Enough for Your Business?
That means that the majority of small businesses are choosing to accept a 12% failure rate per year (on top of all the other risks they already face). How comfortable would you feel about a plane ride or surgery with an 88% chance of survival?
It’s serious and, put into proper perspective, frankly terrifying. The problem can seem daunting and unconquerable, which is perhaps why many small business owners choose to ignore it. But with a structured approach this is something that small businesses can get control of without having to throw tons of money at it (although if this is your preferred approach, please see our contact information below – operators are standing by).
Cybersecurity 101 – The Biggest Bang for Your Buck
With apparently so much to cover, it can be difficult to know where to start. While each business is unique, the vast majority will be able to resolve a good portion of their cyber-security woes with the following 6 steps. Additionally, many of these can be implemented without additional expense by leveraging systems and resources that are already in place.
1. Adopt a Cybersecurity Framework
There are many (NIST, ISO, SOC2, etc.) but for small businesses especially, I prefer the CIS20 (which also happens to be a requirement if you do business in California).
As the name implies, the CIS20 (Center for Internet Security, 2019) is a set of 20 best-practice controls. Each of these has multiple sub-control requirements, which depend on the size and scope of your organization. Smaller boutique companies that don’t handle highly sensitive data (such as healthcare or financial records) have fewer requirements and suggestions than a larger company would.
What’s great about the CIS20 is that its core controls and sub-controls are easy to understand. Its structure also provides a great implementation roadmap, with the first 6 controls considered a must for every organization (what CIS refers to as “Cyber Hygiene”). As previously stated, each control also references the size of the company (called an “Implementation Group”), so each business knows what is most appropriate for it. Properly utilized, the CIS20 can help an organization get a structured handle on its current cyber-security situation and easily plan the next 2 or 3 years’ goals as well.
2. Perform a Risk Assessment
Once you’ve decided on a cyber-security framework, your organization can conduct a thorough risk assessment to identify all the current risks (cyber-security related and otherwise) to the business. This will include a full inventory of all assets such as hardware (CIS Control #1) and software (CIS Control #2) used by the business.
This should also include an analysis of each risk’s impact to the mission, objectives, and obligations to the business and the likelihood that each risk will occur. Once completed, the organization can identify the most critical issues and appropriately allocate resources to resolve them.
It should also be noted that for most organizations (especially those in healthcare and finance) an annual risk assessment is a regulatory requirement. So not only will completing it get everyone at your organization on the same page and allow you to allocate resources intelligently, it will also help your organization maintain regulatory compliance.
3. Cybersecurity Policies and Procedures
A company’s policies and procedures allow the directors to communicate their vision and get everyone in the company moving in the same direction. They also provide clear directions on how things should be done and what steps to take.
Your policies should include incident response procedures (CIS Control #19), a business continuity and disaster recovery plan, and general workforce and security policies. Not only will this provide direction to your technical teams for how things should be done (CIS Control #5), it can also be used for your security awareness and training (CIS Control #17). Policies can also give clear goals and requirements for each position, which increases the effectiveness and training of your staff for their actual job duties. Finally, policies and procedures are a regulatory requirement for practically every organization. They’re very important.
4. Cybersecurity Best Practices Configuration
No doubt your organization is already utilizing multiple pieces of equipment and, if you’re like most other organizations, they may not be configured based on cybersecurity best practices. In fact, there is a good chance that at least a few devices are still using their factory default credentials.
You’ve already made the investment in the equipment you have, so put it to work in securing your business. First, ensure that no device is using default usernames or passwords, that administrative accounts are used only when absolutely necessary, and that accounts which are no longer needed are removed (CIS Controls #4 & 16). Then harden each device by removing unneeded services and ports, configuring firewalls, enabling audit logging, and blocking non-required connections (CIS Controls #6, 9, 11, 12, 15, & 16). This is an area that requires a very small spend (if any) and provides tremendous payoffs.
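The checks described in this step can be turned into a repeatable audit that runs over the asset inventory from Step 2. The script below is an added example and not code from the original post or from CIS; every device record, the placeholder default-credential pairs, the per-role service allow-list, and the 90-day idle threshold are constructed assumptions for illustration. It flags factory default credentials (Control #4), services a device role should not expose (Control #9), disabled audit logging (Control #6), and stale administrative accounts (Control #16), grouping the findings by control so they can be worked as a list.

```python
"""Hardening audit over a constructed device inventory (added example).

Every device record, default-credential pair and service allow-list below is a
constructed placeholder, not data from any real network.
"""
from dataclasses import dataclass, field

# Constructed placeholder pairs that a vendor might ship out of the box; in a
# real audit this list comes from your own vendor documentation (CIS #4).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Services each device role is allowed to expose; anything else is an
# unneeded port/service to remove (CIS #9). Constructed for the example.
ALLOWED_SERVICES = {
    "firewall": {"ssh", "https"},
    "file-server": {"ssh", "smb"},
    "printer": {"ipp", "https"},
}

# Administrative accounts idle longer than this get flagged for removal
# (CIS #16, account monitoring and control). Assumed threshold.
MAX_ADMIN_IDLE_DAYS = 90


@dataclass
class Device:
    hostname: str
    role: str
    username: str
    password: str
    services: set
    audit_logging: bool
    # admin account name -> days since last login
    admin_accounts: dict = field(default_factory=dict)


def audit_device(dev: Device) -> list:
    """Return a list of (control, finding) tuples for one device."""
    findings = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append(("CIS #4", f"{dev.hostname}: factory default credentials still in use"))
    for svc in sorted(dev.services - ALLOWED_SERVICES.get(dev.role, set())):
        findings.append(("CIS #9", f"{dev.hostname}: unneeded service '{svc}' exposed"))
    if not dev.audit_logging:
        findings.append(("CIS #6", f"{dev.hostname}: audit logging disabled"))
    for account, idle_days in dev.admin_accounts.items():
        if idle_days > MAX_ADMIN_IDLE_DAYS:
            findings.append(("CIS #16", f"{dev.hostname}: admin account '{account}' idle "
                                        f"{idle_days} days; remove or disable"))
    return findings


def audit_fleet(devices: list) -> dict:
    """Audit every device and group the findings by CIS control number."""
    by_control = {}
    for dev in devices:
        for control, text in audit_device(dev):
            by_control.setdefault(control, []).append(text)
    return by_control


# Constructed sample inventory, the kind produced by CIS Controls #1 and #2.
SAMPLE_DEVICES = [
    Device("fw-edge", "firewall", "admin", "admin",
           {"ssh", "https", "telnet"}, False, {"admin": 3, "vendor": 400}),
    Device("files01", "file-server", "svc-backup", "placeholder-strong-passphrase",
           {"ssh", "smb"}, True, {"itadmin": 12}),
    Device("print-lobby", "printer", "admin", "password",
           {"ipp", "https", "ftp"}, False, {}),
]

if __name__ == "__main__":
    for control, items in sorted(audit_fleet(SAMPLE_DEVICES).items()):
        print(control)
        for item in items:
            print("  -", item)
```

Run as-is, the sample inventory produces seven findings across four controls: the edge firewall and the lobby printer still carry default credentials and have logging off, each exposes a service its role does not need, and one vendor admin account on the firewall has not been used in over a year. Feeding the script your real inventory (and your own vendor default list) gives you a punch list ordered by control, which is the cheapest part of this step.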
5. Back Up Your Data
Hopefully you already are, but if not, be sure to set up both onsite and offsite backups. From step 2 above, you should have an inventory of all your critical data (CIS Controls #10 & 13). Be sure that you are backing up your critical data at the very least. You should also evaluate the need to keep backups of critical systems so that, should they fail, you can quickly bring them back online.
Proper backups will keep your business running through standard hardware failures, natural disasters, and equipment theft. They’ll also protect you from ransomware, keeping your business from having to pay out costly ransoms. Just like many of the other recommendations, backups are typically a regulatory requirement, so they help keep you compliant.
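A backup only counts once you have an offsite copy whose integrity you can check and a restore you have actually tested. The script below is an added example, not code from the original post; it runs entirely inside temporary directories on constructed sample files (the `live`, `onsite` and `offsite` paths and the invoice/customer files are assumptions for the demonstration). It archives the data, records a SHA-256 checksum, replicates the archive offsite and refuses to trust a copy whose hash differs, then proves the backup by restoring into scratch space and comparing every file against the live data. The last step also shows that a corrupted or encrypted offsite copy is caught by the checksum before anyone relies on it.

```python
"""Backup, offsite replication and restore test (added example, not the post's code).

Uses only temporary directories and constructed sample files so it runs offline.
"""
import hashlib
import os
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: str) -> dict:
    """Map every file under root (relative path -> sha256) for restore comparison."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def create_backup(src_dir: str, onsite_dir: str) -> tuple:
    """Archive src_dir into onsite_dir and write a .sha256 sidecar beside it."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(onsite_dir, f"backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname="data")
    digest = sha256_of(archive)
    with open(archive + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def replicate_offsite(archive: str, offsite_dir: str) -> str:
    """Copy archive and sidecar offsite; fail loudly if the copy does not match."""
    copy = os.path.join(offsite_dir, os.path.basename(archive))
    shutil.copy2(archive, copy)
    shutil.copy2(archive + ".sha256", copy + ".sha256")
    if sha256_of(copy) != sha256_of(archive):
        raise RuntimeError("offsite copy is corrupt; do not rely on it")
    return copy


def verify_restore(archive: str, original_dir: str) -> bool:
    """Check the archive against its recorded checksum, restore it into scratch
    space, and confirm every file matches the live data. Returns False on any
    mismatch, so a damaged or tampered archive is never mistaken for a backup."""
    with open(archive + ".sha256") as f:
        recorded = f.read().split()[0]
    if sha256_of(archive) != recorded:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # blocks path traversal (3.12+ / backports)
            except TypeError:
                tar.extractall(scratch)                 # older Python without the filter argument
        return tree_digests(os.path.join(scratch, "data")) == tree_digests(original_dir)


def run_demo() -> dict:
    """Full cycle on constructed data: backup, replicate, verify, then detect damage."""
    with tempfile.TemporaryDirectory() as root:
        live, onsite, offsite = (os.path.join(root, d) for d in ("live", "onsite", "offsite"))
        os.makedirs(os.path.join(live, "invoices"))
        os.makedirs(onsite)
        os.makedirs(offsite)
        # Constructed sample business data.
        with open(os.path.join(live, "invoices", "2019-10.csv"), "w") as f:
            f.write("id,amount\n1,250.00\n2,99.50\n")
        with open(os.path.join(live, "customers.txt"), "w") as f:
            f.write("placeholder customer list\n")

        archive, digest = create_backup(live, onsite)
        offsite_copy = replicate_offsite(archive, offsite)
        results = {
            "onsite_ok": verify_restore(archive, live),
            "offsite_ok": verify_restore(offsite_copy, live),
            "digests_match": sha256_of(offsite_copy) == digest,
        }
        # Simulate the offsite copy being overwritten (disk fault or ransomware):
        # the checksum check must now reject it.
        with open(offsite_copy, "wb") as f:
            f.write(b"garbage that is not a tar archive")
        results["tampered_detected"] = not verify_restore(offsite_copy, live)
        return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real deployment: keep the checksum sidecar with the archive so the restore check does not depend on the source system still being intact, and make the offsite copy write-once or offline from the production network, since a backup that ransomware can reach is not a backup. The `filter="data"` argument is what stops a crafted archive from writing outside the restore directory; the fallback branch exists only for Python versions that predate it.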
6. Remote Monitoring and Management Solutions
At reasonable cost, Remote Monitoring and Management (RMM) solutions can provide a host of benefits and satisfy multiple control requirements. Ultimately, they provide a centralized view of all your technical assets while allowing for centralized management. They can typically ensure that all systems are properly patched, properly inventoried, and configured with appropriate security settings, and considerably more. Some even provide enhanced security and auditing capabilities.
Properly implemented, they can help satisfy practically every one of the CIS20 controls, and whether implemented in-house or with a third party, they should be part of your security considerations.
Security is a Culture, Not a Destination
It’s scary out there, but not unconquerable. With proper attention and a structured approach, you can better protect your business. Additionally, with proper planning and implementation, your security program can not only provide greater insight into your business practices but also help you discover ways to improve your operations and maximize your productivity.
James Bowers II
James is a security and compliance architect with Input Output, LLC who focuses on cybersecurity, regulatory compliance, and risk management solutions for businesses of all sizes. He has over 15 industry-recognized IT and security certifications and collaborates with the Department of Homeland Security’s AIS and CISCP cybersecurity programs. He is also a member of the FBI InfraGard cybersecurity collaborative program.
Input Output, LLC
Bright House Networks Business Solutions. (2019). Why every small business should care about cyberattacks, in 5 charts. Retrieved Oct 2019, from Vox.com: https://www.vox.com/sponsored/11196054/why-every-small-business-should-care-about-cyber-attacks-in-5-charts#targetText=One%20in%20five%20small%20businesses,annoying%20to%20the%20deeply%20destructive.
Center for Internet Security. (2019). CIS Center for Internet Security. Retrieved Oct 2019, from cisecurity.org: https://www.cisecurity.org/
Galvin, J. (2018, May 7). 60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here’s How to Protect Yourself. Retrieved Oct 2019, from Inc.com: https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html
Lurey, C. (2019, July 24). Cyber Mindset Exposed: Keeper Unveils its 2019 SMB Cyberthreat Study. Retrieved Oct 2019, from KeeperSecurity.com: https://keepersecurity.com/blog/2019/07/24/cyber-mindset-exposed-keeper-unveils-its-2019-smb-cyberthreat-study/
Verizon. (2019, May 19). 2019 Data Breach Investigations Report. Retrieved from Verizon.com: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf