11 Security Measures Every Small and Mid-Sized Business Should Implement in 2020
Cybersecurity isn’t a new topic for businesses in the 21st century. For a small or mid-sized business, it has, however, been historically challenging to justify the IT budget dollars to create and implement an effective security stance. The following are 11 key areas that every business should plan to implement in 2020 if they have not already done so. This list is by no means comprehensive. But it should apply no matter what your business is. Click here to learn how a Silver Industries IT consultant can assist you with a customised plan of action to meet these goals.
1. Defining and Enforcing Security Policies
Everything has a beginning. For security stances, it starts with establishing a clear set of security policies. The creation of a specific policy, for instance, password security, serves several purposes.
The first purpose is to clearly define the expectation within the user community regarding what is acceptable. This understanding is essential not only to achieve the end goal but to help determine enforcement protocol.
The establishment of the policy also provides a baseline for an organisation’s HR team as they onboard new staff, and it helps define the company’s response to violations of the established procedure.
An established policy defines for your IT support staff/IT consultant what tools or processes they need to implement to meet the policy expectations.
There may also be follow-up discussions that tie to the budget for technology or staff as they contemplate the “how-to” for matching processes in support of the business policy.
Work With Your IT Consultant To Include An Audit Policy
Any policy created should contain an audit component. If your organisation is undergoing Cyber Essentials or an ISO certification, internally reviewing the policy and process, and examining the evidence of implementation and, more importantly, the results, will help you pass the external audit.
As crucial as creation and enforcement are, educating the users on the policy is even more critical. User education for the policies will often help users better understand the intent of the system.
Appreciating the reason is far better than just being told to “do it this way.” This education effort should include annual security awareness training by your IT staff/IT consultant.
2. Security Awareness Training
Security Awareness Training is a broad subject. For our purpose, we are focusing on Cybersecurity policies and processes.
However, the physical security of staff, premises, and technology equipment also has an impact on the organisation’s overall security stance, and it should be part of the organisation’s policies and training.
Most organisations will experience a security event. It may be a single user event or affect the entire organisation in some manner. What these events typically have in common is that they start with a user doing something that they should not have done.
They may click on a file from what they believe to be a trusted source or may take action based on a request made via email that appears to be internal. There is no foolproof way to prevent this. But the risk level can be mitigated through training or working with a qualified IT consultant.
Cultivate The Correct Mindset Within Your Team With The Help Of An IT Consultant
Awareness training is a critical part of any organisation’s cybersecurity stance. It is as vital as any piece of technology. The focus of the training should be to help the user establish a mindset versus giving them some flow chart or process to follow.
Cybersecurity is about building good habits and behaviours. You cannot turn your staff into security engineers. However, you can teach them good habits.
Training should include several areas and discuss in-depth the methods used to exploit an attack vector. The training should touch on technical aspects, such as the reasoning behind complex password requirements.
However, the primary effort should be to educate users on the attempts made daily to gain unauthorised access to an organisation’s data or capital.
Security events often have a significant impact on an organisation’s business. While some incident details need to remain confidential, the means and methods used should be shared as soon as possible with the user base if applicable.
Understanding the event and how it happened, from a data exposure on the Dark Web via sloppy password security to a full hack, is vital to preventing future events.
3. Password and Security Management
Our focus on Security Management will be limited to its application to organisational assets, including staff. Security management in and of itself should never be an end goal. IT security should always be categorised as an approach to supporting the business and its assets.
In real terms, this applies directly to the organisation’s staff, who are responsible for their conduct. Defining policies will help your team with tasks like password security and management.
It is often the smallest things that get overlooked and weaken an organisation’s overall security stance. Password security, in terms of creation, storage/access, and management, is typically one of the most exploited vectors found after a security incident.
Common Issues IT Staff And IT Consultants See Regularly
Issues such as systems that do not require periodic password changes, do not prevent the reuse of previous passwords, or do not enforce password complexity contribute to this as much as the user who writes their password down on a post-it and places it under their keyboard. Like all things security-focused, the organisation should walk the line between security and usability.
As discussed earlier, this is addressed initially by implementing a policy. After establishing the policy, solutions can be applied to meet the defined plan.
The response from IT staff or IT consultant may trigger the adoption of new tools to help the users manage passwords that are now too complex to remember, such as a web-based password keeper. Most organisations have this addressed in some measure.
But it may have been adopted haphazardly as a “best practice” rather than implemented in a manner that meets a defined set of goals.
This is not to say that “a best practice” application should be discarded. It should, however, be evaluated against what the business’ stated goals are, versus what the support staff feels is sufficient.
4. User Privilege Levels
The user community as a whole is a great deal more computer savvy than they were ten years ago. This comfort level has led to the users installing software on their computers to help them complete routine recurring tasks or a specific project or item.
If your organisation allows users to have administrative access to their computers, you may have already experienced a situation where the users do not want to relinquish that access.
Why is it a good idea to limit the user community as a whole to the least required level of access? An attacker who exploits a signed-in user’s access may be able to install files silently.
Malware or spyware may be installed without their knowledge, eventually leading to a security incident. Worse than an incident, though, is an undetected leak of information from a computer to someone who will use that data to harm the organisation or its customers.
The Best Practice Approach
Controlling the software installed on computers will typically prevent these events. Taking the least required access approach as a policy is generally considered best practice. But what should also be considered is the ability of the support staff to help the end-user get what they need.
Again, security should never be a goal. It should enable the business to operate as securely as possible.
The creation of a policy setting user privilege levels should be accompanied by a policy and a process to elevate privileges quickly when deemed necessary, or to support administrative changes to the devices equally quickly.
5. BYOD Security Challenges
In an age where users are bringing their own smart devices to work, there is an increased need to consider allowing these devices access to the network. What drives this need varies, from the nature of the user community to the cost of endpoints provided to users.
Allowing access to your network from an endpoint that you do not control is always dangerous. Address the challenge by first determining what access is needed. Then decide if granting it is within an acceptable risk level.
Like any technology decision, the organisation’s leaders should begin by evaluating the adoption of a policy to meet a demonstrated business need. The critical difference, in this case, is that the driver is often the user community instead of the organisation.
Consider including the user community in these discussions to better understand their needs. Make no mistake, however: this should be a business need, not a desire.
Meeting A Business Need
If found to be necessary, IT staff or IT consultants can then begin to craft a solution to allow the access needed in as secure a manner as possible.
Setting a minimum level of security, endpoint protection, encryption, and patch levels on the device should be adopted, both for internal and external (non-organisation owned) assets.
This process is a common approach, as is creating an environment in which the asset has access but the scope of that access is strictly limited, not just by user permissions but by security device protections as well.
6. Two Factor Authentication for Users
With a continued emphasis on securing your environment from your users, the next logical step is to ensure that your users actually are your users, and not someone else accessing proprietary data with a set of credentials purchased on the Dark Web.
Two-factor authentication provides an extra layer of security by asking the user to input a unique or changing piece of information to confirm identity at that particular moment.
The data can be a code from an algorithm-based token system, a confirmed response from a separate trusted device on query, biometric data unique to the user, or a QR-based system forcing a scan.
Each type of two-factor (or more, commonly called multi-factor) method has its pros and cons. Like any new piece of technology, it requires evaluation to ensure it meets the minimum level of security needed by the business based on policy, or as required by contractual language driven by a client contract or engagement.
It should also be evaluated for overall suitability to the user community based on deployed and standard equipment, ease of system deployment and ongoing support by staff or IT consultants, and a careful review of its intended use across multiple systems.
While interoperability improves frequently, there are always limitations on how a system or application may work with a multi-factor system.
The Early Application
Two-factor began as a method to control access to remote networks and assets, with deployment in highly secure network environments. It has become more mainstream. Both cost and ease of use improvements have enabled even small and medium businesses to adopt this as an additional layer of security.
Mobile/SMS-based two-factor systems have become extremely popular as they utilise a device that the user almost always has with them. Token-based systems are also still in widespread use today, though many businesses and government agencies have moved to an application-based soft token versus the old physical token.
7. Dark Web Monitoring
Network and system access, much like your social security numbers, banking information, and personal data, are commodities sold and traded on the Dark Web.
The data is often stolen by thieves who do not have the means to exploit the information immediately. It is collected and sold to people who have the ability to use this information in a variety of ways.
Service providers, such as Silver Industries, offer Dark Web monitoring for the express purpose of determining if a customer’s data is available for sale.
Similar to the monitoring provided by ID theft prevention organisations, this service not only identifies points of exposure but will evaluate the possible level of a data breach.
It can also determine when the breach may have occurred, if it is ongoing, and focus an investigation on the method being used to gather this information.
The Most Common Point Of Compromise
Most compromises start with an account or identity takeover, similar to individual identity theft events. Unless a person pays exceptionally close attention to their credit score, they may never know their identity is compromised until it is too late.
Dark Web Monitoring is similar to other well-established methods of threat intelligence gathering. It starts with monitoring common marketplaces and forums known to sell this data.
The data mining and parsing can be somewhat labour-intensive and is typically a service that most organisations outsource to an established, well-respected provider.
They are uniquely positioned to provide this service at what is generally a fractional cost and effort as compared to insourcing this type of service.
8. Disk Encryption
Cybersecurity conversations invariably focus on network access. It often evokes pictures of hackers hunched over a computer remotely accessing data. What many overlook is that even the best defences assume something. That something is often a lack of physical access. What if physical access is possible?
Encrypting a hard drive is a very simple and low-cost method of adding a layer of security for your business. While there are various methods to do this, and today most major operating systems come with the ability to enable encryption, there are some things that you should know.
You can encrypt the entire drive, including the operating system, or choose to encrypt only user files. But only data at rest is protected by disk encryption. That is to say, a booted-up computer that is accessible will have its disk decrypted once the user signs in.
Disk encryption will not prevent that remote access hack, nor will it prevent a breach of data in motion. Email and instant messaging are also still vulnerable. It is not a foolproof method of securing your data in all use cases.
Why Your IT Consultant Recommends Encryption
If your computers sit in an office, and you utilise a cleaning crew, that is a potential attack vector. A cloned or copied drive, even a stolen drive moved to a new computer, will be useless if encrypted with a high strength system.
Lose a laptop, either to a thief, or left in a cab on the way to the airport? Any data on that device remains inaccessible. More importantly, that device cannot breach your environment if stolen or found.
The better question is, why not encrypt it? The answer is simple. There is no good reason not to. It is important to note that not all disk encryption is invulnerable. It is only as good as the method used to encrypt, and the security around the key used to decrypt the drive.
If the encryption software is impervious, extra caution should be taken to secure the key. Should that key be lost, the disk is now inaccessible forever. Any data on it is effectively gone.
9. Endpoint Security
With continued focus on user devices, endpoint security should be at the forefront of any attempt to increase the security stance of an organisation.
The user device moniker often refers to an individual’s personal device. Servers are typically considered infrastructure components. But for this discussion, they should be considered as endpoints as well.
Endpoint security can apply to everything from traditional anti-virus software to a fully monitored security agent installed on a server, computer, tablet, or phone.
It can also describe an overall approach to securing what is typically the most vulnerable part of the organisation’s environment. For this discussion, we will focus on software and configurations that are typically deployed on a device to prevent issues and secure the endpoint.
Anti-virus software is a must-have in today’s world of technology. The ideal software should support a number of key features, including detection and eradication, quarantine of suspicious files, and a method of notifying the user and support team of an issue.
Malware and spyware detection software is also vital. The ideal anti-virus software will provide some level of this detection and prevention. But it is not uncommon to run both anti-virus software and malware/spyware detection applications.
Firewall Software For An Added Layer Of Security
Another essential component of endpoint security is the use of local firewall software. While often very basic in nature, and sometimes a challenge when troubleshooting typical support issues, it is a useful extra layer of security on a device.
While not typically configured on a server, if the asset is mobile and may not always (or ever) reside behind an organisation owned firewall/IPS/IDS system, it should be evaluated for use.
Overall performance monitoring of the asset is also a consideration. This is not a prevention step but more of a means to warn of potential issues. It may vary considerably across devices and users. A profile of the asset as a baseline can be useful to determine if unauthorised activity is occurring.
As with most security systems, multi-layer is the best approach. In an ideal deployment, IT professionals would have multiple means of detection that cannot be defeated by a single effort.
There is always a balance between what is considered usable and user friendly and what is most secure. The performance of the endpoint is always a consideration when adopting any type of endpoint security software.
10. Patch Management and Software Updates
Patching, upgrading and updating the software and operating systems deployed in an organisation’s environment is a critical step.
While often looked upon with disdain and suspicion, it should be a vital part of any security discussion. It will apply differently depending on how an organisation utilises its technology.
A small organisation may have minimal surrounding infrastructure, and its focus will be on computing devices. Other organisations may have a different mix of solutions, and it will require a different approach as it takes into account single systems that may have a wide-ranging impact if availability becomes an issue.
Is Every Patch Safe And Functional?
With that in mind, the discussion around software patching typically centres on evaluation of risk taken versus risk mitigated. It is rare for an organisation of several thousand endpoints and infrastructure systems to apply patches without some level of testing.
It is necessary to ensure that they are not introducing issues that will inhibit or bring down servers and computers. This process may be more of a challenge in the small and medium business environment. But should still be considered critical and necessary.
An often-overlooked component of patch management is the receipt of security vulnerability notices. Many vendors will immediately notify their subscribed user base of a newly released exploit across various platforms.
Manufacturers will do this as well. Security-focused sites and service providers also provide this information. Having this information come to your IT staff or IT consultant’s attention will help improve the evaluation of the vulnerability and, more importantly, help you decide if you must immediately execute the patch.
Not all patches have a security exploit component. Often overlooked is the need both to remain in a state supported by the manufacturer and to be capable of deploying a patch or update that depends on earlier, non-security-related updates. Carefully review all updates, upgrades, and patches with this in mind.
11. Data Backup
There are only two types of organisations in the world: those that have had a lost data event, and those that will have a lost data event.
For the sake of this discussion, we will focus on data restoration after an event with an impact on critical data availability. These types of events can occur due to security incidents, infrastructure equipment failures, or user errors.
Having a data backup solution in place is as vital to the success of your business as anything you do that is technology-based. That may sound dramatic.
But if you contemplate for a moment a lost email server archive, or information like customer billing, payroll, accounting, personnel records, inventory, or customer purchase records, how would it impact your business?
How many hours would be lost in productivity attempting to recreate this information? How would you conduct business without that history at your fingertips?
The better question is if you are already keeping this data, haven’t you decided that it is essential? Since it is critical, why aren’t you backing it up?
The Value of Data Backups
As crucial as conducting frequent scheduled backups of business data is, conducting restoration tests of the data is even more so. The point, after all, is to be able to recover this information.
Backing it up is only the beginning of the effort to return to regular business operations. Historically, most organisations’ backups are rather like spare tyre changes on the side of the road. They are not practised until they are needed.
Data loss is a very real risk in today’s world and often comes with no warning at all.
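A restoration test in the sense described above can be scripted so that it runs with every backup rather than waiting for the emergency. This is an added example, not code from the original article or from Silver Industries: it records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and reports every file that is missing or corrupt. The sample files and the simulated corruption are constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return {relative path: sha256}, recorded at
    backup time so the restore can be checked against it later."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract into `target`, skipping any member whose name could escape
    the target directory (absolute path or '..' component)."""
    with tarfile.open(archive, "r:gz") as tar:
        safe = [m for m in tar.getmembers()
                if m.isfile() and not os.path.isabs(m.name)
                and ".." not in Path(m.name).parts]
        tar.extractall(target, members=safe)


def verify_restore(manifest: dict, target: Path) -> dict:
    """Compare every manifest entry with the restored copy."""
    result = {"ok": 0, "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        restored = target / rel
        if not restored.is_file():
            result["missing"].append(rel)
        elif sha256_file(restored) != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"] += 1
    return result


def run_restore_test(simulate_damage: bool = False) -> dict:
    """End-to-end test on constructed sample data. With simulate_damage,
    one restored file is altered and one removed to show the check fires."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "payroll.csv").write_text("id,amount\n1,100\n")
        (source / "customers.txt").write_text("constructed sample record\n")
        archive = root / "backup.tar.gz"
        manifest = make_backup(source, archive)
        restore_dir = root / "restore"
        restore(archive, restore_dir)
        if simulate_damage:
            (restore_dir / "finance" / "payroll.csv").write_text("id,amount\n1,999\n")
            (restore_dir / "customers.txt").unlink()
        return verify_restore(manifest, restore_dir)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("damaged restore:", run_restore_test(simulate_damage=True))
```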
Bonus: Email and Web Security
Email remains one of the most exploited attack vectors utilised by scammers, phishers, and hackers. Horror stories abound of organisations making changes to an employee’s payroll direct deposit information based on an email request, or server files becoming encrypted and unusable unless you pay a ransom to get the decryption key.
Email and internet security is the front and back door of any business. They need to remain open to allow business to occur, but like a high-end jewellery store, they should have an armed guard at the front, and the back should be dead-bolted.
Email is a trusted form of communication. Email spoofing happens tens of thousands of times an hour, around the world.
Similar to the lost data impact, there will eventually be an effort to get a staff member to send out data or perform a function that seems ordinary.
But it will result in a data breach. While no email security system is 100% effective, it is an excellent first step in making sure that these attempts never even get to an inbox.
Why Your IT Staff Or IT Consultant Is Essential To Your Company’s Internet Security
Internet monitoring and web security is yet another layer in your defensive posture. It is also a two-way street. Keeping your staff and potential customers from going to undesirable places on the internet pays dividends.
It helps to ensure that they don’t contract malware and begin leaking data out when a malicious attempt is made on their connections.
Site reputation filters, known bad actor address blocks, and filters placed on unneeded ports will go a long way to enhancing the internet security stance of an organisation.
As important as it is to block traffic coming in, being a good Web citizen will help the internet as a whole.
Cybersecurity needs for small and medium businesses continue to increase. Unlike a neighbourhood undergoing gentrification, crime is not declining on the internet.
The recommendations made are all critical to improving an organisation’s security stance, and some are extremely easy to accomplish.
The ability to protect your users, your data, and your customers can be increased exponentially with some fundamental steps and for a reasonable investment.
Finding An IT Consultant Who Will Meet Your Security Needs
All of this information can appear overwhelming for many business owners. However, this is intended only to initiate some essential conversations among your leadership.
The next step is to contact the team at Silver Industries. Our team of IT consultants is here to help you get the right questions asked and answered. Our customised services provide the IT management that you need to return your focus to what you do best, running your business.