Last week marked the end of National Cyber Security Awareness Month (NCSAM), a month-long security awareness campaign sponsored by the Department of Homeland Security (DHS) in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.
For Week 1, we discussed how users can use the Stop.Think.Connect.™ campaign to avoid falling victim to online scams. During NCSAM’s second week, we compiled a number of helpful tips we as information security professionals can reference when securing our IT products. We explored some recommendations for how we can secure critical infrastructure using the Internet of Things in Week 3. For Week 4, we gave aspiring cyber security professionals an inside look into their field of choice. And finally, last week, we looked at the threats associated with cybercrime and what we can do to defend against them.
The last topic we have yet to cover discusses cybersecurity for small- and medium-sized businesses (SMBs). As we all know, cybercriminals love to target those types of enterprises. This is largely due to the fact that many SMBs cannot afford to implement strong security protocols.
But the threats are even greater than that. Vendor management is a prominent feature in data breach prevention today, and many acknowledge the fact that small businesses can act as an intrusion point for larger companies that resell and or use their goods and services. This is perhaps best exemplified by the Target breach, where hackers compromised a third-party HVAC vendor, allowing them to infiltrate the retailer and compromise 70 million customers’ personal information.
SMB cyber security clearly has implications for the rest of us. With this in mind, here are a few cyber security tips for small and mid-sized businesses:
Tip #1: Educate your staff about cyber threats
Those who own and/or are responsible for the security of an SMB need to know a lot of things, as Jane Frankland, Managing Director (Specialism in Growing Penetration Testing & Cyber Security Companies) at Jane Frankland Agency, points out: “Firstly, you need to understand your assets, value and risk exposures. Secondly, you need to understand that cyber security falls into three areas – physical, technical and human. And thirdly, you need to know how you will be targeted in these key areas.”
Having this type of awareness is an important first step in securing a business but it’s not that simple. Most SMBs have additional staff and employees who are just as responsible for helping manage the enterprise’s day-to-day activities. If that is the case, we need to educate them and impress upon them the importance of security awareness.
And as we all know, awareness goes a long way, explains Rebecca Herold of Rebecca Herold & Associates, LLC: “Just consider this: one recent study found that 57 percent of privacy breaches are caused by insiders, most of whom simply made mistakes or did things not knowing that it would put information at risk. These could have been prevented with good education.”
Frequent security trainings that are both fun and engaging, not to mention ongoing reinforcement of security awareness principles, will help strengthen employees’ commitment to security, thereby enhancing businesses’ cyber security.
Tip #2: Protect the technologies upon which you rely
A big part of designing effective security policies, especially for SMBs, is knowing what we can and can’t control. “You might liken cyber security to buying a house. If you buy a home bigger than you’re able to maintain, the house will degrade with time and ultimately fail you,” said Adam Montville, Product Manager at Tripwire. “The same is true with your SMB security program. Tighten up the things you need to control, and in time, the control piece will become a bit easier for you.”
Montville recommends a number of critical actions SMBs should keep in mind when it comes to gaining control of their security. These range from application whitelisting to patching system software within 48 hours, from using standard, secure system configurations to reducing the number of users with admin privileges.
Additionally, it’s very important that SMBs frequently review their authentication methods. Towards this end, Herold recommends businesses ask themselves the following questions: “When was the last time I updated the way our legacy and older systems and applications authenticate user accounts? Do we still use just a password that isn’t required to be strong? Do we engineer new systems and applications using these same weak methods?”
With a little bit of self-reflection, SMBs can build the security programs they want and gain control over the technologies they need.
Tip #3: Fuse people and technology together
With a trained staff and some control over how they interact with their technologies, SMBs can begin developing concrete security frameworks for their businesses. This includes standardizing their security expectations. Frankland explains: “Developing policies, setting cyber security standards that are built into procurement contracts for suppliers, and providing regular training for staff (including contractors) are vital steps for SMBs to take when protecting their environments.
Needless to say, all security policies and procedures should be subject to frequent testing. By reviewing what assets are in place and how they work together, SMBs can get a better sense of the strengths of their security programs, as well as discover what still needs some improvement.
In the end, all SMBs should aspire to automate their security programs, a point with which Montville agrees: “The end game becomes automation, and to automate we need tools and services that cover the technologies upon which we rely.” This may ultimately involve outsourcing whatever solutions SMBs need to cover the things that matter most.
Cyber Security Protection is All of Our Responsibility
Throughout the course of last month, Tripwire has emphasized users’ shared responsibility for making the web safe. NSCAM may be over, but the campaign was just the first step. Web users are now confronted with the challenge of integrating NCSAM’s tips and recommendations into each and every one of their online sessions. This is no small task, and some missteps are to be expected. But as we have said all along, cybersecurity is a group activity. Together we will learn from our mistakes, and together we will make the web a safer place.
- Hacker Myths Debunked
- Safer Online Surfing: Security Tips for Non-Techies
- 3 Common Scams Your Non-Techie Friends Are Still Oblivious About
- A Guide to Securing Your IT Products
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image courtesy of ShutterStock.com.