You can’t get far these days without running into another story about a hack, a breach, or a business that wasn’t prepared for the ever-present threat of a cyber-attack. It’s a misconception to believe that you won’t be a target because you are small or unknown, and that only the big brand companies need security.
Businesses that don’t protect themselves as they grow are often the ones that have the hardest time recovering from an attack. While the Targets and Home Depots of the world certainly don’t want their brand tarnished, they have the financial strength and brand loyalty to weather it. It is the midsize and smaller enterprise businesses in the midst of quick growth that don’t have the reserves, either financially or from a staffing perspective, to bounce back quickly if they’re attacked.
Security is just like managing a football team (or soccer for the U.S. crowd)
I tell people that setting up a security posture is a lot like managing a football team. Not everything works together in the beginning, and you have to start with the defense as a foundation: let’s say, a firewall and monitoring. You then build out from there. At each practice you are running drills and concentrating on protecting the most sensitive and valuable elements first.
Ask yourself this: what is the most important data that I need to protect? Depending on the business it could be proprietary technology or for others it might be customer data. You wouldn’t want to lose your star player so you focus on securing your most sensitive and important assets first. Then determine whether or not you have visibility into the traffic coming and going from your business. Do you have your endpoints monitored? Do you have a way to correlate data? Shilpi Dey at SecurityIntelligence broke endpoint detection and response (EDR) down like this:
EDR technologies look at everything from malicious applications to good applications gone rogue using behavioral analytics, heuristics and threat intelligence.
It’s actually not that hard to get data, the key is turning it into insight. With the right analytical tools, you can halt basic attacks and spot the early signs of more complex attacks, meaning that you can limit the damage your firm takes. These methods will also protect you against insider threats.
You’re not safe & this isn’t scaremongering
The real challenge with small- to mid-size businesses is that most people don’t actually scale their security because they feel safe. Why do they feel safe, you ask? Because they haven’t been breached yet, plain and simple. It used to be okay to only have the basics, but now the “bad actors” out there are able to get access to malware cheaply and efficiently. They also have far more exploitable targets than they have ever had before.
My advice is to continually fortify your business and make it a priority within your budget. As you grow, you have to also consider that the more devices you have, the more chances there are that you will be breached. Take a look at your current security posture — understand what you have now and the gaps that are obvious and not so obvious.
Take the time to truly evaluate what the priorities and risks to your business are. For example, what is your reputation worth? What is the impact of lost data? What’s the impact of losing the machine (computer) itself vs. the function that it performs? If you are locked out of the computer, can your business still run on pen and paper? I’ve found that assigning a value to those items makes the risks far easier to understand for everyone involved, and the budgets and resource allocation far easier to justify.
Your choice: internal or external help
Once you’ve evaluated your risks, you really have two options. You can either hire or use internal staff to develop a plan or you can outsource to a third party to help you. One option is not necessarily better than the other and there are pros and cons of each. My advice is as follows:
- Don’t believe someone that tells you that a product can do everything (if they do, turn and run!)
- Don’t compromise so much that you don’t get the benefit
- Don’t believe that this can all be done immediately
- Understand the logistics of implementing (i.e. how will it impact your day-to-day business in the short term)
- Be clear on the impact to your employees (your people are your business and anything that impacts them can impact your success, positively or negatively)
If you do use a third party, like a Managed Services Provider, make sure to ask them the right questions. I would start with the following three:
- Can you walk me through your use cases and references?
- How do you ensure there is as little disruption to users as possible?
- Is the package being offered able to continue scaling as the business grows and what are the likely costs to maintain robust security into the future?
Three levels of protection
When you scale, there are three levels to go through. There is minimal protection, which would typically include firewalls, endpoint protection, and education and policy training. The next level of protection would add in patch management and web filtering. Finally, the third level of protection would be the addition of enriched logging, data loss prevention and anti-spam software, and consistent management.
If there’s one takeaway I want you to have, it’s that turning your business’s potential cyber-risks into real world value can be eye-opening. Also, remember that having a long-term strategy isn’t just a buzzword, it’s critical for growth.