[BreachExchange] How SMEs can overcome security threats

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 12 20:23:14 EDT 2016


http://thenationonlineng.net/smes-can-overcome-security-threats/

The statistics for cybercrime, online fraud and data theft make disturbing
reading. The Federation of Small Businesses (FSB) lamented the huge cost
per year its members suffer. Around a third of FSB members fall victim to
online crimes such as malware infections, hacking attacks or full-on data
breaches.

For the small- to medium-sized-business (SMB) owner especially, the impact
of such attacks goes beyond the immediate financial loss and disruption to
the daily working schedule – there’s the loss of reputation and customer
trust to factor in, too. Despite this, it is SMBs that have the most
difficulty finding affordable and doable security measures. This can lead
to substandard protection or – worse still – no security at all.

An online platform, alphr.com, offers 10 simple ways to make SMEs more
secure.

Know your data

Not all data is equal. The starting point for any business must be
understanding what data is business-critical or sensitive. You must
identify how it is used and where it is stored. The most basic of audits
can be accomplished just by considering what might happen if a breach were
to occur and data, such as financial data, or employee or customer records,
was compromised.

Once you understand the likely effect on your business – and there can be
multiple “what if” scenarios, depending on the nature of the incident –
you’ll have a blueprint for your business-impact levels.

High-risk data needs to be appropriately secured, and you can devote more
of your resources to ensuring it is. Just note that your job doesn’t stop
there – you can’t ignore data that you’ve classified as less risky; rather,
you must prioritise your security efforts accordingly.

Password management

Passwords are at the core of every security policy, yet ensuring that
they’re secured and enforced isn’t easy. Consumers have services such as
LastPass to help generate and manage their passwords, but should a business
use password managers?

LastPass and other such services have enterprise versions available at a
low cost per user. These offer all the basic secure-password-generation
options you’d expect, with a variety of business-orientated extras: for
example, you can set company-wide minimum password standards to meet your
policy requirements, or apply customised policies to restrict access to
specific devices, groups or locations.

Then there’s Active Directory (AD)/Lightweight Directory Access Protocol
(LDAP) integration. This can import existing AD profiles, automate
reporting tools to highlight weaknesses in the password security chain, and
offer real-time syncing across devices to help with the rise of the Bring
Your Own Device (BYOD) culture. The vault itself can be protected by a
master password, which can be reset or revoked by the administrator.

Education

Everyone in your business must understand company security policy and know
why it’s important. Education doesn’t need to be expensive: it can be
integrated easily into the staff-induction process, and you could consider
six-monthly refreshers to bring existing employees up to speed with any
changes – including threats of which they should be aware.

Only an hour is needed every now and then to sit with an employee to
explain how security applies to their particular role and to answer any
questions. Note that education and communication are just as important
tools against cybercrime as the computer technology you use to defend your
data.

However, in order to be effective, it has to be implemented from the bottom
up and the top down – that is, everyone from the CEO to the summer temp
needs to be on board if a security policy is to work. That doesn’t mean the
same training should be given to all; the best training is tailored to the
specific role of the employee and the threats they may encounter.

Encrypt or not?

Of all the tips presented here, encryption is probably the most
controversial. But it’s also the most valuable in terms of data protection.
It’s controversial because encryption has always been seen as being the
realm of the nerd and thus beyond the ken of ordinary business owners; plus
there’s the small matter of convenience to consider.

Both arguments are becoming weaker as encryption technologies become easier
to deploy and work with. If a laptop/storage device is lost or stolen and
the data on it is encrypted, then it’s far less likely to pose a security
risk to your business. However, every business needs to weigh up the
protection/convenience ratio before jumping in.

The same goes for data in transit. Despite the recent Heartbleed hacking
scare, it’s far safer to make sure all online transactions are carried out
using Secure Sockets Layer (SSL) than over an insecure connection. The
best-practice advice is to investigate what encryption options are
available to suit your data, devices and business usage.

But the bottom line is that, from SSL and encrypted USB containers at one
end of the scale to on-the-fly encryption at the other, encrypted data is
more secure than data that isn’t. Do you want to risk the consequences of
ignoring that?

Get prepared

An integral part of any small-business IT security strategy is a formal
document that goes into proper detail – and is then kept updated, rather
than stuffed in a drawer and forgotten about. It may sound tedious, but you
must plan not only how to protect your data and resources, but also what to
do in the event that things go wrong.

Although many smaller businesses assume such an IT security policy is
something that only large enterprises require, they’re wrong – every
business, including the smallest SMB, can benefit from implementing a
security policy. The trick is to understand that it is more than just a
formal document to be filed away gathering dust; it should be seen as a
dynamic device to help you understand what data security means to the
business. You can then build a structured response to suit your needs.
Think of it as a commitment to protect all the data you create and use, and
an absolutely integral part of your business processes.

The best IT security policy will detail not only how to protect your data
but also how to react when things go awry. Setting out an incident-response
strategy when you have a calm head is far better than trying to put things
right in the heat of the moment.

Update, patch

If you want your business to be secure, you need to stay up to date.
Specifically, you must update all the software you use day-to-day in your
business: the operating systems of all the devices, from smartphones to
servers, plus the software that runs on the security systems that protect
them all.

It’s a no-brainer that keeping your antivirus software up to date will
ensure it offers the best possible protection, yet for many small
businesses this is low on the to-do list. Security software, generally,
automatically checks for and installs updates. While the same might be said
of operating system updates, auto-updates are usually switched off due to
the resource drain and disruption they can cause.

Larger companies have patching policies and automated patch-management
systems, but these are beyond the financial and practical reach of
most SMBs. Useful alternatives include deploying scanners to run regular
system checks for unpatched or vulnerable software, and then scheduling
those updates during your business’s off-peak times. Doing nothing isn’t an
option, especially if a patch has already been made available. Think about
it: if the patch is out, then would-be attackers will be aware of the
problem and will be finding ways to exploit it. Patching is relatively
low-cost, especially at the smaller end of the business scale, but
investing your time in it will bring invaluable rewards when it comes to
security.

Disarm BYOD bomb

Locking down your data on the move has always been important, especially
since laptops were introduced. However, never has it been such a security
imperative as it is now, courtesy of the BYOD explosion.

The BYOD bomb is far more likely to detonate within smaller businesses,
where the cost savings of allowing staff to use their own smartphones,
tablets and laptops seem to far outweigh any security risk. The truth of
the matter is that mobile data needs to be secured with the same rigour as
that on your own network. The mixture of personal and business data on
mobile devices, together with a lack of corporate security controls outside
of the workplace (when connected to the home network, for example) is a
recipe for disaster.

Stopping BYOD isn’t an option for the majority of companies, but this
doesn’t mean you can’t reduce the security risk. Security solutions might
include dividing a device into secure work and play parts, or implementing
policy-based controls that require users to have locked-down devices.
Encrypted work data and remote-wipe facilities help, too.

Although mobile-device-management solutions are beyond the budget of most
SMBs, a combination of educating users about the risks, on-device security
software and properly implemented network controls can offer reasonable
all-round protection at a relatively low cost.

Use cloud

While the idea of encrypting everything may be controversial, the idea of
embracing the cloud for professional work purposes is seen by some as
positively scandalous. However, the cloud can be a genuinely secure choice
for most small businesses.

In particular, it makes sense if your company doesn’t have the time or
knowledge to be on top of all the security issues, and the updates and
implementations it needs, because a good cloud service provider (CSP) does
have time.

Don’t be scared of the cloud for data storage or application-serving usage,
since a reputable CSP will be more proactive than you at maintaining
software patches and implementing security – in order to survive, CSPs have
to take security seriously. What’s more, they can do so at less cost to
your bottom line than you can.

The anytime/anywhere nature of cloud access even provides a good
disaster-recovery route for smaller businesses. Of course, the cloud isn’t
100 per cent secure, and you need to think about where your data is located
and who has access to it. Here, though, encryption is your friend, as are
single sign-on tools for cloud usage, which enterprise password managers
can often provide.

Get physical

Good data security isn’t all about bits and bytes – it’s also about the
bits and bobs, from the front-desk PC to the phone in your pocket. You need
to secure your hardware and secure access to your premises. Every SMB’s
security policy should embrace the physical, or it could be counting the
cost when someone walks in and steals a laptop – and by so doing
potentially steals access to the network and data, too.

Simple things can reduce the risk of data loss – such as keeping doors and
windows locked whenever the office is closed, fitting alarms, using
Kensington locks on desktops and laptops, and requiring users to have lock
screens activated whenever they’re away from their desks, plus being
careful about who you let into your premises.

Shred documents to prevent paper trails that could be useful to
cybercriminals, and keep your paper files in locked cabinets. Finally,
seeking advice from a local crime-prevention officer is never a bad idea,
either.

Act now

The most important piece of security advice for any business is to take
responsibility for your data, and to do it now.

Even when you have a security policy written up and implemented, the staff
educated, the data encrypted and the devices under control, you can’t
afford to rest on your laurels and assume you’re now secure. IT security is
a dynamic, ever-changing landscape, and securing your data is your
responsibility.

The bad guys won’t be sitting back – they’ll be keeping on top of the
latest vulnerabilities and weaknesses, so it’s up to you to keep up with
them.