[BreachExchange] How to Handle IT Security When You Can’t Hire Someone

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 15 20:24:06 EDT 2016


http://www.smallbusinessbonfire.com/it-security/

While cyber attacks on large enterprises dominate the headlines on a daily
basis, no business is too small to be a target. According to a
recent Ponemon Study, 55 percent of small and midsize businesses (SMBs)
have experienced a cyber attack in the past 12 months. In the aftermath of
these incidents, these companies spent an average of $879,582 because of
damage or theft of IT assets and an additional $955,429 due to the
disruption to normal operations.

Employees at small businesses often wear many hats, but few have the
security know-how to successfully protect their organization from
attackers. It’s time to take those first steps toward protecting your
business. Here is a plan small businesses can implement to better protect
their data, customers and employees.

Understand Common Motivations and Tactics

The first step towards better security is understanding what exactly you’re
protecting against. To do that, you must first understand the basic
motivations and tactics of attackers. Attackers can typically be separated
into two groups: those that want to shut your business down and those that
want your money.

Some attackers are interested in your valuable intellectual property (IP),
financial data, and customer information. These attackers will use phishing
e-mails to get in and then advanced malware to stay in. Once they’re able
to access sensitive data, they sell it on the dark web to other criminals
or your competitors. What would happen if your product schematics or
customer database were sold to your competitors?

The other type of attacker is motivated to steal as much money from you as
possible. The most common way these attackers do their dirty work is
through ransomware. This malware renders your business inoperable for days
or weeks while you try to recover (or pay).

Employ Best Security Practices

Now that you know what you’re protecting against, it’s time to take steps
toward better security. There are several tools and best practices that are
widely available, easy to deploy and affordable for most small businesses
that will provide adequate protection against security threats.

- Perform off-site backups and regularly practice recovering from the backup.
- Install an antivirus solution, then schedule signature updates.
- Utilize multi-factor authentication for employee access to systems and
  applications.
- Ensure your mail service provides spam and phishing defenses.
- Install an automated malware protection tool to safeguard against
  ransomware attacks.
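The first item above is the one most small businesses skip the second half of: the backup exists, but nobody has proved it restores. Below is an added example, not code from the article or its author, of what "practice recovering from the backup" can look like in a script. It archives a directory, records a SHA-256 manifest that should be kept apart from the backup medium (so ransomware that encrypts the archive cannot also rewrite the expected hashes), then restores into a scratch directory and checks every file against the manifest. It uses only the Python standard library; the function names and the sample files it builds are constructed for illustration.

```python
"""Backup-and-restore drill: build an archive, record a checksum manifest,
then prove the archive actually restores. Added example (hypothetical names);
the sample files below are constructed, not real business data."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir, archive_path):
    """Tar+gzip every file under source_dir; return {relative_path: sha256}.
    Store the returned manifest somewhere other than the backup medium."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare each file to the manifest.
    Returns a sorted list of problems; an empty list means the drill passed."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths and '..' traversal
                # inside the archive (Python 3.12+, backported to some 3.8-3.11).
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # interpreter predates the filter argument
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return sorted(problems)


def build_sample_tree(root):
    """Constructed stand-in for a small business's file share."""
    root = Path(root)
    (root / "customers").mkdir(parents=True)
    (root / "customers" / "list.csv").write_text("id,name\n1,Example Customer\n")
    (root / "invoices").mkdir()
    (root / "invoices" / "2016-09.txt").write_text("Invoice total: 100.00\n")
    return root


def run_drill():
    """End-to-end drill: a healthy restore, then a manifest the archive no
    longer matches (as after silent corruption, tampering, or a lost file)."""
    with tempfile.TemporaryDirectory() as workdir:
        source = build_sample_tree(Path(workdir) / "share")
        archive = Path(workdir) / "share-backup.tgz"
        manifest = create_backup(source, archive)
        healthy = verify_restore(archive, manifest)
        # Simulate a file whose content changed after the manifest was recorded,
        # plus a file the manifest expects but the archive never captured.
        stale = dict(manifest)
        stale["customers/list.csv"] = "0" * 64
        stale["payroll/2016-09.txt"] = "0" * 64
        return {
            "files": sorted(manifest),
            "healthy": healthy,
            "stale": verify_restore(archive, stale),
        }


if __name__ == "__main__":
    print(run_drill())
```

Run the drill on a schedule against the real backup set, and treat any non-empty problem list as an incident in its own right: a backup that does not restore is the same as no backup on the day ransomware arrives.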

Have an Incident Response Plan in Place

Those in the security industry love to say “It’s no longer if you’ll be
breached, but when.” It’s important to take a step back and think about how
prepared your organization would be if it were attacked. If an attacker was
able to get through all the layers of security you have in place, what
would you do? And how would you even know? Having these conversations in
advance and having a clear plan in place will help to quiet the chaos
should an attack occur, making it easier to get your business back up and
running smoothly sooner rather than later.

A good first step is to have discussions with partners and advisors in
order to put the right plan in place. Ask your managed service provider
(MSP) or trusted IT advisor what their role would be following an attack.
Talk with your lawyers about the laws you would be subject to in the event
of a breach. Disclosure laws vary by state and by industry, so make sure
you’re aware of what your legal responsibilities – both to your customers
and your partners – would be in such a situation. Talk to your agent about
cybersecurity insurance, which covers losses and costs due to cyberattacks.
Finally, think about your communications strategy. How will you proactively
communicate with your customers so they don’t leave once the malware is
gone?

Educate Your Employees with Security Awareness Training

Employee education goes a long way toward cultivating a culture where everyone
is a stakeholder in protecting the business. Teach employees about the
common motivations and tactics of attackers and empower them to make
decisions around security. Get your people talking to one another about
phishing emails they get. Form that “human shield” to protect your business.

A lack of resources is never an excuse for lax security. It’s challenging
enough to run a successful business so don’t make it that much harder by
keeping the door to your safe wide open to cybercriminals. Take these first
steps to better protect your business and stand up against the attackers
that want to destroy your hard work.