[BreachExchange] Scaling cybersecurity: Staying protected in the midst of business growth

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 21 19:16:40 EDT 2017


http://www.csoonline.com/article/3216006/endpoint-protection/scaling-cybersecurity-staying-protected-in-the-midst-of-business-growth.html

You can’t get far these days without running into another story about a
hack, a breach, or a business that wasn’t prepared for the ever-present
threat of a cyber-attack. It’s a misconception that you won’t be a
target because you are small or unknown and that only the big brand
companies need security.

Businesses that don’t protect themselves as they grow are often the ones
that have the hardest time recovering from an attack. While the
Targets and Home Depots of the world certainly don’t want their brand
tarnished, they have the financial strength and brand loyalty to muddle
through. It is the midsize and smaller enterprise businesses in the midst
of quick growth that don’t have the reserves, either financially or from a
staffing perspective, to bounce back quickly if they're attacked.

Security is just like managing a football team (or soccer for the U.S. crowd)

I tell people that setting up a security posture is a lot like managing a
football team. Not everything works together in the beginning, and you have
to start with the defense as a foundation: let’s say, a firewall and
monitoring. You then build out from there; at each practice you are running
drills and concentrating on protecting the most sensitive and valuable
elements first.

Ask yourself this: what is the most important data that I need to protect?
Depending on the business, it could be proprietary technology; for others
it might be customer data. You wouldn’t want to lose your star player, so
you focus on securing your most sensitive and important assets first. Then
determine whether or not you have visibility into the traffic coming and
going from your business. Do you have your endpoints monitored? Do you have
a way to correlate data? Shilpi Dey at SecurityIntelligence broke endpoint
detection and response (EDR) down like this:

"EDR technologies look at everything from malicious applications to good
applications gone rogue using behavioral analytics, heuristics and threat
intelligence."

It’s actually not that hard to get data; the key is turning it into
insight. With the right analytical tools, you can halt basic attacks and
spot the early signs of more complex attacks, meaning that you can limit
the damage your firm takes. These methods will also protect you against
insider threats.

You’re not safe & this isn’t scaremongering

The real challenge with small- to mid-size businesses is that most people
don’t actually scale their security because they feel safe. Why do they
feel safe, you ask? Because they haven’t been breached yet, plain and
simple. It used to be okay to only have the basics, but now the “bad actors”
out there are able to get access to malware cheaply and efficiently. They
also have far more exploitable targets than they have had before.

My advice is to continually fortify your business and make it a priority
within your budget. As you grow, you have to also consider that the more
devices you have, the more chances there are that you will be breached.
Take a look at your current security posture — understand what you have now
and the gaps that are obvious and not so obvious.

Take the time to truly evaluate what the priorities and risks to your
business are. For example, what is your reputation worth? What is the
impact of lost data? What’s the impact of losing the machine (computer)
itself vs. the function that it performs? For example, if you are locked
out of the computer, can your business still run on pen and paper? I’ve
found that assigning a value to those items makes the risks far easier to
understand for everyone involved and the budgets and resource allocation
far easier to justify.

Your choice: internal or external help

Once you’ve evaluated your risks, you really have two options. You can
either hire or use internal staff to develop a plan or you can outsource to
a third party to help you. One option is not necessarily better than the
other and there are pros and cons of each. My advice is as follows:

Don’t believe someone that tells you that a product can do everything (if they do, turn and run!)
Don’t compromise so much that you don’t get the benefit
Don’t believe that this can all be done immediately
Understand the logistics of implementing (i.e. how will it impact your day-to-day business in the short term)
Be clear on the impact to your employees (your people are your business and anything that impacts them can impact your success, positively or negatively)

If you do use a third party, like a Managed Services Provider, make sure to
ask them the right questions. I would start with the following three:

Can you walk me through your use cases and references?
How do you ensure there is as little disruption to users as possible?
Is the package being offered able to continue scaling as the business grows and what are the likely costs to maintain robust security into the future?

Three levels of protection

When you scale, there are three levels to go through. There is minimal
protection, which would typically include firewalls, endpoint protection,
and education and policy training. The next level of protection would add
in patch management and web filtering. Finally, the third level of
protection would be the addition of enriched logging, data loss prevention
and anti-spam software, and consistent management.

If there’s one takeaway I want you to have, it’s that turning your
business’s potential cyber-risks into real-world value can be eye-opening.
Also, remember that having a long-term strategy isn’t just a buzzword; it’s
critical for growth.