[BreachExchange] No budget to build an IT staff? No problem

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 16 19:07:45 EST 2017


https://www.cnet.com/how-to/no-budget-to-build-an-it-staff-no-problem/

For malicious hackers, startups and small businesses equal big targets of
opportunity.

Half of the 28 million small businesses in the US suffered data breaches in
the last year. But many still remain unprepared. About one in three small
businesses still don't have basic cybersecurity protections in place, such
as firewalls, antivirus software, spam filters and data-encryption tools to
defend against attacks that can derail their operations.

While it's hard to measure the return on investment for cybersecurity
compared with spending money on sales or manufacturing, be aware that the
potential losses resulting from a cybersecurity breach can sink a company
by exposing trade secrets, valuable IP and information.

At the same time, you risk losing your customers' trust as well as souring
chances to win their future business. In addition, you may be found legally
liable if a security breach winds up compromising customer data.

And don't assume you can fly under the radar. Startups are incredibly
vulnerable to cyberattacks in their first 18 months.

Security on a shoestring

Many companies outsource the job to the many managed security service
providers (MSSPs) who specialize in cybersecurity. The downside is that
this sort of arrangement can prove costly, especially for a very small
operation. What's more, small business owners might be uneasy placing the
security of their business operations in the hands of an outsider.

Still, protection doesn't need to turn into a budget-busting proposition
and there are proactive steps you can take to mitigate threats in a
cost-effective fashion. Here are several low-cost steps to help construct
an effective cyberdefense while also managing everything in-house.

Prioritize what's important to you and pull together a list ranking the
importance of your assets in descending order. Choose the battles you want
to fight based on the risk to your business and the cost. Not all data is
created equal and this will help you smartly allocate resources as you
build a set of policies and controls around your most critical data.

Audit your computing infrastructure and make sure that important network
devices, including routers, switches, firewalls and servers, only perform
the specific functions they were acquired to perform. For example, if a
Windows server isn't serving a website, it likely doesn't need IIS up and
running. Also, you can use Nmap and other open source scanning tools to
check whether you've left any unexpected ports open.

Regularly scan for vulnerabilities. You can find a wide selection of free
or inexpensive open source software and other services. Vulnerability
scanners such as OpenVAS, network mapping tools (Nmap) -- and even an
Intrusion Detection System called Snort -- are all available at no cost. One
thing to keep in mind: Despite the fact that these products are free,
you'll still need a certain level of expertise to implement and manage
these systems in an ongoing fashion.
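The two preceding steps (checking for unexpected open ports, then scanning on a regular schedule) are easier to keep up with if the comparison against what *should* be listening is scripted. The script below is an added example, not part of the CNET article: it parses Nmap's grepable output (`nmap -oG`) and reports every open TCP port that is not on a per-host allowlist. The scan output, the 192.0.2.x addresses and the allowlist are constructed sample data so the script runs offline; in practice you would feed it the file written by `nmap -p- -oG scan.gnmap <your subnet>`.

```shell
#!/bin/sh
# Constructed sample of `nmap -oG -` output for two hosts (not a real scan).
# Each port entry has the form port/state/protocol/owner/service/rpc/version/.
SCAN_OUTPUT=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\nHost: 192.0.2.20 ()\tPorts: 21/filtered/tcp//ftp///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)\n')

# Constructed allowlist: one host per line, followed by the TCP ports it is
# expected to expose. Anything open that is not listed here is a finding.
ALLOWLIST='192.0.2.10 22 443
192.0.2.20 445'

# unexpected_ports SCAN ALLOWLIST
# Prints "host port/service" for every open TCP port not in the allowlist.
# Filtered/closed ports are ignored; only "open" counts as exposure.
unexpected_ports() {
  scan="$1"
  allow="$2"
  printf '%s\n' "$scan" | awk -v allow="$allow" '
    BEGIN {
      # Build ok[host, port] from the allowlist text.
      n = split(allow, lines, "\n")
      for (i = 1; i <= n; i++) {
        m = split(lines[i], f, " ")
        for (j = 2; j <= m; j++) ok[f[1], f[j]] = 1
      }
    }
    /^Host:/ && /Ports:/ {
      host = $2
      sub(/.*Ports: /, "")                 # keep only the port list
      sub(/[ \t]Ignored State:.*/, "")     # drop the trailing summary
      np = split($0, ports, ", ")
      for (k = 1; k <= np; k++) {
        split(ports[k], p, "/")            # p[1]=port p[2]=state p[3]=proto p[5]=service
        if (p[2] == "open" && p[3] == "tcp" && !((host, p[1]) in ok))
          printf "%s %s/%s\n", host, p[1], p[5]
      }
    }'
}

# Stand-alone run against the constructed sample. With a real scan file:
#   unexpected_ports "$(cat scan.gnmap)" "$ALLOWLIST"
unexpected_ports "$SCAN_OUTPUT" "$ALLOWLIST"
```

Run on the sample, the script flags port 80 on both hosts and RDP (3389) on the second; the filtered FTP port is not reported because nothing is actually reachable there. Keeping the allowlist in version control turns the "audit once" step into the "scan regularly" step: a non-empty report from a scheduled run is the signal that something changed.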

Secure your email with a good spam filter since most attacks originate via
email.

Apply security policies: Deny USB file storage, set user screen timeouts,
limit user access and adhere to enhanced password policies.

Use the full range of security features and capabilities available in your
existing hardware and software. For instance, Windows Firewall is included
with every Windows server. While it should not be your only firewall in the
network, it can still provide another barrier in a layered defense. Best of
all, it doesn't cost any extra.

Are you patching servers consistently? Too many organizations are lax about
keeping up when software suppliers issue regular free updates to their
products.

Patching also applies to hardware devices. Keeping current when
manufacturers issue the newest firmware with fixes and other improvements
to hardware will help improve the security of your firewall, switches and
Wi-Fi access points.

Check your equipment configurations to minimize the attack surface on any
device. This is especially critical for any external-facing components.
Turn off any features that you don't need.

Take out cyberinsurance so there's coverage for business disruption
expenses, including PR and legal expertise to deal with any fallout from a
breach. This helps ensure proper legal protocols get followed and that
affected people can be properly informed about the situation.

And lastly, raise employee awareness about cybersecurity. This doesn't cost
a thing and it will pay back your time investment many times over. Enlist
employees as an extension of the existing security program. Everyone on
staff needs to shoulder responsibility for the security of the
organization. There's no excuse for bad cybersecurity etiquette, not with
intruders trying to break into your company more frequently than ever.


Training vs. technology

Some might argue that training is less important than investing in
technology. But if you work on the assumption that employees are always
bound to do the wrong thing, they will.

Make sure they are aware of the potential security threats facing the
organization and also know how to recognize phishing emails or social
engineering attempts. Put specific policies in place so employees will know
what constitutes appropriate use of business equipment. Also, make it easy
to report any irregular or suspicious behavior.

Whichever direction you choose, the goal is the same: Build out a
multilayer defense that is going to protect your organization as much as
possible and help mitigate the threats.

If it sounds too daunting to take on, think about the consequences of doing
nothing. The bad guys will be coming for you -- sooner or later. You'll
help both your reputation and bottom line by being prepared.