How much data security is enough? A ten-point checklist for helping SMBs right-size their defenses.
November 8, 2017
Small companies often make the mistake of thinking they fly below the radar of cyber-criminals. Nothing could be further from the truth. As it turns out, 62% of attacks target small-to-medium-sized businesses (SMBs) and more than half of those suffering breaches go out of business in 6 months or less.
Yet discussions of beefing up security quickly lead owners and office managers to some intimidating questions:
- What do we need to do (and how much will it cost)?
- How much is enough (and how much will it cost)?
- Where can we get help (and how much will it cost)?
The first step is to baseline what is, and what isn’t, being done now. This simple 10-point checklist provides a good template:
#1. Passwords: Are key assets password-protected? Have users been trained on how to create secure log-ins?
#2. Endpoint security: What anti-virus and anti-malware protection is in place? Is it built-in, free, paid, or advanced? Does the system screen for spam, phishing attacks, Ransomware, and other threats?
#3. Wi-Fi / network /remote access: Does the company offer guest access? Is access to resources restricted based on need/usage? Are VPNs in place?
#4. Backup: Where, when and how often are users backing up data? How secure is the process?
#5. Firewalls: What level of firewall capability is in place? Is it stateful? Does it include IPS/IDS functionality?
#6. Updates: Are vendor patches being regularly—or better yet automatically—applied?
#7. Encryption: Are in- or outbound communications being encrypted? Where and how?
#8. Web filtering: Does the company maintain blacklists of bad Internet sites and actors? Whitelists of approved IP addresses? Is the company using filtering services to block known threats?
#9. Security assessments: Are defenses being evaluated regularly by IT or security professionals? How often?
#10. Training: Are users and administrators up to speed on the basics of all of the above as well as physical “common sense” things like not taping passwords to their PC monitors or carrying privileged data around on USB sticks?
Hopefully running through this basic checklist makes it clear that doing nothing should no longer be considered an option. From there, an assessment of the company’s needs and resources helps to determine whether “good,” “better,” or the “best possible” security available makes the most sense.
In nearly all cases, having trusted professionals overseeing defenses makes sense, particularly for companies too small to need full-time IT or security professionals on staff. While the predictable objection that this costs too much used to be true, newly emerging managed services make it quite affordable to obtain some lasting peace of mind.
Uplevel Systems partners with IT consultants and managed service providers (MSP) to tailor custom solutions architected to the unique needs and budget constraints of companies with fewer than 25 employees. Services include networking, Wi-Fi, VPNs, storage and security available on an affordable monthly subscription basis (and to some degree a la carte) with robust remote management enabling MSPs to proactively monitor and avoid outages with far fewer site calls.
Uplevel has outlined “good, better, and best” security for SMBs and is working with partners to help lead SMB clients through the enlightening, albeit frightening discussion of how to right-size their data security to align with real and perceived threats, user needs, and monthly or annual budgets.
Data is the lifeblood of virtually every modern business, big or small. The checklist above provides a good starting point for taking the first step; namely, to stop thinking of security and security expertise as “overhead,” or something that doesn’t apply to SMBs.
The bad news for most is that securing the network is as vital to business viability and continuity as insurance, brand reputation, and dedicated employees. The good news is: Right-sizing security no longer needs to be costly, time-consuming, or even scary.
Small Business IT Security: Six Steps to Getting Your Head Out of the Sand
March 27, 2017
We have all read about major security events such as the breaches that occurred at Sony, Target, and Yahoo (and Anthem Healthcare and U.S Office of Personnel Management too). Heck, the United States has even reported to have penetrated Iran’s nuclear enrichment facilities to cause the physical equipment within to spin out of control and self-destruct.
If you own a small business (SMB), you likely view these fated tales as interesting topics for dinner-party discussion, while assuming your own business is too small to target.
You are wrong.
And that isn’t your fault. There are a bunch of reasons why you carry around this perception.
First off, nobody runs a leading story about “Cost Crusher CPA and Associates,” the five-person accounting firm in Anytown, USA whose network has just been hacked. It’s a pretty traumatic event for the team at Cost Crusher since it’s the middle of tax season and nobody could get their work done for an entire day. Plus they had to notify all of their customers that the breach may have led to the loss of sensitive personal identification information. Customers may leave, reputation may flounder, but you don’t never hear about it because the company is too small to command headlines.
Second, you may have never actually seen one shred of evidence that your IT is under attack other than the occasional antivirus warnings that show up on employees’ laptops from time to time. You clean up the virus, and everything starts humming along again; no big deal.
But viruses and corrupt attachments are sort of like the 10% of the iceberg you see. Most small businesses never see the other 90%.
Antivirus software is not 100% effective at detecting malware, so you are removing the detected malware only. New and harder-to-detect malware is constantly being created, so there’s a good chance that new attack can sneak through unnoticed. And all the hacker needs is a day to steal passwords, customer or employee data, or other sensitive info. Also, many SMBs don’t keep their antivirus software current on all computers, and there’s no way to run on printers, barcode scanners, or Nest thermostats.
“But I have a firewall in place,” you may say, and that’s very likely true.
Often it’s built into your gateway and it has been dutifully enabled to block malware. This is definitely a good step, but it still doesn’t prevent certain issues. Consider, for example, what happens when you visit a legitimate website such as yahoo.com. Not only do you get content from the publisher’s server, you also get the ads that are served to that same web page from all over the world. This traffic is perfectly acceptable to the firewall, yet may well contain malware. After all, the malware that your antivirus detected had to come from somewhere.
Last but not least is the issue of rogue behavior. An employee decides the office needs more WI-FI coverage, so he goes to Best Buy, buys the latest Wi-Fi router and plugs it right in. Your full network may now be exposed to anyone who can reach your Wi-Fi: employees, guests, and even people in adjacent offices.
Is security enabled? (Yep!)
Are you sure? (Uh – no, not really.)
How secure is that anyway? Do you have a firewall in place now for Wi-Fi? (What do you mean by that?)
Is your guest traffic separated from your employee traffic throughout the entire network?
So maybe you agree that SMBs are a bit exposed, but it still doesn’t seem like a big deal. But consider…
- 20% of SMBs have been targeted
- The average cost per security event increased to $158 per lost record in 2016
- Ransomware attacks, which primarily target small businesses, were up 259% in 2016
That’s a pretty big deal, and likely to get bigger because being less vigilant about defenses makes smaller companies easier if less profitable to attack without being detected. Lacking the personnel and resources of large organizations, it’s tempting to do nothing and hope nothing bad happens. Eventually, that won’t work.
So what is a small business to do? Do what big companies do: Become proactive.
Make sure you’re taking these 6 vital precautions:
- Back up your vital systems regularly. Don’t just intend to do it; really, do it! Backing up data protects against all manners of attacks, failures and blunders.
- Keep system software up-to-date. Make sure your antivirus system is installed and current on all machines. Check that the latest patches, particularly the security patches, are in place on all your systems. Upgrade networked devices such as printers and routers from or connected to service providers.
- Train your team. Take a couple of hours and train your team in recognizing potential threats and knowing how to handle them. Teach them about passwords, transporting files on flash drives, and what to do if a device gets infected. If nothing else, this can be “contact me right away” so you can call in expert help. Have a plan.
- Encrypt your sensitive data. This makes it harder to access data and renders it less valuable to thieves. Since it can be difficult to determine what is sensitive data and what is not, take the step of encrypting all data if you’re not sure. Store sensitive data in encrypted drives.
- Use an alarm system in addition to your door locks. After you have “locked up” your IT systems, use the network or other security tools to monitor for unusual activity. Using your network resources to watch for unusual occurrences such as unauthorized devices being added to the network or seeing unusual changes in traffic patterns can make the difference in spotting a potential breach in progress. Just as your home uses locks and a monitored alarm system, your network should utilize methods to discourage entry as well as monitoring to detect unexpected activity.
- Ask an expert. If you aren’t sure if you are doing enough, or doing it all right, invite an IT consultant in to help you. You are the expert at running your business; these guys are experts are keeping it safe. At $158 per stolen record, the cost of a few hours in consulting time is a small price to pay.
Of all the steps described above, this last one may have the greatest impact. While the first five will dramatically reduce a business’s exposure, it can never be fully eliminated. Security experts can spot vulnerabilities inherent in equipment, configurations, usage, and more. Regular health-checks, or services that equip consultants to monitor networks remotely can be worth their weight in gold.
Small companies, whether they know it or not, are just as likely to be targeted—and devastated—by security exploits. Don’t wait to shore up defenses.