When I reflect on the past 35 years of working with technology, and for a good portion of that time working on securing that technology, I see it as an ever-evolving game of cat and mouse. When some of the first attacks hit way back in the day, there was widespread panic until the first antivirus programs effectively contained most of these viruses. For years, it went back and forth with bad actors creating new variants and vendors creating new definitions; but for the most part, if you had security software on your PC and kept it up to date, you were relatively safe. These periods are short-lived, however. After the initial viruses, there came macro-viruses designed for Word, Excel, and Visual Basic files, then viruses that started to use email to propagate, then network shares, then SQL servers, and buffer overflows. Today, we are seeing the rise of ransomware as the major form of attack – and the adding-in of extortion (where they threaten to release your data to the internet at large) to garner even more revenue for these bad actors.
Each time these waves have occurred, the IT security community has risen to the challenge and provided solutions to these problems that have again provided a relative level of safety. The key to gaining this safety is the point of this blog. What are the steps that a small business needs to take today to be safe in an ever-evolving unsafe Internet?
People & Process
When I read most articles around security today, they are focused on the technology and, while those are critically important, they usually leave this part until last. Improving the education of your people about IT security and the processes around technology is the best way to help prevent a loss to your company. Many of today’s most damaging attacks have been started by someone in an organization opening an email that contains malware that starts the compromise of their internal systems. As part of your training budget, you should include – at least annually – some IT security training for end users.
The second of these is process. We have dealt with many small businesses that have had a business email compromise where a user was sent an email asking for money via payroll changes, vendor bank changes, home closing payments, and wire transfers from executives that was fraudulent. In all these cases, a simple phone call to the person initiating the unusual request would have been all it takes to thwart the attack. Your company should have documented policies around anything involving money that requires a second form of verification.
If you have a Managed IT Service Provider like Spera Partners and/or a Managed Cybersecurity Provider, then most likely you already have security systems in place. If you do not, I cannot encourage you strongly enough to find one or both. It is very difficult for a small business with limited resources to keep up with the pace of IT security today. If you do decide to undertake this, here are the 6 major components of a good security infrastructure.
1. Endpoint Security
This used to be called Antivirus software but today goes by Endpoint Security. It is often the first line of defense against attacks directed at a user’s PC or a server. All devices with an operating system (such as Windows) on them and that are connected to your network should have this software. Today’s best vendors also offer protection from malware that attempts to propagate across the network and/or try to encrypt your data. This software requires a subscription to keep it current and should be automatically updating. Ideally, it will have a central dashboard (today, most likely cloud based) that will enable you to see at a glance if everything is protected and current and if anything needs attention.
2. Network Security Appliance
Often just called a firewall, this is a device that sits between your network and the Internet that protects your network from various forms of attack. These devices can scan email and web traffic destined for your network, looking for active threats and blocking them before they even get to the internal network. This also requires a monthly subscription.
3. Email Protection
As mentioned previously, email is the most common attack method today. Therefore, protecting email is critically important. If you are a using a cloud vendor such as Microsoft or Google for your email, they are handling some of the threats and spam that are attempting to come into your organization. You should also consider a secondary security vendor for increased protection. Microsoft offers a secondary level of protection called Advanced Threat Protection and other security vendors offer routing email to them first before going to your hosted email provider.
4. Two-factor Authentication (2FA)
This is becoming a critical requirement for email and access to critical systems. With the advent of cloud-based application, email password security is no longer enough to protect these systems. Two-factor authentication offers a way to ensure the person logging in has the password but also possesses a device that provides a second login method. This can be a smart phone app or a text message. All critical systems should have this login method.
5. System Recovery & Backup
Almost every company has some form of system recovery & backup already. Some still use tapes, or network attached storage devices (NAS), or external drives. While these were sufficient for years, they are no longer good enough in today’s security environment. Bad actors have figured out that if all of your data is encrypted, you will just revert to your backups and not pay them their ransomware. So, they get on the network and, in addition to encrypting your server and PC data, they also encrypt the backups. To protect against this, you need an air-gapped backup. This can be a cloud-based system that has a unique username and 2FA login; alternatively, your backups could be housed offsite using another method. The key is that this system needs to be automated and for some period of historical copies to be kept.
6. Cyber Insurance
Most businesses already have business insurance. It is usually just a call to your current insurance provider to add Cyber Insurance to your policy. Review the application with them to make sure that you have everything in place that the application recommends and that you are comfortable with the limits. If there is an incident, this is your last line of defense to help pay for the cost of downtime and recovery.
You can see that there are a number of things that an organization needs to stay on top of in order to maintain a secure IT environment. The level of reliance your organization has on technology should dictate the resources you devote to these systems. An IT Managed Service provider like Spera Partners is one of the best ways to do this as they already have all the tools and systems in place to help you get to this level of security. If you need an even higher level of protection, an IT Security Managed Service provider can do real-time monitoring with an automatic incident response to further alleviate potential risk and downtime.
Brian Hess, President
For more information on Cybersecurity from Spera Partners President, Brian Hess, tune in to this Podcast from Braun-Bostich & Associates.