We hear a lot about IT security aka “cybersecurity” these days. Most of us probably think that’s primarily a concern for government entities and big businesses (like national retailers with a robust e-commerce presence, for example).
However, IT security is equally important for small-to-medium-sized businesses – arguably more important. A large corporation can more often than not go through a data breach and the repercussions that follow without skipping a beat. Even if the result is a temporary shutdown in operations, they can often absorb those costs and/or loss of revenue. For smaller businesses, a security breach in any form can disrupt business operations. This disruption can ultimately cost the business owner days to weeks of lost revenue.
So where should you start?
We’re glad you asked.
There are many considerations to account for when creating and implementing a security strategy. Every business has different needs depending on its industry, its client base, its operations and its business and client data. The first question to answer is: What needs protection?
What Assets are You Protecting?
Before installing the latest and greatest security technology, it’s important to consider what you need to protect.
- Proprietary information: Every business has proprietary information that they need to protect and keep out of the hands of their competition (or public). This can be anything from your business model to trade secrets to your monthly revenue.
- Customer Payment and Personal Information: You have more information about your customers than you may think. Customer data comes in the form of payment information, email/physical addresses, past purchases or services that may be on file. Important customer information includes any data you may collect from your customers or clients.
- Patient Information: Any dental or medical office holds particularly sensitive information on their patients, including medical history and/or records.
Where Are Your Assets?
Identifying the location of all the business assets you want to protect is another important step in the process. It determines whether you need on-site security solutions (like cameras or key cards), cloud-based security (like anti-malware and anti-virus software) or both. Most businesses are protecting data in four key places:
- On-site Offices and Physical Locations: Whether you have an office or a brick-and-mortar location, these physical spaces need protection.
- On-site Equipment: Equipment such as servers and workstations.
- Remote Devices: Laptops, cell phones, tablets or any other piece of equipment your employees use outside of the main business operation.
- The Cloud: Any cloud services, such as email (like Office 365), storage services (like Dropbox), or other Software as a Service (SaaS) products you use (GSuite, Slack, Asana, etc.). The list goes on and on.
What Are Common IT Security Threats?
When it comes to security there are three categories of potential threats: internal threats, external threats and uncontrollable natural forces (aka “Acts of God”). Now – don’t immediately assume your employees are selling access or data to hackers. While that scenario would fall under both the internal and external categories, it’s a rare occurrence, and protecting your business in other ways can still prevent it from happening.
Companies probably overlook internal threats more often than external threats because they aren’t as obvious. An internal security threat often boils down to human error or inefficient processes.
- Malicious employees: A malicious employee is certainly a possibility; however, this is a somewhat unlikely internal threat. On occasion, an employee or former employee may intentionally sabotage your security efforts.
- Network or Device Misconfiguration: A device (and its security tools) is only successful with the correct configuration. It’s important to properly install all firewalls, computers, etc.
- User Error: Users themselves make errors constantly, and these errors could compromise your security efforts. In this case, it’s important to streamline your business tools and processes with user-friendly solutions. The more complicated your process, the more likely you are to experience user error.
External threats more commonly come to mind when someone considers cybersecurity. These are malicious attempts by outside forces to take advantage of any vulnerabilities in your system. An external threat is attempting to steal anything from data to money to personal property.
- Hackers: Traditionally, “hacker” referred to any skilled programmer who used their technical knowledge to solve problems. In the landscape of cybersecurity, a security hacker is typically someone trying to find weaknesses in security systems in order to break into the system for malicious purposes. Yes, they exist, they are active, and they are always ahead of the curve.
- Malware/Ransomware: Malware is any software designed to damage a computer, server or network. Ransomware is a type of malware that threatens to publish the user’s data or incriminating information, or to block the user’s access to their data, if they do not pay a ransom. These programs are often (but not always) downloaded by a user under false pretenses.
- Malicious Emails: Malicious emails (aka “phishing”) are emails that appear to come from a legitimate company and ask for sensitive information.
- Cloud Vulnerabilities: The greater dependence on “Cloud-based” technology services opens up a whole new world of security threats for businesses. Due to the nature of these services, hackers can gain access to a greater number of businesses’ data.
- Internet Connection: The Internet connection at your business or home is still a vulnerable point. Bad guys are still trying to gain access to your computers the old-fashioned way – by attacking you directly over the Internet. This direct approach is still a threat, though considerably less of a threat now than years ago.
Acts of God
Sometimes, unforeseen natural occurrences do happen that we cannot control. While we can’t predict the future, we can have a plan in place to prepare for such occurrences.
- Natural disasters: Hurricanes, tornadoes, fires and flooding more or less happen without warning and can really derail your business. Having a disaster recovery plan already in place is paramount in dealing with a situation like this.
- Pandemic: The recent shutdowns caused by COVID-19 only prove that anything is possible. While this was completely unforeseen, the most successful business owners are those that embrace bringing as many elements of their businesses online as possible. While there is no way to prepare for situations like this, it is important to utilize tools and services that can help you, whatever the situation may be.
Action Items: What Do I Do?
A good security strategy encompasses two major areas: prevention and recovery.
Security Event Prevention
We like to think of prevention as the best medicine for a security breach. You can stop a digital breach in its tracks with a few simple tools.
- Firewalls: A firewall acts as a barrier between your trusted system (like a computer or a network) and an untrusted system, like the Internet. This is your first line of defense.
- Antivirus Software: Antivirus software detects and removes viruses from your system. Since new viruses are constantly being created, it’s important to use antivirus software that is up-to-date and consistently updated. “Free” antivirus is never free and you get what you pay for.
- Penetration Testing: Also called “pen testing,” a penetration test is an approved, simulated attack on your system in order to evaluate the security measures in place.
- Vulnerability Scanning: A vulnerability scan is similar to penetration testing; however, a vulnerability scan checks for known vulnerabilities and is typically automated.
Recovery from a Security Event
Despite all of our best efforts, security events do happen. How you handle a security event often depends on what measures you put in place to prevent one.
- Digital Breach: A digital breach is when your security measures have been broken through by a hacker, malware or another malicious attempt to steal your data.
- Physical Break-In: A physical break-in is always a threat. In the event of a physical break-in, first and foremost call the police. Afterward, your IT department or the IT services company you use will have an action plan on what to do in the event of a physical break-in.
How does all this impact the business and what is the cost?
Whether you’re the victim of a digital security breach or a physical break-in, it’s important to already have a plan in place. This will immediately minimize the impact on your business. A late-2019 report from IBM and the Ponemon Institute found that the average breach costs about $8 million in the US. While that’s a big number, here’s something a little more digestible for smaller businesses: it averages out to about $242 per record.
Some of those costs can be mitigated by simply having a plan in place.
- Disaster recovery: Having a disaster recovery plan already in place helps speed up the process of getting your business back on track. This includes regaining access to your infrastructure, assessing impact, and getting your data back.
- Business Continuity: How well you cope with a breach determines how much revenue you may lose as a result. Having a business continuity plan already in place will help your business get back online ASAP and minimize those losses.
If you need help with your IT Security plan, The Oxman Group can help you build a customized plan to suit your business. Contact us for details and a complimentary consultation!