Cybersecurity is a business issue, not an IT issue. Organizations need to promote a cybersecurity culture that is led from the top and supported by technology, governance and staff awareness.
Who will come after me?
Paradoxically, headline-grabbing cyberattacks such as the recent Blackbaud breach and the Twitter hack can make senior executives and the C-suite feel safe and immune to cyber threats. If there are bigger and better targets out there, why would hackers ever pay attention to their organization?
But just as in the physical world, there are different tiers of cybercrime. There are criminals who pull off diamond heists, and there are criminals who snatch handbags. Of course, they are not the same individuals. Cybercriminals targeting high-profile, high-value victims are unlikely to turn their attention to the average small or medium-sized business.
But that does not mean that small and medium-sized enterprises have nothing to fear. On the contrary. The upper tiers of the cybercrime world may not consider you a potential victim, but all the other cybercriminals do. It's like a convenience store that feels safe because the crew from Ocean's 11 will never hold it up. Just because that is true does not mean you can ignore all the other hoods out there.
In cybercrime, the most common threats, those facing small and medium-sized businesses every day, are victim-agnostic and completely untargeted. If cyberattacks are automated and they can hit small and medium-sized businesses at scale, cybercriminals will still make a killing.
There are 30 million SMEs in the United States. In the UK, the figure is 5.9 million, which corresponds to over 99 percent of companies. So cybercriminals may not be targeting you specifically, but all SMEs are in their sweet spot for victims, and they hit as many of them as they can. Whoever they are.
The biggest threat to SMEs is malware. Malware is software designed to perform certain actions on behalf of cybercriminals, or threat actors. Malware can exfiltrate data, capture keystrokes to steal login or credit card information, or it can be ransomware. Ransomware encrypts your data and demands a payment, usually in Bitcoin, to decrypt it.
The delivery vehicle of choice for malware is email. A malicious email may carry a malicious attachment, or it may contain a link to a fraudulent copycat website designed to look like a genuine one. Either infects the victim.
An organization must view its cybersecurity holistically. It consists of three pillars. Each must be as robust as the other two, and they must combine to underpin a business-wide security-oriented culture. And the common thread that runs through everything is people.
First pillar: Technology
The technology pillar includes the hardware and software measures and systems that you use to improve your defenses and to close security gaps. But technology also includes generic IT matters, such as the topology of your network design. Is your network segregated or completely flat? Could malware propagate through it unhindered, or would segmentation contain it? Solid basic network engineering is the first element of your technology pillar. The sensible placement of properly configured routers, switches and firewalls provides a foundation for cybersecurity enhancements to sit on.
All operating system and application software must be within the manufacturer's support period. It all needs to be patched and updated, including the firmware on devices such as routers and firewalls.
Using email encryption and hard disk encryption for portable and mobile devices is sensible and, depending on your geographical location, may be required by local legislation, such as the European General Data Protection Regulation (GDPR). Control of USB devices should be implemented to suit your needs.
Of course, you will have at least one firewall. Modern devices support security add-ons, e.g. gateway security suites. These are designed to catch viruses and malware threats at the entrance to your network. Endpoint security suites, by contrast, which contain antivirus and anti-malware packages, try to catch threats on the computers within your network. Neither replaces the other, but if you can only have one, deploy the endpoint cover.
Email filtering and anti-spam measures will dramatically reduce the risk of e-mail threats coming through, but they are never 100 percent effective. It can be very difficult to detect and capture a well-written email, especially if it does not have an attachment. The days when emails were poorly written and peppered with poor grammar are not entirely behind us, but they are certainly on their way out. Modern examples are stylish and very convincing.
Intrusion Detection Systems (IDS) use technologies that automatically collect and collate system logs from servers and network devices and analyze them for suspicious behavior or anomalies. This can be set to occur periodically or, if the system is sufficiently sophisticated, in near real time. An IDS can also watch important system files on servers, where any change would be an indicator of compromise.
How do you know whether all these measures are working optimally? By using penetration tests and vulnerability scans. A penetration test probes your defenses from outside your organization. It can comprise up to thousands of individual tests, each designed to look for a specific potential vulnerability. A vulnerability scan is similar, but it runs on your network, inside the firewall. It scans all devices connected to your network and looks for weaknesses such as outdated or unpatched software and operating systems.
Penetration tests and vulnerability scans should be run at a scheduled frequency, and the results used to drive a programme of remedial work. When a threat actor, or one of their automated scanners, detects a vulnerability and applies an exploit, you have a compromise on your hands. Find the vulnerabilities and fix them before the threat actors do.
And do not forget backups. Back up to a variety of media and include an off-site backup in your regime. Backing up to local network-attached storage enables faster recovery than restoring from off-site backups, but off-site or off-premises backups provide the most robust recovery solution. So do both. Fire or flood can make your premises inaccessible. Without an off-site backup, you become inoperable and unable to trade.
Regularly updated, image-based backups of servers allow you to restore a server quickly because the operating system is also backed up, not just the data. Some backup software can convert a backup image into a virtual machine, so that the backup can be spun up on other hardware, or as another server instance in the cloud, restoring access to your downed server in minutes rather than hours.
Server replication maintains an up-to-date clone of a server that can provide an almost instantaneous failover if the primary server dies. With a cloud-based infrastructure, this is easy to do.
Whatever type of backup you use, test it. Run disaster recovery exercises against realistic scenarios.
When IT equipment reaches the end of its life, ensure that secure data destruction is performed on the devices so that information and data cannot leak from discarded hardware.
Second pillar: IT governance
IT governance is the overall set of controls that you establish and enforce to control the use of all your IT assets. They take the form of policies and procedures that ensure that your workforce knows about and follows best business practices for IT and security. In addition, specific data-protection policies and procedures are becoming commonplace, if not mandatory.
Your procedures should document and detail the steps required to maintain, patch and monitor all elements of the technology pillar. How do you ensure that all security updates have been applied? What is the backup test schedule, and when was it last tested? What is your process for opening a port on the firewall? Is there a documented business case for each port that is open, and has it been reviewed? Where are these records kept?
All activities surrounding the components of the technology pillar should be anchored in procedures, and these procedures must generate an audit trail or record.
The most common form of authentication is still the password. Do you have a password policy with guidelines for creating secure passwords? Does it ask staff not to use family members' names, birthdays and other personal information that could be obtained through research or social engineering? Is complexity enforced where possible, and is two-factor authentication mandatory where available?
An acceptable use policy sets out what is and what is not acceptable use of your IT and telecommunications facilities. You cannot give people the excuse "No one said I couldn't." Document what is allowed and what is not.
You may require guidance to comply with a law, regulation or standard such as the GDPR, ISO 27001, Privacy Shield or the California Consumer Privacy Act.
You should have a data breach procedure and an IT incident procedure, and both should be rehearsed.
Remember that if it is not written down, it is not a procedure. Saying "Everyone knows what to do" is not a procedure, it is tribal knowledge. It means that there is neither management nor control over that activity, and there will certainly be no audit trail.
And obviously, procedures are completely ineffective if they are not followed.
Third pillar: Personnel awareness
Your staff are the most important element in the security of your systems and the security of your data. Cyber-friction is the name for the pushback you can get against change and against any extra steps required to ensure good security practice. Changes, policies and procedures must be rolled out in an informed and inclusive manner, so that you get staff buy-in and support. You need them to realize, and welcome the fact, that security measures exist to protect them as much as the organization.
Is it reasonable to expect your staff to know how to identify fraudulent emails and other forms of attack without proper training? Obviously not. They require cybersecurity awareness training, and it should be completed at least once a year. The better they can detect threats, the better they can protect the organization. Many ransomware attacks shut companies down. Your staff have a vested interest in ensuring that your organization is not exposed to cybercrime.
A security-oriented culture is one where your workforce is empowered to question anything suspicious, just to be safe. And to be able to do so without criticism. Every false alarm or "I thought I'd check, just in case" is an indication that they understand the threats and that they do not take shortcuts or blindly hope for the best.
Workplace values such as these must be embedded in the organization from the top down. Being too petrified to do your job serves no one well. But willing due diligence, a sense of engagement and the comfort of sensible management are indicators of real staff buy-in.
It’s people, all the way down
It starts at the top. Senior management must understand that everyone is a target. They must appreciate the need for, and budget for, the technical defenses. Cybersecurity underpins the company's continuity and its ability to keep trading.
Failure is not an option. The cybersecurity budget is cheaper than the devastation caused by a single successful ransomware attack. Remember that there is reputational damage as well as financial damage.
Defensive technology must be installed, configured, maintained and patched. By people, governed by governance.
Staff must adopt sensible behavior and robust passwords. Governance will provide the guidance and controls, but someone must write the policies and procedures.
An empowered workforce that works in a security-oriented way is achievable, but it does not happen without a management plan to make it happen.
There really are people all the way down.