Your Business Needs a Cybersecurity Plan
Experts detail why small businesses must not ignore growing cyber threat
Realtime view of applications and bandwidth use of a network.
Image courtesy of DanTech Services Inc.
Implementing a cybersecurity defense to protect networks, data, and systems often isn’t front-of-mind for small- to mid-sized companies given the multitude of demands on their attention. New businesses are focused on tasks ranging from driving greater sales to managing clients and from marketing to supervising staff, and small business owners are continually striving to stay ahead of the competition.
Yet just one cyber attack—whether delivered via a malicious email, the act of a disgruntled worker, or a targeted distributed denial of service network attack—can and will bring all those business efforts to a grinding halt and cripple operations in the blink of an eye.
It may sound dramatic, but it’s a scenario that happens more frequently than many business owners realize, experts say, and companies turning a blind eye to today’s increasing cyberattacks are exactly what cyber criminals are banking on.
“The digital age has connected the world and made many things easier [for scammers and hackers],” says Karl Renne, CEO at The Raven Group, a corporate counterintelligence firm. “Every company, even small businesses, are susceptible to crime and being breached or hacked. Many small businesses are being targeted by hackers and scammers as they are viewed as less sophisticated and lacking many security controls,” he adds.
Where the Threats Originate
The top security threat facing small- and mid-size companies is ransomware—which Dan Foote, founder of technology services provider DanTech Services in Anchorage, describes as reaching “epidemic proportions.”
Ransomware relies on social engineering and phishing—emails that lure an unsuspecting user into responding in some manner, whether by clicking an email link or responding to an email request to provide data, in order to gain access to desktops, systems, and data.
“Social engineering has always been a top threat, if not the top threat,” says Foote. “Spam, phishing, spear-phishing, and CEO fraud attacks are responsible for data breaches, ransomware, and spyware.”
Ransomware can let hackers take control of a user’s desktop and, in seconds, infiltrate a company’s systems to collect data and essentially hold a network hostage. It’s proved a valuable channel for cyber criminals as it relies on employees who are unaware of malicious emails and companies that haven’t implemented protection for networks, systems, and data.
Hackers using ransomware and malware pose the most significant risk, according to Renne, because their focus isn’t just on trying to “crack” a company’s security: it’s easier for a hacker to access a network using social engineering than brute force.
Cyber criminals also rely on social engineering, which has been around for centuries, because it’s adaptable to almost any situation, venue, and technology used for communication, says Renne.
“It preys upon our natural inclination to trust people,” he explains.
Foote says today’s cyber criminals are out to exploit open ports all day, every day.
“Cyber criminals want your information, your data. Whether it’s in bits and bytes by gathering little pieces at a time, or a major data dump that may be terabytes in size, it’s data that is of value. Email, especially unfiltered, unprotected email, is a primary vector,” he says, noting email addresses are relatively easy to collect and sending email is cheap and automated. “It’s a great way to put that ‘shiny bauble’ in front of a recipient, getting them to click that link or open that attachment.”
Ransomware is being delivered to a different company once every forty seconds, says LMJ Consulting, an Alaska provider of integrated IT solutions, managed services, and business computer support.
“Because of its profitability, ransomware will likely remain the top threat for the foreseeable future. Business cannot afford to ignore ransomware because it’s been shown to cripple businesses in a number of ways, effectively making it a threat to your business as a whole,” says LMJ Security Analyst Jake Kelley.
Ransomware, unfortunately, isn’t the lone threat companies must defend against. They are also often targeted by what experts term “internal” threats: an angry worker or a disgruntled customer or business partner.
“The biggest internal threats to a company are the employees and vendors,” says Renne, explaining that employees or vendors, given access to systems or networks, can do as much damage as a malicious ransomware link sent via an email.
To illustrate his point, Renne shares a client scenario where a medium-sized oil and gas company fired an IT administrator. The day the worker was fired he set a plan in motion to reset all the company’s servers to their factory settings, effectively putting a halt to all of the company’s operations.
“They had a good incident response plan and could quickly identify what the problem was and who had caused it,” says Renne, “but the company had not implemented a data backup plan so its operations were shut down for thirty days.”
“The motivations of insiders [employees and vendors] to cause data breaches and other losses are many. We must remember that at the end of a data breach, scam, sabotage, or other criminal activities there are people. These people are causing the breaches and other criminal activities, so the human factor must be considered and defended against,” says Renne.
First Steps: Strategy, Resource Commitment, Training
The first step in developing a cyber threat defense is a corporate commitment to network security and data protection. That includes a strategy incorporating policies regarding network and systems access, training staff to avoid potential malware and ransomware, hiring experts, and allocating budget and resources.
Renne says companies can start with implementing basic network security tools such as firewalls and a network security service. The initial security foundation can then be expanded to include a service for detecting potential breaches.
“It is like having an alarm at your home or business to let you know if someone breaks in. It will not stop them but it tells you it is time to respond,” Renne says.
A good next step is a backup data service.
“With the proliferation of ransomware, far too many small businesses have been held hostage. Backup data storage is not difficult to find today and relatively inexpensive,” he advises.
Once the first security layers are in place, companies should consider endpoint protection software that utilizes real-time threat intelligence and has automated detection and response, he adds. Renne also recommends companies collect and analyze what he calls “defensive intelligence.”
“This is a service that goes beyond that of traditional threat intelligence, which focuses purely on the cyber threats to networks, and looks at specific threats to a company and should include cyber, human, and reputational threats. Collecting and analyzing this information allows companies to look ahead and prevent problems before they occur while considering cyber and human factors,” explains Renne.
When it comes to protection against inside threats, a technical cyber security program must also focus on people and counterintelligence.
“Remembering that no security system is perfect, it is also something that should be evaluated regularly and modified as threats and technology change and as companies grow,” Renne says.
LMJ’s Kelley notes there is no “magic bullet” for security and defense against cyber threats.
“It requires old-fashioned professional assistance and a lot of effort. The closest thing to a magic bullet that is lacking in most situations, in my opinion, would be security monitoring,” he says, advising companies commit to a dedicated security staff to monitor systems.
He also recommends developing a security operations center (SOC) to serve as the “heart and soul of your network.”
“You need to have oversight to ensure they are performing their job properly and that any serious incidents are observed, reported, and responded to in a short time frame. In all situations discussed, a SOC would be able to detect and assist in incident response,” he says.
Many small companies can’t budget for a SOC and can only afford security help for a small number of hours per month. Yet even those few hours can prove a valuable investment, Kelley says, because a security expert can recommend standards, configure technology securely, maintain adequate patch levels, implement firewalls, monitor event logs, and develop policies and procedures in accordance with regulatory requirements.
The outside help can also train staff to be aware of cyber threats, notes Foote, citing that 16 percent of untrained users will fall victim to an email scam but just 1.2 percent are tricked after proper training.
“Even though that 14 percent is still too high, it certainly cuts the odds considerably,” he says, adding “training is not only important, it should be constant and a priority as our IT environments and the threats we face change every day.”
Renne describes employee training as “very crucial” to the success of any security system or strategy.
“Employees are the point where people meet technology and interface externally to the company, so ensuring you provide training on cybersecurity and social engineering is essential,” he says, adding that it’s just as important to provide employees with training on company policies relating to sensitive and confidential information.
“Many times, employers assume everyone knows what is confidential and that even after they leave the company they cannot disclose this information. Unfortunately, many employers find out their assumption is incorrect. As [was] said repeatedly when I was in the Marine Corps, you fight the way you train. Training is critical to the success of any endeavor and security systems are no exception,” he says.
Another critical security aspect is ensuring business continuity. In the case of the oil and gas company’s security incident, if the company had established backup data services much of the loss could have been prevented.
“Likewise, had they obtained a defensive intelligence service they would have likely seen the blog and social media posts by the system administrator discussing his plan,” Renne adds.
Fighting Cyberattacks Requires Adaptability
Overall, Foote says, a company’s approach to implementing cybersecurity is all about adapting to the environment—very much like how Alaska residents adapt to their environment.
“Living in Alaska where we have an abundance of outdoor activities involving work or play, we learn to adapt to our surroundings—to pay attention for a wandering moose or hungry bear, to stay out of harm’s way as best we can while enjoying the bounty of our land,” Foote says. The same holds true when defending against cyber threats because awareness, knowledge, and training all play a key role in protecting the company.
“It’s also not always about what happens at the computer, but what can happen at the receptionist desk or on the phone. While it’s important for users to know how to spot a phishing email or a bad web link, it’s just as important to prevent data from walking out the door by someone posing as a service provider wanting access to the server room,” says Foote.
The biggest mistake companies can make is believing that their systems, network, and data aren’t valuable and worth a security protection investment.
“It’s a common refrain heard in the IT world from business owners or managers that goes, ‘We’re too small. Hackers won’t bother us because we have nothing of value.’ These ideas are a setup for failure. If you have an internet connection, it’s being scanned, information is being collected. Data is being sold, sometimes at very inexpensive prices,” he says.
“By implementing and maintaining a secure network, with protected data and knowledgeable users, business owners can concentrate on their business while minimizing the anxiety of the unknown,” he adds.