In today’s ever-changing technology world, you constantly hear about cybersecurity and data breaches. It leads many small and medium business owners to wonder what they can even do. You might be sitting there asking yourself, “If the Russians are out here hacking away, what chance do I have of protecting myself?” This is no easy task because cybersecurity is multifaceted and ever-evolving. Mix in an ENORMOUS shortage of security professionals and it just feels like, “Why try?”
I want to break it down into four sections of what we talk about for reducing risk to your business. It’s impossible to eliminate risk. Some of these principles can be applied outside of cybersecurity, but we are going to focus on how you can minimize the security risks to your organization.
The 4 areas we focus on when talking to any client are:
- Avoid – What could you do or change to avoid risk?
- Reduce – What services and policies can you put in place to reduce your cyber risk? (Backup, Security Policies, Security Software, etc.)
- Transfer – Cyber Insurance to transfer all the risk that you can’t avoid or reduce.
- Accept – Any risk that hasn’t been dealt with needs to be either addressed or accepted.
We find far too many people are accepting too much risk. It’s easy to minimize; you just need to make sure you spend the time and effort to find out what you can Avoid, Reduce, Transfer and Accept.
Avoid
The first line in the sand is to find out what risks you can avoid. Most of the ‘Avoid’ section is based on policies and end-user behavior. For example, don’t keep credit card numbers in any way, shape, or form. Get a payment portal for your end-users to use. You should never have written-down credit card numbers. Ever.
Since I am a list kind of guy, let’s get to it!
- What are your company’s policies on items such as:
  - Bring Your Own Device (BYOD). Have you written strong policies that make sure anyone who connects to your company network has proper security in place?
  - What data do you save, and how do you save it (e.g. credit card data or PII)? Is it encrypted?
  - Who has access to what data? Are there policies in place to restrict people to the smallest set of data they need to do their work?
  - How do employees work remotely? What security is in place?
  - How do you ensure employees who leave the company are locked out of all the systems? You would be AMAZED at what we find here. We recently took over a customer from a competitor, and a password that had been set up for us two years earlier to do some tasks was still working!
  - How about wire transfers? Bad guys love to target wire transfers, so make sure you have a policy in place on how they can be done. And if you don’t ever do them, let the bank know NOT to let anyone wire money from your account.
- Don’t use public Wi-Fi.
- Don’t do banking on insecure devices.
- What does your hiring process look like? Do you have ways to avoid risk, such as calling references and doing background checks?
The list can go on and on. What is important is to take some time, sit down, and think about your business, your processes, and what you do on a day-to-day basis. Is there something you can change or stop doing to avoid risk? What employee behaviors do you tolerate that are introducing risk? Walk around your office and look for passwords written down; look under keyboards and on monitors. You will be amazed at how much risk is staring you in the face!
Your challenge for today is to make a list of items that introduce risk that you can stop doing. Then look at what policies and procedures you can create to avoid risk and implement them. Change is hard, but risk sucks more.
Reduce
Life is fraught with risk, and we typically work to reduce that risk as much as possible. When you started your business or made that recent job change, did you do it on a whim, or did you put an enormous amount of thought and work into it? You looked at the risks and how to minimize them. People work to reduce operational and cash risk, but then just wander out onto the internet skipping along without a care in the world! Maybe you bought a Mac and said, ‘I don’t need antivirus software, Macs are unhackable’ (they aren’t)! Or you went and purchased all this cloud software without ever thinking about the security side of things. So, how do you reduce your cybersecurity risk?
I hate to say this, but employees are your most significant risk. It’s not that they want to harm your company; they trust everyone and everything by nature. Did you know that 93% of hacks these days start with email? EMAIL! One of the best things you can do is invest in training for your employees. You should do regular cybersecurity training and phishing attack simulation. These don’t have to be complicated, but they do need to be regular. We offer free weekly tech tip emails that are packed full of great tech and security tips, as well as phishing simulation training if you need that. Sign up here if you are so inclined.
Layers of Security
Just having one Anti-Virus isn’t real security. I can hack around one or two, maybe 3 or 4, but as you layer on security, it gets harder and harder to hack and stay in your network. So, the bad guys give up and move on to easier targets because there are so many. You should have at a minimum:
Firewall
Get rid of the junk you bought at Amazon or Best Buy. Find a firewall that has built-in security features like intrusion prevention and anti-malware.
Content Filtering
Many commercial routers can include this, but we suggest going with a 3rd-party product as well. The product we use has an agent we install on all computers, so the content filtering follows the user, whether at home or on the road. Make sure you are blocking anything that creates risk. Dirty pictures could become a ‘hostile work environment’ lawsuit, and malware, botnet, and hacking sites are bad for self-explanatory reasons.
Anti-Virus
Don’t just settle for the cheapest A/V you can find. You need to look for next-gen features like machine learning and behavior-based scanning. Ransomware has gotten good at getting around many traditional anti-virus products, but behavior-based scanners will shut it down quickly.
Network Security and Monitoring
How are you protecting your server? If you have critical data, we recommend Security Information and Event Management (SIEM). This, coupled with newer advanced threat hunting services, makes it hard for hackers to stay in your systems. The current data says that it takes, on average, over 190 days for someone to detect a breach. With proper monitoring in place, you can cut that down to days or minutes. Network security also encompasses VLANs (virtual LANs) to segment traffic within your network. Basically, we put voice traffic in one virtual network and general network traffic in another. You can then segment R&D, servers, IoT devices, etc., and control access between the networks easily. It helps minimize the risk if someone does get into your network.
Dark Web Monitoring
If you have passwords for sale on the internet, it’s equivalent to handing the keys to the front door to a total stranger. “Please don’t steal my stuff.” By monitoring the Dark web for stolen credentials, you can stay one step ahead and change your passwords before they are used to access your data.
Two-Factor Authentication (2FA)
2FA, as they call it for short, is when you have to enter an additional code sent via email, text, or an app to log into your applications. We recommend you turn this on anywhere and everywhere it is supported: Amazon, eBay, banking, your email, etc. You can also find many 3rd-party companies that sell 2FA services for apps that might not natively support it.
Policy and Procedures
This is one of the boring sections unless you love policy. You probably have a policy for who gets keys to your building but never stopped to think about who has access to your many computer systems and passwords. How many of you have a password taped to your monitor right now? Maybe under the keyboard, because you are ‘sneaky.’ Have you ever given a password to a co-worker or perhaps a vendor because it was easier than creating them one? That is how Target got hacked – someone stole credentials from a 3rd-party HVAC company and used those to gain access to the Target network. You should create a policy for:
Passwords
How long they must be, how to store them, when to change them, and not to share them. Follow the newer research that says forcing frequent changes is worse: go long and change them less frequently. We recommend people use four unrelated words for their password. Put yourself in someplace you can picture in your head (your living room, for example) and then pick four random objects. Bam, new password. Here are other helpful password rules you should know.
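As an added example, not code from the original post, here is a small Python script that covers the concrete points above: generating a four-word passphrase from a cryptographic random source, measuring how much entropy a word list of a given size actually buys you (the same function also scores random-character passwords, so the two approaches can be compared), checking a candidate against a length-first policy and a breached-password list, and storing a salted slow hash instead of the password itself. The word list, the breached-password set, the 16-character minimum and the PBKDF2 iteration count are constructed assumptions for this example, not values from the article.

```python
# Added example: passphrase generation, entropy accounting, a length-first policy
# check, and password storage.  All thresholds and sample data are assumptions.
import hashlib
import math
import secrets
from typing import Optional, Tuple

# Constructed sample word list (16 entries).  A real list has thousands of words;
# the entropy function below shows why the list size matters.
SAMPLE_WORDS = [
    "lamp", "carpet", "window", "pillow", "candle", "bookshelf", "curtain", "remote",
    "blanket", "clock", "plant", "mirror", "speaker", "rug", "vase", "frame",
]

MIN_LENGTH = 16                                   # assumed policy threshold
PBKDF2_ITERATIONS = 600_000                       # assumed work factor for storage
# Constructed stand-in for a list of passwords already found in breach dumps.
BREACHED_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` options.
    Works for words from a list (pool = list size) or characters (pool = alphabet)."""
    return length * math.log2(pool_size)


def generate_passphrase(words, count: int = 4, separator: str = "-") -> str:
    """Four unrelated words, chosen with the CSPRNG in `secrets` (never `random`)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def check_password(candidate: str, breached=BREACHED_PASSWORDS,
                   min_length: int = MIN_LENGTH) -> list:
    """Return the policy violations for a candidate; an empty list means it passes.
    Length and breach status are checked instead of character-class rules."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in breached:
        problems.append("appears in a known-breached password list")
    if len(set(candidate)) <= 2:
        problems.append("too repetitive")
    return problems


def hash_for_storage(password: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Never store the password: keep (salt, slow salted hash) and recompute to verify."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("passphrase            :", phrase)
    print("bits, 4 of 16 words   :", entropy_bits(len(SAMPLE_WORDS), 4))
    print("bits, 4 of 7776 words :", round(entropy_bits(7776, 4), 1))
    print("bits, 8 random chars  :", round(entropy_bits(95, 8), 1))
    print("policy check          :", check_password(phrase) or "ok")
    print("policy check Password1:", check_password("Password1"))
    salt, digest = hash_for_storage(phrase)
    print("stored hash           :", digest.hex()[:16] + "...")
```

The numbers are the useful part: four words from a 7776-word list come to about 51.7 bits, roughly the same as eight fully random printable characters (52.6 bits), except that the four words can be remembered and typed, while the random string ends up on a sticky note under the keyboard. The tiny 16-word sample list only gives 16 bits, which is why the generator must draw from a large list.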
Data Access
Most people will make sure financials are secured, but then don’t put any thought into the rest of their data. What about HIPAA? Do you need to restrict PII data? Do you run a manufacturing plant and hold other companies’ secrets or IP? That data should be restricted to the smallest group that needs it to complete their job functions.
Acceptable Internet Use
Can you do whatever you want on your company network and computers? Most places don’t have restrictions in place but should. We run dark web searches all the time and find people using company email addresses for non-work-related sites. Some are for the kids’ school, and some hacked passwords we find are for hookup and less reputable sites. You do not want your company associated with those, plus it’s a more significant risk exposure if employees are using work email for personal accounts. Tell them they can’t. Create a policy that says what they can and can’t do with company assets. Make sure you include language that limits what sites they can go to (work-related), because the last thing you probably want is a virus from a porn site.
Remote Access
Make sure you have a policy on how people can access cloud apps or remotely access your company network. Can they use home computers? Do those home computers need to have A/V on them? What type? Can they use a public computer? (NO, THEY CAN’T!) There are a ton of questions to think through on how you want to allow remote access and keep your data secure.
The list of policies and ways to reduce risk can go on and on. You must sit down and think through your business, and we recommend that you get a trusted IT professional involved as well. Don’t go ask your buddy that’s “good with computers”; you need the services of a REAL IT company, one that has experts on staff and spends lots of time working to protect other people’s data. Ask them about their security policies: do they use 2-factor, how do they train their staff, and what layers of security do they have? Just make sure you are not sticking your head in the sand and saying, “It won’t happen to me! I’m too small for anyone to want to hack!”
Transfer
If you run or manage a business, chances are you regularly think about risk management. You might not think of it in that exact wording, but you are thinking of ways to protect yourself, your business, your customers, etc. Nobody wants to be a news story about how they had a data breach and lost customer data. Did you know that in 2018 the average cost PER lost customer record was $150, and in the healthcare industry, it was over $400? That’s the cost to recover systems, public relations, lost business, and all the other repercussions of a data breach. How many customer records do you have, and what would your costs be? They add up pretty quickly.
People don’t think twice about purchasing car insurance, home insurance, and business errors and omissions insurance, yet many companies today don’t carry Cyber Liability insurance. With today’s evolving threat landscape, this is a must-have for pretty much any business. If you collect any kind of personal data, and just about everyone does these days (names, emails, addresses, phone numbers), then you need to pay attention to your legal requirements to protect that data. Data breach laws now encompass much more than just medical information. Do you know what your state’s laws are around privacy and data breaches? You need to look them up and make sure you’re in compliance, because otherwise you are accepting a huge amount of risk.
A good cyber insurance policy will allow you to transfer risk to the insurance company. It doesn’t mean you can abdicate responsibility for data protection, because you still have to do everything reasonable to reduce and avoid cyber risk. The policy itself will come with requirements to make sure you aren’t just dumping risk on the insurance company; insurers are experts at reducing and avoiding risk. That’s why it’s so critical to do all you can to mitigate and prevent risk yourself.
I’m not an insurance agent, and you should call your local agent to talk about cyber risk as soon as you can. If your ‘guy’ isn’t sure or isn’t an expert, I would shop around. Cyber Insurance is still relatively new, and not all agents are experts. The last thing you want is to think you are covered, but find out you’re not. Make sure they have coverage for ransomware or extortion payments, the PR services you will need after a breach, and business interruption. If you have a breach, will they cover the regulatory fines that might accompany it? Make sure you follow all the guidelines within the policy. I even recommend you work with your IT provider when shopping for insurance to make sure you follow the policy, and they might have some good recommendations as well. The last thing you want is to file a claim amid a breach only to have the insurance company reject it because you didn’t implement some part of the policy (i.e., a password policy or disk encryption).
Accept
This part is easy: if you don’t Avoid, Reduce or Transfer your risk, you must accept it. It should be your goal to accept as little risk as possible by having good security practices, policies, and insurance in place. If you do a good job on the first three sections, then you should have minimal risk to accept. Just remember, if you do a bad job with Avoid, Reduce, and Transfer, then you might get put out of business. Customers are starting to look at how their data is used and protected, and soon will demand to know they are protected to a reasonable extent. Don’t stick your head in the sand and ignore cybersecurity risk; it will come back to bite you.