Components of a Small Business Security Program

Security expert Bruce Schneier was once quoted as saying that a sufficiently “motivated, funded, and skilled” hacker will eventually find a way to break in.  If that is true, what should we do to protect our businesses?

Security is More than a Firewall and Anti-Virus

It is easy to fall into the trap of believing that up-to-date security products like firewalls and anti-virus software are enough to keep you safe.  These products are important, but they are definitely not enough to protect you on the internet in 2018 and beyond.

Attackers who have motivation, money, and skills are also creative and persistent.  They might try the easy way in at first, but they are prepared to work harder to find a way inside your network if necessary.  For example, the attackers who breached Target in 2013 did not directly breach one of the company’s systems; instead, they got in through an HVAC contractor.  In another example, a payroll processing firm was breached, potentially affecting hundreds of thousands of employees from thousands of small businesses.

The key to protecting yourself is to have a holistic security program that includes controls based around people, process, and technology.  Your people need to be informed and know what to do.  Your processes need to be designed with security and resilience in mind.  And your technology needs to be up-to-date and implemented effectively.

What Does a Holistic Security Program Look Like?

The National Institute of Standards and Technology (NIST) has published guidelines for small business security programs.  In their documents, NIST recommends that a security program consist of five components:  Identify, Protect, Detect, Respond, and Recover.

  • Identify: know what systems, data, people, and partners are a part of your network.
  • Protect: put controls in place that help protect your systems and data from attacks.
  • Detect: have a way of finding out quickly if your systems are under attack or have been compromised.
  • Respond: have a plan for how you will respond to an attack when it happens, and test the plan so you are ready to implement it in a crisis.
  • Recover: have a way of getting your systems and data back online after an attack so you can resume normal business operations.

The Need for Balance

If you put too much emphasis on a single component then you will be ill-prepared for when that component fails.  In one example, a small software company called Code Spaces was put out of business by a cyber attack.  The company bragged that it had excellent backups, but it apparently did not have an effective plan for recovering after it lost its data in the attack.  The result was that the company had to shut down completely.

A balanced approach that includes effective controls in each of the five components is more resilient than relying heavily on any one of them. Pinnacle can help you create a balanced, holistic security program tailored to your business and your risks.  Let us know how we can help!

In 2019, we will take a deeper look at each of these five components.