Components of a Small Business Security Program

Security expert Bruce Schneier was once quoted as saying that a sufficiently “motivated, funded, and skilled” hacker will eventually find a way to break in.  If that is true, what should we do to protect our businesses?

Security is More than a Firewall and Anti-Virus

It is easy to fall into the trap of believing that up-to-date security products like firewalls and anti-virus software are enough to keep you safe.  These products are important, but they are definitely not enough to protect you on the internet in 2018 and beyond.

Attackers who have motivation, money, and skills are also creative and persistent.  They might try the easy way in at first, but they are prepared to work harder to find a way inside your network if necessary.  For example, the attackers who breached Target in 2013 did not directly breach one of the company’s systems; instead, they got in through an HVAC contractor.  In another example, a payroll processing firm was breached, potentially affecting hundreds of thousands of employees from thousands of small businesses.

The key to protecting yourself is to have a holistic security program that includes controls based around people, process, and technology.  Your people need to be informed and know what to do.  Your processes need to be designed with security and resilience in mind.  And your technology needs to be up-to-date and implemented effectively.

What Does a Holistic Security Program Look Like?

The National Institute of Standards and Technology (NIST) has published guidelines for small business security programs.  In their documents, NIST recommends that a security program consist of five components:  Identify, Protect, Detect, Respond, and Recover.

  • Identify: know what systems, data, people, and partners are a part of your network.
  • Protect: put controls in place that help protect your systems and data from attacks.
  • Detect: have a way of finding out quickly if your systems are under attack or have been compromised.
  • Respond: have a plan for how you will respond to an attack when it happens, and test the plan so you are ready to implement it in a crisis.
  • Recover: have a way of getting your systems and data back online after an attack so you can resume normal business operations.

The Need for Balance

If you put too much emphasis on a single component then you will be ill-prepared for when that component fails.  In one example, a small software company called Code Spaces was put out of business by a cyber attack.  The company bragged that it had excellent backups, but it apparently did not have an effective plan for recovering after it lost its data in the attack.  The result was that the company had to shut down completely.

A balanced approach that includes effective controls in each of the five components can be a more effective approach to security. Pinnacle can help you create a balanced, holistic security program tailored to your business and your risks.  Let us know how we can help!

In 2019, we will take a deeper look at each of these five components.


Cyber Risks Can Affect Small Businesses, Too

The online world has become a much more dangerous place over the past decade. We see new stories about cyber attacks and cyber breaches in the news every week. There was a time where it seemed like cyber attacks were primarily targeted at governments with classified data or large businesses with plenty of resources to steal.

Unfortunately for small business owners, that is no longer the case. Over time, cyber threats have begun to directly affect even the smallest of businesses. To make things worse, the impact of a successful cyber attack on a small business can be devastating. According to the Better Business Bureau’s report on cybersecurity in small businesses, the average cost of a cyber attack on a small business is $80,000. That is a small amount of money for a large corporation like Target or Yahoo!, but it is huge for a small business.

Studies have shown that more than 60% of small businesses that are victims of a cyber attack go out of business within six months. That is a shocking number; it brings home the impact of security risks to business leaders as well as to employees. None of us wants to see our companies go out of business.

What can you do to protect your business from cyber attack?

There are a variety of steps you can take to help improve your security, including training and skill development for your people, changes to key processes that can reduce risk, and implementing technology that will help prevent certain types of attack. But where should you start?

The first step is to take cyber seriously. Make sure that your business leaders and your board of directors understand your risks and are taking practical steps to address them. Awareness also extends to employees, in part because many attacks are targeted against members of your staff. Make sure everyone on your team understands their role in protecting the company and their jobs.

Another important step is to plan for how you will recover from a cyber attack. Many of the small businesses that fail after a cyber attack do so because of secondary costs. Although the direct costs of an attack can be painful, your biggest risk is most likely that it will take too long and cost too much money to recover your systems and data so you can return to business at all. The longer it takes you to resume supporting your members, delivering your services, or selling your products, the greater the likelihood that your company will fail.

How difficult is this?

Spoiler alert! These steps don’t have to be difficult or costly. Find a partner that can help you. Ask them to work with your board and other leaders to ensure a common understanding of your cyber risks. Provide training and attack simulations to your team. Develop and test a plan for recovering if some of your key data is lost or stolen.

All of this can be done in a matter of weeks, not months or years. When you are finished with these steps, you will have taken an important step forward and can prioritize any additional steps you need to take to further reduce your security risks.