A while back I was contacted by Karsten Strauss, a journalist with Forbes.com, He was looking for information for an article he was working on. The topic was how can small businesses protect themselves from a cyber attack and data breach. He was hoping to get some insight on what a new business should do - first thing - to protect its data, its transactions, and customers' info from cyber threats.
I was happy to help and provide my thoughts as a security professional and PCI QSA that deals almost exclusively with small to mid-size companies. So I took the time and provided Karsten with answers to his questions. I don't know what came of the article he was working on. I assume my responses were used as part of his research, and only influenced the article, as I never heard from him again.
The questions he asked are relevant to all business owners, not just start-ups and small businesses, so I thought I would take the opportunity and share them here. The questions and responses were communicated via email.
Karsten: What are the easiest first steps an entrepreneur can take to assure security for a small business? i.e. A business that wants to protect its own IP, customer data and sales transaction.
Garrett: I would suggest reviewing your IT environment and business operations/processes. Having a strong understanding of the services and applications required for a business to operate, will provide better control and security over the assets of the organization. This will reduce the attack surface.
Also taking inventory of your sensitive information and how it is handled will provide direction on how to protect it and ensure it is properly handled. Its surprising how many companies don't have a clear picture of the type of information they store, where it is stored, and who has access to it.
Last I would suggest implementing the right technologies and understand how to properly use them to protect your network. Implementing a proper network firewall and reviewing its policies and configure network segmentation.
Karsten: What are some of the mistakes small businesses make, in terms of security?
Garrett: First, I would say the biggest mistake is not making security a priority in the organization. Also, having the attitude that you aren't a target, or thinking why would someone attack me. Good security needs to come from the top and is just as much a business/operations function as it is IT's.
With small businesses, I also see a lot of inadequate network equipment. You have many small shops using simple routers either provided by their ISP or purchased off the shelf at Best Buy. These types of devices are fine for home use, but usually don't provide the feature set needed to properly monitor and protect a business.
Karsten: Often, businesses with an online presence, or those looking to protect their own systems, will let third parties handle their security duties. Can we really trust cloud services and shopping platforms and security companies? Are they really doing enough or are they simply doing just a bit more than most businesses can do on their own?
Garrett: Leveraging the expertise of a competent service provider can be a great way to extend the skill set of your organization beyond your employees. But engaging with a service provider doesn't off load the responsibility of security from the business. I think there are some good services out there and really can enhance the security of your operations beyond was could be provided in house. But the business needs to understand exactly what is being offered and how it meets the security requirements of the business.
The business needs to conduct its due diligence before engaging, as well as have a process in place to monitor the practices of the services provide, and ensure the maintain the level of security promised.
Karsten: What are the top security products out there for small businesses that want to have a strong online presence?
Garrett: With the rise of awareness to the existing security threat there have been a flood of new products on the market. Some are good and do provide added protection. Anyone concerned about protecting their online presence should implement a solid web application firewall.
I'm a strong believer in the basics. The majority of security needed can be provided by the standard security products and solutions that have been around for a while: firewall, AV, IDS/IPS, etc. When properly implemented and maintained you can get most of the way there.
I think there is a trend to constantly add in the latest and greatest blinking box to the network to increase security, when really what is needed is a better utilization of the solutions we already have.
With that, I am intrigued by the trend of consolidating security solutions and services back into a single device. UTM devices consolidate many solutions into a single device, offering firewall, IDS/IPs, web filtering, malware protection and even vulnerability scanning. These devices can lower costs while providing additional security services and simplifying implementation and management.
Karsten: How are hackers becoming more savvy and what will the next generation of cyber-threats look like?
Garrett: To be honest, most data breaches are still carried out using techniques that have been around for years. The simplest way in will always be the most successful. That is still through the human interface. Once in, sure the malware deployed is becoming more advanced and better at disguising itself but the method of entry is often through a vendor, consultant or employee. Until we do a better job with security awareness education and training, no amount of technical controls can compensate. I think for the most part people are trusting of others. I don't think this is a bad thing or flaw in human nature. We just need to be aware of it and find more effective ways to educate and inform those that have access to sensitive information and systems.
If any journalist or reporters are needing information or insight into the information security and compliance industry, we would be happy to speak with you. Please use our contact form to submit any requests.