You’ve undoubtedly noticed the large proliferation of cyberattacks against organizations over the past few years. While the high-profile attacks of governments or large corporate enterprises make the headlines, small and medium businesses are the most vulnerable. Fact: 50% of them go out of business within six months of an attack. As a matter of survival, it’s paramount for small and medium-sized business (SMB’s) to have a security posture on par with that of large businesses. If you have the kind of business that uses or needs your own hardware or hardware equivalents (cloud or server services) via subscriptions, most of you (but not all) have the expected firewalls, website/email filtering, and some type of anti-virus. While this may have been viewed as sufficient protection in the past, cyberattacks have become more and more sophisticated. It’s imperative SMB’s re-evaluate their security needs as these common-place measures may not be sufficient any longer.
One increasingly popular trend is partnering with third-party companies that specialize in security. In today’s marketplace, you can now outsource your security needs affordably by leveraging your partner’s knowledge and existing secure infrastructure. Regardless of what your company decides to do, the first step in establishing an understanding of your existing security posture is to perform an in-depth security audit.
Security Audit: What it is and why you need it.
You should start your security audit by mapping your company’s network. What is your network? Your network includes any devices that you use during normal business operations. Software applications and server usage are also included. This applies to both inside and outside of the network. The audit should clearly define what is provided by an offsite server or cloud service, and what is on premise. It should also define the justifications for why these network elements exist. A good audit will also include analysis of the guest network and entry points for outside users. This could include a wireless guest network or a front-end application (e.g. a web portal) which customers or employees access remotely.
In many instances, an efficient redesign of the network is the lowest hanging fruit. For example, simply migrating certain applications or services to the cloud can immediately increase security. Properly segregating your wireless guest network from the rest of your infrastructure is another example of how you can prevent an attack.
Your organization’s security policies, procedures, and plans will also require review. A surprisingly large number of organizations have no established security policy whatsoever. If you do have one, it may be outdated and ineffective against today’s persistent advanced threats. This security review includes the organization’s business continuity, disaster recovery, and data back-up plans. It should also include employee access, email, and internet browsing policies. If a security response plan doesn’t already exist, your organization should update and document responses to security risks, such as ransomware or malware, and what the escalation process is in the event of a security breach.
Once the network has been holistically reviewed, your team can properly evaluate where potential and existing vulnerabilities lie. Your organization should perform regular comprehensive vulnerability and penetration tests to establish a baseline for your company’s existing security posture. These tests will not only include software, equipment, and network topology analysis but, more importantly, employee testing. Negligent employees tricked from simple phishing campaigns or social engineering are, by far, the largest entry point for cyberattacks within SMB’s. Fact: 97% of all ransomware is delivered via email and phishing attacks and are constantly evolving and becoming harder to detect. User education is your last line of defense in protecting your organization against malicious cyberattacks.
YAll updates and changes resulting from the audit should be implemented using industry best practices and standards and in keeping with your company’s security goals in mind. After changes are implemented, iterative audits should be performed to ensure that organizational security is keeping pace to meet the advanced threats of today and tomorrow head on.
I understand that a lot of this can sound overwhelming to some entrepreneurs. If you find yourself in that position you may choose to find a partner to help you. As always, make sure you find a partner that you feel comfortable with to help you navigate the process of cyber security for your company.