Small- to medium-sized businesses (SMBs) face myriad challenges when it comes to information security, yet a couple of prevailing ones seem to drive all the others. First, many SMBs believe that their data is not as desirable or valuable as that of big businesses. Second, they convince themselves that investing in adequate protection is a luxury rather than a necessity. The simple fact, however, is that these companies are often targeted by malicious actors precisely because of their weak security and their direct access to larger companies.
The widely publicized data breach experienced by retailer Target is common knowledge across industries, but just as troubling is that the data theft was initiated through one of its small business partners. In the interconnected business world we live in, companies and their employees collaborate and share data on a daily basis. For SMBs that have not invested in developing processes and implementing technologies to develop foundational information security protection, exposures include:
The threat of immediate and direct business impact - This challenge can manifest itself in the form of stolen data and immobilized operations. Organizations large and small often underestimate the value of their data. If the information stored includes detailed personnel records with name, address and social security number, it provides the basic information a data thief needs to create false identities. Once a false identity is created, getting new credit cards is an easy process. So, the real value of information held by SMBs can be much broader than its face value.
The true cost of stopping business operations is not always contemplated by SMBs - Malicious software like ransomware is designed to “lock up” data through cryptographic methods, essentially making it unusable until a payment is made to “unlock” it. Statistically, organizations have a less than 50 percent chance of regaining access to their data even after making a payment. Even so, many take the chance, hoping that they will receive the digital keys to release their data. When this type of attack occurs, the only reliable hope of restoring critical business data lies in properly logged and stored backup data. While SMBs are getting better at implementing various forms of data recovery plans, even small gaps in execution can lead to days of downtime. The cost of lost production and delayed shipping will vary from one industry to another, but these are simple calculations that yield real answers.
A much broader risk for SMBs is the liability of impacting the business operations of the large customers they support - The cost of this one is more difficult to quantify but is often bounded by contractual obligations. For instance, as part of their contracts, automotive suppliers agree to pay thousands of dollars per minute of downtime in plant production that they cause at automotive manufacturers like GM, Ford and Chrysler. The reason for the downtime is non-specific, so a malicious file transmitted from the supplier as part of a record update that ultimately disables a manufacturing facility would fall under the downtime clause. Other industries have comparable protections built into their vendor relationships. In healthcare, a similar arrangement is the structured Business Associate agreement.
Begin With a Plan
While it may seem overly simplistic, the most critical component of an effective approach to protecting organizational data is to develop a plan. Some organizations will have no idea where to start, so Mindfire Technologies offers a wide variety of no-cost content to help SMBs get started.
We help organizations assess their cyber capabilities and develop a plan to address identified gaps. At a minimum, our security experts help SMBs understand the questions to ask and offer guidance on where to begin. We also supply content-rich information to help build a foundational information security program.
For those who conduct a self-assessment, it’s important not to get discouraged, as most will find the number of things they are not doing a bit overwhelming. If the organization has never conducted, or does not plan to conduct, a self-assessment, there are best practice areas that every SMB should include as part of its plan for building an information security program.
Firewall – The most fundamental and proactive element for SMBs is to implement an enterprise-grade firewall. The cost of these devices has become more competitive and most organizations would be pleasantly surprised at how affordable they have become. Industry leaders have evolved but there are still many options from which to choose. If an SMB has specific compliance requirements, it is important to validate that the selected firewall manufacturer is approved for use. There are many options available with these types of firewalls and organizations should consider high-impact modules like intrusion prevention and web content filtering. Both provide great value for the relative increase in dollars spent.
Endpoint Security (Antivirus) – Individual computers (laptops/desktops) and the servers used to run applications and store organizational data should be protected with endpoint security technology. These solutions, often referred to as antivirus, are designed to protect against malicious software (like ransomware). There are more than 12 million versions of malware created every month. Next-generation anti-virus has been around for a while now to address these rapidly changing threats and still has value as a fundamental security control. However, these solutions, like so many others, should be layered with other basic controls. For this endpoint security piece, SMBs should do research and conduct evaluations to determine which of these products will best fit their specific needs.
Vulnerability Scanning – Every IT device (PCs, servers, switches, printers, etc.) on the organization’s network has software that is used to provide the desired functionality. As we all know well, all software has inherent security flaws or vulnerabilities at one time or another. As such, it’s important to periodically scan these devices to identify software vulnerabilities that need to be patched.
Security Policies – Employees need to understand the desired behaviour as it relates to critical data and how to protect it. Security policies provide written guidelines on what is expected of each employee and establish thresholds for acceptable behaviour.
Awareness Training – To help with understanding the intent of security policies and increase awareness for common phone and email exploits, awareness training is a low-cost yet high impact investment. This activity is a must for any security program.
Centralized Log Review/Alerting – All the equipment comprising an IT infrastructure generates some sort of activity log noting various interactions, and keeping track of these is vital: log files can be collected and evaluated to identify activities or behaviour that indicate a potential security problem. Unfortunately, most security logs are not retained (on local devices) long enough to support investigations. Implementing a centralized repository with email alerts for specific conditions is a low-cost, high-impact initiative.
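As an added illustration of this item (not code from the article or from any product it mentions), the following Python sketch takes constructed log lines from a firewall, a server and an endpoint as they might arrive at a central collector, normalizes them into one event list, and evaluates two alert conditions: a burst of logon failures from one source and any endpoint malware detection. The line format, hostnames, thresholds and window are assumptions; the alerts it returns are what an email notification would carry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three device types, in an assumed
# "timestamp host event key=value ..." format written by a central collector.
SAMPLE_LOGS = [
    "2024-03-04T09:00:01 fw01 deny src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-03-04T09:00:02 srv01 logon_failure user=jsmith src=203.0.113.7",
    "2024-03-04T09:00:05 srv01 logon_failure user=jsmith src=203.0.113.7",
    "2024-03-04T09:00:09 srv01 logon_failure user=admin src=203.0.113.7",
    "2024-03-04T09:00:12 srv01 logon_failure user=admin src=203.0.113.7",
    "2024-03-04T09:00:15 srv01 logon_failure user=admin src=203.0.113.7",
    "2024-03-04T09:01:00 srv01 logon_success user=mjones src=10.0.0.22",
    "2024-03-04T09:02:30 pc-042 av_detect name=Ransom.Generic action=quarantined",
    "2024-03-04T09:02:35 fw01 deny src=10.0.0.42 dst=198.51.100.9 dport=443",
    "2024-03-04T10:30:00 srv01 logon_failure user=mjones src=10.0.0.22",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse_line(line):
    """Normalize one line into a dict; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    try:
        stamp = datetime.fromisoformat(ts)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return {"ts": stamp, "host": host, "event": event, **fields}

def failed_login_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP produces >= threshold logon failures within a sliding window."""
    alerts, by_src = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "logon_failure":
            continue
        times = by_src[e.get("src", "unknown")]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:
            times.pop(0)            # drop failures that fell out of the window
        if len(times) >= threshold:
            alerts.append(("brute_force", e.get("src", "unknown"), e["ts"].isoformat()))
            times.clear()           # one burst raises one alert, not one per extra failure
    return alerts

def malware_alerts(events):
    """Every endpoint AV detection is worth a human look, so each one becomes an alert."""
    return [("malware", e["host"], e["ts"].isoformat()) for e in events if e["event"] == "av_detect"]

def run(lines):
    """Central evaluation: parse everything, keep it, and apply all rules."""
    events = [e for e in map(parse_line, lines) if e]
    return failed_login_alerts(events) + malware_alerts(events)
```

The single failure from 10.0.0.22 at 10:30 stays below the threshold and produces nothing, which is the point of counting within a window rather than alerting on every failure.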
Standard desktop and server configurations – Simplicity improves efficiency. This tried-and-true rule also applies to managing security on IT devices. Developing standardized software, application and security settings dramatically reduces the likelihood of a simple oversight or a device setting change leading to a gap in security. Another evolving trend that SMBs should investigate is the use of thin-client technology -- a tablet or laptop device that is loaded with software and user-specific settings upon login. The main benefit of these solutions is that they can be configured to store all user data in the cloud or on a centrally located server. This approach eliminates the potential for data loss if the device is misplaced or stolen.
Centralized User/Device Management – It’s very hard to secure people and devices for which there are no accurate records. Keeping an accurate and centralized record of IT assets and user profiles is a foundational element for reducing risk across the organization. Implementing a feedback loop with human resources will ensure that user access privileges are removed when they leave the organization -- a simple approach to eliminate a high-risk threat vector.
Security Testing – One of the most important elements of a healthy information security program is conducting ongoing evaluation of security practices. Areas of evaluation can include email campaigns (phishing), network testing, web application testing, and phone calls to employees (social engineering). Testing conducted on an annual basis -- but perhaps at more frequent intervals, if possible -- will provide feedback and improve knowledge on gaps in the information security program. This insight helps stakeholders adjust resource allocations and planning for future years.
Leveraging these basic elements of best practice will provide SMBs with a solid plan for information security. The plan should be revisited at least annually to adjust resource requirements, such as time, people and technology, as well as to update the budget accordingly.
It is no surprise that information security budgeting for SMBs presents its own set of unique challenges. For organizations that have never allocated money for these initiatives, every dollar spent represents a 100 percent increase. Again, it is critical for organizations to take a real hard look at the true costs associated with an information security incident.
The budgeting process varies dramatically from one SMB to another. At a smaller size, it’s often more difficult to predict average spending for the year. Planning asset purchases can also lead to savings as it is customary for computer manufacturers to offer end-of-quarter discounts and reserve additional discounts for purchases of 25 units or more. It’s also worth checking with retail stores as they will occasionally provide better pricing than distributors.
Without established budgets, many SMBs develop incremental purchasing habits for IT (and, hopefully, information security) assets. This piecemeal purchasing cycle means small IT departments spend more time configuring devices for deployment.
SMBs often have only a couple people in these departments wearing multiple hats. With limited resources, it becomes nearly impossible to have expertise in all facets of the department. For example, one individual may be responsible for VMware administration, networking, patching and security, making it even more important to have defined configuration standards to ensure uniformity in deployment and simplify management on a recurring basis.
Some organizations may elect to outsource their IT needs almost entirely. While outsourcing to a larger IT company may solve some of these issues, their services are often packaged as a one-size-fits-all approach for customers. This option may include SLAs and IT-asset configurations that aren’t necessarily best suited to the SMB's unique requirements.
Security Product Categories for SMBs
Next-Gen firewalls with integrated networking components
One product segment that has a significant impact on the overall security posture is next-gen firewalls. These multipurpose tools help SMBs protect the network perimeter while filtering inbound and outbound traffic. They can also be configured to make decisions based on OSI Layer 3 or OSI Layer 7 patterns. While most modern firewalls fit into this next-gen category, there are a few that are particularly suited to the SMB market.
FortiGate firewalls come in all form factors and sizes to meet nearly any business need. From desktop models to rack-mountable appliances to virtual appliances, these devices can be configured to meet a variety of use cases. The diversity of FortiGate firewalls helps them fit just about every budget while delivering enterprise-level protections for the SMB. These solutions support URL and DNS filtering to help restrict users from wasting time or visiting malicious sites. Using the application control functionality, administrators can allow users to visit cloud storage sites, such as Dropbox, and download files while restricting their ability to upload files.
Fortinet doesn’t stop at the firewall. Fortinet makes a variety of other solutions that snap right into its “security fabric” to provide additional insight into and control over the network. With other network solutions like the FortiSwitch and FortiAP, Fortinet has taken steps to allow businesses of any size to manage the wired and wireless segments of the network. With the FortiGate GUI, these networked technologies can all be managed from a single interface, essentially making these devices an extension of the firewall.
With an aggressive pricing strategy, Fortinet solutions lend themselves to businesses of all sizes – from small businesses to large telecom providers – making this an excellent option for the SMB segment. The integrated product strategy, aggressive pricing, and simple deployment have positioned Fortinet as a major player in this space for the foreseeable future.
With the evolving threat landscape, endpoint protection plays a vital role in protecting the SMB enterprise. Today’s endpoint solutions go much further than the traditional antivirus solutions of days past. Most focus on blocking fileless attacks and add further protections or functionality to keep endpoints secure.
Sophos Intercept X
The endpoint protection in Intercept X is driven by the combination of deep learning, anti-exploit capabilities, anti-ransomware technology, and other modern endpoint protection techniques, all paired with Sophos’s foundational endpoint security technology.
The artificial intelligence built into Intercept X is a deep learning neural network, an advanced form of machine learning that detects both known and unknown malware without relying on signatures.
Deep learning makes Intercept X smarter, more scalable, and higher-performing than endpoint security solutions that use traditional machine learning or signature-based detection alone.
Synchronized Security is one of the features from which SMBs can benefit most. Synchronized Security simplifies and unifies defenses with real-time intelligence sharing between your endpoints and firewall. This means you get better protection against advanced threats and spend less time and fewer resources responding to incidents.
Log management is an area that often is overlooked. Digging through logs can be tedious and challenging, but also can have a profound impact on early threat detection. By having a strong centralized log management solution in place, analysts can quickly review data and understand trends that highlight anomalous behaviour.
AlienVault has been a recognized name in the security information and event management (SIEM) space for over a decade. It provides security teams with a solid security platform that is powered by their Open Threat Exchange (OTX). AlienVault’s Unified Security Management (USM) platform is a top choice for MSSPs and mid-sized business alike. It is a very powerful tool with a lot of integrations that can help any SMB with its log management needs.
In addition to centralized log management and SIEM functionality, the USM platform also can perform other critical compliance/security tasks, such as vulnerability scanning, file integrity monitoring and threat hunting. For organizations that need assistance on the compliance front, the AlienVault USM covers the gaps. The AlienVault team can provide guidance on setting the solution up and has documentation mapping their solution to most of the common compliance requirements.
While AlienVault’s USM is a paid service, they also offer a free version of the software – The AlienVault OSSIM. This open-source SIEM is a great foundation for SMBs that are just moving into the space. While it has most of the functionality of the USM, it does take more work to get up and running. Once configured, this tool provides a low-cost alternative to address near-term needs as work is done to continually mature the security program.
Security teams at SMBs face endless resource challenges. This leads to other barriers, like obtaining budgetary support, hiring the right people, or executing sound security awareness training programs.
Cybersecurity experts from Mindfire Technologies can provide free consulting for an effective, holistic security and resiliency plan that prioritizes risk mitigation and communicates needs in a way that executives can support. Setting up the process and helping to instill the discipline necessary to successfully launch a security program is vital.
Along with planning and execution, deploying the right technologies and services to bolster the overarching plan is just as critical. It’s crucial to account for elements like total cost of ownership, integration with the current infrastructure, scalability needs, service-level-agreement expectations and more. The various technologies highlighted are a sound start for organizations that want cost-effective, simple-to-deploy solutions.
Building an effective program takes time, resources and commitment. Mindfire Technologies ensures that the investment made to establish your organization’s holistic risk management and security plan will pay strong dividends.