Saturday, October 24, 2020

Cybersecurity resources for your modestly-sized business (Cybersecurity Awareness Month, Day 24)

This year, 2020, the 24th day of Cybersecurity Awareness Month is a Saturday. For many smaller businesses, like retailers and restauranteurs, Saturdays can be very busy workdays. For others, like accountants and lawyers, Saturday may be a quiet day, or a day to catch up on things. 

In my case, speaking as a one-person business, I'm using today to catch up on the business of posting one cybersecurity article every day of this month (something I pledged to do for reasons that I hope to explain by the end of the month, if I have any words left). 

My strategy today is this: provide helpful cybersecurity advice for smaller firms by drawing on work that's been published before and/or by other people. That way I may still get out of my study in time for the curry that's being delivered for dinner tonight, while providing some genuinely helpful security resources for the smaller business.

A great place to start if your modestly-sized business wants to learn how to be safer and more secure online is CyberSecure My Business, a national program coordinated and funded through the National Cyber Security Alliance. Another good starting place might be to review the basic steps that I have mapped out below.

(Note that I am using the term "smaller businesses" because there seems to be no general consensus on what constitutes a small business. I tend to think anywhere from 1 to 100 employees is "small" but you can still meet the US Small Business Administration definition of small business if you have up to 1,500 employees and under $38.5 million in average annual receipts. To my mind that encompasses a lot of companies that I think of as medium in size, hence the widespread use of the more flexible term Small to Medium Business (SMB). In the UK, the preferred term is Small to Medium Enterprise and your firm is an SME if it meets two out of three criteria: it has a turnover of less than £25m, it has fewer than 250 employees, or has gross assets of less than £12.5m.)

A cybersecurity roadmap for the smaller business

The task of securing your business against cybercriminals can seem daunting, particularly if your business is of modest size, the kind of place that does not have a crack team of cybersecurity experts on staff. But small size and a strained budget does not mean that you should avoid addressing the challenges of cybersecurity and the very real risk to your business that the rising tide of cybercrime presents. Fortunately, the problem becomes more manageable if you break it down into a series of steps. 

The following six-step program or roadmap can get you started. It is helpfully constructed so that the steps are alphabetically named, A through F:

  • Assess your assets, risks, resources
  • Build your policy
  • Choose your controls
  • Deploy the controls
  • Educate employees, execs, vendors
  • Further assess, audit, test

Bear in mind that defending your organization against cybercriminals is not a project, it is a process, one that should be ongoing. Too often we see organizations suffer a data breach these days because the security measures they put in place a few years ago have not been updated, leaving newer aspects of their digital activities undefended. This means it is not a case of doing A through F and you're done. You will need to keep going:

Graphic illustrating that defending your organization against cybercriminals is not a project, it is a process that gets repeated

A: Assess assets, risks, resources

The first step in this process is to take stock. What kinds of information does your organization handle? How valuable is it? What threats exist? What resources do you have to counter those threats?

Catalog assets: digital, physical

If you don’t know what you’ve got, you can’t protect it. List out the data that makes your organization tick and the systems that process it. (I assume you already have an inventory system for tracking all company computers, routers, access points, tablets, printers, scanners, computer-controlled machines, IoT devices, etc.)

Be sure to include the systems receiving data and outputting data as well as those that process and store it. For example, if your company depends on a central database of clients and their orders it is possible to focus on that as your main digital asset, and feel fairly secure because it resides on a well-protected server in a locked room or in a private cloud. But connections in and out of that database may come from a wide range of devices that are beyond your physical control (and bear in mind that some of the most valuable data may exist in highlights, summaries, and attachments emailed between executives. You need to catalog those connections.

Calculate risk

You need to answer this question: What are the main threats to your data and systems? Try stating these in terms of actors, actions, assets, attributes, and motives. For example, criminals (actors) might gain remote access (action) to your server (asset) to encrypt the files on it (attribute) to extort money from you in return for the key to unlock those files (motive). 

But don't just think of money-seeking attacks; for example, people who don't like your construction company's use of imported timber (actors) might attack (action) your website (asset) to prevent you taking orders (attribute) to make a point (motive).

This type of breakdown is used in the annual Verizon Data Breach Investigation Report (DBIR) which provides a solid background to internal discussions about risks because it is based on recent, real world attacks. You can download the 2020 DBIR here. The action categories are: Malware, Hacking, Social engineering, Misuse, Physical, Error, and Environmental. The motives are Financial, Espionage, Activism, and Other. These are handy schemas to use when performing your review of the risks faced by your organization.

List resources

After cataloging all the digital assets that you need to protect, and reviewing the threats ranged against them, you can feel overwhelmed, so it is time to take heart and list out the resources you have the potential to tap as you swing into action. This can include current employees with cybersecurity skills, to consultants recommended by friends, partners, and trusted vendors. You may be able to get help from trade associations, local business groups, even the federal government. 

Build your policy

The only sustainable approach to cybersecurity begins with, and depends on, good policy (that is the consensus opinion of information security professionals, myself included). Ideally, policy begins with top-level buy-in and flows naturally from there. Your organization needs a high-level commitment to protecting the privacy and security of all data handled by the organization. For example:

We declare that it is the official policy of Acme Enterprises that information, in all its forms, written, spoken, recorded electronically or printed, will be protected from accidental or intentional unauthorized modification, or destruction throughout its life cycle. 

From this flow policies on specifics. For example:

Customer information access policy: Access to customer information stored on the company network shall be restricted to those employees who need the information to perform their assigned duties.

You implement this policy through controls, which we discuss in a moment. First, I want to stress that for many companies, information security policy is not optional, no matter how small the business. I'm not just talking about legal requirements to have policy, which exist in areas such as health and financial data. 

I'm talking about the need to have such policies in place in order to close deals. These days it is not unusual for a company that you want as a client to want you to have security policies. For many years now, some companies have required potential suppliers to comply with requirements like this:

Vendor must have a written policy, approved by its management, that addresses information security, states its management commitment to security, and defines the approach to managing information security.

In other words: you don't get to be one of their approved vendors if you don't have written and defined information security policies. (That is actual language presented as part of contract negotiations between a small software company and a large, well-known retailer.)

Choose the controls to enforce your policies

Information system security professionals use the term "controls" for those mechanisms by which policies are enforced. For example, if policy states that only authorized employees can access certain data, a suitable control might be:

  • Limit access to specific data to specified individuals by requiring employees to identify and authenticate themselves to the system.
That's a high level description of the control. You will need to get more specific as you move toward selection of actual controls, for example:
  • Require identification and authentication of all employees via unique credentials (e.g. user name and password).
  • Forbid the sharing of user credentials.
  • Log all access to data by unique identifier.
  • Periodically review logs and investigate anomalies.

Spelling out the controls will help you identify any new products you may need, bearing in mind that there may be suitable security features available in products you already use. For example, if policy states that sensitive data shall not be emailed outside the organization in clear text, the control to apply, encrypting of documents, may be accomplished through the document password protection features in products like Microsoft Office and Adobe Acrobat. (Note: I'm not saying that is strong enough for very sensitive data, but it does make intercepted documents a lot harder to read than ones that are not encrypted.)

Deploy and test controls

Putting controls in place is the deployment phase but this also includes part of the next phase, education. For example, when you roll out a control like unique user IDs and passwords you will need to educate users about why this is happening and how it works (in this example, that process should include explaining what constitutes a strong password—see Day 19 for tips on that). You will also need to test as you deploy, to make sure that the controls are working.

A phased approach to roll out often works better because you can identify problems and find solutions while scale is still limited. Rolling out to more experienced users first is a good way to get initial feedback and improve messaging to be used with the wider population (bearing in mind that some things which experienced users already know may nevertheless need to be explained to the general user population).

When testing a control, you need to make sure that it works technically, but also that it "works" with your work, that is, does not impose too great a burden on employees or processes.

Educate employees, execs, vendors, partners

Security education is too often the neglected step in cybersecurity. In my opinion, for your cybersecurity efforts to be as successful as they can be, everyone needs to know and understand:

  • What the organization's cybersecurity policies are.
  • How to comply with them through proper use of controls.
  • Why compliance is important.
  • The consequences of failure to comply.

Your goal should be a "security aware workforce" that is self-policing. In other words, employees are empowered to say "No" to practices that are risky and report them to management (even if the persons engaged in unsafe cyber-practices are management).

In terms of consequences, there is no need to sound overly-draconian but calmly point out that a breach of security could be very bad news for the organization and even threaten its continued operation, including employment.

Two areas of education you don't want to skimp on are executives (who may feel they are above being educated about security) and partners, vendors, even clients. In fact, any data-sharing relationship should be encompassed in policies, controls, and security awareness education.

Further assess, audit, test…

Step F on the road map is by no means the end of the line, in fact, it is a reminder that this process continues. Once polices and controls are in place and education is under way, it is time to re-assess security, by testing and auditing. You can do some of this in-house but you may also want to engage an outside entity to get an objective perspective on your efforts so far.

Best practice is to have a plan to assess security on a periodic basis and adjust defenses accordingly. Even when there is no audit scheduled, you will want to stay up-to-date on emerging threats and adjust your controls accordingly. For example, just a few years ago it was unusual to see RDP attacks on small business servers but today they are happening a lot. (See this article to learn what an RDP attack is.) This means you may need to pay more attention to the security of your remotely accessed servers than you have been accustomed to doing. How would you know this is a trend? One way is to subscribe to good security websites, like Dark Reading, Info SecurityGCHQ, Krebs on Security, and We Live Security

You should also be alert to changes in your systems and connections to your data. For example, there are security implications whenever you establish new vendor relationships, create new partnerships, and design new digital marketing initiatives. The departure of an employee is another event that requires security attention, making sure that access to data and systems is terminated appropriately.

Cybersecurity checklist

Yes, there is a lot to think about when tackling cybersecurity for your organization. Here are some high points you don't want to miss: 

  • Do you know what data you are handling?
  • Do your employees understand their duty to protect the data?
  • Have you given them the tools to work with?
  • Can you tie all data access to specific people, times and devices?
  • Have you off-loaded security to someone else?
    • Managed service provider
    • Privacy cloud provider
    • Public cloud provider
  • Be sure you understand the contract
    • You can’t off-load your liability
    • Ask how security is handled, what assurances are given

Cybersecurity resources and a sweet diagram

If you are still wondering if cybersecurity is a big deal for smaller businesses, or if you are convinced it is, but you need to persuade someone else, try using this diagram that I came up with some years ago while I was working at ESET: 

(This diagram illustrates the "SMB sweet spot" as seen from a cybercriminal perspective. While many smaller firms have lower levels of cybersecurity protection, they may well handle enough money and digital assets to be worth attacking. For example, a small construction firm may think of itself as too small to attack because each year it only shows a small profit, yet during the year it may handle large amounts of money from different sources to fund projects.)

For further learning and assistance here are some more resources, some in the form of PDF files:

Creating a Small Business Cybersecurity Program

There's a very helpful book that I've been recommending lately called Creating a Small Business Cybersecurity Program. It was published earlier this year, authored by Alan Watkins and edited by Bill Bonney. These gentlemen are two security experts that I had the pleasure of working with in San Diego, and this book is a great cybersecurity resource if you are a small organization (say 25 to 500 people). Indeed, any organization looking to take a structured approach to meeting the security and privacy challenges created by the digital information systems—on which business, consumers, and governments now rely—will find this book a solid place from which to start, and from which to build. 

The current trend lines for both cybercrime and technology dependence point sharply upwards. Every entity in every sector—business, non-profit, education, government—needs a cybersecurity program if it hopes to manage and survive the many risks that these trends create. The approach that Alan takes to creating that cybersecurity program is based on his decades of experience in the field. The book is practical, the concepts and strategies are clearly articulated. Alan is thorough without being overwhelming. Based on sound theories developed through decades of work in the field, this book is a generous source of knowledge, advice, ideas, resources, examples, and links to many more.

In my experience, protecting your digital assets is not about buying the latest and greatest security products. It’s about properly deploying the right products for the cybersecurity program that’s right for your organization. While Alan does point to suitable products, his focus is on making sure you have the right plan, the necessary policies, and the appropriate controls to guide the purchasing decisions you make.

A long time ago I wrote one of the first books about the security of computers used by small businesses, so I am keenly aware that the task of distilling cybersecurity advice into a readable work of a manageable scale is far from easy—and much harder than it was back then. So my hat is off to Alan, and his skillful editor Bill Bonney, for creating a much needed book that was hard to write but easy to use.

And as someone who has given talks and presentations on cybersecurity to hundreds of small organizations, the question I’ve been asked the most, a question I frankly dread, is: “where do I even start?” Now I have a ready answer: read Creating a Small Business Cybersecurity Program by Alan Watkins.


No comments: