Small businesses are increasingly under attack from cybercriminals. Not only are the attacks themselves increasing, but the cost to businesses to resolve the damage is increasing. Some interesting facts from 2020:
2020 was already the “worst year on record” by the end of Q2 in terms of the total number of records exposed.
By the end of 2020, double extortion tactics became the new standard in ransomware.
In 2020, the average cost of a data breach in the USA was $8.64 million.
It’s easy to find the big attacks against the big companies largely because they’re required to publicize the breach. In many cases smaller companies doesn’t have to publicize a breach and that creates a problem. Smaller companies don’t see how often they’re a target, so it’s easy to falsely believe the smaller size makes them less of a target. Quite the opposite is true. If you have a small business, it’s likely you don’t have millions of dollars you can spend on cybersecurity. That makes you more vulnerable to attack, and more likely to be breached.
Cybersecurity is a real need for businesses of all sizes, and you must deal with it. You can’t sit back and let it run wild on its own, because when things go wrong, they go horribly wrong. Proactive management of your network security needs to be a priority for your business. I know that security comes at a cost and it’s a cost many businesses don’t want to incur. Many small business owners choose to take the issue of security into their own hands. I believe this is a big mistake, but if this is your mindset please allow me to give you some pointers on where to begin.
First things, first, “security” is a broad topic that encompasses a lot of things. There are a lot of aspects to security that pertain to your business; not monitoring any one of them could be disastrous. This list is not a comprehensive review of what your network security should look like. As a matter of fact, these alone won’t keep you safe. But if you insist on not hiring an expert to manage your security, this is a good place to start. Just don’t fool yourself into thinking this counts as meeting any duty to protecting your clients’ information.
THREE BASIC SECURITY ELEMENTS
Antivirus is the front line of defense keeping your computer free of viruses. Antivirus software is complex with endless configuration options. There’s a lot to keep up with here.
When checking the status of your antivirus, ask yourself:
- How do you know your antivirus software is running all the time?
- How do you know it’s scanning when it should?
- When it does scan, how do you know it’s scanning all the dark corners of your computer that it should scan?
- When it finds a malicious file, what does it do with it? Does it delete it? Put it in quarantine? Ignore it?
- How do you know it’s handling infected files correctly?
- Does it report to you?
- Did you configure the antivirus? How do you know you configured it correctly?
- When is the last time the virus definitions updated?
It’s entirely possible that your antivirus software isn’t updating, isn’t scanning everywhere it should, or isn’t reporting its findings to you. To know that your antivirus software is operating 100% correctly, you need to check on it constantly, so that when it finds a problem, you can attack it immediately.
The best way to do this is through a management server. From the central server you can configure the antivirus software to meet your network security policies. The antivirus agents will all report in to your management server with their status and scan reports. If there are any issues, you’ll see them all in one place, and can quickly remedy the situation (or better, you can automate the remedy).
As time goes by, software developers fix bugs, add functionality, and fix security problems. Your operating system is the most complex piece of software running on your computer. It’s also the most privileged – meaning it has the most direct access to the most important parts of your computer, without anything second-guessing it – software. As a result, it is the most prone to bugs, security holes, and conflicts with hardware and other software. It is the most patched software on your computer.
Microsoft sends patches monthly, on a set schedule. Sometimes Microsoft releases “Out-of-Band” patches for the most serious of security related fixes, or to fix a broken, recently release patch. If there’s a problem with that process you may not know that you’re missing patches. You wouldn’t let your child go without a band-aid, would you? Leaving them exposed to germs that could make them sick. If you don’t monitor that status of your patches, you could be months behind on security updates that are making you vulnerable to hackers.
Don’t neglect your other software either. Just as important as patching the operating system is keeping all – I mean ALL – other software updated as well. You have to keep up with every single software vendor and know when they release a security patch. When they do, it’s up to you to patch the software.
The only way to know for sure that you’re up to date on your patches is to check. Every month, when your computer should get the latest patches it is important to verify it installed them. If there’s a problem, you need to find it and fix it fast.
Backups are notorious for failing without warning. Backups are one of the most common points of failure in a business’s security. There are some very good backup processes out there. But all backup processes fail. Sometimes they fail without knowing they’ve failed (like corrupting data in the backup location). It’s important to check your backup logs and test the backup files regularly. Your backups are only as good as the most recent one you’ve tested. And when you’re testing, make sure you test the entire process. Ask yourself:
- Is the backup software is running when and as it should?
- Is the hardware storing the backups is operational?
- Is the entire process of reading the backup data and getting back to the original device fully tested and documented?
Put some serious thought and planning in your backup plan.
Follow the 3-2-1 Rule. 3 copies of the data, on 2 different media, 1 is off site. I suggest you test every copy of the backup data. So, for every device you backup, you have at least 2 different tests to run. Be warned: This is a time-consuming process that will keep you away from customers.
DOCUMENT, DOCUMENT, DOCUMENT
You have a lot of options for managing your antivirus, backups, and OS patches. All can achieve the same results, but the methods will vary. Likely you will delegate this task to a team, or at the least, a couple of people. Documentation is crucial to reproducing results, not missing key items, and proving you are doing what you say you are doing.
Document the configuration of the software. Document the expected behaviors and results. Create a checklist to follow when you do your reviews. Checklists allow you to demonstrate you have a consistent process you follow. Checklists make it easy identify areas you’re lacking so you can improve your processes. Checklists allow people new to the job to understand how things run. As your business needs change, you can easily see what to adjust to meet your additional needs.
Many state and federal laws and regulations require businesses to not only secure their environment but also be able to prove they are doing do. You must be able to prove you are regularly watching your environment, addressing issues in a timely manner, and changing your security policies to keep up with your changing business requirements. For each security area (antivirus, OS patches, backups), have a checklist of what needs to be reviewed and its expected condition. Note the actual condition. If it’s different, document the required fix. Note the date and person who executed the checklist. Note the date and person who implemented any fixes found (you may not always fix a problem as soon as you find it). If there’s a legitimate business case for leaving a problem unresolved, be sure to document that, and identify the person with the authority to make that decision.
MAKE IT EASY ON YOURSELF – GET GOOD HELP
A Good Managed Services Provider is Invaluable
Done properly, managing these various systems should only take a few hours every day. And these alone won’t keep you safe or out of trouble. When you get serious about security, especially if you are in a business that has any kind of compliance requirements (PCI, HIPAA, etc.), we’ve only scratched the surface. Auditing, firewalls, security reviews, training, and more come in to play as well.
Most businesses have a reasonable duty to protect their clients’ information. When you consider what your actual job requires of you, and what managing your security requires, ask yourself if doing this on your own can meet the expected level of care. This is where a good Managed Services Provider (MSP) comes in. A good MSP will have the tools necessary to monitor it all, see what you’re missing, and provide the active management your security requires.
If you’d like develop a more robust security policy, I suggest starting with a Baseline Information Security Policy.