Know Your Risks
The state of cybersecurity is ever-evolving, and the sophistication of cybercriminals’ attacks is only increasing. Those of us in the cybersecurity field do all we can just to stay one step ahead of the game, sometimes by the skin of our teeth. According to an ISACA survey of 461 global cybersecurity managers, 75% of respondents expected to fall prey to a cyber-attack in 2016. If cybersecurity managers aren’t positive about the state of their own internal cybersecurity, what can you, a small- or medium-sized business owner, do to keep your business safe? Know Your Risks! It really is that easy, and in this blog we are going to chat about how you can assess your risks and formulate a plan to prevent yourself from falling victim.
To know your risks, first you must ask what an outsider may want. What valuable information is at risk? According to the State of Cybersecurity: Implications for 2016, an ISACA and RSA Conference study (http://www.isaca.org/cyber/Documents/state-of-cybersecurity_res_eng_0316.pdf), the major activities of cybercriminals are:
- Breaches that lead to financial gain
- Theft of personally identifiable information (PII)
- Intellectual property and classified data theft
- Disruption of service
As a business owner you must ask yourself these questions:
What data is critical to your business, and would you recover from a breach if that data was stolen? Sixty percent of small- and medium-sized businesses that experience a data breach do not recover and close within the year following the breach. Many businesses go out of business because of the fines they must pay for the stolen data.
Next you must ask yourself and the other leaders of your business: who are our biggest threat actors? In other words: who is most likely to put our business at risk of a breach? According to the State of Cybersecurity: Implications for 2016 study, the biggest threat actors are cybercriminals, hackers and non-malicious insiders. As a business owner you can buy equipment and software to keep the cybercriminals and hackers at bay, but your biggest risk is the non-malicious insider, or insider threat: you and the other employees of the business. This means that in many instances of a data breach the threat came from inside the walls of the business, usually by mistake.
According to http://staysafeonline.org/, your organization could face the following insider threats as possible gateways to a breach.
- An employee uses a USB drive from home that is infected with malware. The employee is unaware of the infection and plugs it into the work computer. The work network is now infected.
- An employee loses a laptop. Since the majority of small businesses do not have full-disk encryption enabled or a remote wipe configured, this missing laptop is now an open, unsecured gateway to your business data. It only takes two minutes to remove a hard drive and start accessing the saved data without the login password.
- A lack of password policies, internet use policies and mobile use policies makes it easier for hackers to get in under an internal user’s account.
- A disgruntled employee takes company information with him on a USB drive or sends data to a personal email before he quits or is let go.
- Finally, security experts are seeing a rapid increase of extremely sophisticated socially-engineered attacks in which hackers gain access by using other methods of intelligence. For example, there have been many cases in which hackers have called IT help desks and impersonated employees. With social media and the resources available on the Internet, it is not difficult to gain enough knowledge on an individual to be able to convince an IT department to reset a password over the phone.
With those examples in mind, you should have a better idea of what threats your business may face. What should you do now? Plan your defense! This is the simplest part of protecting your business and should not be overthought. The best-laid plans are ones that can actually be achieved. We at K2 Tech recommend starting with a third-party Network Security Assessment. This checks the network you have in place and asks all employees and owners of your business how they use their computers. Once you have your assessment and an idea of your biggest threats, you can create a customized plan for your company.
Replace any old or unsupported equipment and software first and foremost. Make sure to include the development of company IT policies and procedures in your plan, covering internet use, mobile use, email use and equipment use. We suggest these policies be included in the Employee Handbook and reviewed with all new hires during orientation. We at K2 Tech also suggest setting up a separate guest Wi-Fi network for visitors to your business and for employees to use with their mobile devices. This will protect your company’s internal Wi-Fi and keep its bandwidth at peak. For more help with your plan you can use the FCC’s Cyber Planner tool.
Last, and the most important part of keeping your business safe from risks, is to stick to your plan from the top down. Many businesses have IT policies in place but do not make the policies part of the internal company culture, so employees do not know them. A plan doesn’t work if no one knows it. K2 Tech suggests internal training at hire and at least an annual review of the policies and any changes. Make sure it is not just in the handbook but discussed on a regular basis. An untrained workforce is what creates non-malicious internal threats. Create a culture of data security with tips that your staff can use at home, and protect your community from more threats as well!
K2 Tech Group is your local National Cyber Security Awareness Month Champion; we are here to support local businesses with any questions or training. To contact us, call 803-828-7871 and ask about our Total Network Security Assessment.