Holistic Security: The Most Effective Strategy for SMBs
By: Terry Hearn
The fight against cybercrime is constant—as soon as new security measures are established, hackers are working to counteract them. Whenever a new tool or update is released, it introduces other vulnerabilities that could potentially be exploited. In addition, with attacks costing small businesses an average of $34,000, and as many as 60% having to close their doors within six months of being attacked, SMBs cannot afford to leave gaps in their security defenses.
Despite the advances in technology, the most common cause of a breach remains the same, and the solution is just as old-fashioned. Research from the UK Information Commissioner’s Office found that 88% of data breaches were a result of some form of human error, be it poor security awareness, misplaced devices or even malicious activity.
The insider threat is very real and needs to be managed carefully, but the IT team also has to monitor the rapidly changing threat landscape, the office’s network and the devices of mobile workers—all on a tight budget. In order for SMBs to manage this, they need to develop a holistic security strategy that balances the demands of a modern workforce with a renewed company culture around security policy, allowing staff to take increased personal responsibility and freeing up IT specialists to focus on broader issues.
Culture
With limited resources, it is unsurprising that SMBs are often forced to prioritize the daily running of the company over security. However, with an average of 65,000 attempted attacks each day in the UK, this puts the company’s reputation, and possibly even its existence, under serious threat.
Security is only as strong as its weakest link, and in most cases, it’s human error that’s allowing a breach to occur. This is not to say it is intentional, but factors such as weak passwords, failing to identify suspicious communications and using unsecured networks while working remotely can all be minimized without significant investment.
Regularly updated staff training is vital for all levels of the business. The intention of this is to ensure that employees of all levels are confident in their abilities and are not afraid to ask questions or flag potential issues. Without this, individuals might be more reluctant about admitting to errors that could lead to a breach. But if there is no fear of repercussions and there is a process for communicating concerns, it is likely that issues can be quickly assessed and contained before becoming a major problem.
Improve communication
Personal responsibility also needs to be managed. Should workers wish to use personal devices, an effective Bring Your Own Device (BYOD) policy is essential, not just to make clear the importance of personal responsibility with unsecured endpoints, but to provide transparency so that workers understand the need for increased security measures and do not feel they are being monitored because they are considered untrustworthy.
Without sufficient explanation or justification, increased security measures could leave staff feeling their privacy is being infringed, making them less likely to engage positively with new security measures and more likely to resist the use of security software on their personal devices.
Endpoint protection
The rise in mobile usage has not only seen an increase in staff working from personal devices, but has ushered in IoT, meaning that the number of devices to keep track of is rapidly increasing. This means that the first stage of any effective security setup is to secure your network.
To help keep the network secure, Mobile Device Management (MDM) systems are becoming increasingly popular. These tools can ensure that only authorized devices can access your network and, in some cases, include additional security features such as the ability to remotely install security updates and wipe a device should it be lost or stolen.
Response strategy
As important as preventative activity is, damage limitation when a breach does occur is vital to minimizing the level of disruption. Larger companies might be able to weather the storm, but the negative impact on revenue and customer relations could be enough to force some smaller businesses to shut their doors.
And yet, in 2017, only 14% said they had a response strategy in place for managing incidents despite 52% of small firms and 66% of medium-sized firms identifying a breach in the previous 12 months.
Training staff on how to spot risks is important, but that is just the first stage. If your team can identify a breach but do not know what to do next, your strategy will have failed. Companies should identify the primary types of threat and ensure there is a set of guidelines in place so action can be taken as quickly as possible. This should include email templates for alerting clients and assigning staff response roles in the same way you would ensure there is a designated first-aider or fire marshal on-site.
Clear communication and an understanding of individual roles will ensure that the necessary parties are informed as quickly as possible and action can be taken swiftly.
Modern threats are complex and without a combination of security software, staff training and a company culture that tackles cyber security, the threat of a breach or attack succeeding could dramatically increase. Battling the ever-increasing number of threats that SMBs face is not a simple task, but building a holistic strategy that puts individual responsibility at the center of your security plans will help to identify potential risks quickly and minimize the damage should an attack occur.