SMBs: Stay Safe From Data Breaches

cbrenton / 05.01.12

As a small to medium-sized business (SMB), there are a number of steps you can take to help reduce the likelihood of experiencing a data breach.

Understand how the bad guys work

Many SMBs feel they are too small an organization to be targeted by an attacker. This stance fails to recognize that crime works differently on the Internet than in the brick-and-mortar world. A cybercriminal can quickly and easily release their malicious code to hundreds of thousands of computers. They can then sit back, wait for their malware to call home, and review which passwords, bank accounts, credit cards, social security numbers or intellectual property have been found. With a few mouse clicks they can select which pieces of information to exploit. So while in the physical world a criminal may first need to “case the establishment”, a cybercriminal mass-propagates first and cherry-picks later.

Takeaway: If you are connected to the Internet, attackers will go after you. It does not matter if you have one computer or one thousand.

A secure posture is a journey, not a destination

Back in the 1990s, you could install a firewall, deem your network “secure” and go back to business as usual. Unfortunately, those days are long gone. Modern network security requires diligence and proactive maintenance.

Think of your computers as being similar to a fleet of trucks. If you “gas them up and forget them” without periodically checking oil levels, brake pads, etc., nasty and far more expensive things will come back to haunt you further down the road.

Of course computers do not have brake pads, but here are some of the things you should be checking periodically:

Is the operating system on all of your computers a current, vendor-supported release?
Are all of your computers patched and up to date?
Can you account for all high level system access?
Can you account for all access to files holding sensitive information?
Do you check your outbound firewall logs for activity indicative of an internal host being compromised?

Takeaway: Maintaining a secure environment requires continuous attention. Expect it to require regular maintenance.
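
The last item on that checklist, reviewing outbound firewall logs for signs of a compromised internal host, is the one most often skipped. As an added example (not part of the original post), the Python script below scans a constructed set of outbound log lines for two common tells: an internal host contacting the same external address at a fixed interval (beaconing), and connections to destination ports outside an allowed set. The log line format and the allowed-port list are assumptions; adapt both to your firewall's actual output and your own policy.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample outbound firewall log (assumed format, not from a real device):
# "<epoch> OUT <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
1335830400 OUT 10.0.0.12:51000 -> 203.0.113.9:443 TCP
1335830460 OUT 10.0.0.12:51001 -> 203.0.113.9:443 TCP
1335830520 OUT 10.0.0.12:51002 -> 203.0.113.9:443 TCP
1335830580 OUT 10.0.0.12:51003 -> 203.0.113.9:443 TCP
1335830640 OUT 10.0.0.12:51004 -> 203.0.113.9:443 TCP
1335830401 OUT 10.0.0.20:40000 -> 198.51.100.7:80 TCP
1335831000 OUT 10.0.0.31:45000 -> 192.0.2.77:6667 TCP
"""
LINE_RE = re.compile(r"^(\d+) OUT (\S+):\d+ -> (\S+):(\d+) (\w+)$")
ALLOWED_PORTS = {25, 53, 80, 443, 587, 993}  # assumed outbound policy for workstations

def parse(log_text):
    """Return (timestamp, src, dst, dst_port, proto) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, proto = m.groups()
            events.append((int(ts), src, dst, int(dport), proto))
    return events

def find_beacons(events, min_hits=4, max_jitter=5.0):
    """Flag (src, dst) pairs contacted repeatedly at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst, _port, _proto in events:
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:  # regular spacing is machine-like, not human
            beacons[pair] = sum(gaps) / len(gaps)
    return beacons

def find_odd_ports(events):
    """Flag outbound connections to destination ports outside the allowed set."""
    return sorted({(s, d, p) for _t, s, d, p, _pr in events if p not in ALLOWED_PORTS})

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("beacons:", find_beacons(ev), "\nunexpected ports:", find_odd_ports(ev))
```

On the sample data the script reports 10.0.0.12 contacting 203.0.113.9 every 60 seconds and 10.0.0.31 reaching out on port 6667; both are worth a closer look at the host in question.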

Update your anti-malware software

Most legacy anti-virus applications are based on blacklisting technology. This means the software needs to be preloaded with a signature for every piece of malware it will be capable of detecting. Only once you download and install the signature are you capable of detecting that identified piece of malware.

Here’s the problem with that model. A new strain of malware hits the Internet about every four seconds, or approximately 50,000 a day. So even if you update your signature file daily, you’re potentially missing tens of thousands of malware strains that can sneak right past your defenses.

Modern anti-malware software is based on application whitelisting technology. In this model, you identify what software you want to be able to run on your system, and block everything else. This will help keep you safe even when an unknown strain of malware attempts to take over your system.

Takeaway: If your AV vendor has fallen behind the technology curve and still relies primarily on signature matching to detect malware, consider replacing the solution.

Leverage defense in-depth

Unfortunately, there are many different attack vectors a criminal can try to exploit while going after your data. Most security solutions are designed to neutralize only a few of these possible vectors. With this in mind, a layered posture that leverages defense in-depth from multiple solutions and technologies is the way to go.

Takeaway: Don’t expect any single security solution to mitigate all potential security risks.

Outsource when needed

Securing a network is a professional skill that requires a specific level of expertise. We don’t think twice about hiring a lawyer if we get sued, a doctor if we need surgery, or a mechanic if our car refuses to start. Yet when it comes to network security, for some reason we try to fall back on the DIY mentality in order to save some money.

Security breaches can be extremely costly, not just in direct financial loss but in reputation as well. When company names such as “T.J. Maxx” and “Sony” are mentioned, people no longer think of brand quality, but rather of horrible security. It is possible these brands may never fully recover.

Takeaway: If you do not have the proper security skills on staff, bring in outside help.

Reality check

Labeling something as “secure” is a bit of a misnomer. What we really mean is “secure enough based on current business need and budgetary constraints”. If you want absolute security, destroy every networkable device in your organization and bury it in the back yard. As soon as we hook a single device to a wireless network or the Internet, we’ve accepted some level of risk, whether we realize it or not. This makes “secure enough” a moving target that’s going to vary from organization to organization. The trick is finding that “secure enough” point and achieving it in a cost-effective fashion.