Cybersecurity strategies are an absolute must for organizations of all sizes, and increasingly for small to medium-sized businesses and enterprises that haven’t invested as much as their larger counterparts. It can be difficult to stay on top of cybersecurity because the landscape is constantly shifting: cyber threats continue to evolve, and the skills required to secure IT environments can be scarce and expensive to pay for full-time.
However, SMB cybersecurity and cyber security for SMEs (small to mid-sized enterprises) benefit greatly from being built on a strong framework of best practices for securing people, processes, and technology. Several components go into a successful cybersecurity strategy, including tools, training, and controls.
Vulnerability Assessment Solution
To get a clear picture of where your cybersecurity strategy is lacking, you have to assess what vulnerabilities exist in your environment. If you have the skills in-house to do this, search the market for a vulnerability assessment solution that can scan your networks, connected devices, websites, systems, and other potential entry points for cyber criminals. At this point, “more than two-thirds of organizations consider security vulnerability testing to be a best practice.”
If your organization doesn’t have cyber security skills in-house, partner with a firm that provides vulnerability assessment services. They can scan these systems for you and provide a report with prioritized risks and level of effort to remediate. Once you identify what security gaps exist, you can create a roadmap to get to a secure future state.
An example output from a vulnerability assessment solution (image not reproduced; source: https://www.resolutets.com/vulnerability-assessment/)
Resolving vulnerabilities is a great place to start, but without changing the processes that led to them it will only be a temporary fix. A review of your organization’s current operations will highlight flaws in existing processes and give you a summary of your overall risk rating and maturity, along with a detailed assessment of how your practice stacks up against industry-standard controls.
Here are the Top 20 CIS Controls to consider when shoring up typical Practices and Controls:
Implementing best practices across your processes and controls delivers a strong foundation for risk management and should be a key part of any comprehensive cybersecurity strategy.
Select an IT Security Champion or Promote a CISO
Cybersecurity for SMEs should involve someone in the role of Chief Information Security Officer; for SMB cyber security, having someone with cyber security under their purview is sometimes enough. In any case, organizations need at least one person dedicated to taking the lead on their cybersecurity strategy. Invest in training and certifications, and ensure your cyber security champion is confident in their ability to keep the organization secure as it grows and evolves.
In fact, many mid-sized companies lack an IT security role. According to Gartner, “24% of midsize organizations do not have anyone with a dedicated information security or IT security role.”
By keeping up to date with cyber security best practices and the cyber threat landscape, security champions provide valuable insight into internal operations and ongoing projects and initiatives. They are an important part of the cyber security strategy for a business and can act as the “voice of security” on project teams. Security champions ask the questions that get other team members to investigate whether each aspect of a project meets the appropriate security criteria.
“In 2018, The Global State of Information Security Survey 2018 (GSISS), a joint survey conducted by CIO, CSO, and PwC, determined that 85% of businesses have a CISO or equivalent. The role of CISO has broadened to encompass risks found in business processes, information security, customer privacy, and more.”
End User Training
It’s no secret: better user and employee training is one of a business’s best defences against cybercrime. Hackers and cyber criminals often leverage social engineering to exploit staff and get around firewalls and technical defences. Security awareness training involves educating staff on what cyber threats are, how to identify them, and what to do when they are detected.
There are many end user training and security awareness training programs that contain:
- Simulated phishing exercises to get a baseline for how many employees would fall for a real threat by testing open rates, click rates, and who attempted to open attachments
- Education modules to learn about each type of cyber threat, security options, and what to watch for in emails, social media, and other attack vectors
- Quizzes and tests to gauge the effectiveness of learning
- Advanced reporting to determine the level of risk your organization faces from human error
Even with the most advanced security tools and processes in place, users can accidentally open your systems up to threats like ransomware, spyware, data breaches and other cyber-attacks. From Verizon’s 2017 Data Breach Investigations Report, “close to 90% of successful network breaches were caused by user error.” At the end of the day, users are the last line of defence in your cybersecurity strategy.
Multi Factor Authentication Solutions
Multi-Factor Authentication (MFA) or two-factor authentication (2FA) solutions require a second device or login step to verify a user’s identity. MFA and 2FA solutions are typically employed on programs that require an additional layer of security or contain sensitive information. While multi-factor authentication solutions have existed for some time, there has been a surge in implementing enterprise-grade MFA solutions as part of SMB cyber security and cyber security for SMEs.
Multi-Factor Authentication prevents cybercriminals from leveraging brute-force tactics, pure social engineering, and other methods of uncovering user login credentials to access accounts. MFA logins require verification of identity via a pre-approved second method. The second method can be a fingerprint, software on your smartphone, or a security code sent via another channel.
Some of the Top Multi-Factor Authentication Solutions include:
- CA Strong Authentication
- Okta Verify
- Duo Security
- Google Authenticator
If you’re planning on selecting and implementing a multi-factor authentication solution at your business, do some research into the pros and cons of each and what sorts of systems they work best with. Different MFA solutions work best in specific situations depending on your processes, applications you are looking to protect, and the type of infrastructure or cloud platform it is hosted on.
Example of a Multi Factor Authentication Solution in Action
Advanced Antivirus and Firewall Security
Enhanced security for internal networks is essential to protecting the connected devices and the data being shared and stored on them. Having antivirus software and a firewall is a good start; however, there is a considerable difference between having the bare minimum and having tools robust enough to protect your enterprise network, data, and devices.
Enterprise-grade antivirus should protect devices, applications, emails, operating environment, and sensitive data. There’s a diverse endpoint security software marketplace so it’s a good idea to regularly review your business’s security requirements to ensure your existing software meets the evolving needs of your organization.
Firewalls prevent unwanted or unauthorized access on networks. While there are numerous vendors for firewalls, an enterprise cybersecurity strategy should be built on a next-generation firewall with enough advanced features to protect your network from sophisticated threats. Look for features such as deep packet inspection, intrusion prevention, privacy tools, multi-layer ransomware protection, website filtering, and security policy capabilities.
Email Security Solution
According to Verizon’s 2019 Data Breach Investigations Report, “More than nine in 10 malware infections were delivered to victims via email last year. The most commonly used file type for concealing malware was Microsoft Office documents (45%), followed by Windows apps (26%).”
If your business doesn’t already have an email security and management tool, it is a worthwhile addition to your cyber security arsenal. Email Security Gateways provide features like phishing protection, malware protection, spam filtering, and blocking of impersonation attempts. Beyond end user training for your team, email protection adds another layer of defence against URLs and attachments that could compromise your systems. Most email security tools come with a rich admin and reporting dashboard that lets organizations pinpoint what types of threats they are facing and how their team responds to them.
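To make the gateway features just listed concrete, here is an added example (not code from the original article or from any gateway vendor) of the kind of header and attachment checks such a product applies before a message reaches an inbox: a display name that matches a protected executive but comes from an unexpected address, a sender domain that is a lookalike of the organization’s own, a Reply-To that diverts responses elsewhere, and an attachment type that commonly carries macros or executables. The organization domain, the protected-people list, the risky-extension policy, and the sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed: the organization's own domain
PROTECTED_PEOPLE = {"jane doe": "jane.doe@example.com"}  # assumed: executives a gateway watches for
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm"}  # assumed attachment policy


def _normalize(text: str) -> str:
    """Fold common lookalike substitutions (rn->m, 0->o, 1->l) so 'examp1e.com' compares equal to 'example.com'."""
    return text.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no check fired."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # 1. Display-name impersonation: trusted name, untrusted mailbox.
    expected = PROTECTED_PEOPLE.get(_normalize(name).strip())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}, expected {expected}")

    # 2. Lookalike sender domain: differs from ours but folds to the same string.
    if from_dom and from_dom != ORG_DOMAIN and _normalize(from_dom) == _normalize(ORG_DOMAIN):
        findings.append(f"lookalike sender domain: {from_dom}")

    # 3. Reply-To pointing at a different domain than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {reply}")

    # 4. Attachments whose extension is on the risky list.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {filename}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_CLEAN = "From: Bob Smith <bob.smith@example.com>\nTo: ap@example.com\nSubject: Lunch\n\nSee you at noon.\n"
SAMPLE_IMPERSONATION = "From: Jane Doe <jane.doe@example.net>\nTo: ap@example.com\nSubject: Urgent wire\n\nPlease call me.\n"
SAMPLE_LOOKALIKE = ("From: Accounts Payable <ap@examp1e.com>\nReply-To: ap@example.net\n"
                    "To: finance@example.com\nSubject: Updated bank details\n\nSee below.\n")
SAMPLE_ATTACHMENT = (
    "From: Vendor <billing@example.net>\nTo: ap@example.com\nSubject: Invoice\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XYZ\"\n\n"
    "--XYZ\nContent-Type: text/plain\n\nSee attached.\n"
    "--XYZ\nContent-Type: application/octet-stream; name=\"invoice.docm\"\n"
    "Content-Disposition: attachment; filename=\"invoice.docm\"\n\nAAAA\n--XYZ--\n"
)

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("impersonation", SAMPLE_IMPERSONATION),
                          ("lookalike", SAMPLE_LOOKALIKE), ("attachment", SAMPLE_ATTACHMENT)]:
        print(label, "->", assess_message(sample) or "no findings")
```

Real gateways layer these heuristics on top of SPF, DKIM and DMARC results and sandbox detonation of attachments; the value of the reporting dashboard mentioned above is that each finding like these becomes a countable event you can trend per team.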
Here is a list of some of the top Email Security Gateways:
Provide a Secure Way for Employees to Work Remotely
Many modern workplaces leverage a remote workforce or allow staff to work remotely and connect into the corporate network from outside the office. While this is a great option from a flexible work standpoint, it can cause some security concerns if not managed appropriately.
According to TrustWave in their Global Security Report, alongside weak passwords “the most common cause of data breaches was weak remote access security for workers connecting to key systems outside of the office.”
Creating clear policies and documentation on how team members and partners should connect to the corporate network should be a priority for anyone looking to improve their cybersecurity strategy. Determine what type of VPN your organization should use to create a secure tunnel, and educate employees on how to use it appropriately.
Active Software Updates and Patch Policies
Enterprise hardware and software is still only as secure as your organization makes it. Servers, applications, databases, and devices need regular patching to keep them secure against the latest vulnerabilities and threats. Active patch management keeps cyber criminals from exploiting security holes that are discovered after a software or hardware version has been released.
According to Trustwave’s 2019 Global Security Report, “The number of vulnerabilities patched in five of the most common database products was 148, up from 119 in 2017.”
In addition to security fixes, software updates can also include new or enhanced features, or increased compatibility with different devices or applications. They can also improve the stability of your applications and remove outdated features.
Disaster Recovery Strategy Aligned to Your Recovery Time Objectives
An up-to-date and regularly tested disaster recovery strategy should already be part of your business, independent of your cybersecurity strategy. Disaster recovery ensures that if you lose access to your systems and data you can continue to do business and provide services, or return to providing services within an acceptable window, without a lasting impact on your business.
In the event your business is infected with ransomware, experiences permanent data loss, loses systems through an accidental change, or loses access to core systems and data for some other reason, you need a way to get back online before operations and your company’s reputation are damaged irreversibly. Alongside your cybersecurity strategy, a disaster recovery plan is a key component of risk management for your business.
If you’ve never put together a Disaster Recovery plan before, we’ve written an article that can walk you through some of the key steps including:
- Conducting threat and business impact analysis
- Which personnel to loop into your strategy and critical response team
- Setting Recovery Time Objectives
- Enacting practice drills and regular testing
- What to include in your Disaster Recovery manual
If you’re not sure your current disaster recovery plan is sufficient to get your business back online after an emergency, we’ve developed a Disaster Recovery Readiness Guide that can help you assess what areas may need improvement.
Cyber Security Strategies: Data Breach Response Plan
Cybersecurity strategies in Canada should include a data breach response plan. As of November 2018, failing to communicate when data has been exposed within a certain amount of time of discovering it opens firms up to a $100,000 fine.
“Organizations that deliberately fail to notify any data breach victim will be subject to a separate fine of up to $100,000 for every individual. Finally, “deliberately failing to keep, or destroying data breach records will also be an offense, subject to a fine of up to $100,000,” according to a government overview of the new requirements.”
Take the time to craft a template message to be used in case of a data breach, and assign someone to be the point person for such an event. Having a process and pre-approved messaging in place will provide confidence in a stressful time. Elements of a data breach response plan include:
- Defining the breach circumstance (how it occurred, how many users impacted, etc.)
- Contact info for each response team member
- Pre-defined action items to take in case of a breach
- Guidelines for interacting with the media or mentions on social media
Typical data breach announcements mention critical items such as what type of breach occurred, how many people are impacted, and what type of data has been accessed so those affected can take appropriate actions to protect themselves.
Cyber security Strategies in Canada
There is a lot to consider if you’re looking to have a comprehensive cybersecurity strategy that can protect your business from existing and emerging threats. Cybersecurity requires many tools to protect each aspect of your IT environment against threats as well as the expertise to run and report on them.
A Managed IT Security partner can help make sure your business has the right mix of safeguards to secure your operations. “The number of security pros who either already partner or plan to partner with a managed security services provider has climbed from 78% to 86%.” – Source
A cybersecurity strategy is not a one-and-done deal. It takes ongoing enhancements, regular monitoring, and initiatives to block new threats. If your business doesn’t have the capacity to manage each aspect internally, consider investing in Security-as-a-Service. Like other managed services, managed security services or Security-as-a-Service cover key aspects of cybersecurity that are performed on a weekly or monthly basis to ensure your organization is protected.