SMB Cyber Security and Audits. The Why’s, the How’s, and the steps…

SMB Cyber Security and Audits. The Why’s, the How’s, and the steps…

Why?

    • To maintain your company’s “security hygiene.” 
    • To identify critical weaknesses in your cybersecurity protection measures
    • To Keep in Compliance with Industry Regulations – When you get audited for non-compliance the large auditing firm’s assessors and examiners may charge up to $500 per hour for reviewing systems for noncompliance and your network for vulnerabilities.
    • Because You’re Not as Safe from Attack as You Might Think
    • To Increase Cybersecurity Awareness

Audits Consist Of…

The examination includes looking for vulnerabilities in not only your information technology systems but those related to your business processes, physical security.

A security assessment can identify risky behavior by employees. It identifies the areas where more training is needed to increase their security weaknesses as well as testing your IT systems for vulnerabilities.

The purpose is to not only document areas that are vulnerable but to identify and recommend steps that to take that will lower the risks of attacks in the future.

Additionally, they identify operating systems, software licenses, unpatched systems/software and policies and procedures that may no longer be applicable or might be out of date.

A security assessment not only allows you to test your IT systems for vulnerabilities; it can also help to identify risky employee behavior.  Allowing you and take corrective actions to prevent incidents and provide awareness training them.

Think of this as a cyber technology assessment, much like you would your annual physical at your primary care physician.

Here’s Where Simple Audits Come In

Performing simple audits more frequently will allow you to regularly monitor the current security status and effectiveness of your systems. Also, ultimately, take less time.

There are a few ways to handle conducting security assessments, internally or through a trusted assessment provider.  Third-party security assessments, though more costly, are essential, unless you have a dedicated team of IT security professionals.

The Cost of Not Doing Audits and Assessments Are Going Up

Security breaches are costly, and they are up 1.5 percent this year to a whopping $3.92 million (According to the Ponemon Institute’s Cost of a Data Breach Report) and installing a security solution alone is not enough to stop them.   It takes conducting regular security assessments to building a culture of security and constant vigilance.

Corporate data is not only stored electronically, but it is digitally processed, and transmitted over IT networks, requiring a secure and efficient use of technology. So how do you secure against external and internal threats, like data breaches, data loss, and system failures?  For the SMB, any of these can result in several disastrous consequences that may prove catastrophic.

The Cloud, Regulations, BYOD, and Hackers are killing small businesses

1. You’re on the Cloud – 24% of cloud hosts haven’t even applied high-severity patches. Additionally, 49% of cloud databases are not encrypted while at rest. (Think the latest Capital One hack.) Your data liability does not pass on to your cloud service provider. You are still liable for any data loss. Not your cloud service provider. (It wasn’t Amazon’s fault that Capital One misused their platform.)

2. All major regulations require regular security assessments and audits of third-party providers as part of their compliance certifications. 

3. To keep up with the newest technology threats – big data, Bring Your Own Device (BYOD), IoT (internet of things), virtualization, the mobile revolution, and consumerization.

4. To detect security breaches – The faster you identify and contain a data breach, the lower your costs will be.

But My Small Business Isn’t a Target.

Don’t fool yourself. You’re likely an easy target.  Most SMBs do not have a sophisticated IT infrastructure.  When attacked, the likelihood of a hacker infiltrating their system is close to 100%.

Also, you’re responsible for doing something about it.

A security assessment has two components: 

    • A Comprehensive Security Review
    • Security Testing

The Nine Steps of a Comprehensive Security Review

Step 1 – Create a core assessment team.  A team of professionals from within your organization that includes the owner/CEO, the IT manager, and heads of different departments, if necessary. Your assessment team will take responsibility for leading the assessment, preparing the report, and suggesting recommendations.

Step 2 – Security policies – Your business may or may not have a set of security policies. If not, now is the time to create them.  If you do have them, review each one to make sure it’s still relevant with any recent legal changes. These policies should cover your security strategies, data backup plans, password management policies, security update/patch timelines, and other cyber-technology related details.

Step 3 – Create an IT asset Database. Make a comprehensive list of every software and hardware asset that your company owns. Say What?

How do I do it?  Make a complete checklist of what the business owns by listing all the valuable assets of the company that requires protection. 

    • Hardware and equipment:
      • Computers
      • Laptops
      • Servers
      • Hard drives
      • Firewalls
      • Routers
      • Switches
      • Printers
      • Phone systems
      • Mobile devices
      • IoT devices 
    • Software
      • Online tools
      • Applications
      • Email servers
      • Cloud storage
      • Data management systems
      • Financial accounting systems
      • Payment gateways
      • Websites
      • Social media account
    • Files and data storage systems 
      • Company finance details
      • Customer databases
      • Product information
      • Confidential documents
      • Intellectual-property
      • To name a few and there may be more

Step 4 – Understand threats and vulnerabilities. Prepare a list of the potential risk and threats to the business. You can base this on past experiences, experiences of your peers, news reports, etc. Identifying these risks and threats helps you better conduct your security test.  It assures that all your security measures can be well-implemented, and you identify any gaps in your system that are exploitable. 

    • These risks and threats can include:
  • Hardware and equipment failure
    • Natural Disasters (Earthquakes, Hurricanes, Tornados, Fire, and Floods)
    • PC viruses
    • Malware
    • Phishing
    • Ransomware
    • Hacking attacks
    • Theft of physical property or equipment
    • Theft of data whether external and internal
    • Data Loss
    • Unauthorized access

Step 5 – What is the Impact on my Business? The effect may include loss of brand value or credibility, monetary, or loss of clients

Step 6 –Categorize the probability. What is the likelihood of a particular risk happening?  Higher the risk = higher the likelihood of occurrence

Step 7 – Make a Plan.  List what you are currently doing and outline further actions that can help mitigate the identified risks. These topics may include policy changes, new procedures, training content, new hardware/software, new business applications, and configuration changes. 

Step 8 – Prepare a report that summarizes your findings

Step 9 – Take steps to implement the needed actions

The Five Steps of Security Testing

Once you have completed the security review, it is time to take a more in-depth look into your system to evaluate your security posture.

Security testing can help you evaluate and test the security strength of your hardware, software, networks, and other IT systems. It can be done concurrently along with your detailed security review process, or independently.

Step 1: Cyberattack simulation tests also called Penetration tests or “Pen Tests.” These are pre-authorized simulation attacks on your computer system help identify the weaknesses as well as the strengths of your existing system. A comprehensive Penetration Test uses ethical hackers and will run a small-medium business about five-thousand dollars.

Step 2: Security scanning – uses some specialized scanning software to run a complete scan of your network, all attached devices, and applications.  To identify threats and risks, you should be performing these scans monthly. If you have a security software package, it probably provides a feature that includes real-time and automatic scanning. Having software in place that has these features is a priority, so if you don’t have one, you should get it implemented as soon as possible.

Step 3: Vulnerability scanning – When you have been using a system for a long time, you run into a situation “where you can’t see the forest for the trees.” A vulnerability scan is an inspection of the potential points of known exploits on a computer or network that locates security holes and rates them based on the possibility and severity of problems.  

    • These include:
      • To identify the use of outdated versions or unpatched software.
      • To identify users with weak domain passwords. According to the 2019 Verizon Data Breach Investigations Report, 80% of hacking-related breaches still tied to passwords 
      • To automatically scan your systems and detect weaknesses.

Step 4: Survey employees to identify weaknesses – Human error is a significant cause of cyberattacks. Interviewing employees helps to identify risky behavior and correct poor security practices.

    • A few questions you might ask
      • Do you know your friend’s system password, just in case of an emergency?
      • How many times do you postpone an automatic security update?
      • Do you write down your system passwords?
      • Use vulnerability management software to scan your systems and detect weaknesses automatically.
      • Are you aware of any confidential data that you can access?

Step 5: Ensure vendor compliance. It is not enough to secure your systems, but you must also verify the credentials of your vendors and other business partners. It is crucial that you routinely check with your suppliers and business partners through surveys and questionnaires to ensure that they are maintaining compliance with all industry regulations.

When to Bring in Professional to Help

  

Some companies provide third-party security assessments. They have experienced and certified staff who can conduct a complete evaluation of your security posture and advise you the next steps to take. Additionally, many offer services that will assist you in the implementation of proper security protocols. 

Costs vary widely and can range from $1,000 for simple tests to over $50,000, depending on the size of your business, complexity of operations, and scope of the assessment.

Face it no matter what your size, businesses are vulnerable to the hazardous threats and cyber-attacks that can cripple your operations.  The survival of your business depends solely on how fast you can adapt to the continually transforming digital landscape that faces firms today.

Establish and Enforce a Security-First Mindset.

Conducting security assessments puts you firmly on the path to maintaining a secure IT environment that is equipped and ready to meet these challenges head-on.