One of the top five concerns noted in Vistage’s recent report Decision Factors H2 2018, is cybersecurity.
If you have employees, customers or financial data, you are a target for a cyberattack. Cyber criminals are aggressively targeting small and midsize businesses (SMBs), and cyberattacks are increasing in complexity, frequency and severity. For many SMBs, those attacks are leading to loss of data, cash, customer records, employee information, leadership credibility, and employee and customer trust.
Yet many SMBs still haven’t taken the proper precautions to protect themselves.
Cybersecurity is a silent killer, it can shut you down like nothing else, says Joe Gavin, Vistage chief research officer. Here are his suggested actions to protect your business:
- Assess the strength of your cybersecurity – To gauge the strength of your cybersecurity, use a reputable tool — such as the Cybersecurity Framework offered by the National Institute of Standards and Technology.
- Create a layered defense – A comprehensive cybersecurity plan has three core components: people, process and technology.
- Call on a cybersecurity expert – Just as you may have an outside legal counsel or CPA, consider engaging a cybersecurity professional for additional support.
With this last recommendation in mind, I called on cybersecurity expert, Michael Davis, CTO of Countertack, to share his thoughts on this important subject. The following remarks are his.
You are the target. SMBs lack the defenses of larger organizations as the Decision Factor’s H2 2018 report identified. SMBs have smaller budgets, less security talent, and usually a lack of consistent risk management which makes for an easy and unsuspecting target.
Imagine walking in to the office Friday morning and your controller running up to you saying that all the money in the payroll account just vanished and the bank doesn’t know where it went. This attack, named an account takeover, is a type of fraud perpetrated by cybercriminals using multiple pieces of malware and human social engineering to steal money. Attackers infect your computers, watch and monitor your business processes and access your bank accounts, and then pounce at the proper opportunity to get the most money in one “smash and grab” job. In many cases, your business is let holding the bag and not getting any money returned from the bank, insurance, or 3rd parties. Very rarely is any money ever recovered.
As Joe Gavin, Vistage chief research officer mentions, layered defenses are a must to protect your business, but what layers do you pick? How do you know choosing solution X vs Y is really going to help you? There are so many variables to protecting yourself from a cyber-attack and the attacks are constantly adapting, it can be difficult even for seasoned IT security experts to pick the right options. And while starting with a risk assessment from NIST or CSF is a great option, you may not have the budget or ability to perform the process without an external IT security expert.
So, what can you do now? Today? These are my straightforward must dos for protecting your business:
Use the cloud as much as you can.
An IT security expert saying to use the cloud? I thought the cloud was “insecure”? No, majority of cloud providers, especially Tier 1 and Tier 2 providers like Microsoft, Rackspace, and Amazon are doing security better than your business could ever do it even if you hired 10 people today. Leverage their investments in IT security to protect yourself.
Having data protected in Office 365 from Microsoft for example, provides lower risk while giving your business a bunch of security capabilities you would have to manually build and manage without your IT team having to do much more than “set it up”. Normally, the additional security is “baked in” to the monthly costs you are already paying to use the provider’s services, meaning there are no additional costs except the one-time setup and configuration time to receive the security value I am referring to. Little to no ongoing maintenance or monitoring is required to get the security benefits from cloud providers.
Use Multi-Factor Authentication for everything
Attackers don’t want your laptops or servers, they want your data. Your files. Your Email. Access to these is all controlled by your identity – the username and password you haven’t changed in probably years.
Multi-factor authentication is now supported by the majority of applications and cloud providers. Multi-factor authentication provides a second mechanism to validate that you are who you say you are. “Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes” according to Brian Krebs, from Krebs on Security, one of the most well-known security journalists. (See https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/)
Google’s technology to replace passwords is obtainable by any and all SMBs, for a one-time payment of less than $50 per person. You can use SMS codes, physical keys, or even simple apps on your phone to provide multiple levels of authentication that can thwart phishing attacks, malware, and ultimately attackers getting access to your data.
Multi-Factor Authentication technology is cheap, easy to use, and the most effective defense against attackers we have today. Use it everywhere you can but especially with your email and cloud providers.
Start doing Security Awareness Training
Depending on what study or survey you want to pick, phishing is either the source of 95% of all SMB attacks or at least the #1 mechanism attackers use to get malware on your computers. Security awareness training is most important for SMBs compared to larger enterprises because you simply have less layers of defense when it comes to stopping an attacker. The first layer of any defense within an organization, large or small, are your people.
More training you say? But Mike, my people hate all the compliance training they have to do now so this won’t work. Long gone are the days of “compliance training” where employees were subjected to hours of boring PowerPoints telling them to “not click bad emails”. While that approach was somewhat effective, the new approaches to Security Awareness training are exciting, amazingly impactful, and actually pretty fun! Multiple vendors now offer “sitcoms” employees can watch that also train them on proper behavior and techniques to avoid getting infected. Two of my favorites are Mulberry from The Security Awareness Company and Restricted Intelligence. See their trailers at https://vimeo.com/6580874 and https://www.youtube.com/watch?v=8_aWktl_Oy8)
Costs are low, and include a full year of content and management of who takes what training etc. All delivered online with no setup costs.
Don’t “lie” on your Cyber Security Insurance application
Ah, insurance, it is being perceived by many SMBs as the solution to the cybersecurity problem. Why invest in security technologies, people, and processes when I can pay a fee per year and be covered if we are hacked? Sounds great but the truth is, the insurance companies are not paying. Put one little exaggerated truth on the form, and that is grounds for non-payment. Insurance companies have teams of people making you prove all the processes and controls you said you had when you filled out the form were working when the hack occurred. If they didn’t work, even for just 1 day, no coverage.
Should you not have insurance than? No. It is a great way to reduce risk if, and only if, you are 100% honest with the survey’s and applications. Your premiums will not be cheap because you are investing in reducing your risk. You might not even get approved until you do the minimum required and you better make sure that whatever you agree to do on a consistent basis you actually are doing – otherwise you will be left wit the entire burden of the costs to cleanup the hack, the stolen money, and in some cases reputational damage in the eyes of your customers.
Don’t mess around with this, do it right or tell the provider you aren’t and pay the premiums.
Michael A. Davis is the CTO of GoSecure CounterTack, an Internal Managed Security Services company that provides outsourced security services. Learn more at http://www.gosecure.net
Are You a CEO or President of a Privately Held Business? If you are also a lifetime learner, and want to learn more about Vistage, click here.
You can read more of my blogs and leadership quotes here.