When many people hear the term cybersecurity, they think of hoodied hackers banging away at keyboards trying to get into their computers from a dark basement somewhere. For most businesses, this just isn’t true. When we look to secure a business, we need to look past this TV and movie dramatization and get to the real meat of security. We focus on three areas: technical security, process security, and physical security.
There is no doubt that we need to secure our computer systems. Technical attacks are still the tried and true way of breaching a business. The WannaCry attack from mid-2017 was a wake-up call for patching. The attack could have been prevented if businesses had applied a patch issued two months prior. Two months is far too long to wait to apply patches today. Additionally, the networking protocol involved should have been disabled long ago. A hardened system configuration would have disabled that version of the protocol. If businesses had applied the patch or disabled the protocol version, the attack would have been minor and we probably wouldn’t have seen it on the mainstream news.
But these technical vulnerabilities and flaws aren’t being exploited by individual hackers determined to hack you. They are mostly attacked en masse by automated bots scouring the Internet for vulnerabilities and weaknesses. Even after they have been found, most of the work is still automated. How far can these automated bots go to steal information or gain a foothold? Hacking is expensive, and small businesses just aren’t worth an individual hacker’s time. Attackers are looking to amass a long list of breaches and will only interact personally in some cases, at the end, when the stakes are high enough and the automated means have been exhausted.
You may be surprised how many of your processes have security implications. Think beyond the traditional processes of user account management and incident response to your hiring process or how you work with your bank. Almost every process in your business should be created with security in mind and regularly reviewed to ensure it keeps up with the changing security landscape. One great example of a process that requires security is how you interact with your bank. A prevalent social engineering attack involves wire transfers of money. By putting controls in place to require additional authorization above an acceptable amount threshold, or even something as simple as voice passwords, you can reduce the risk of this attack and lessen the impact if it is successful.
Physical security isn’t often considered part of cybersecurity, but most compliance and legal frameworks for cybersecurity are filled with controls that protect the computer systems and printed documents themselves. While we tend to limit physical security thinking to door locks, security cameras, and alarm systems, it goes much further than that. We should also consider common-sense controls about how we use our computer systems and information outside the confines of our buildings and offices. How do you protect that laptop in your car when you stop by the store on the way home? How well do you maintain physical control over that smartphone you use to keep up with business email on the go? Physical security is often the hardest one to master since we have so little control outside the confines of our offices.
As you can see, cybersecurity is much more than just preventing the basement-dwelling hacker in a ski mask from breaking in over the internet. We need to consider the much less dramatized and flashy ways that we can lose control and allow unauthorized access to our sensitive information.