The operative questions then become “what are the key cyber protections to have?” and “can we afford to implement them?” The answer to the second is yes, using the affordable recommendations that follow. We cannot let the “fog of cyber complexity” keep us from acting and being adequately prepared. This article suggests one effective and affordable path to a due diligence level of security operations. The threats are very real: the news reports only a small percentage of incidents, and every organization will be breached at some point (or already has been). You cannot buy cyber security; you must manage it, and the many parts that make it up, continuously. The standard cyber security suite is effective – IF it is maintained. Business owners should focus on reducing risk and minimizing legal liability.
We recommend organizations stay current on cyber threats and mitigations by associating with their sector ISAC, the local FBI outreach program, and US-CERT. We recap the threat landscape using two published summaries to motivate the recommended protections. FORBES magazine recently listed the key security threats as: social engineering, advanced persistent threats, internal threats, bring your own device, browser-based attacks, botnets, targeted malware, and the cloud. The recent Verizon data breach report’s top threat patterns were: point-of-sale intrusions, web application attacks, cyber espionage, card skimmers, insider misuse, and crimeware. The complexity of cyber capabilities and functions (illustrated below) can seem daunting, but the solution to preventing over 90% of security incidents is doing the security basics well.
We recommend a balanced cyber security approach that accommodates people, process, product and policy. Since nearly all security incidents stem from NOT doing the security basics (e.g., keeping device settings and patches current), companies must implement a security continuous monitoring (SCM) capability that watches for improper settings and abnormal behavior. The organization’s risk management plan (RMP) is the critical tool for balancing risks, resources, and priorities in support of the business’s mission essential functions. For the small business sector specifically, many security guides exist, and they converge on a few best practice protections: keep software updated, educate employees, monitor social media, employ effective passwords, limit access to sensitive data, and control downloaded apps.
The premise of the balanced and affordable approach we promote is that a company can be well protected (to at least a notional due diligence level) by implementing these guidelines: the NIST “absolutely necessary” protections, the NSA top ten mitigations, and the SANS top 20 security controls. The business environment must be configured to a high protection profile with effective security monitoring, while not overly encumbering users:
• Implement the standard cyber security suite: anti-virus, firewall, VPN, IDS, and encryption (with key management). Note – only buy security products that appear on approved product lists.
• Manage, monitor and KNOW your IT/security baseline well – you can’t manage what you don’t measure. Doing these few “management” activities well cuts incidents by roughly 90%: (a) effective program upgrade and patch management, (b) controlling network and data access (enforce least privilege), (c) application whitelisting and secure configurations, (d) keeping hardware and software inventories current, and (e) employing SCM to detect drift from that baseline.
• Secure backup is paramount: keep multiple copies in multiple locations, encrypt all backup storage, and address cloud security in your SLAs. In fact, encrypt all data at rest (storage) and in motion (external connections)!
• Manage access to the company, both physical and virtual. Use strong, unique passwords and change them whenever compromise is suspected (current NIST guidance in SP 800-63B no longer recommends forced periodic changes on their own); consider a token or biometrics as a second factor for access to sensitive data. Strictly limit privileged access.
• Proactively manage business risk using your RMP, complemented by an enforced security policy and cyber insurance.
• Provide ongoing training and education on security threats and business risks, tailored to each group of key stakeholders. Stay current on your sector’s threats and mitigations.
• KNOW your security status and metrics – periodically and independently test and assess the security suite, the ongoing processes (including backups, by actually restoring from them), security policy enforcement, and all major elements of your RMP.
• (Epilog – for a very detailed overview of “what really matters in cyber security”, see: www.sciap.org/blog1/wp-content/uploads/what-really-matters-cyber-security.pdf)
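To make the “manage, monitor and KNOW your baseline” bullet concrete, here is a small security continuous monitoring (SCM) check, added as an example and not drawn from the article or from any vendor product. It compares a snapshot of what is actually on a host against an approved baseline and reports the four kinds of deviation the basics (a) through (e) are meant to catch: unapproved or missing software (whitelist), out-of-date versions (patching), configuration drift (secure settings), and admin accounts that were never approved (least privilege). The baseline, the host snapshot, and the field names are constructed for this example; in practice the snapshot would come from your inventory or endpoint agent.

```python
# Added example (not from the original article): a minimal security
# continuous monitoring (SCM) check that diffs a host snapshot against an
# approved baseline.  BASELINE and SNAPSHOT are constructed sample data,
# and the field names are this example's own conventions, not a standard.
from dataclasses import dataclass


def version_tuple(version):
    """Turn a dotted numeric version ('3.0.13') into a comparable tuple.
    Simplification: real package versions can carry letters and suffixes."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    host: str
    category: str   # one of the check categories used in check_host()
    detail: str


# Approved baseline: what SHOULD be on the host (constructed sample data).
BASELINE = {
    # (c) application whitelist, with (a) the minimum patched version
    "approved_software": {
        "openssl": "3.0.13",
        "nginx": "1.24.0",
        "backup-agent": "2.1.0",
    },
    # (c) secure configuration items that must hold
    "required_settings": {
        "firewall_enabled": True,
        "disk_encryption": True,
        "auto_update": True,
    },
    # (b) least privilege: the only accounts allowed to hold admin rights
    "approved_admins": {"alice"},
}

# Constructed snapshot of what IS on the host right now, as an inventory
# agent (d) would report it; each deliberate deviation is commented.
SNAPSHOT = {
    "hostname": "pos-01",
    "software": {
        "openssl": "3.0.9",        # behind the baseline version
        "nginx": "1.24.0",
        "backup-agent": "2.1.0",
        "remote-tool": "4.2",      # not on the whitelist
    },
    "settings": {
        "firewall_enabled": True,
        "disk_encryption": False,  # drift from a required setting
        "auto_update": True,
    },
    "admins": {"alice", "bob"},    # bob holds admin rights without approval
}


def check_host(baseline, snapshot):
    """Return the list of deviations of a host snapshot from the baseline."""
    host = snapshot["hostname"]
    findings = []
    approved = baseline["approved_software"]

    # Whitelist and patch level of every installed package
    for name, ver in sorted(snapshot["software"].items()):
        if name not in approved:
            findings.append(Finding(host, "unapproved_software",
                                    f"{name} {ver} is not on the whitelist"))
        elif version_tuple(ver) < version_tuple(approved[name]):
            findings.append(Finding(host, "missing_patch",
                                    f"{name} {ver} is below required {approved[name]}"))

    # Required software that is absent (e.g. the backup agent was removed)
    for name in sorted(approved):
        if name not in snapshot["software"]:
            findings.append(Finding(host, "missing_software",
                                    f"{name} is required but not installed"))

    # Secure configuration drift
    for key, required in sorted(baseline["required_settings"].items()):
        actual = snapshot["settings"].get(key)
        if actual != required:
            findings.append(Finding(host, "config_drift",
                                    f"{key}={actual!r}, required {required!r}"))

    # Privileged accounts beyond the approved set
    for user in sorted(set(snapshot["admins"]) - set(baseline["approved_admins"])):
        findings.append(Finding(host, "excess_privilege",
                                f"{user} has admin rights but is not approved"))
    return findings


def summarize(findings):
    """Count findings per category; this is the metric to trend over time."""
    counts = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_host(BASELINE, SNAPSHOT)
    for finding in results:
        print(f"{finding.host}: [{finding.category}] {finding.detail}")
    print(summarize(results))
```

Run against the sample snapshot it reports one finding in each category (openssl behind its patch level, remote-tool outside the whitelist, disk encryption off, and bob holding unapproved admin rights). The point of the design is that the baseline is the single, reviewed statement of the intended state, and the per-category counts from summarize() are the “security status / metrics” to track between assessments: a count that rises between runs is the abnormal behavior SCM exists to surface.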