According to a recent study by the Kelser Corporation, 65% of cyber attacks are aimed at small to medium businesses (SMBs). This is a concerning statistic. SMBs often cannot support the IT security infrastructure of an enterprise business, which makes them a prime target for attackers. Let’s look at three things SMBs can do – Security Awareness Training (SAT) with a Phishing Simulation program, a strong Information Security Policy (ISP) with a Business Continuity and Disaster Recovery (BCDR) plan, and consistent data backups – to strengthen their security posture without breaking the bank.
#1 Security Awareness Training (SAT) with a Phishing Education and Simulation Program – What is Security Awareness Training? SAT is a program in which employees are provided initial and recurring education about their responsibilities around the secure and proper use of information technology, including:
- Laptops, desktops, peripherals, USB flash drives, servers, phones
- Desktop-based, server-based, and Software as a Service (SaaS) software
- Physical environment
  - Data centers, server rooms, secured office space, cubicles, desks
- Classification and protection, secure storage, movement, and processing of data
A Phishing Education and Simulation program should also be a part of your overall SAT. Phishing is the most prevalent type of social engineering attack: a targeted email, phone call, or text from someone posing as a legitimate institution, designed to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. A phishing simulation is an exercise in which employees receive a mock phishing message of this kind, and the goal is to see whether they recognize it and report it rather than act on it.
Best practices include:
- Train employees in the common types, features, and risks of phishing attacks.
- Run a simulation of a phishing attack on a subset of employees to see if they spot and report the phish.
- If an employee falls for the simulated phish, provide additional remedial training.
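The three steps above produce a stream of per-employee results that someone has to turn into a decision: who spotted and reported the phish, who fell for it, and who needs remedial training. The script below is an added example, not code from the original article or from any phishing-simulation product; the event-log format, the sample events and the remedial-training rule (anyone who clicked or submitted credentials is retrained, even if they reported afterwards) are assumptions for illustration. It sorts events by time so that an employee who reported the message before clicking is credited differently from one who clicked first and reported afterwards.

```python
"""Tally phishing-simulation results and decide who needs remedial training.

Added example, not from the original article. The event-log shape, the
sample data and the remedial-training rule are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events from one campaign: (timestamp, employee, action).
# Actions: sent, clicked (followed the link), submitted (entered credentials
# on the landing page), reported (used the report-phish button).
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:00", "alice", "sent"),
    ("2024-03-04T09:00:00", "bob", "sent"),
    ("2024-03-04T09:00:00", "carol", "sent"),
    ("2024-03-04T09:00:00", "dave", "sent"),
    ("2024-03-04T09:05:12", "alice", "reported"),   # spotted and reported, never clicked
    ("2024-03-04T09:07:40", "bob", "clicked"),
    ("2024-03-04T09:08:02", "bob", "submitted"),    # fell for it completely
    ("2024-03-04T09:11:30", "carol", "clicked"),
    ("2024-03-04T09:12:15", "carol", "reported"),   # clicked, then reported on realizing
    # dave: no further action (ignored the message)
]


@dataclass
class Outcome:
    clicked: bool = False
    submitted: bool = False
    reported: bool = False
    reported_before_click: bool = False


def tally(events):
    """Fold the event stream into one Outcome per employee.

    Events are sorted by timestamp so that ordering (report before click vs.
    after) is evaluated correctly regardless of the order the log arrived in.
    """
    outcomes = defaultdict(Outcome)
    for _ts, who, action in sorted(events):
        o = outcomes[who]          # touching the entry registers the recipient
        if action == "sent":
            continue
        elif action == "clicked":
            o.clicked = True
        elif action == "submitted":
            o.clicked = True
            o.submitted = True
        elif action == "reported":
            o.reported = True
            if not o.clicked:
                o.reported_before_click = True
        else:
            raise ValueError(f"unknown action {action!r}")
    return dict(outcomes)


def needs_remedial_training(outcome):
    """Assumed rule: anyone who clicked or submitted is retrained, even if they
    reported afterwards (reporting late is still better than not reporting)."""
    return outcome.clicked or outcome.submitted


def campaign_metrics(events):
    """Campaign-level numbers a security lead would track between simulations."""
    outcomes = tally(events)
    n = len(outcomes)
    clicked = sum(o.clicked for o in outcomes.values())
    submitted = sum(o.submitted for o in outcomes.values())
    reported = sum(o.reported for o in outcomes.values())
    remedial = sorted(who for who, o in outcomes.items() if needs_remedial_training(o))
    return {
        "recipients": n,
        "click_rate": clicked / n,
        "submit_rate": submitted / n,
        "report_rate": reported / n,
        "remedial_training": remedial,
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Tracking the report rate alongside the click rate matters: the click rate tells you how many people were fooled, but the report rate tells you how quickly the security team would hear about a real attack.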
There are numerous benefits of SAT and Phishing Education and Simulation. For SMBs, it is essential that all employees know the roles they play in keeping the organization secure against cyber attacks. Why?
- 64% of SMBs have faced web-based attacks.
- 62% of SMBs have encountered phishing & social engineering attacks.
- 59% of SMBs have experienced botnets.
- 51% of SMBs have been a victim of denial of service (DoS) attacks.
- 91% of breaches are caused by human error.
#2 Information Security Policy (ISP) with a Business Continuity and Disaster Recovery Plan (BCDR) – One of the key takeaways of Security Awareness Training is to never assume that your employees know everything about your processes and protocols. You cannot hold employees accountable for something they do not know. This is where your Information Security Policy (ISP) comes into play.
An ISP is a set of high-level information security policies that address security controls within the organization. It provides a set of standardized rules and processes for the use of organizational information technology assets. Each subpolicy listed in the ISP should include an Overview, the Purpose, Scope, the Policy text, and information on Enforcement of the Policy. Which subpolicies are included in the ISP depends on the organization and the data to be secured, but at a minimum they should include:
- Acceptable Use
- Change Management
- Data Classification/Retention
- Incident Response
- Network Access
- Patch Management
- Remote Access
- Risk Assessment/Management
- Security Awareness and Training
- Third Party Service Providers
Along with your ISP, but created and maintained as a separate document, you need a Business Continuity and Disaster Recovery (BCDR) Plan. At times, there can be some confusion over the difference between an Incident Response (IR) Plan (which is a subpolicy of the ISP) and the BCDR. Once an incident has been detected, the IR plan guides the team in the mitigation and containment of damages. It is the first plan triggered when an event escalates to an incident. The Disaster Recovery Plan comes into play after the incident has been mitigated/contained and guides the organization in recovering from any damages due to the incident and getting impacted IT systems back online safely and efficiently. The Business Continuity Plan focuses on getting the entire organization back to full functionality after an incident.
The BCDR is critical to have in place and should be tested on at least an annual basis and updated based on the test results, as well as changes to the organization.
#3 Consistent Data Backups – This one is obvious to many, but not practiced by all. Backing up your data is a critical component of securing your business. Policies such as Incident Response and Business Continuity and Disaster Recovery assume that current, secure backups of systems are available in order to execute process steps and to mitigate/contain data loss.
According to CP-9 (Information System Backup) of NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), best practices for data backup call for an organization to:
- Conduct backups of user-level information contained in the information system (any information other than system-level information).
- Conduct backups of system-level information contained in the information system (system-state information, operating system and application software, and licenses).
- Conduct backups of information system documentation, including security-related documentation.
- Protect the confidentiality, integrity, and availability of backup information at storage locations (e.g., with digital signatures and cryptographic hashes).
Data backups should be frequent and regular and include remote storage. How often your business runs data backups depends on several factors, including the classification of the data, the amount of data, the number of systems holding data, recovery time/recovery point objectives, and resourcing. Where and how long you retain data backups should be outlined in your Backup and Data Retention Policies in the ISP. When you run an annual BCDR test, be sure to include the mounting of data backups to ensure the quality and consistency of the data.
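The last CP-9 item and the annual restore test go together: a backup whose integrity you cannot verify is one you cannot safely restore from. The script below is an added example, not code from the original article or from NIST; the manifest format, the HMAC key handling and the constructed sample backup set are assumptions for illustration. It computes a SHA-256 digest of every file in a backup set, authenticates the manifest with HMAC-SHA256 using a key kept separately from the backup media, and then re-verifies the set before restore so that both silent corruption of a file and a forged manifest are caught.

```python
"""Backup integrity manifest: hash every file, authenticate the manifest with
HMAC-SHA256, and re-verify before restore.

Added example, not from the original article or from NIST SP 800-53. The
manifest format, key handling and sample backup set are assumptions.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large backups do not load into memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_body(files):
    # Canonical JSON so the HMAC is stable across runs and platforms.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, key):
    """Return {"files": {relative path: sha256}, "hmac": tag}.

    The HMAC key must live somewhere other than the backup media: plain hashes
    only detect accidental corruption, because anyone who can alter the backup
    can recompute them. The keyed tag is what detects deliberate tampering.
    """
    backup_dir = Path(backup_dir)
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }
    tag = hmac.new(key, _manifest_body(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_dir, manifest, key):
    """Check the manifest tag first, then every file. Returns (ok, problems)."""
    expected = hmac.new(key, _manifest_body(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch (manifest altered or wrong key)"]
    backup_dir = Path(backup_dir)
    problems = []
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    for extra in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected file: {extra}")
    return not problems, problems


def demo():
    """Run on a constructed backup set; return the verify results for a clean
    set, a corrupted file, and a manifest forged without the key."""
    key = b"constructed-demo-key-keep-off-the-backup-media"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'acme');\n")
        (root / "config.yaml").write_text("retention_days: 90\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulate bit rot or tampering on the restore media.
        (root / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'evil');\n")
        corrupted = verify_backup(root, manifest, key)

        # Simulate someone rewriting the hashes to match, but without the key.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["db/customers.sql"] = sha256_file(root / "db" / "customers.sql")
        forged_result = verify_backup(root, forged, key)
    return clean, corrupted, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "corrupted", "forged"), demo()):
        print(label, result)
```

In the annual BCDR test, run the verification against the copy you actually intend to restore from (the remote or off-site copy), not the primary, and only mount the backup once it passes; a manifest that fails its HMAC check is a finding for the test report, not something to work around.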
Cyber attacks on SMBs are no longer a question of “will my business be a target?” but rather “when will my business be a target?”. If SMBs put these three practices in place, it will prove to be a big step forward in securing the organization. Failing to do so can lead to serious consequences, including loss of revenue, fines and penalties, loss of goodwill, and even the failure of the business.