Security on a Budget, Part One
In my 17-year career in Information Security, I have worked with businesses of all sizes and in many industries. One of the most common (and incorrect) schools of thought among small to mid-sized organizations is that Information Security is a big-ticket item. Many business leaders feel that Information Security is something that larger organizations, like big banks or governments, should and can worry about. As a result, smaller businesses often think of information security as unaffordable, out of their scope and therefore not something they can or should be worrying about.
There are two things that are wrong with this line of thinking:
- Security breaches do happen to smaller businesses, often with dire consequences.
- There are inexpensive things you can do that will dramatically improve the safety and security of your company’s sensitive information.
Subconsciously or not, many wrongly calculate that the cost of the control is more than the potential damage from the risk. This basic mental math, combined with an “it won’t happen to me” attitude, inevitably leads to security being an afterthought in many small to mid-sized organizations. In part one of my two-part post about Security on a Budget, I will show you that an ounce of prevention is worth a pound of cure, and that businesses can and, more importantly, need to make information security a priority.
Most attacks are opportunistic in nature. You don’t have to go far to prove this: take a look at your firewall logs. You will see a constant barrage of activity, incessant testing and probing, something constantly looking for a way in. This background noise is often mislabeled as an “advanced persistent threat” (APT), but a true APT is a targeted, well-resourced adversary that is explicitly after you. What your logs show is the opposite: automated scanners that are not after you or your customers in particular; they are simply jiggling the door handles of everyone on the net, looking for a weakness to exploit. If they gain entry, there is no end to the damage they can cause. In the past, these drive-by compromises would lead to your network being used as an additional attack point to go after bigger fish, but more recently a different type of behavior, ransomware, has become a disturbing trend. The CryptoLocker Trojan, the first ransomware to succeed at scale, encrypted documents and other data, then demanded a payment of $600 for the key to decrypt your information. I once helped on a case where a smaller Maine business had its database, the heart of its operation, encrypted by this malware. With no backups of the data and the cost of recreating it higher than the ransom, their only remaining option was to hope the ransom demand came through so they could buy the key. It is estimated that CryptoLocker operations had netted attackers about $27M globally as of December 2013.
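To see what “jiggling the door handles” looks like in practice, here is an added example (not part of the original post) that parses firewall log lines in the Linux netfilter LOG format and reports which sources are sweeping many ports and which ports draw the most attempts. The log lines, hostnames and addresses are constructed for the example; the addresses come from the documentation ranges and belong to no one.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a Linux iptables/netfilter LOG target.
# One host (203.0.113.7) walks several service ports in two seconds; the others
# each poke a single port. Everything here is made up for the example.
SAMPLE_LOG = """\
Mar  3 02:14:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=22
Mar  3 02:14:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=23
Mar  3 02:14:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51236 DPT=3389
Mar  3 02:14:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51237 DPT=445
Mar  3 02:14:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51238 DPT=1433
Mar  3 02:14:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=3389
Mar  3 02:14:12 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=3389
Mar  3 02:14:12 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.51 DST=198.51.100.2 PROTO=UDP SPT=40002 DPT=161
Mar  3 02:15:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=22
Mar  3 02:15:40 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=22
"""

# Pull the three fields we need out of a netfilter LOG line; other fields are ignored.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_drops(log_text):
    """Yield (source_ip, protocol, destination_port) for every parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def summarize(log_text, scan_threshold=4):
    """Summarize the background noise.

    A source that touches at least scan_threshold distinct destination ports is
    reported as a port sweep; the most-hit (protocol, port) pairs show which
    services the Internet is currently trying everyone's door handle on.
    """
    ports_by_src = defaultdict(set)
    hits_by_port = Counter()
    for src, proto, dport in parse_drops(log_text):
        ports_by_src[src].add(dport)
        hits_by_port[(proto, dport)] += 1
    scanners = sorted(src for src, ports in ports_by_src.items()
                      if len(ports) >= scan_threshold)
    return {
        "sources": len(ports_by_src),
        "scanners": scanners,
        "top_ports": hits_by_port.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['sources']} distinct sources probed the firewall")
    print("port sweeps from:", ", ".join(report["scanners"]) or "none")
    for (proto, port), n in report["top_ports"]:
        print(f"  {proto}/{port}: {n} attempts")
```

Run it against a real `/var/log/kern.log` (or wherever your firewall writes its LOG lines) and the same two numbers tell the story: how many unrelated sources hit you in a day, and how few of them ever return.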
As a rule, the security of a system is in tension with its usability. For example, good ol’ DOS running standalone on an Intel 286 was far less exposed than a modern, always-connected Windows 8 system, for all of the latter’s security bells and whistles: with DOS, your users had to physically introduce a virus, usually on an infected floppy disk. That still happened, but it was a totally different game. Of course, the most secure system, the one that is turned off, is also the most useless, so the key is finding the right balance of ease of use and security. The good news is that there are plenty of controls and tools, ranging from free to reasonably priced, that can help you get there. Without going into too much detail on each measure, here they are, ordered by impact relative to cost, highest first:
Establish and maintain a security culture at your organization through personal engagement and security awareness training. This can be accomplished for free if you are willing to do the work, and there are plenty of low-cost resources to help you on the way. If you are successful, you will considerably reduce the number one risk to your security – the human factor. It will reduce the probability of successful malware attacks and improve resilience to social engineering attempts.
Outsource your IT and security to a reputable organization. You will be betting on the economy of scale of these providers, who can ‘time share’ their talent, their specialists and their established processes with you. You will find that recent improvements in tools and stiffer competition have lowered prices and improved coverage and expertise, all of which is available to you at a fraction of the cost of those resources in-house.
Ensure your backups are timely and valid. This will save your company from a costly disaster in case of a successful attack or an equipment failure, which is the number one non-malicious threat to your data. Enforce centralized file storage and image your systems locally. In addition, consider backing up (and encrypting) the most important business data remotely; there are many very inexpensive service providers that will help you do this. Keep at least one copy offline or otherwise unreachable from your workstations: ransomware such as CryptoLocker encrypts files on mapped network drives too, and a backup the malware can reach is not a backup. And, most importantly, periodically test the restore process. Until you have restored from it, you do not know that you have a backup; we have seen it fail too often.
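What “periodically test the restore process” means in practice is shown by the following added example, which is not code from the original post. It backs up a directory into a compressed archive, records a SHA-256 manifest of what went in, then restores the archive into a scratch directory and checks every file against the manifest, so a truncated or bit-rotted archive is caught before you need it. The sample files, directory names and the archive name are constructed for the example; encrypting the off-site copy is a separate step that this script leaves out.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive every file under source_dir and return a manifest {relative path: sha256}.

    The manifest is the thing you keep next to (not inside) the archive: it is
    what lets a later restore test prove the archive still holds what it held.
    """
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare every file with the manifest.

    Returns (ok, problems). Any failure to read or extract the archive counts as a
    failed backup, which is why the except clause is deliberately broad.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # The "data" filter refuses members that would escape the
                    # target directory (available on 3.12 and patched 3.8+).
                    tar.extractall(scratch, filter="data")
                except TypeError:  # older interpreter without extraction filters
                    tar.extractall(scratch)
        except Exception as exc:  # truncated gzip, bad CRC, bad tar header, ...
            return False, [f"archive unreadable: {exc!r}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupted: {rel}")
    return not problems, problems


def demo():
    """Back up a constructed data set, test-restore it, then damage the archive and test again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"               # constructed sample data, not real records
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Example Lobster Co\n")
        (src / "invoices.txt").write_text("INV-001 paid\n")
        archive = Path(work) / "data.tar.gz"
        manifest = make_backup(src, archive)
        intact_ok, _ = verify_restore(archive, manifest)
        # Simulate a half-copied or bit-rotted archive by chopping it in half.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        damaged_ok, problems = verify_restore(archive, manifest)
    return manifest, intact_ok, damaged_ok, problems


if __name__ == "__main__":
    manifest, intact_ok, damaged_ok, problems = demo()
    print(f"{len(manifest)} files in manifest")
    print("intact archive restores cleanly:", intact_ok)
    print("damaged archive restores cleanly:", damaged_ok, problems)
```

Schedule the verification the same way you schedule the backup itself, and treat a failed restore test as the incident it is: at that moment you have no backup, and you would rather learn that from a cron job than from a ransom note.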
As you can see, Information Security does not have to be a big-ticket item. In part two of this Security on a Budget series, I will talk about five more ways you can affordably and efficiently protect your most sensitive and valuable information. If you are not confident, or do not know, whether your company’s sensitive information is secure, perhaps it’s time to talk to a trusted IT provider about ways to manage your Information Security Program.
The Winxnet Security Team provides information security services to customers throughout the Eastern United States. Led by Eugene Slobodzian, PhD, CISSP, the team has over 15 years of experience helping organizations keep their information safe. Winxnet security offerings include Managed Security Services, Penetration Testing, Vulnerability Management, Social Engineering Tests, IT Risk Assessments, and Virtual Security Officer consulting.