SMALL BUSINESS CYBERSECURITY: SHIFT FROM FOCUS ON TECHNOLOGY TO FOCUS ON PEOPLE
My company, Optimal Networks, has provided outsourced technology support to Washington DC-area small and mid-sized businesses (SMBs) for over 25 years. Finally, our clients are initiating conversations about security, not the other way around. SMBs have long operated under the assumption that, because of their size, they are of little interest to cybercriminals. Slowly but surely, they are accepting the unfortunate reality that (1) they are very much at risk, and (2) basic technology defenses are not enough to keep them protected.
To what good fortune do we owe this awakening? From my vantage point, there are a few factors at play:
- Media attention. Breaches make headlines. We hear about what was compromised, who or what was to blame, and how much it cost the company. We know, for example, that Target’s massive breach was possible thanks to their much smaller HVAC subcontractor who did not have proper controls in place.[1] We see time and time again that massive, costly attacks aren’t the result of ultra-sophisticated tech-wrangling, but of something far more mundane and pervasive: human error. With enough repetition, the concept of “risk” begins to widen.
- Pressure from the government. Our SEC-compliant clients are seeing their requirements tighten year after year.[2] Our HIPAA-compliant clients are seeing this too, and we’re experiencing it firsthand as a Business Associate.[3] Periodic risk assessments, incident response plans, and regular, company-wide awareness training – none of which are standard IT functions – are mandatory, and the consequences for noncompliance are expensive at best, dire at worst. This, not surprisingly, is a fairly powerful motivator.
- Industry push for user-facing security tools. In response to this increased attention, more and more security vendors are approaching companies like mine to resell their tools to the SMB community. While some of these tools are more standard back-end solutions (e.g., advanced network monitoring), we’ve noticed an interesting new trend: many of these security tools affect end-users directly. Multi-factor authentication, phishing tests, and ransomware simulators, for example, force our employees to take extra steps in the name of security. In other words, neither the SMB nor the user can ignore the role that individuals play in keeping our businesses protected.
Whether the push to get serious about security is due to external pressures or is simply a natural response to a growing threat landscape, SMBs are coming to understand that it can happen to them, and that their definition of “vulnerability” must count employees as a critical part of the security puzzle. As a result, businesses are adopting a more comprehensive approach to security that includes staff training as a cornerstone.
Historically, most small businesses have been content with basic technology defenses like an updated firewall, centralized anti-virus and anti-spam, and ongoing maintenance such as regular patching for servers and workstations. These make for a solid foundation, but that foundation alone is insufficient as far as protection goes.[4] These protections don’t account for human error (e.g., an employee downloading a malicious attachment), nor do they help contain and remediate a breach or infection if one were to occur.
And cyber criminals know this well.
Symantec’s most recent Internet Security Threat Report[5] shows a startling uptick in malicious emails because, “it is a proven attack channel. It doesn’t rely on vulnerabilities, but instead uses simple deception to lure victims into opening attachments, following links, or disclosing their credentials.”
Overall, 1 out of every 131 emails sent in 2016 contained malware, up from 1 in 220 during 2015. For small to mid-sized businesses (250-500 employees), the rate was at its most aggressive: 1 in 95.
In other words, our employees are our weakest link (and potentially our strongest defense) when it comes to network security. If small businesses intend to protect themselves in this ever-evolving landscape, they should:
1. Hold regular, consistent security awareness training.
Even if company-wide awareness training is not mandated by compliance regulations, security awareness training should be central to every cybersecurity initiative. A team cannot protect themselves against what they don’t understand.
This training should touch on types of threats, how they present themselves, what’s at stake, what controls are in place to mitigate risk, where those controls fall short, and how staff can help bridge the gap.[6] If in-person company-wide training isn’t feasible, film or otherwise distribute the training and verify that each employee (executives included) has reviewed the content. The less savvy the team and the more sensitive the data, the more frequently these sessions need to be held.
If the business can’t or doesn’t want to run this training internally, they can:
- Outsource to an IT company. An IT team will likely deliver a presentation tailored to the organization’s unique needs in terms of staff skill level, the IT landscape, and the company’s level of risk. Keep in mind that most IT companies are not known for their presentation skills, so be sure to vet that as part of the process.
- Outsource to a training company. If the company is comfortable with a slightly more generic presentation, perhaps supplemented with a tailored handout, training companies (local or online) have modules for staff to work through.
2. Incorporate security into their company culture.
This part cannot be outsourced.
It is, of course, important to have written policies that address passwords, mobile device use, business continuity, data privacy, employee separation, and so forth. IT teams can help businesses design and enforce these policies to an extent.
The problem with only having policies in a handbook is that staff will read them and either forget or ignore them soon thereafter.[7]
What we recommend is that SMBs adopt a security-oriented culture to reinforce those policies and give them life beyond the policy document. This means adopting a mindset of slight paranoia, in which every member of the organization (executives included) questions that odd email they received, hesitates before sending a document containing sensitive information, speaks up when a coworker writes a password on a sticky note, and refuses to leave their desk without first locking their machine.
More than anything, if we are to protect our businesses from cyber threats, we can’t keep operating under the delusion that security is purely a technical matter; we must invest in our people, too.
Because one click is really all it takes.
[1] http://money.cnn.com/2014/02/06/technology/security/target-breach-hvac/