There is a children’s book, “Inside, Outside, Upside Down” featuring The Berenstain Bears, that teaches young children about spatial concepts. When it comes to securing your organization’s data, it may feel like you need to cover all of the spaces: inside, outside, and even upside down. It’s no wonder, since security risks exist everywhere: inside the network and outside the firewall, from employees accidentally leaking information via their mobile devices to outside phishing and malware threats trying to get in. With these increased cyber risks, companies of all sizes are constantly challenged with how to spatially navigate the security landscape.
Small to medium-sized businesses (SMBs) may not have dedicated security staff or security budgets compared to larger organizations. Yet their cybersecurity risks aren’t any smaller. In fact, ransomware is hitting SMBs hard. More than half of SMBs experienced a ransomware hack in 2017, according to a report by Ponemon Institute. Nearly 80 percent of SMBs said that ransomware was launched through a social engineering attack.
Your security needs are big, regardless of your organization’s size
The following can be done by your staff, even if they are not technically savvy:
Having a clear picture of the real risks facing your business, and of how an attacker might go about achieving their goals, is an essential business skill that doesn’t always require a technical background.
Unless you know exactly what your business leaders want to protect and are required to keep confidential, cybersecurity efforts may be wasted even if you’re simply following best practices. Sitting down with key managers and leaders to understand the key assets and goals for the security program is an essential first step.
What data do you work with every day? What data is confidential? What data is essential to making your product? What data is public? What data would scare you if it got out? What would you do if that data was unavailable? What information is regulated? Once you scope out the data categories, you can start developing policies and procedures.
Start applying security controls at every step of the data handling transactions. Data security controls, according to the Infosec Institute, are used to safeguard sensitive and important information. They help to detect, minimize or avoid security risks to your computer systems. If you don’t know what data security controls are needed, then you may need to consult with a third-party technical professional. However, by performing a stakeholder workflow review, you have already done a great deal of work towards a proper risk assessment.
For example, an SMB may be able to send the team to a technical conference to soak up knowledge, or set aside one hour a week to listen to a webinar. Taking on technical challenges as a group, with a fun tone around the activity and rewards for solving puzzles, can help build camaraderie and teamwork. Technical content may be difficult, but having a staff that is eager to learn and crack hard puzzles will be an asset.
There are many people in school or just out of school itching to get some real-world experience. Consider hiring an intern with technical experience. Many colleges and trade schools have well-trained students studying cybersecurity.
The more you know about your operations, network topologies, business workflows, and regulations, the better you will know what data could be at risk. Once you know what data is at risk, you can start researching and learning how a “bad guy” could get this secure data.
If you start doing both, regardless of your technical background, you can effectively manage and outsource the more technical items.
If your company has some technical experience, where should you prioritize? In addition to concentrating on your most confidential information, here’s a checklist of your core security must-haves – especially if you are under FFIEC, NCUA or HIPAA regulations:
This is where humans interact with machines, especially the mobile ones.
If you made it this far, you have built a solid security foundation. Now a process of re-evaluation and external testing will determine your next steps and tools to automate all of the above.
If your company has only one network technician, who is busy installing new firewalls and routers on top of the typical day-to-day troubleshooting and maintenance, you may find that the time and costs are too great, or too inefficient, for your organization to do it all in-house. When it comes to maintaining and improving your security, you don’t want to be stuck inside a box like Brother Bear in The Berenstain Bears’ story. And you certainly don’t want to be stuck upside down inside a box.