Cybersecurity For Small Business: Beware of the Boogeyman!
I love road trips. Some of my fondest memories growing up are of my family piling into the station wagon. My father would spend an hour tying our bikes to the roof rack. Then he would spend another hour rearranging the luggage and snacks so the tailgate could close without squashing something important. I would be armed with a book, or my “Coleco Electronic Football”, or my Walkman to fight off the boredom that hit after hours of watching some rural landscape scrolling by outside my window.
On one particularly long ride to Nashville, I became very antsy. I was really young. We’re talking 4 or 5 years old. And I was probably hopped up on a combination of sugar and caffeine from all the Coca Cola, Ring Pops, and Bottle Caps I had consumed. I was driving my parents nuts by making noises, complaining, and just being obnoxious.
After taking all she could take, my mother snapped. From what I remember, her head did a complete 180. Think of an owl. Actually, it was more like Linda Blair in “The Exorcist”. Minus the mess. Anyway, I will never forget the words that mom uttered:
“If you don’t stop, The Boogeyman is going to get you.”
“THE Boogeyman?”, I mumbled.
“Yup, so shut up. Ok?”, mom said with an evil grin.
I could feel my heart start to beat out of my chest. I could feel the sting of the tear drops that were almost ready to crest my bottom eyelids. I was mortified. The Boogeyman was going to get me. ME!
Well, my dear old mom continued to use The Boogeyman to her advantage over the next few years. In fact, not even the promise of presents from Dear Old Santa could keep me in line better than the fear of the shadow cast by that dark, invisible bad guy. Thanks, Mom!
Hush, Hush, Hush (Here Comes The Bogeyman), Henry Hall et al.
Eventually, I grew up. And one day, I came to realize that The Boogeyman was a myth. He wasn’t real. Mom was pulling my leg. Such a weight was lifted off my shoulders when I finally understood what that meant.
I could do what I wanted. I didn’t have to listen to anyone, or do the right thing, anymore! IMPUNITY!
I knew The Boogeyman wasn’t real. And I continued to know he wasn’t real right up until the time my IT career led me to the world of Cybersecurity.
Now, I know for sure, The Boogeyman is… real.
He exists. And he is out to get me. He is out to get you. He is out to get your money. And he is out to get your customers.
The Boogeyman is real and, yes, you should be scared.
He isn’t a myth.
He still hides in the shadows.
And he still likes to target people who aren’t doing the right things.
You might know him by one of his new names: Hacker, Cyber Criminal, Disgruntled Employee, Virus, or Black Hat. I like to call him “The Boogeyman 2.0”, or TBM 2.0 for short.
TBM 2.0 has better technology than you do. He knows how to get to your employees. He knows how to get around your Antivirus and Firewall. TBM 2.0 can see what you are typing. He can hide on your server for months without being seen. He knows what bank you use. He knows you are running workstations with operating systems that are no longer supported. He knows you aren’t patching the newest operating system you just purchased. And he knows that small businesses are easier targets than the big enterprises.
And just like TBM 1.0, you can’t outrun him and you can’t hide.
So what CAN you do?
But wait, there’s more
Almost all businesses are aware of the “Familiar Four” of Cybersecurity. The “Familiar Four” consists of:
- Antivirus/Antimalware (Make sure these are up to date!)
- Firewalls (Must be configured properly to keep TBM 2.0 out)
- Unique User IDs
- Strong Passwords
But wait! There’s more!
Well, honestly, there is a lot more you can do. Let me rephrase that: There is a lot more you should be doing.
In today’s connected world, the “Familiar Four” of prevention isn’t enough. Passwords can be hacked. Antivirus software can be tricked or, often, is out of date. Firewalls don’t know, or care, that the link your payroll person just clicked on is taking the user to a compromised site that will convince them to hand over their username and password.
You are essentially in an arms race with TBM 2.0. To make matters worse, TBM 2.0 is winning this leg of the race. It is hard for us good guys to keep up. But you still need to try to prevent him from getting access to your systems, data, and people. As I said earlier, there is a lot you can do. In fact, the to-do list is so big that it can be overwhelming for a small business. As a result, I suggest you break the process into three phases to help wrap your head around how to get started:
- Prepare: Be ready for TBM 2.0 to breach your defenses and gain access to your assets. Put controls in place to mitigate risks. Define processes to react to incidents and events (before they happen). Monitor your network and assets for evidence that TBM 2.0 is trying to breach your defenses or has already gotten in.
- Prevent: Implement the controls (technical, administrative, etc.) that will make TBM 2.0 want to pass you by and look for easier prey. Antivirus and firewalls, for example, are prevention controls.
- Respond: Know how to react when TBM 2.0 has accessed your data or tricked you into downloading a virus. Implement the processes needed to ensure business continuity.
“Who Ya Gonna Call?” The Phases In-Depth
It isn’t a matter of “IF” you get breached; it is a matter of “WHEN”. To prepare here are some tips:
- Know what you have. You need to identify all the devices on the network. This includes servers, routers, printers, wireless access points, and even phones. It also includes any software and services running on those devices. Don’t forget your data as well. You need to know what data you have, where it resides, and how it’s categorized (sensitive, confidential, public, etc). Essentially, you are taking an inventory of everything on your network and everything on those devices. And, by the way, your employees, their roles, and their access levels need to be identified as well.
- Know your risks and vulnerabilities. There are several reasons for building that inventory. One reason is so that you can identify the risks associated with those devices and data. If you don’t know an asset’s vulnerabilities, how are you ever going to be able to protect it or know how to react when there is a problem? Be sure to categorize your risk as well. For example, a server that is needed to run your business might be labeled as “Critical” or “High Priority”. The customer card data on the server might be labeled as “Sensitive” or “Restricted”. The risk that this server might be hacked could be “High” because it has direct access to the Internet. Use labels that make sense to you and your business needs. Use labels that make it easy for you to prioritize what needs to be protected.
- Pick the risks or vulnerabilities you can afford to mitigate. Most likely, as a small business, you won’t have the budget to address every risk and vulnerability discovered. However, you must do something. This is why categorizing your assets is important. If you have a small Cybersecurity budget, you might have to spend it all just addressing the vulnerabilities of your critical, sensitive, or high priority assets and data.
- Pick the risks or vulnerabilities you CANNOT afford to ignore. Criteria for choosing which risks to mitigate might be determined by state, local, or federal laws (think HIPAA or FISMA). Industry bodies, such as PCI, could also force you to implement one control over another. The last thing you want to be facing (after dealing with customers whose info was stolen) is fines levied by the government or an industry’s governing bodies. The fines alone could cause many small businesses to close their doors for good.
- PLAN. PLAN. PLAN.
“No battle was ever won according to plan, but no battle was ever won without one.” Dwight D. Eisenhower
Listen to Dwight. You need to plan. Take all the assets you inventoried, with all of their risks and vulnerabilities, and make plans, policies, and procedures to mitigate those risks. There are many examples of IT Security Plans. Some are meant to Prepare, like a Business Continuity Plan, an Acceptable Use Policy, or a Remote Access Policy. Some are meant to Prevent, like a Password Policy, a Server Hardening Policy, or an Encryption Policy. And some are meant to Respond, like a Disaster Recovery Plan or an Incident Response Plan. As you might have noticed, some fall into more than one phase. For example, an Incident Response Plan can be considered a Preparation or Response plan. The take-home message is: you need to write plans, policies, and procedures before TBM 2.0 breaches your defenses. Cyber Insurance falls under this as well. More on that later.
- Keep an eye on things. Monitor your systems, devices, data, network, and employees to see if TBM 2.0 is knocking at the door or if he is already inside. There are lots of controls or tools you can use here: packet sniffers, log normalizers, network mapping tools, system logs, SIEM, Intrusion Detection Systems (IDS), vulnerability assessment tools, file integrity monitoring, and so on. You can do it à la carte. Or you can implement a Unified Security Management (USM/UTM) platform that contains all these goodies (usually) in one device. We at ACS highly recommend these. Talk to us if you want to know more. Again, you might not have the resources to do it all. But you need to do something!
- You’re covered. That is what every business owner or C-Level manager wants to hear when he gets the bill for a breach. In order to hear those words, it is important to have a good Cyber Insurance Policy in place before TBM 2.0 causes any problems. Breaches are costly. Cyber Insurance isn’t. It is one of those things you cannot be without today. Good policies will cover things like notification costs, Breach Coaches, forensics, and rebuilding of infrastructure. Purchasing a policy falls under Prepare. Using the policy is a control found under Respond.
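Here is how the Prepare steps above (inventory what you have, label criticality and data sensitivity, fund the fixes you cannot ignore first, then the ones you can afford) can be worked through in code. This is an added example, not ACS's method or tooling: the asset names, labels, costs, and scoring weights are constructed assumptions for illustration.

```python
# Added example, not ACS's tooling: names, labels, costs and weights are constructed.
from dataclasses import dataclass

CRITICALITY = {"Critical": 3, "High Priority": 2, "Normal": 1}
SENSITIVITY = {"Restricted": 3, "Sensitive": 2, "Public": 1}

@dataclass
class Asset:
    name: str
    criticality: str       # how badly the business needs it
    data: str              # most sensitive data it holds
    internet_facing: bool  # direct exposure raises likelihood
    mandated: bool         # a law or standard (HIPAA, PCI) requires the fix
    fix_cost: int          # rough cost to mitigate the known weakness

def risk_score(a: Asset) -> int:
    """Impact (criticality x sensitivity), doubled when reachable from the Internet."""
    impact = CRITICALITY[a.criticality] * SENSITIVITY[a.data]
    return impact * 2 if a.internet_facing else impact

def risk_label(a: Asset) -> str:
    s = risk_score(a)
    return "High" if s >= 8 else "Medium" if s >= 4 else "Low"

def plan_mitigations(assets, budget):
    """Fund mandated fixes first (cannot afford to ignore), then the rest by
    descending risk, cheapest first on ties; report deferred and unmet mandated fixes."""
    funded, deferred, unmet_mandates, left = [], [], [], budget
    order = sorted(assets, key=lambda a: (not a.mandated, -risk_score(a), a.fix_cost))
    for a in order:
        if a.fix_cost <= left:
            funded.append(a.name)
            left -= a.fix_cost
        elif a.mandated:
            unmet_mandates.append(a.name)   # budget problem you must escalate
        else:
            deferred.append((a.name, risk_label(a)))
    return {"funded": funded, "deferred": deferred,
            "unmet_mandates": unmet_mandates, "remaining": left}

INVENTORY = [  # constructed sample inventory
    Asset("card-data server", "Critical", "Restricted", True, True, 4000),
    Asset("customer file server", "Critical", "Sensitive", False, False, 2500),
    Asset("payroll workstation (unsupported OS)", "High Priority", "Sensitive", False, False, 1500),
    Asset("guest wireless access point", "High Priority", "Public", True, False, 800),
    Asset("lobby printer", "Normal", "Public", False, False, 300),
]

if __name__ == "__main__":
    print(plan_mitigations(INVENTORY, budget=7000))
```

With a $7,000 budget the card-data server (mandated) is funded first, the two Medium-risk items that no longer fit are listed as deferred, and a smaller budget surfaces the mandated fix as an unmet obligation rather than silently skipping it.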
“An ounce of prevention is worth a pound of cure.” Ben Franklin
As you can tell, I am a fan of good quotes. I am also a fan of good Cyber Hygiene. And good Cyber Hygiene includes a strong defensive posture. To prevent TBM 2.0 from breaching those defenses you should (and no, this isn’t an exhaustive list):
- Train Your Employees. You are only as strong as your weakest link. Your employees (disgruntled or not) are often that weak link. TBM 2.0 knows this too. Teach your employees how to keep themselves, your assets and your customers safe. Show them how not to fall victim to phishing, whaling, vishing, etc. This is another tip that covers more than one phase. One could argue it should be under prepare and/or respond as well. They would be correct. I like it under prevent. So here it is.
- Use the Familiar Four. To refresh your memory: Antivirus/Anti-malware, Firewall, Strong Passwords, and Unique User IDs. They are oldies but goodies. They are sort of like Robert Redford: a little wrinkled and showing signs of wear, but still relevant. Or, you can look at them like an ex-president: everyone knows they don’t have the power they used to, but you still expect to see them on your 24-hour cable news outlet weighing in on the crisis du jour.
- $^*(4#)("&*(&0p#. No that isn’t a curse word. It’s encrypted data. You can’t read it without the proper key. And neither can TBM 2.0! Encrypt your data (at rest, in motion, and in use). This includes your mobile devices! Encryption Policies are important to your business (see Plan. Plan. Plan under Prepare).
- Do I know you? Identify and permit only acceptable software on your systems. Have a policy for allowing only authorized devices on your network. Only allow known senders to send you email. Prevent users from accessing known bad or unacceptable websites. The process of allowing only the known “good stuff” into your systems and network is called “Whitelisting”. This can be done in various ways, using various tools. (Hint: ACS can help you narrow that down to what works for your environment.)
- Keep an eye on things. I know. You are thinking, “But Bill, you already said this under Prepare!” Yes I did. It fits here, under Prevent, as well. Trust me. For example, a USM could include an Intrusion Prevention System (IPS). An IPS not only monitors your assets, but it will also take action to stop or prevent a breach. Spoiler Alert: You will see this again. Soon.
“This is where many of your plans will come to fruition.” Gordon Matthew Thomas Sumner, AKA Sting
Last quote. I promise. But Sting knows what he is singing about. It is time to respond. This IS where your plans are put into action. That is why it is so important to have them completed, tested, and in place before TBM 2.0 does his dirty work.
- Who ya gonna call? So, you have been breached. And I am talking about a real breach; one where data was seen or exfiltrated by TBM 2.0. I am not talking about a virus or adware that hit your sales rep’s laptop. Who do you call first? Your Breach Coach. That’s who. Who’s next in line? If your Breach Coach doesn’t do it for you, you are calling your forensics team. And where do you find these people? In your Incident Response Plan (that you created long before the breach), of course! These folks can save your business. They can help prevent expensive fines. They can also be expensive themselves. So, having a Cyber Insurance policy that covers their fees is important. ACS’ 5 Steps To Cyber Solution © includes a Breach Coach as part of its low cost “base” monthly subscription. That is well worth the price of admission alone! Need another reason to let the pros handle it? You still need to focus on running your business. How will you be able to generate revenue if you have your hands in the rebuilding of a server or sending notifications to your customers? Also, don’t forget that the laws governing your actions vary state by state! So much to know! A seasoned Breach Coach knows the rules by which you have to play.
- Pay attention and take notes! You need an audit trail of what you did to prevent the breach, how you reacted to it, and what you did to make sure it won’t happen again. Robust logging systems, “ticket” systems, reporting systems, and change management systems are a must. Picking a good USM can get you most of these tools. ACS can recommend one of the world’s best. Just ask!
- Keep an eye on things. I told you that you would see this one again. Continuous monitoring is another response to a breach. Again, you can see the importance a USM plays in today’s world of serious Cybersecurity and good Cyber Hygiene. Also, part of the response might include tweaking or adding rules to the USM.
- Keep calm and carry on. Take a deep breath. If you followed the tips I’ve laid out, you and your business should get through a breach. Post breach, make sure you take the time to review what happened, revise any plans/policies/procedures that need tweaking, and rebuild your infrastructure where needed. I cannot stress enough how a good Cyber Insurance policy can help reduce the costs associated with a breach and its aftermath. Cyber Insurance is one of the most important controls that you can have in place. Like I said before, it isn’t a matter of if but when.
As we wrap up this little journey down Cybersecurity Lane, please be aware that the tips and to-dos listed in this document are the tip of the iceberg. Each item could be broken out into its own several-hundred-page document. We have literally scratched the surface. This paper was meant to make you more aware and provide some “low hanging fruit” for you and your IT Security team to grab.
And if you are still feeling overwhelmed, know that the experts at ACS have created an easy to follow 5 Steps To Cyber Solution © that uses checklists, templates, calendars, online training, and more to help your business become more secure. Our solution tells you exactly what to do at each step. We have also partnered with some of the world’s leading vendors of USMs, hardware/software, breach services, cybersecurity consulting, and Cyber Insurance to further help you navigate the maze of Cybersecurity and protect your A$$et$ ©.
You have been presented with a high-level view of the most common ways your small business can address the most common vulnerabilities exploited by TBM 2.0 to gain access to your systems, network, and people. It is now up to you to take the next steps. Feel free to reach out to the experts at ACS!
Give us a call at 610.755.0728.
Drop us a note at firstname.lastname@example.org .
Visit us at MyCybersecurityDepartment.com .
Chief Technology Officer