On October 18th, Utah Business held a Cybersecurity summit for senior-level executives, solution providers, and security experts in need of innovative solutions to protect their company’s critical infrastructure. Here’s a recap of the event from presenting experts Eide Bailly, Executech, and Maschoff Brennan.
According to the Verizon Data Breach Report, 61 percent of breaches hit smaller businesses last year, up from the previous year’s 53 percent. A similar study published by UPS Capital identified that almost two-thirds of all cyber attacks are now directed at small business and that an average cyber-attack costs a small business between $84,000 and $148,000.
Surveys conducted by several institutions, including the Better Business Bureau and the SANS Institute, identified that, when it comes to implementing effective cybersecurity practices, a lack of resources and expertise is the top challenge facing small-to-mid-sized businesses (SMBs). How will companies address the cybersecurity resource challenge?
The key to effectively and efficiently managing cybersecurity at SMBs is to balance cost and risk. According to a study conducted by Gartner: “Enterprises should be spending between four and seven percent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk.”
It is important to note that the spending Gartner refers to covers the activities that fall under the control and responsibility of the chief information security officer (CISO). The responsibilities of a CISO include activities such as: pursuing the sources of network attacks, balancing security needs with a company’s strategic business plan, developing security policies and procedures, planning and testing responses to security breaches, and overseeing the development and maintenance of security products.
Estimates of the average salary of a CISO range between $150,000 and $190,000; consequently, most SMBs can’t afford to hire their own CISO. If this is the case for a given company, that company should outsource this function. Most companies manage cybersecurity risks using one of two approaches: the risk assessment approach or the best practices approach. Larger companies or those that operate in a heavily regulated industry will utilize the risk assessment approach to assess a wide range of cybersecurity-related activities across their entire enterprise. They will adopt a control framework (e.g., ISO 27002 or NIST 800-53) to help facilitate this assessment and focus resources on the areas of greatest residual risk.
Smaller companies don’t always have the resources to conduct risk assessments for managing risks. Instead, these companies will adopt a best practices approach to ensure the fundamental or most critical cybersecurity activities are being conducted at their company. For example, the Internet Security Alliance has identified the following seven basic cybersecurity controls that small businesses should implement to protect themselves:
- Have an information security policy
- Patch your systems and applications, automatically if possible
- Require multi-factor authentication
- Restrict employees’ ability to surf the web on company computers
- Train employees on cybersecurity practices
- Scan and filter email and web traffic
- Set up logging and store the data for the long-term
By finding the right balance of cost and risk, SMBs can begin to tackle the challenges of protecting their systems and data.
According to Eric Montague, founder of Executech, when it comes to cybersecurity, there are three main areas businesses need to focus on: infrastructure, email security, and account/system configuration. Here is an overview of the basic principles, guidelines, and tools to safeguard each facet.
There are five ways to protect infrastructure: infrastructure integrity, external penetration tests, internal breach detection tools, generation firewalls, and effective software.
Ensure the integrity of infrastructure systems by layering in firewalls, anti-virus systems, backup systems, etc. This will provide the best foundation for all security endeavors. From there, external penetration tests can be used to assess the network and look for any vulnerabilities. For best results, businesses should perform these tests regularly.
Internal breach detection tools can alert businesses when security breaches take place. Sixty-six percent of security breaches go unnoticed for weeks or even months. Having tools in place to catch breaches early can mitigate a lot of potentially damaging factors.
In addition, generation firewalls can be used for intrusion prevention, dynamic blacklisting, and content filtering. These are a company’s first line of defense and ensuring that firewalls have all of the above capabilities will stop most cyber-attacks in their tracks.
Finally, using effective software programs such as Cloudflare, Sophos Intercept X, and Sonicwall can keep internet activity and websites secure, predict and stop malware attacks, and prevent cyber attacks on all systems both internal and external.
To protect email accounts from infected or phishing emails, businesses should enable these three settings: spam filters, geofilters, and email blocking. Spam filters will filter emails that could carry cyber threats, while geofilters will filter emails from locations that could carry threats. In addition, make sure to block inbound emails that appear to be sent from an employee’s own email address. Hackers can easily imitate company email addresses and send employees malicious emails. Blocking them will defuse the problem.
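The three mail-gateway rules described above, written out as an added example (not code from Executech or from the article). It assumes the gateway has already stamped each inbound message with a spam score (`X-Spam-Score`), a sender country (`X-Sender-Country`) and a standard `Authentication-Results` header; the company domain, the thresholds and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"        # assumed company domain
SPAM_THRESHOLD = 5.0                   # assumed gateway score cut-off
BLOCKED_COUNTRIES = {"XX", "YY"}       # placeholder country codes for the geofilter


def classify_inbound(raw_message: str) -> str:
    """Return 'deliver' or a 'block: <reason>' verdict for one inbound message."""
    msg = message_from_string(raw_message)

    # Rule 1: spam filter - drop anything the scanner already scored as spam.
    try:
        score = float(msg.get("X-Spam-Score", "0"))
    except ValueError:
        score = 0.0
    if score >= SPAM_THRESHOLD:
        return "block: spam score"

    # Rule 2: geofilter - drop mail the gateway attributes to a blocked country.
    if msg.get("X-Sender-Country", "").upper() in BLOCKED_COUNTRIES:
        return "block: geofilter"

    # Rule 3: internal-address spoofing - mail that claims a company address
    # but arrives from the internet is blocked unless SPF or DKIM vouches for it.
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain == COMPANY_DOMAIN:
        auth = msg.get("Authentication-Results", "").lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            return "block: spoofed internal sender"

    return "deliver"


# Constructed sample: an external message forging an employee's own address.
SPOOFED = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: jane.doe@example.com\r\n"
    "Subject: Urgent: reset your password\r\n"
    "X-Spam-Score: 2.1\r\n"
    "X-Sender-Country: US\r\n"
    "Authentication-Results: mx.example.com; spf=fail; dkim=none\r\n"
    "\r\nClick the link below.\r\n"
)
```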
Configuring accounts appropriately will add an additional layer of security. That means enabling two-factor authentication, ensuring consistent backups in the case of hacked or lost data, and maintaining revision history logs should a business need to revert to prior versions.
In addition, make sure networks and systems meet applicable regulatory compliance requirements. Industries that handle sensitive information will have certain standards that their systems need to be kept at in order to protect customer information.
Finally, all businesses should have a disaster recovery plan in place for IT. Establish protocols if systems go down or if systems are breached. What systems are the most critical to get back up first? How will you access your backups? These are cybersecurity threats all businesses need to plan for.
To learn more about cybersecurity, how you can better protect your data, and where to get started visit www.executech.com/cybersecurity.
While reports of data breaches show that data can be a liability if not protected, business data is still very much an asset that can be legally protected against theft under trade secret laws. In order to be legally protectable, businesses must make “reasonable efforts” to keep their information secret.
Common cybersecurity controls can help show reasonable efforts were made to maintain trade secrets and can help provide evidence to show misappropriation should court intervention be necessary.
News of personal-information disclosures or data breaches also means heightened public concern and pressure for additional privacy and security laws. US businesses are subject to a wide variety of security and privacy laws depending on the industry and the residency of the persons or other businesses about which they collect information. California and Utah have been pioneers in many security and privacy laws. For example, California enacted the first data-breach notification law in 2002, and today all 50 states have done likewise and enacted their own data-breach notification laws. Last summer, California, at the forefront of privacy and security legislation, passed a sweeping consumer privacy act with severe penalties for data breaches involving certain personal information. And other states are poised to follow suit.
Despite a business’ best cybersecurity efforts, data breaches may still happen. Data breaches often mean lost resources, reputational damage, and hefty response costs. In addition to these direct consequences, businesses may also be subject to administrative investigations and possible non-compliance fines for failure to comply with privacy or security laws. Class-action lawsuits are also common in the wake of a data breach. With potential liability coming from all directions, lawyers can help manage these risks by attending to compliance obligations, offloading risk to vendors through vendor contracts, helping secure appropriate cyber-insurance policies, and developing legally defensible security policies and procedures. In the event of a data breach, a lawyer should help direct a business’ response so that reporting obligations are observed and communications with vendors and enforcement authorities are controlled with an eye toward avoiding further liability.
Lastly, many of the business motivations for cybersecurity have legal underpinnings. If cybersecurity assessments are directed by a lawyer in furtherance of the lawyer providing legal advice, those assessments may be protected from disclosure in litigation or administrative investigations.