Step 2: Protect

“It won’t happen to us” – the cyber myth with potentially devastating consequences for SME’s. In a recent poll by Aon of more than 1000 SME’s, 8 out of 10 said that they do not see cyber attacks or data loss as a significant risk – consequently, many are vastly under-prepared and lack even basic safeguards to protect their business.

SME’s should start by breaking down the cyber myth and shifting internal attitudes to an “assume breach” mindset. This simple yet effective defence strategy involves working on the assumption that a breach has either already occurred or that it’s only a matter of time until it does. The strategy involves training employees to be mindful of security and limit the trust they place in applications, services, identities, and networks, both internal and external.

There are various frameworks available that provide guidance on protecting the business but this blog post will focus on the National Institute of Standards and Technology (NIST) ‘Protect’ function which looks at reducing the number of cyber security incidents that could occur within your business and limiting the impact if one does occur.

Whilst by now you will know that you need to protect your data, you may not be aware of what steps need to be taken. Following the requirements of the ‘Protect’ function will help contain the impact of a cyber security event:

Never trust, always verify
Don’t allow cyber criminals to get into your network through the front door by making it easy for them to expose weak and compromised credentials. A major shortcoming in business is the fixed mindset of security leaders. In your IT environment, privileged accounts are everywhere. IT administrators, privileged users, external vendors, and business applications all use them to access critical information systems in your network. The higher the account’s privileges, the more valuable it is to you, and unfortunately, also to cyber attackers. Privileged account credentials remain an attacker’s preferred mode of entry into an organization’s network. A carelessly managed account gives attackers the perfect entry point into your system, letting them navigate through multiple servers undetected. Furthermore, when IT admins don’t know what employees are doing with their privileges, malicious insiders can abuse their position without anyone noticing. Ensure that access to physical and logical assets, and associated facilities is limited to authorized users, processes, and devices. It’s critical to control who logs on to your network and uses your computers and other devices.

Always be on the alert for phishing; a social engineering attack in which the cyber attacker poses as a trustworthy source with employees unknowingly clicking malicious links or providing personal information. These attacks usually delivered by email often suggest urgent action to address something that’s gone wrong and unaware employees regularly fall victim.

Build a human firewall through employee awareness training
Many successful cyber-attacks, such as phishing described above, patiently wait for employees to be lured into providing access to sensitive information via a phishing email for example, where an employee is tricked into clicking on a malicious link that installs malware on an organization’s systems. Other employee vulnerabilities include the provision of unauthorized access, poor management of high privilege account access and poor password practice. Those errors can be incredibly costly; sometimes providing access to a host of sensitive data. Businesses should not wait until a breach has occurred to invest in and plan for the human component of cyber security.

Employees are and should be the first line of defence in protecting the company’s digital assets which makes cyber security awareness training for all employees, contractors and any other party who uses your computers, devices, and network – absolutely critical. This training will equip the human element of your organization with the necessary knowledge and skills to protect against many common cyber-attacks – which can easily thwart a simple phishing email or other common attack methods. There are many types of awareness training available but investment in an expert led cyber simulation (tabletop exercise) unique to your organization is wise.

There are only two types of companies: those that have been hacked and those that will be
Once you’ve successfully put measures in place to manage identity/access credentials and have provided your employees with the necessary training, the focus should then move to managing data security. Aside from growing cyber threats, additional pressure, through GDPR compliance requirements, is being placed on SMEs to protect personally identifiable information (PII). In dealing with such threats and compliance obligations, you will need to manage data in a way that aligns with your business’s risk strategy, managing information and records (data) to protect the confidentiality, integrity, and availability of information. Here are some key tips on the very basic requirements. If not already implemented, you should give this immediate attention.

Use security software to protect data and encrypt sensitive data, at rest and in transit. Encrypting data is a good way to protect sensitive information as it ensures that the data can only be read by the person who is authorized to have access. Encryption is especially important when sending sensitive information that other people should not be able to access. Because email messages are sent over the internet and might be intercepted by an attacker, it is important to add an additional layer of security to sensitive information within emails.

• Conduct regular backups of data and update security software. Security software should be routinely updated with a patch management system, automating those updates if possible. All software and websites have vulnerabilities that cyber attackers leverage. Software providers, such as Microsoft, routinely look for vulnerabilities releasing updates and patches that fix them and which should be addressed once available to your IT department.
• Have a clear policy on password creation. This should include rules that enforce strong password usage, with a regular change in passwords every few months.
• Don’t allow external connections to your network. Avoid employees using USBs and other external devices on your office system especially to transfer data from one device to the other. This also includes using USB portals to charge mobile phones and other electronic devices.
• Create a plan for personal devices. As an SME, it may be common practice to have employees using their own devices at work. Have a plan to provide some protection against legal repercussions covering data deletion, location tracking, and internet monitoring issues.
• Have a system for data backup and recovery. You need both a local and off-site backup system. Important files should be backed up physically at your office allowing for easy retrieval. However, also having a copy of your files is essential for both redundancy (in case the local backup fails) and catastrophe prevention (such as a fire).

Get things documented, then test and audit
Within the NIST Framework the protect function calls for data security protection that develops and maintains security policies, processes and procedures that sufficiently protect critical data and the systems that support it. The framework also calls for the creation and management of incident response, business continuity and disaster recovery plans, as well as testing of those response and recovery plans. In preventing cyber attackers from gaining access to critical data, there’s also a need to have formal policies for the safe disposal of data files and old devices. Your IT department should always ensure that retired and reused devices and storage media have had their contents properly removed to prevent confidential company data being retrieved further down the line.

A common mistake is in thinking that reinstalling a computer’s operating system, re-formatting the hard drive or deleting specific files and folders will ensure data is erased and unrecoverable. This is not necessarily correct, and, in many cases, sensitive data is still completely accessible with freely available tools. Again, your IT department should be using a robust data destruction policy that ensures your data is unrecoverable. Reviewing audit/log records on a regular basis is also essential to know who is accessing what and when. This fits with the access control category of setting privileges based on need, but then taking it a step further to monitor who has access to what and why they have that access.

Reduce the attack surface
So far in this post we’ve discussed that you must control access, provide awareness education and training, and put processes into place to secure data. However, there’s a further and final need within the NIST framework to deploy protective technology to ensure you’re maintaining cyber resilience. Remember, circumventing your protective solutions is bread and butter to cyber attackers who are increasingly smart, operating from countries that lack the resources to tackle cybercrime and increasingly sell their know-how to less-skilled criminals. As others in your industry, including competitors, become more cyber resilient, you don’t want to be the weak one that’s preyed upon. Just as in nature, cyber attackers usually focus on the slowest and most vulnerable in the herd.

It’s crucial that you deploy the correct technical security focused on removing single points of failure and reducing the ‘attack surface’: (the total sum of vulnerabilities that can be exploited to carry out a security attack). Put another way, the attack surface is the sum of the different points (the “attack vectors”) where an unauthorised user (the “attacker”) can try to enter data to or extract data from your IT environment. Keeping the attack surface as small as possible is a basic security measure. To successfully reduce your attack surface, your IT department should adopt the principle of least functionality or another approach they deem appropriate. In very practical terms this means configuring your IT systems to provide only essential capabilities and restricting external connections and interfaces to, from, and between specific machines. In certain cases, it can also require disabling wireless access and continuously monitoring endpoints to detect, and respond to, indicators of attack.

Adopting the above recommendations within the protect function greatly strengthens your company’s ability to limit and contain the impact resulting from a cybersecurity event. Critically, it will also allow you to more rapidly identify the occurrence of a cybersecurity event by monitoring to detect anomalies and investigating to see if response is needed.

Next: Step 3. Detect– Maintain visibility into your network so you can detect intrusions