Designing a cybersecurity plan for your business that adequately mitigates the risk of a crippling data breach can be an overwhelming undertaking. While the work itself requires technical expertise from your IT security team or managed security provider, knowing which fundamental questions to ask will give you confidence that you're taking the right steps to protect your data.
The breaches that make the news typically involve millions of customer records and millions or billions of dollars in losses to companies and consumers, so small enterprises may assume they are not large enough to be at risk. That is a mistake, and it can cost you significantly.
According to IBM’s 2019 Cost of a Data Breach Report, the average total cost of a data breach has reached $3.92 million, up 1.6% from 2018 and more than 12% from five years earlier. Nearly 26,000 sensitive or confidential records are stolen in the average breach. That is far less than what makes the headlines, but even a small business is likely to hold that many records. And no matter how large or small you are, the report puts the cost at roughly $150 per record stolen once you count immediate damage, lost business, poor PR, and the work of regaining a positive reputation.
That’s a massive amount of risk. You’ve got to do your best to mitigate it, which starts with a plan. Business cybersecurity plans are the standard way to set your company’s approach to securing its data and people.
We’ve put together ten questions that your plan should address specifically (whether you create it in-house or hire consultants for support). They are only the tip of the iceberg, but they will get your team and mindset in the right place for more robust protection.
Identity Protection Against Unauthorized Access
Today, a large share of breaches begin with an attacker taking over the identity of a user of your systems or a member of your team. Once the attacker holds personal details or login information, even for a low-privileged account, that foothold makes it far easier to reach essential company resources through lateral movement.
Studies vary, but one widely cited review of cybercrime found that 81% of hacking-related breaches used stolen or weak credentials. Worse, with inadequate password policies you can be at risk even if credentials for your own service are never stolen directly: 75% of individuals reuse only three or four passwords across all of their accounts, so a breach at an unrelated site can hand an attacker a working password for yours.
This risk leads us to our first two questions:
1. Do you know who is accessing your data?
You might have a gut reaction that only your team can access the data relevant to them, but is that truly the case? You know you only want authorized people touching corporate data, but the controls needed to guarantee that have become more complex. A username and a strong password are no longer enough.
You’ll need to verify that sign-in attempts are legitimate through stronger measures, and train staff so that social-engineering requests to bypass those measures (a "lost my token" call to the help desk, for instance) are refused. The best place to start is deploying multi-factor authentication (MFA) across company resources, including email, CRMs, ERPs, financial accounts, and other core applications, preferring app- or hardware-based factors over SMS codes, which can be intercepted through SIM swapping. Then look for ways to restrict specific data based on roles and responsibilities.
2. Do you grant access based on real-time metrics?
On its own, MFA can also fall short, because there are ways around it: real-time phishing proxies that relay the one-time code, "MFA fatigue" push-notification spam, and theft of an already-authenticated session token. Just because the right credentials and second factor are presented doesn’t mean it is the actual user accessing the data.
Your security team or partner should help you create the ability to automatically restrict access based on contextual information to deliver additional layers of protection. This methodology is called Conditional Access, and some common examples of it include:
- User location: block access from unexpected geographic locations
- Device: limit data access to specific, company-approved (managed and compliant) devices
- Application: allow data to be reached only through specific, approved applications
Meeting these criteria, in addition to username, password and MFA requirements, helps you determine that it is the right person in the right scenario. For example, you can see that someone signed in from Seattle and then from Paris within the same hour and flag the second sign-in as ‘high-risk’ due to impossible travel. Or you can tell that someone is using the proper credentials but isn’t connected to your in-house network, or is using a non-approved device. There are even methods to ensure that people use only managed and compliant devices to access email, corporate data, Software-as-a-Service (SaaS) apps, and on-premises apps.
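The impossible-travel check described above is simple enough to show in working code. The following is an added example, not code from the original article or from any particular identity provider; it assumes sign-in events already carry a GeoIP city and coordinates, a 1,000 km/h ceiling on plausible travel, and a 50 km floor to absorb GeoIP jitter (all three are assumptions). The sign-in records are constructed for the example.

```python
"""Impossible-travel detection over a constructed sign-in log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing legitimate moves faster than a commercial flight.
MAX_PLAUSIBLE_KMH = 1000.0
# Assumption: GeoIP is only city-accurate, so ignore hops shorter than this.
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime   # timezone-aware (UTC)
    city: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    origin: str
    destination: str
    distance_km: float
    hours: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive sign-ins and return the pairs that
    would require travelling faster than max_kmh (or arriving before leaving)."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue  # same metro area; not worth evaluating
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_kmh:
                findings.append(Finding(user, prev.city, cur.city,
                                        round(dist, 1), round(hours, 2), round(speed, 1)))
    return findings


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: alice cannot be in Seattle and Paris 30 minutes apart;
# bob stays in Seattle; carol's London-to-Paris hop is a plausible train ride.
SAMPLE_EVENTS = [
    SignIn("alice", _utc(2024, 3, 3, 10, 0), "Seattle", 47.6062, -122.3321),
    SignIn("alice", _utc(2024, 3, 3, 10, 30), "Paris", 48.8566, 2.3522),
    SignIn("bob", _utc(2024, 3, 3, 8, 0), "Seattle", 47.6062, -122.3321),
    SignIn("bob", _utc(2024, 3, 3, 12, 0), "Seattle", 47.6062, -122.3321),
    SignIn("carol", _utc(2024, 3, 3, 9, 0), "London", 51.5074, -0.1278),
    SignIn("carol", _utc(2024, 3, 3, 13, 0), "Paris", 48.8566, 2.3522),
]

if __name__ == "__main__":
    for f in flag_impossible_travel(SAMPLE_EVENTS):
        print(f"HIGH RISK: {f.user} {f.origin} -> {f.destination} "
              f"{f.distance_km} km in {f.hours} h ({f.speed_kmh} km/h)")
```

Only alice is flagged. In a real deployment the finding would feed a Conditional Access policy (step-up authentication or block) rather than just a log line, and VPN egress points and cloud proxies need to be excluded or they will generate a steady stream of false positives.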
The security value here is that access decisions use real-time context, not just static credentials. It also gives you control over how teams work and plenty of useful data on how they access information legitimately, which becomes the baseline you later compare anomalies against.
You need control over the access to information, no matter where it’s stored or who you give access to.
This includes the ability to maintain control of enterprise data without harming the user experience or exposing data to users who should not see it: control sensitive information, grant the correct access, and remain a useful service.
To put this risk in perspective, Forrester’s 2018 report, Security Concerns, Approaches and Technology Adoption, found that 88% of organizations lack confidence in their ability to detect and prevent the loss of sensitive data. To be a successful and useful service, you need that control. Finding out whether you have it raises a few questions to ask your security team or partner.
3. Is your data secure regardless of where it’s stored or shared?
Data loss comes in a variety of ways. It can be an external breach, an intentional data leakage from within, or an accidental sharing by an employee.
Your staff need access to the right data on the computers or phones they use to do their work. So you must deliver that access while protecting the data with encryption at rest (on the server or disk where it is stored) and in transit to their devices.
We believe that this must also include email encryption capabilities.
At the same time, you need to offer convenient collaboration with internal and external parties. Your team should be able to not only support that effort but tell you how you can prevent people from sharing sensitive information — intentionally or by accident — with an outside party. This is especially important for areas with additional regulatory controls and risks, such as customer details, bank accounts, and medical information.
An adequate cybersecurity plan will include Data Loss Prevention (DLP) tooling and practices that let you limit what information can be shared inside and outside the organization, typically by detecting patterns such as card numbers, national ID numbers or "Confidential" labels in outbound mail and file shares, and then blocking, quarantining or warning. Ask your team or provider specifically what DLP they provide and what it inspects.
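To make the DLP discussion concrete, here is an added example (not code from the original article or any DLP product) of the kind of outbound check such a tool performs: it scans a message body for Luhn-valid card numbers, US SSN-shaped strings and a "CONFIDENTIAL" label, then blocks the message if the recipient is outside the organization. The organization domain, the patterns chosen and the sample messages are all constructed assumptions for the example.

```python
"""Outbound DLP check over constructed messages (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

ORG_DOMAIN = "example.com"   # assumption: your own mail domain
LABEL_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN shape with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str


@dataclass(frozen=True)
class Finding:
    kind: str
    masked: str      # never log the full value


@dataclass
class Decision:
    action: str                      # "allow" or "block"
    label: str = "Public"
    findings: List[Finding] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out invoice numbers and similar that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(Finding("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        found.append(Finding("ssn", mask(m.group())))
    if LABEL_RE.search(text):
        found.append(Finding("label", "CONFIDENTIAL"))
    return found


def evaluate(msg: Message) -> Decision:
    """Policy: sensitive content may move inside the org (labelled), never outside."""
    findings = scan_text(msg.body)
    if not findings:
        return Decision("allow")
    external = msg.recipient.rsplit("@", 1)[-1].lower() != ORG_DOMAIN
    return Decision("block" if external else "allow", "Confidential", findings)


# Constructed sample messages.
SAMPLE_MESSAGES = [
    Message("pat@example.com", "partner@other.org",
            "Please charge card 4111 1111 1111 1111 for the invoice."),
    Message("pat@example.com", "hr@example.com",
            "Onboarding form for the new hire, SSN 123-45-6789, attached."),
    Message("pat@example.com", "partner@other.org",
            "Your reference number is 4111 1111 1111 1112."),
    Message("pat@example.com", "press@other.org",
            "CONFIDENTIAL: draft board minutes, do not distribute."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        d = evaluate(m)
        print(m.recipient, d.action, d.label, [(f.kind, f.masked) for f in d.findings])
```

The third message contains a 16-digit number that fails the Luhn check, so it passes; that distinction is what separates a usable DLP rule from one that users learn to ignore. Real products add fingerprinting of known documents and OCR of attachments, but the allow-inside, block-outside decision structure is the same.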
4. Does data compliance control access to sensitive information?
Your data needs to be protected and restricted appropriately. The job of your security team and partners is to determine how to do that and make it easy for you to understand and implement.
What it boils down to is that only authorized parties may be granted access to sensitive information. The systems you use should be configured to control access and limit use, and should have a way to label this data as sensitive. We’re discussing specific configurations, not just written policies.
There is no one-size-fits-all default to copy here; the controls have to be tailored to your data, your industry and your customers’ requirements. Reach out for a quick conversation about what that might mean for your industry, especially if you have customer requirements.
5. Do you have the ability to classify and encrypt sensitive data?
Encryption limits who can read private data by making it unintelligible to anyone without the key. It is the process of encoding data so that it is hidden from unauthorized users: a platform encrypts the data when it is created or sent (usually on the server) and decrypts it when an authorized client application accesses it with the right key.
The aim is to make it so that if someone finds a way to access your data stream, they still can’t understand what’s being sent.
To keep your platforms and tools running smoothly, you’ll want to encrypt the right data in the right way. So you may have default encryption on all traffic and stored data, but stronger protection (for example, restricted keys and rights management that travels with the file) for highly sensitive items. Doing this requires a labeling system to attach a "Confidential" classification to documents, emails, and data streams. Labels make it easier to classify data and apply the appropriate controls automatically, giving you better protection.
Thankfully, many cloud systems and tools have encryption and labeling support built in. For example, you can deploy Azure Information Protection (now part of Microsoft Purview Information Protection) if you use Microsoft Azure and Microsoft 365 Business.
6. Can you remotely manage and remove corporate data from company devices?
Company devices are lost and stolen all the time, and it’s not until we look at this from a high-level security perspective that we understand the threat.
Back in late 2012, a NASA laptop was stolen from a locked car. If that were your business, this would be a pain. But, to make matters worse, the laptop contained thousands of personnel documents, including social security numbers of NASA employees and contractors.
The laptop was only password protected; the data on it was not encrypted, so the login prompt was no obstacle to anyone who pulled the drive. Every second someone had the laptop, people were at risk. The theft triggered an internal review that found nearly 50 laptops and mobile devices had been stolen or lost in two years, many containing sensitive data.
Your business is exposed to the same kind of theft, or to a disgruntled employee taking a laptop home instead of turning it in when disciplined or fired. If you have remote staff, these risks increase significantly.
Whether you’re NASA or a small shop of 10 people, the best protection is the same. Enforce full-disk encryption (BitLocker, FileVault or equivalent) on every device so that a stolen drive yields nothing, and build mobile device management capabilities that can, among other things, remotely wipe company data without touching the personal data stored alongside it.
Attack Detection and Prevention
7. Can you quickly find and react to a breach?
Every business needs tools and personnel to identify and respond to a threat. Build out the list of options and what each will cover with your IT team (outsourced or in-house). Layer tools to detect breaches as fast as possible, and set up an incident response plan for staff to follow when an attack is found.
Remember, incident response covers more than the technical side of the business, so you need to include HR, legal, PR, senior management, and other core departments. Be sure to define how they will communicate during an event, including an out-of-band channel in case corporate email itself is compromised.
Your response is designed to minimize the chance that a threat spreads between endpoints in your network. Best practice is a combination of Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM). EDR records process, file and network activity on each device so that suspicious behaviour can be detected, investigated and contained (for example, by isolating the host from the network); it is often bundled with next-generation anti-virus, but the two are not the same thing. A SIEM collects and correlates logs across devices, cloud resources and the network to identify potentially malicious activity that no single device would reveal on its own.
Unfortunately, implementing and managing a SIEM in-house can be very complex and prohibitively expensive for the average business. You need to buy and install the solution, then dedicate infrastructure and specialized staff to triage security alerts and review logs of network activity on a regular basis.
Typically, buying one of these solutions outright is reserved for large businesses.
A good alternative for smaller organizations (even those with in-house IT staff) that want access to these enterprise-level tools is to outsource to a Managed Security Service Provider (MSSP) at a much more attainable price.
8. Can you automatically guard users against phishing attacks and dangerous links?
In your discussion of tools and policies, you will quickly realize that every company needs to support team members directly against phishing, social engineering, and dangerous links.
Why? An estimated 91% of all cyberattacks start with a phishing email.
Anti-phishing software is designed to help your team avoid threats while also responding to those that get through. So it should be able to maintain allow lists and deny lists for senders and domains, identify patterns of attack against your systems, and stop people from clicking dangerous links (for example, by rewriting URLs so they are re-checked at click time).
Primarily, this means a combination of robust email security tools, anti-malware software, and DNS security that can quarantine suspicious emails and scan for dangerous links. Services like Mimecast and Proofpoint actively look for phishing attempts in your company’s email and can help you set policies to protect your people and equipment.
The first line of protection aims to prevent threats from reaching your people and servers. Anti-spam and -virus filters plus traffic monitoring and other tools can help eliminate most messages that target your teams.
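The "scan for dangerous links" step above is the easiest part of an email filter to reason about, so here is an added example (not code from the original article, Mimecast or Proofpoint) of the checks such a filter applies to the anchors in an HTML message: a visible link text whose domain differs from the real target, Punycode (xn--) hostnames used for look-alike domains, raw IP literals, and a deny list. The allow and deny lists, the two-label "registrable domain" shortcut and the sample HTML are constructed assumptions; production code would use the Public Suffix List.

```python
"""Link analysis for an inbound HTML email (added example)."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Assumptions: your own domains, plus a deny list fed from threat intelligence.
ALLOW_DOMAINS = {"example.com"}
DENY_DOMAINS = {"evil.test"}
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


@dataclass(frozen=True)
class Link:
    href: str
    text: str


@dataclass
class Finding:
    href: str
    text: str
    reasons: List[str] = field(default_factory=list)


class AnchorCollector(HTMLParser):
    """Collects every <a href> together with its visible text."""

    def __init__(self):
        super().__init__()
        self.links: List[Link] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(Link(self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    # Assumption: last two labels. Real code must consult the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def host_from_text(text: str) -> Optional[str]:
    """If the visible link text looks like a URL or domain, return its host."""
    t = text.strip().lower()
    if not t or " " in t:
        return None
    if "://" not in t:
        t = "http://" + t
    host = urlsplit(t).hostname
    return host if host and HOST_RE.match(host) else None


def analyze_links(html: str) -> List[Finding]:
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = (urlsplit(link.href).hostname or "").lower()
        if not host or registrable(host) in ALLOW_DOMAINS:
            continue  # mailto:/relative links, or our own domains
        reasons = []
        if registrable(host) in DENY_DOMAINS:
            reasons.append("deny_listed")
        if IP_RE.match(host):
            reasons.append("ip_literal")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode_host")
        shown = host_from_text(link.text)
        if shown and registrable(shown) != registrable(host):
            reasons.append("display_mismatch")
        if reasons:
            findings.append(Finding(link.href, link.text, reasons))
    return findings


def verdict(findings: List[Finding]) -> str:
    return "quarantine" if findings else "deliver"


# Constructed sample message body.
SAMPLE_HTML = """
<p>Your mailbox is full. <a href="http://login.example-secure.xn--pple-43d.com/reset">https://mail.example.com/reset</a></p>
<p>Or visit <a href="http://203.0.113.5/verify">our portal</a>.</p>
<p>Policy: <a href="https://docs.example.com/policy">docs.example.com</a></p>
<p><a href="https://evil.test/login">Log in</a></p>
"""

if __name__ == "__main__":
    found = analyze_links(SAMPLE_HTML)
    for f in found:
        print(f.href, f.reasons)
    print(verdict(found))
```

Three of the four links are flagged and the message is quarantined; the link to the organization’s own documentation is left alone. Note that the first link is the dangerous case a human misses: the text reads as a legitimate company URL while the href points at a Punycode look-alike domain.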
9. Are you leveraging machine learning to uncover suspicious activities?
Most breaches go undetected for a long time, often until well after data exfiltration has occurred. On average, it takes companies 197 days to detect a breach and another 69 days to contain it.
In that time, your business faces significant loss and harm. It’s long enough to close your doors.
That threat is one reason many companies are looking for systems that run continuously, looking for breaches and threats. Machine learning (ML) and other analytics tools help companies hunt for threats around the clock. Automation makes it possible to cross-reference massive volumes of activity from workstations and network devices such as firewalls and switches, spotting potentially suspicious behaviour far faster than a human analyst could.
Discuss with your team whether these capabilities are needed for your organization. Ask about tools that support ML and similar analytics; they will generally be sold as SIEM platforms, often with a User and Entity Behaviour Analytics (UEBA) component that baselines normal activity and flags deviations. Ask how these solutions aggregate and analyze activity across your network and from multiple sources, including workstations and networked devices.
You need tools that can adequately handle the volume of data you create.
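Question 7 says a SIEM correlates activity across devices, and question 9 says automation cross-references activity from many sources; the following added example (not code from the original article or any SIEM product) shows the simplest form of that, a deterministic correlation rule that precedes any ML: one source address failing logins against many different accounts within a short window, across more than one host, is a password spray, and any later success from that source marks an account as compromised. The syslog lines are constructed (they carry no year, so 2024 is assumed), and the window and threshold are assumptions.

```python
"""SIEM-style correlation: password spraying across hosts (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ASSUMED_YEAR = 2024   # syslog timestamps carry no year; assumption for the sample
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    result: str   # "Failed" or "Accepted"
    user: str
    ip: str


@dataclass
class Alert:
    source_ip: str
    users: List[str]
    hosts: List[str]
    failures: int
    compromised_accounts: List[str]


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = " ".join(m.group("ts").split())   # collapse the padded day ("Mar  3")
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return Event(when, m.group("host"), m.group("result"), m.group("user"), m.group("ip"))


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5) -> List[Alert]:
    """Group failures by source IP regardless of target host; alert when one
    source tries at least min_users distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_ip[e.ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.when)
        failures = [e for e in evs if e.result == "Failed"]
        best_users, best_hosts, best_count = set(), set(), 0
        start = 0
        for end in range(len(failures)):          # sliding time window
            while failures[end].when - failures[start].when > window:
                start += 1
            win = failures[start:end + 1]
            users = {e.user for e in win}
            if len(users) >= min_users and len(users) > len(best_users):
                best_users, best_hosts, best_count = users, {e.host for e in win}, len(win)
        if best_users:
            first_fail = failures[0].when
            compromised = sorted({e.user for e in evs
                                  if e.result == "Accepted" and e.when >= first_fail})
            alerts.append(Alert(ip, sorted(best_users), sorted(best_hosts),
                                best_count, compromised))
    return alerts


# Constructed sample: a spray from 198.51.100.7 split across two hosts so that
# neither host alone sees enough failures to notice, then a legitimate user.
SAMPLE_LOG = """
Mar  3 09:12:01 web01 sshd[2201]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Mar  3 09:12:04 web01 sshd[2203]: Failed password for bob from 198.51.100.7 port 40113 ssh2
Mar  3 09:12:09 web02 sshd[1877]: Failed password for carol from 198.51.100.7 port 40114 ssh2
Mar  3 09:12:15 web02 sshd[1879]: Failed password for invalid user dave from 198.51.100.7 port 40115 ssh2
Mar  3 09:12:22 web01 sshd[2210]: Failed password for erin from 198.51.100.7 port 40116 ssh2
Mar  3 09:12:30 web02 sshd[1884]: Accepted password for frank from 198.51.100.7 port 40117 ssh2
Mar  3 09:20:41 web01 sshd[2290]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Mar  3 09:20:47 web01 sshd[2291]: Accepted password for alice from 203.0.113.9 port 51001 ssh2
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_LOG):
        print(f"SPRAY from {a.source_ip}: {a.failures} failures, users {a.users}, "
              f"hosts {a.hosts}, compromised {a.compromised_accounts}")
```

The point of the example is the correlation: web01 saw three failures and web02 saw two, which per-host lockout thresholds would ignore, but joining the two logs on source address exposes the spray and the account (frank) it eventually opened. The user who mistyped her password once from 203.0.113.9 is not flagged.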
10. Are all users in your organization adequately trained to identify and look out for phishing attacks and other scams?
The last line of cyber-defense is proper training.
Your business cybersecurity plan needs to include ongoing training and reminders for team members on company policy. Define the procedure for sharing links or resetting passwords, and remind everyone that there are no exceptions. It’s easy to be fooled; we’ve seen professionals who were tricked by the sound of a crying baby played from YouTube.
Train your staff. Retrain your experts. Teach people how to spot bad links and inappropriate requests in emails claiming to come from colleagues. Everyone should get help identifying and resisting social engineering, while IT professionals learn the software chosen above.
The anti-phishing training you run should include realistic simulations. They help your team learn what these events look, feel and sound like, and give them practice in following the reporting procedure. Regular follow-up exercises, where people don’t know in advance that an email is a simulated phish, help your team solidify good habits.
That finishes our top 10 questions, but there are plenty more your business cybersecurity plan needs to address. Learn more about these concerns by joining our Biztech Insider or reaching out for a no-obligation consultation. We’ll learn about your needs and help you find the right path to getting started with your technology and cybersecurity needs.