November 2019

Do These 5 Things to Protect Your Small Business

We often talk with small business owners who know they aren’t spending enough time and effort on cybersecurity, but it’s simply not a top business priority.  We get it: when you are focused on sales and delivery, before your business is in high-growth mode, you are a long way from hiring an IT expert to manage your digital footprint.

At the same time, most of these leaders know they need to do something that goes beyond the basics like anti-malware and firewalls.  Where does one start to get a good footing and be confident of having done more than 80% of other companies their size?  Trust us, you do want to be in the top 20%, because attackers go for the easier target.

Here are the top 5 projects you can kick off in short order that give you the biggest bang for your buck.

1. Password Managers and Multi-factor Authentication

By far the biggest gap we see is the lack of a password manager.  We all know your employees, management, vendors, and customers are reusing passwords across accounts and sharing them over email and chat.  This is the single biggest risk in information security: once one of those services is breached, the same password is tried against every other account that person has.

Let’s be clear, good security policies are not in direct conflict with office productivity.  In fact, a good security practice should actually improve your efficiency. In this case, a password manager saves a huge amount of time (and direct costs) simply by eliminating retyped passwords and the inevitable forgotten password followed by the pain of a reset.

Using a good multi-user password manager also means that you can share accounts with vendors and customers through the vault, rather than by email, and turn off their access immediately when the relationship has ended. Two of the best are LastPass and 1Password.

One last thing on this topic: major technology and finance providers will soon force you to use multi-factor authentication, so you might as well turn it on when you have free time, and prefer an authenticator app or hardware key over text-message codes where the provider offers the choice.  You don’t want to be forced into it when you try to log in to your bank to perform a time-critical transaction.

2. Web Site Security

If you still have the web developer down the street hosting your web page in his basement, or GoDaddy is hosting it because that’s where you registered your domain, it’s time to move.

Old web servers or WordPress versions that are rarely updated WILL be hacked, if they aren’t already owned.  There is nothing more embarrassing than finding out you were compromised and your site was defaced right after that coffee with your new prospect.  Of course, the worst-case scenario is that customer data was leaked and you don’t even know. This one attack could bite you, not tomorrow, but months or years from now.  Your online reputation is critical.

Migrating to a provider that applies security updates for you, or manages the backend entirely, is an absolute must.  Most can get away with Wix or Squarespace, or if you need more customization, leverage a top-tier managed WordPress provider like WP Engine.  If you are using WordPress, adding Wordfence and/or putting the site behind Cloudflare are also good ideas to filter the constant automated scanning from attackers looking for easy prey.
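A quick way to see what your own site is advertising to those scanners is to check the version string a stock WordPress install prints in its HTML head. The script below is an added example, not code from the original post or from any of the providers named above: it pulls the WordPress version out of the generator meta tag and compares it with a latest-release version you pass in (which you would look up from wordpress.org; fetching is left out so the script runs offline). The HTML is constructed sample input.

```python
"""Flag a WordPress front page that advertises an outdated core version.

Added example. Assumptions: the site uses the default theme header, which
emits <meta name="generator" content="WordPress X.Y.Z">, and the caller
supplies the current release number (constructed here as "5.3").
"""
import re
from typing import Optional

# Constructed sample: the <head> of a default WordPress 5.2.4 front page.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel="https://api.w.org/" href="https://example.com/wp-json/" />
</head><body></body></html>"""

# Matches the stock generator tag; attribute order other than name-then-content
# is not handled, which is fine for core output but not for every theme.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.IGNORECASE
)


def extract_wp_version(html: str) -> Optional[str]:
    """Return the advertised WordPress version, or None if the tag is absent."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None


def parse_version(version: str) -> tuple:
    """Turn '5.2' or '5.2.4' into a comparable tuple, padding to three parts
    so that '5.2' and '5.2.0' compare equal."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def assess(html: str, latest: str) -> dict:
    """Report whether the site exposes a version and whether it is behind
    the supplied latest release."""
    found = extract_wp_version(html)
    if found is None:
        return {"version": None, "exposed": False, "outdated": None}
    return {
        "version": found,
        "exposed": True,
        "outdated": parse_version(found) < parse_version(latest),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HTML, "5.3"))
```

Note that removing the generator tag is not a fix on its own; attackers fingerprint WordPress from plugin paths and readme files just as easily. The point of the check is to catch the case where the site has quietly fallen behind, which is exactly what a managed host prevents.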

3. Security Awareness Training

Accidentally or not, employees represent the single most important point of failure in actual security breaches. Just as you update hardware and operating systems, you need to consistently update employees on the latest security risks and train them to recognize and avoid them.

There are a ton of tools out there, many with free tiers, that make this training easy to run. One of the bigger ones is KnowBe4. You can send out lessons via email on phishing, password management, social media attacks, and many other topics, then roll up the results to see who your weak links are and make sure they spend more time practicing good security hygiene.

4. Cloud-Based Email and Identity Management

If your email provider is Rackspace or an on-premises Exchange server, you have a huge gap in your environment.  There are really only two viable options for your business today: Microsoft Office 365 or Google’s G Suite.

Let’s not forget, availability of business-critical applications is a key part of cybersecurity.  Running a complex email platform is not trivial, and it should not be trusted to those who consider it a side business.

Identity management (the standard company user account) is also an important part of your security posture, and these providers bring it to the table.  You need to be able to turn off an account quickly and easily when someone leaves, and either of these email providers can also serve as your single sign-on solution, so one disabled account closes off every app tied to it. G Suite has a leg up here, since most cloud apps allow seamless account creation with your Google business account.

5. Customer Privacy Compliance

Where is your customer data?  A spreadsheet on an employee’s laptop, your marketing tool, QuickBooks, and/or Dropbox?  Probably all four and more. We know you want to be a good steward of this PII (personally identifiable information) because it’s simply good business, but you may also have legal obligations.  If not now, they are around the corner. GDPR requires technology and operational changes to protect data if you have customers in Europe. Starting on January 1st, 2020, if you have customers in California you have many of the same requirements under the California Consumer Privacy Act (CCPA).  Multiple states are introducing similar legislation along the same lines.  It’s best to chat with an expert soon to see what changes you need to make in how you secure and share customer data.

How to Select a Cybersecurity Consulting Firm

As businesses and individuals have increased their digitization activities, cybercriminals now have a larger surface on which to conduct their sophisticated attacks. The cost of data breaches is estimated to exceed $2 trillion in 2019, four times the 2015 projection. [1]

Most data breaches come from existing physical, network, and application infrastructure. In addition, emerging threats are targeting newer technologies, such as mobile, cloud, and the Internet of Things (IoT). Organizations also face risks that originate from insiders, including current and former employees, consultants, business partners, or board members. The 2019 Verizon Data Breach Investigations Report revealed that 34% of data breaches are caused by internal actors. [2]

As cyber threats rise in number and complexity, information security is essential for businesses of all sizes. Selecting a reliable and trusted cybersecurity firm is a key step towards securing your business’s information assets and digital presence. To start, the cybersecurity firm will identify your company’s assets and security needs, typically by conducting a risk assessment.

You can use the table below as a guide for identifying key security requirements and a service provider. 

Cybersecurity Requirement: Service Provider Description

Physical Security: Organizations can contract companies that offer asset protection through access control systems, surveillance (CCTV cameras), intrusion alarms, barriers, and security personnel.

Network Security: Network security providers offer comprehensive assessments and penetration tests of the network architecture and examine the security of local networks, intranets, and internet connections.

Cloud Security: Cloud providers with a strong perimeter firewall, intrusion detection systems, event logging, encryption of data at rest and in transit, and data centers with strong physical security.

Mobile Security: Providers that secure your mobile infrastructure through mobile device management, encryption of mobile communications, and management of the apps allowed on the device.

IoT Security: IoT security solutions that feature endpoint protection and management, secure communications, alerting, and crisis communication.

Application Security: Security service providers that keep your business from deploying in-house or commercial software with vulnerabilities. An expert reviews the application’s design, code, and development process and recommends mitigations for possible exploits, both before and after the software goes into production.

Organizational Security: An auditor is brought in to review a company’s overall security posture and its compliance with standards, frameworks, or regulations such as SOC 2, NIST CSF, CIS 20, and GDPR. The deliverables are typically detailed reports with certificates, policy documentation, and security awareness training.

Event Correlation and Response: A security operations center (SOC) collects data from application and host logs for analysis and performs relevant actions, such as sending alerts based on defined rules. SOC providers are experienced in threat intelligence, fraud detection, vulnerability assessments, and digital forensics.

Improving cybersecurity requires an organization to work with many or all of the above service providers, but managing them piecemeal can be costly and ineffective. Alternatively, you can hire an experienced chief information security officer (CISO) to handle the administration and oversight of these security providers, although for many small and medium-sized businesses a full-time CISO is overkill. Most of the time, the sweet spot is an experienced virtual or fractional CISO consultant at a lower cost. A CISO consultant can focus on maintaining a coherent cybersecurity vision and program for your business, allowing you to effectively manage information technology risks, protect critical assets, and ultimately ensure business continuity.

[1] https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion-by-2019

[2] https://www.varonis.com/blog/insider-threats/
