Of the 12 top technology challenges businesses will face in 2021 as identified by the Forbes Technology Council, four involve IT security. Cyber security risk keeps growing. According to a study by the University of Maryland, a computer connected to the Internet is attacked on average every 39 seconds. That works out to roughly 2,200 attacks per day.
For most of us, the pandemic required us to rely on technology more than ever before. Our workplaces have become increasingly digital. Technology is more than just a computer on your desk; it permeates our entire operations, with mobile devices, social media, Internet of Things, artificial intelligence, application automation, and more. In turn, this expands what the techies call the attack surface. There are more opportunities for hackers to access your business systems, more "doorways" to exploit.
Unfortunately, there is no silver bullet that can effectively close the doors. No one product, solution or action can definitively protect your business. However, by using a deliberate cyber security strategy made up of multiple layers of protection, you can mitigate your risk and enhance data protection.
Purpose of a Layered Cyber Security Strategy
The goal of a layered cyber security strategy is to make it as difficult as you can for a hacker to infiltrate your systems. Small and midsized businesses are a prime target because they often don't or can't employ the sophisticated security tools that larger companies use. Hackers attack SMBs because they are easier to breach. Your job is to make breaking into your systems harder than it is worth to them. Ultimately, you want to be sure you are not the low hanging fruit.
Layers of security controls close gaps and minimize potential loopholes to reduce your risk of being compromised. Each layer provides another level of defense that makes it harder for a hacker to access your systems, and a layer that fails can be caught by the one behind it. The sum of the layers is greater than any of its parts; with each layer the cost and effort of a successful attack increases, even though no combination of layers makes a network impenetrable.
We base our clients’ cyber security strategy around three main layers. People, process, and technology have long been the pillars of organizational success. They are also the foundational layers of a strong cyber security approach.
The Human Layer: People
Your employees are simultaneously your biggest cyber security risk and your greatest asset. The risk in the People layer lies in its very nature. It is human. Mistakes and accidents will happen at some point. Although the people layer is never fail-safe, risks can be mitigated with proper actions.
The main risks in this area are human/user error and trickery. Examples of user error include physical accidents (dropping/losing a device), accidentally deleting a file or folder, clicking on a compromised link, browsing to a compromised website, or accessing company data from a personal device.
Trickery involves the use of social engineering by hackers to manipulate someone into performing an action or divulging confidential information. The action might be to click on a compromised link, download a malicious file attachment, or enter credentials into a look-alike login page. Should your employee fall into the trap, they essentially unlock the doors and let the hacker into your systems. Social engineering arrives through phishing (email), smishing (SMS/text messages to mobile devices), or vishing (voice calls).
Your people are targeted because they are not security experts. They don’t know how to identify the red flags that indicate a potential attack nor understand how to protect themselves. The Human Layer of a sound cyber security strategy mitigates that risk with ongoing education and awareness.
- Cyber security Training - There are many ways to do this, but we prefer periodic online security training that provides you with a method of tracking to ensure employees complete the training. Look for a training platform that also includes ongoing phishing email testing of your team. We use KnowBe4 with our clients.
- Cyber aware culture – A one-time security seminar won’t cut it. You need to create a culture that prioritizes cybersecurity to keep it top of mind. Check out our video on the five ways to create a cyber aware employee culture.
- Security policy annual agreement – Just like you accept your doctor’s office HIPAA policies on a periodic basis, so should you require employees to review your organization’s cyber security policies annually. A good time to do this is at an annual performance review, or do it company-wide during cyber security awareness month in October.
- Ask first/Report quickly – Although the ransom note displayed by a computer infected with ransomware is quite familiar, it is not always obvious that a breach has occurred. It's important to instruct your team to always report anything suspicious, even if there is no obvious compromise, and to ask before acting on an unusual request (an unexpected payment change, a password reset, a file they did not expect). Hackers often enter the victim's system quietly and work in secret to move to other areas of the network. The faster a compromise is identified, the less damage it can do.
The Organizational Layer: Process
The Process layer is truly the foundation of a comprehensive cyber security strategy. The IT policies and procedures put in place guide your people and the technology you implement to create a secure network environment that protects your data and systems.
Procedures consist of the more technical guidelines your team must follow when configuring new systems or interacting with the network environment in any way. Procedures should be documented and updated continuously to ensure the IT team follows the defined company process. Examples of procedures could include new workstation setup, network segmentation, remote access/VPN configuration, or IT asset tracking.
Policies consist of the business' defined rules employees must follow in various areas. Policies may center on specific areas like compliance and industry regulations, data destruction, or third-party vendor vetting and documentation. The cornerstone of a business' cybersecurity policy is the Written Information Security Program (WISP), often referred to as a written information security policy. A WISP defines and documents your organization's security policies and includes customized guidelines covering:
- Passwords
- Access controls
- Physical access
- Approved software
- Email usage
- Blogging and social media
A WISP also defines internal and external threats. A copy of your WISP should be given to and signed by each employee annually.
Defining, documenting, and communicating the policies and procedures in the Process layer takes a lot of work. It requires consideration of three main areas: access, data, and permissions. Examine how data and systems are accessed and by whom. Understand where your data is stored and how it is backed up. Define data archive needs. Identify and define who can move or delete data, and set up an audit process to periodically review user permissions so that each person keeps only the access their role needs (least privilege) and accounts that are no longer used are removed. This takes time and effort, but it is a critical layer of an effective cyber security strategy.
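The periodic permission review described above can be turned into a repeatable check rather than a manual read-through of group lists. The script below is an added example and is not tooling from the original article; it assumes an access export in the shape of a list of user records (username, job role, group memberships, last login date, MFA flag) and an approved role-to-group matrix, both of which are constructed here for illustration. It flags the three things a reviewer most wants to see: access beyond what the role allows, accounts that have gone stale, and privileged accounts without multifactor authentication.

```python
"""Periodic user-permission review over a constructed access export.

Added example, not the article's own tooling. The record format and the
role matrix are assumptions; substitute an export from your directory or
SaaS admin console and your own approved roles.
"""
from datetime import date, timedelta

# Approved role matrix (assumption): the groups each job role may hold.
ROLE_MATRIX = {
    "accounting": {"staff", "finance-ro", "finance-rw"},
    "sales": {"staff", "crm-users"},
    "it-admin": {"staff", "domain-admins", "vpn-admins"},
    "contractor": {"contractors", "crm-users"},
}

# Groups that can move or delete data or change system configuration.
PRIVILEGED_GROUPS = {"domain-admins", "vpn-admins", "finance-rw"}

# An account with no login in this many days is a candidate for removal.
STALE_AFTER_DAYS = 90

# Review date and constructed sample export (not real users).
TODAY = date(2021, 6, 1)
SAMPLE_USERS = [
    {"user": "alice", "role": "accounting", "groups": ["staff", "finance-rw"],
     "last_login": TODAY - timedelta(days=3), "mfa": True},
    {"user": "bob", "role": "sales", "groups": ["staff", "crm-users", "finance-rw"],
     "last_login": TODAY - timedelta(days=10), "mfa": False},
    {"user": "carol", "role": "contractor", "groups": ["contractors", "crm-users"],
     "last_login": TODAY - timedelta(days=120), "mfa": True},
    {"user": "dave", "role": "it-admin", "groups": ["staff", "domain-admins"],
     "last_login": None, "mfa": True},
    {"user": "erin", "role": "marketing", "groups": ["staff"],
     "last_login": TODAY - timedelta(days=1), "mfa": False},
]


def review_permissions(users, today, role_matrix=ROLE_MATRIX,
                       privileged=PRIVILEGED_GROUPS, stale_after=STALE_AFTER_DAYS):
    """Return a list of (username, finding) tuples for the access reviewer.

    Findings:
      excess_group:<g>   user holds a group outside the approved set for their role
      stale_account      no login in `stale_after` days (or never logged in)
      privileged_no_mfa  member of a privileged group without MFA enrolled
      unknown_role       role is missing from the matrix, so access cannot be judged
    """
    findings = []
    for u in users:
        name = u["user"]
        groups = set(u["groups"])
        allowed = role_matrix.get(u["role"])
        if allowed is None:
            findings.append((name, "unknown_role"))
        else:
            for g in sorted(groups - allowed):
                findings.append((name, f"excess_group:{g}"))
        last = u.get("last_login")
        if last is None or (today - last).days > stale_after:
            findings.append((name, "stale_account"))
        if groups & privileged and not u.get("mfa", False):
            findings.append((name, "privileged_no_mfa"))
    return findings


def users_needing_action(users, today):
    """Sorted usernames with at least one finding; an empty list means a clean review."""
    return sorted({name for name, _ in review_permissions(users, today)})


if __name__ == "__main__":
    for name, finding in review_permissions(SAMPLE_USERS, TODAY):
        print(f"{name:8} {finding}")
```

Run against the constructed export, the review flags bob's finance-rw membership (outside the sales role) and his lack of MFA on that privileged group, carol's and dave's stale accounts, and erin's undefined role; alice comes back clean. Keeping the approved role matrix in version control alongside the script turns each quarterly review into a diff against a documented standard, which is exactly the audit trail the Process layer calls for.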
The Technical Layer: Technology
The technical controls are often the first things people focus on when thinking about cyber security. Some small businesses we talk to have a false sense of security because they are running an antivirus program and back up their data. But cyber threats have grown much more sophisticated than that.
Today’s small and midsized businesses must be extremely deliberate when setting up their technical controls. Create a security framework that is comprehensive, integrated, and automated. This includes:
- Equipment – only use current generation, business-grade routers, firewalls, etc.
- Tools – cloud-managed antivirus, anti-malware, edge protection, dark web monitoring, advanced security monitoring, password managers, etc.
- Configuration – web filtering, multifactor authentication, encryption, wireless network settings, access policies, deception technology, zero trust, etc.
- Access – access controls, VPN tunnels, remote access, single sign-on, etc.
- Compliance – documented technical controls that map to the compliance regulations of your industry
The technical layer is unique to every organization. Although you should deploy established, industry-proven technology, the way it is configured will be specific to your business’ data structure, access needs, and risk assessment.
Although it will vary in terms of scope and complexity, every business should create a layered cyber security strategy centered around People, Process, and Technology. Each layer contributes to make it harder for a hacker to breach your network and compromise your data. Although it’s impossible to be 100% fully secure, a layered cybersecurity approach greatly reduces the risk that your business will become a victim. If you need help tackling a security strategy, we can help.