Of the 12 top technology challenges businesses will face in 2021 as identified by the Forbes Technology Council, four involve IT security. Cyber security risk keeps growing year over year. In a University of Maryland study, each Internet-connected computer under observation was attacked on average every 39 seconds, about 2,244 times per day, mostly by automated brute-force login attempts.
For most of us, the pandemic required us to rely on technology more than ever before. Our workplaces have become increasingly digital. Technology is more than just a computer on your desk; it permeates our entire operations, with mobile devices, social media, Internet of Things, artificial intelligence, application automation, and more. In turn, this expands what the techies call the attack surface: every device, account, and integration is another potential entry point. There are more opportunities for hackers to access your business systems, more "doorways" to exploit.
Unfortunately, there is no silver bullet that can effectively close the doors. No one product, solution or action can definitively protect your business. However, by using a deliberate cyber security strategy comprised of multiple layers of protection, you can mitigate your risk and enhance data protection.
The goal of a layered cyber security strategy is to make it as difficult as you can for a hacker to infiltrate your systems. Small and midsized businesses are a prime target because they often don’t or can’t employ the sophisticated security tools that larger companies use. Hackers attack SMBs because they are easier to breach. You must make access to your systems harder for them to break through. Ultimately, you want to be sure you are not the low hanging fruit.
Layers of security controls close gaps and minimize potential loopholes to reduce your risk of being compromised. Each layer provides another level of defense that makes it harder for a hacker to access your systems, and a control in one layer can catch what slipped past another. The sum of the layers is greater than any of its parts; no single layer is impenetrable, but with each layer added the attacker's job gets harder and your protection increases.
We base our clients’ cyber security strategy around three main layers. People, process, and technology have long been the pillars of organizational success. They are also the foundational layers of a strong cyber security approach.
Your employees are simultaneously your biggest cyber security risk and your greatest asset. The risk in the People layer lies in its very nature. It is human. Mistakes and accidents will happen at some point. Although the people layer is never fail-safe, risks can be mitigated with proper actions.
The main risks in this area are human error and trickery. Examples of user error include physical accidents (dropping or losing a device), accidentally deleting a file or folder, clicking on a malicious link, browsing to a compromised website, or accessing company data from an unmanaged personal device.
Trickery involves the use of social engineering by hackers to manipulate someone to perform an action or divulge confidential information. The action might be to click on a compromised link or download a malicious file attachment. Should your employee fall into the trap, they essentially unlock the doors and let the hacker into your systems. Social engineering occurs through phishing emails, smishing of mobile devices, or vishing through the phone.
Your people are targeted because they are not security experts. Most don't know how to identify the red flags that indicate a potential attack, such as a sender address that only resembles your company's domain, a reply address that differs from the sender, a link whose visible text does not match where it actually points, or pressure to act immediately. The People layer of a sound cyber security strategy mitigates that risk with ongoing education and awareness.
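The red flags described above can be checked mechanically as well as taught. The following is an added example, not code from the original article or its author: a small Python scan over a raw e-mail that reports the warning signs an awareness program teaches people to spot. The company domain, the two sample messages and the list of pressure phrases are all constructed for the example.

```python
"""Heuristic phishing red-flag scan over a raw RFC 822 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The organisation's real mail domain. Constructed for this example, not from the article.
COMPANY_DOMAIN = "example-corp.com"

# Pressure phrases typical of social-engineering lures (constructed list; extend as needed).
URGENCY_PHRASES = ("urgent", "immediately", "password will expire",
                   "verify your account", "account will be suspended", "wire transfer")

# Matches <a href="...">visible text</a> in a simple HTML body.
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"\s*>([^<]+)</a>', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character typosquats (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, target: str) -> bool:
    """True when host impersonates target: the real name buried inside another
    registrable domain (target.evil.net) or a one-edit typosquat."""
    host, target = host.lower(), target.lower()
    if host == target or host.endswith("." + target):
        return False                      # the real domain or a genuine subdomain of it
    return target in host or edit_distance(host, target) <= 1


def red_flags(raw_message: str, company_domain: str = COMPANY_DOMAIN) -> list[str]:
    """Return human-readable warnings for one message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    flags: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_host = reply_addr.rpartition("@")[2].lower()

    if is_lookalike(from_host, company_domain):
        flags.append(f"sender domain '{from_host}' impersonates '{company_domain}'")
    if reply_addr and reply_host != from_host:
        flags.append(f"Reply-To goes to '{reply_host}', not the sending domain '{from_host}'")
    if company_domain in display_name.lower() and from_host != company_domain:
        flags.append("display name claims the company domain but the address does not")

    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if is_lookalike(href_host, company_domain):
            flags.append(f"link points at lookalike host '{href_host}'")
        if text_host and text_host != href_host:
            flags.append(f"link text shows '{text_host}' but href goes to '{href_host}'")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real mail): one lure, one ordinary internal note.
PHISHING_MAIL = """From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: support@mail-recovery.net
To: alice@example-corp.com
Subject: URGENT: your password will expire today
Content-Type: text/html

<p>Please <a href="http://example-corp.com.login-portal.net/reset">https://example-corp.com/reset</a> immediately.</p>
"""

BENIGN_MAIL = """From: Bob <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch on Thursday?
Content-Type: text/plain

See you at noon. Agenda: https://example-corp.com/wiki/lunch
"""

if __name__ == "__main__":
    for name, mail in (("phishing sample", PHISHING_MAIL), ("benign sample", BENIGN_MAIL)):
        print(name, "->", red_flags(mail) or "no red flags")
```

None of these checks proves a message is malicious on its own; a genuine vendor can use a different Reply-To, and "urgent" appears in honest mail. The value of the scan is the same as the value of training: each flag is a reason to pause and verify through a second channel before clicking.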
The Process layer is truly the foundation of a comprehensive cyber security strategy. The IT policies and procedures put in place guide your people and the technology you implement to create a secure network environment that protects your data and systems.
Procedures consist of the more technical guidelines your team must follow when configuring new systems or interacting with the network environment in any way. Procedures should be documented and updated continuously to ensure the IT team follows the defined company process. Examples of procedures could include new workstation setup, network segmentation, remote access/VPN configuration, or IT asset tracking.
Policies consist of the business’ defined rules employees must follow in various areas. Policies may center on specific areas like compliance and industry regulations, data destruction, or third-party vendor vetting and documentation. The cornerstone of a business’ cybersecurity policy is the Written Information Security Policy (WISP). A WISP defines and documents your organization's security policies and includes customized guidelines covering:
A WISP also defines internal and external threats. A copy of your WISP should be given to and signed by each employee annually.
Defining, documenting, and communicating the policies and procedures in the Process layer takes a lot of work. It requires consideration of three main areas: access, data, and permissions. Examine how data and systems are accessed and by whom. Understand where your data is stored and how it is backed up. Define data archive needs. Identify and define who can move or delete data, and set up an audit process that periodically compares each user's actual permissions against what their role requires, removes access that is no longer needed, and catches accounts that belong to people who have left or that have not been used in months. This takes time and effort, but it is a critical layer of an effective cyber security strategy.
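The permission review just described can be turned into a repeatable, scriptable check. The following is an added example, not the author's code or tooling: a Python access review that compares a constructed list of accounts against an HR roster and a role-to-entitlement matrix, and reports orphaned accounts, dormant accounts, rights that exceed the user's role, and disabled accounts that still hold destructive rights. The roles, entitlement names, 90-day dormancy threshold and sample accounts are all assumptions made for the example; in practice the account list would be exported from your directory or file server.

```python
"""Periodic user-permission review against role expectations (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Role-to-entitlement matrix. Constructed for the example; in practice this comes
# from the job roles defined in your own policies (e.g. the WISP).
ROLE_ENTITLEMENTS = {
    "analyst":    {"finance_share:read"},
    "accountant": {"finance_share:read", "finance_share:write"},
    "it_admin":   {"finance_share:read", "finance_share:write",
                   "finance_share:delete", "backup_console:admin"},
}

# Rights that let someone move, delete or destroy data (and its backups).
DESTRUCTIVE = {"finance_share:delete", "backup_console:admin"}

# An enabled account with no login for this long is treated as dormant (assumed threshold).
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    username: str
    role: str
    entitlements: set = field(default_factory=set)
    last_login: Optional[date] = None      # None = never logged in
    enabled: bool = True


def review_access(accounts, hr_roster, today):
    """Return (username, finding) pairs for every account that needs attention."""
    findings = []
    for acct in accounts:
        if acct.username not in hr_roster:
            findings.append((acct.username,
                             "orphaned: no matching HR record (leaver or shared account)"))
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
        if excess:
            findings.append((acct.username,
                             f"exceeds role '{acct.role}': {sorted(excess)}"))
        if acct.enabled and (acct.last_login is None
                             or today - acct.last_login > DORMANT_AFTER):
            findings.append((acct.username,
                             f"dormant: enabled but no login in {DORMANT_AFTER.days} days"))
        if not acct.enabled and acct.entitlements & DESTRUCTIVE:
            findings.append((acct.username,
                             "disabled account still holds destructive rights"))
    return findings


def destructive_rights_holders(accounts):
    """Answer 'who can move or delete data?' for enabled accounts only."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.entitlements & DESTRUCTIVE)


# Constructed sample data: the review date, an HR roster and five accounts.
AS_OF = date(2021, 6, 1)
HR_ROSTER = {"alice", "bob", "carol", "eve"}          # dave left the company
SAMPLE_ACCOUNTS = [
    Account("alice", "accountant", {"finance_share:read", "finance_share:write"},
            AS_OF - timedelta(days=3)),
    Account("bob", "analyst", {"finance_share:read", "finance_share:write",
                               "finance_share:delete"}, AS_OF - timedelta(days=10)),
    Account("carol", "it_admin", set(ROLE_ENTITLEMENTS["it_admin"]),
            AS_OF - timedelta(days=120)),
    Account("dave", "analyst", {"finance_share:read"}, None),
    Account("eve", "it_admin", set(ROLE_ENTITLEMENTS["it_admin"]),
            AS_OF - timedelta(days=200), enabled=False),
]


def run_review():
    """Run the sample review; returns (findings, destructive-rights holders)."""
    return review_access(SAMPLE_ACCOUNTS, HR_ROSTER, AS_OF), \
        destructive_rights_holders(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    findings, holders = run_review()
    for user, finding in findings:
        print(f"{user:8} {finding}")
    print("can delete data or backups:", ", ".join(holders))
```

The useful output is not the clean accounts but the exceptions: bob has delete rights an analyst does not need, carol's admin account has sat unused for four months, dave has no HR record, and eve's disabled account still carries backup-console rights that would be live again the moment someone re-enables it. Each of those is a decision for a person to make; the script only makes sure the decision is put in front of them on a schedule.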
The technical controls are often the first things people focus on when thinking about cyber security. Some small businesses we talk to have a false sense of security because they are running an antivirus program and back up their data. But cyber threats have grown much more sophisticated than that.
Today’s small and midsized businesses must be extremely deliberate when setting up their technical controls. Create a security framework that is comprehensive, integrated, and automated. This includes:
The technical layer is unique to every organization. Although you should deploy established, industry-proven technology, the way it is configured will be specific to your business’ data structure, access needs, and risk assessment.
Although it will vary in terms of scope and complexity, every business should create a layered cyber security strategy centered around People, Process, and Technology. Each layer contributes to make it harder for a hacker to breach your network and compromise your data. Although it’s impossible to be 100% fully secure, a layered cybersecurity approach greatly reduces the risk that your business will become a victim. If you need help tackling a security strategy, we can help.