Building a Security Culture with People and Technology
Companies rely on their data and systems for everyday operations. If they suddenly find their critical data and systems have been compromised, business is put on hold, draining money and time from the organization until recovery is achieved. Today, IT security is about more than implementing the right technology. Defending against a security incident requires businesses to establish a security culture that balances a strong defense with employee productivity. Everyone in the organization must understand the cybersecurity risks they face and keep up with the new threats on the horizon. Without a clear picture of these risks, it's impossible to determine the level of technology, processes, and employee training necessary to create an effective IT security solution.
Small and Midsize Businesses Are Not as Secure as They Think
Small and midsize companies usually have one goal: grow the business so they can deliver value to more customers, building trust and a strong reputation along the way. Their resources are often stretched, and key personnel are busy wearing many hats. A strong cybersecurity defense is treated as a nice-to-have they aim to cross off once the business reaches its goals and becomes lucrative enough to attract cybercriminals. The problem with this perception is that attackers are not waiting for a business to grow into a large enterprise with a full cybersecurity team. They go after soft targets: growing businesses they can compromise for enough gain to justify the effort. The second problem is that the attacker only has to be right once, while the people they are targeting have to be right every time.
Why are small and midsize businesses considered soft targets for cybercriminals?
- They have few, if any, IT security policies and procedures
- They lack the necessary cybersecurity experts on staff
- They have minimal resources dedicated to cybersecurity
Cyberattacks Cost Businesses More Than Money
The grim reality is that only 13% of small business owners feel at risk of a cyberattack, yet two out of three small businesses have experienced an attack in the last year. While some of these companies are beginning to prioritize IT security, this change of heart often happens only after the organization suffers the pain of a breach. Why is a cyberattack so jarring for these organizations? Because it costs not just money but trust, time, and peace of mind. According to Continuum's survey, cyberattacks cost small businesses with 10 to 49 employees an average of $41,000. This number accounts only for the direct cost of recovery. It does not include the losses from business downtime, lost revenue, and damage to the business's reputation and customer trust.
The Changing Landscape of Security Threats
In the past, cybercriminals were mainly virus writers looking for notoriety by seeing how far they could spread their malicious software and how much chaos they could cause. Companies could get by with adequate anti-virus software and email spam filtering. Today, security threats exist to exploit weaknesses in an organization's defenses for financial gain, or to damage the business and its reputation. The threats facing businesses today target both technology and human vulnerabilities.
The main IT security threats facing businesses today are:
- Social engineering
- Advanced Persistent Threats (APT)
- Denial of Service (DoS)
- Insider Attacks
- Password Attacks
- Man-in-the-Middle (MITM)
- Impersonation Attacks
IT Security Threats are Always Evolving
Hackers aren't just looking for ways to exploit your technology, but for ways to take advantage of how your organization uses technology every day. They are continuously developing new ways to insert themselves into your business's financial transactions, vendor relationships, and customer relationships so they can redirect funds for their own benefit. They use social engineering to exploit your trusted reputation and relationship equity, tricking and compromising your vendors and customers, and then use those compromised relationships to do the same to others. The further they get into your network and the networks of your business partners, the more they gain from their efforts. At Aldridge, our IT security team works with clients to identify their cybersecurity risks and create a plan to implement the appropriate IT security solution for their unique business. To do this, we first have to understand where the holes in their technology and human defenses exist.
IT Security Vulnerabilities: Human Risk Outweighs Technology Risk
While awareness of cybersecurity is spreading, many businesses focus on bolstering their technology defenses and fail to realize that their most pressing vulnerability is their people. Employees hold the keys to an organization's critical data and systems. Cybercriminals take advantage of this with social engineering techniques such as phishing emails and vishing (voice phishing) calls, tricking their targets into handing over sensitive information that can then be used to abuse other weaknesses in the company's defenses. This does not mean that implementing the proper technology security solutions is not critical to preventing a security incident. But technology alone cannot protect your business when employees lack the security knowledge they need, or are not actively practicing cybersecurity awareness in their daily work.
Our team of IT security professionals take a multi-layered approach to establishing a security culture within our clients’ organizations. We use the information we gather around their technology, business operations, and the day-to-day lives of their employees to build an IT security defense that covers both the technology and human vulnerabilities that we identify. Some of the most common IT security holes we find are:
- Shared passwords
- Inadequate backups
- Unsecured administrative accounts
- Outdated applications and software
- Unpatched systems
- Employees with unnecessary access to business-critical data
- Employees who are unable to recognize a phishing attempt
- Employees who are not aware of, or held accountable for following IT security policies and procedures
- A lack of standard procedures for financial transactions and requests
- Passwords written on post its or saved on personal computers
- Shadow IT and unsecured BYOD technology
- Plugging in unknown USB drives
3 Pillars of a Strong IT Security Defense
Companies whose IT security team lacks both technical expertise and an understanding of business operations are often left with an incomplete IT security solution. This leaves them vulnerable to a security incident, and usually unaware when one occurs. At Aldridge, we use the NIST Cybersecurity Framework as a guide for helping our clients cultivate cybersecurity vigilance within their organizations. We used this framework to build the three pillars of a strong cybersecurity defense outlined below:
1) Building an IT Security Culture
A common misperception we have noticed among small and midsize businesses is that security is a destination that can be reached and forgotten about once they get there. Unfortunately, this misperception is a primary contributor to the false sense of security that leaves many businesses unaware of how vulnerable they are to a security incident.
There are three key phases to creating a culture of cybersecurity vigilance: 1) Prevention, 2) Protection, and 3) Response.
The first step in establishing a security culture is refinement, which is part of both prevention and response. As part of this process, our IT security team looks at the measures our clients already have in place, such as anti-virus, email filtering, and possibly multi-factor authentication (MFA), to evaluate where and how they can be improved while balancing security and productivity. These improvements usually center on implementing security policies, standards, procedures, and guidelines that mitigate the risks that accompany the client's unique operations. This requires input from both the company's leadership team and individual departments, so that all relevant risks are accounted for and new security measures are aligned with the business's goals and objectives before implementation.
Common IT Security Policies
Common policies we help our clients implement include Bring Your Own Device (BYOD) and information security policies. These policies cover the kind of technology employees use, how they use it, and the everyday habits that put the organization's technology and information at risk. When defining IT security policies for our clients, we collaborate with them to determine the appropriate level of security while balancing functionality and convenience.
For example, if your organization wanted to enforce a BYOD policy, you may require that employees follow standard procedures such as:
- Company e-mail may only be used through Microsoft Outlook or Microsoft Outlook Web Access; the native e-mail client on your phone is not an approved client for company e-mail.
- You can bring your own device to the office, but you’re only permitted to connect to the guest Internet access, not the corporate network.
- If you bring your own device but want to run company software on it, IT must have administrative control, management, and monitoring of your device, just as if it was a company-owned computer.
The challenge many companies face is not only identifying which policies and procedures are necessary but holding employees accountable for following them. Accountability brings us to the next phase of prevention, employee education and training.
2) Routine Employee Education and Training
Employee security awareness training is not a one-hour course your staff completes once a year and promptly forgets. It's a consistent effort to educate, train, and test employees on both the latest cybersecurity threats and your organization's policies and procedures. One way we do this for our clients, and for our own organization, is by using automated phishing tests to deliver simulated phishing emails directly to an employee's inbox. These emails range from obvious attempts with noticeable errors in the sender address or body, to templates that carefully mimic notifications from widely used company software such as Office 365. If the employee fails to identify the email as a phishing attempt and takes an action such as clicking on what would have been a malicious link, they are notified that they have been "fake phished" and enrolled in additional training.
The statistics from a phishing campaign give our clients insight into the weaknesses in their human defenses so they can address them with additional training and processes. Interactive training and regular reporting are key to making education effective and promoting accountability for your organization's IT security efforts. Security education is an ongoing process, and the content covered will change as threats continue to evolve. It's critical that your employees are aware of, and take steps to avoid, the external and internal risks they face as they perform their daily tasks.
3) Technology Reinforcement: Prevention and Recovery
The human element of IT security is important, but the most harmful security incidents exploit weaknesses across both the technology and the people that make up a company's core business. When cybercriminals combine both vectors in an attack, they can assume the identity of an employee and use it to access even more information without being detected. It is inevitable that people will make mistakes, even when they pass security awareness testing and know how to spot a threat.
Cybersecurity Incident Prevention:
There are a number of technology tools our team uses to reinforce our clients’ cybersecurity prevention measures such as:
- Multi-factor Authentication (MFA): A combination of methods used to verify a person’s identity such as a password and a smart phone authenticator application.
- Microsoft Office 365 Advanced Threat Protection (ATP, since renamed Microsoft Defender for Office 365): An Office 365 add-on that detonates attachments and links in a sandbox and analyzes their behavior before the message is delivered to your inbox.
- E-mail Caution Flags: Alerts that help employees identify phishing attempts by cautioning them when an email came from someone outside of the organization.
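The caution flag in the last item is simple to build into a mail gateway, and two refinements make it much more useful against the impersonation attacks mentioned earlier: flagging when an external address carries the display name of a real employee, and flagging sender domains that are one or two characters away from the company's own. The Python below is an added illustration, not code from the original article or from Aldridge's tooling. The domains in INTERNAL_DOMAINS, the directory names in EMPLOYEES, and the three messages in SAMPLES are assumptions constructed for this example.

```python
"""External-sender caution flag: an added example, not code from the article.

Assumptions (not from the article): the organization's own mail domains are in
INTERNAL_DOMAINS, EMPLOYEES holds display names from the company directory, and
the messages in SAMPLES are constructed for this illustration.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}          # assumption: the org's mail domains
EMPLOYEES = {"jane doe", "tom finance"}     # assumption: directory display names

BANNER = ("CAUTION: This message came from outside the organization. "
          "Verify any request for a payment or a password by phone before acting.")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch look-alike domains
    such as examp1e.com standing in for example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(raw: str) -> dict:
    """Return the flags a gateway would attach to one raw RFC 822 message,
    plus the subject and body as they would be delivered to the employee."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain not in INTERNAL_DOMAINS
    # A domain within two edits of one of ours is a classic impersonation trick.
    lookalike = external and any(0 < levenshtein(domain, d) <= 2
                                 for d in INTERNAL_DOMAINS)
    # An outside address using an employee's display name is the other one.
    impersonation = external and name.strip().lower() in EMPLOYEES
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    if external:
        subject = "[EXTERNAL] " + subject
        body = BANNER + "\n\n" + body
    return {"from": addr, "external": external, "lookalike_domain": lookalike,
            "display_name_impersonation": impersonation,
            "subject": subject, "body": body}


# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": ("From: Jane Doe <jane.doe@example.com>\n"
                 "Subject: Q3 numbers\n\nAttached.\n"),
    "gmail_ceo": ("From: Jane Doe <jane.doe.ceo@gmail.com>\n"
                  "Subject: Urgent wire\n\nPlease wire the funds today.\n"),
    "lookalike": ("From: Tom Finance <tom@examp1e.com>\n"
                  "Subject: Updated bank details\n\nUse the new account.\n"),
}


def run_samples() -> dict:
    """Classify every constructed sample; returned for inspection or testing."""
    return {label: classify(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        flags = [k for k in ("external", "lookalike_domain",
                             "display_name_impersonation") if result[k]]
        print(f"{label:10} {result['from']:28} {', '.join(flags) or 'clean'}")
```

The subject tag and banner are what the employee sees; the two extra flags are what the security team wants routed to a quarantine or an alert, because a message from an outside address that borrows an employee's name, or a domain one keystroke away from yours, is far more likely to be an impersonation attempt than ordinary outside mail.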
Establishing the Parameters for Your Security Incident Recovery
When an organization experiences a security incident, there are additional technologies that are crucial to mitigating risks during response and recovery. We help our clients understand what level of technology and processes are necessary for their organization to be recovery ready. To do this, we help them identify their:
- Critical information assets: File storage methods, CRM database, accounting data, etc.
- Critical business systems: Warehouse inventory and control systems, payment processing portal, client activities and management systems, etc.
- Recovery Point Objective (RPO): The maximum amount of data loss, measured in time, the business can tolerate for an asset; this sets how frequently it must be backed up.
- Recovery Time Objective (RTO): The maximum time the business can tolerate between an incident and the restoration of its critical assets and systems to normal operation.
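RPO and RTO are only useful if someone checks the backup jobs against them. The Python below is an added example, not code from the original article or from Aldridge. It reads a constructed backup job log, finds the longest stretch with no successful backup for each asset (including the time since the last success, which is the data you would lose right now), and compares it with the RPO; it then compares the duration of the last restore test with the RTO. The asset list in ASSETS, the log lines in BACKUP_LOG, the restore timings in RESTORE_TESTS, and the fixed evaluation time NOW are all assumptions made for the illustration.

```python
"""Recovery-readiness check against RPO and RTO: an added example, not from the article.

Assumptions (not from the article): ASSETS holds the RPO/RTO the business chose,
BACKUP_LOG and RESTORE_TESTS are constructed records, and NOW fixes the evaluation
time so the result is reproducible.
"""
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 3, 14, 0)   # assumption: when the check runs

ASSETS = {   # assumption: targets agreed with the business during planning
    "accounting-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "file-server":   {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
    "crm":           {"rpo": timedelta(hours=4), "rto": timedelta(hours=2)},
}

# Constructed backup job log: "<date> <time> <asset> <ok|fail>".
BACKUP_LOG = """\
2024-03-03 08:00 accounting-db ok
2024-03-03 09:00 accounting-db ok
2024-03-03 10:00 accounting-db fail
2024-03-03 11:00 accounting-db fail
2024-03-03 12:00 accounting-db ok
2024-03-03 13:00 accounting-db ok
2024-03-01 22:00 file-server ok
2024-03-02 22:00 file-server ok
2024-03-03 02:00 crm ok
2024-03-03 06:00 crm ok
"""

# Constructed results of the last restore test per asset; crm was never tested.
RESTORE_TESTS = {
    "accounting-db": timedelta(hours=3),
    "file-server": timedelta(hours=10),
}


def parse_log(text: str):
    """Yield (timestamp, asset, succeeded) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, asset, result = line.split()
        yield datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M"), asset, result == "ok"


def worst_data_loss_window(successes, now):
    """Longest interval without a successful backup, counting the time since the
    last success up to `now`; None if the asset has never been backed up."""
    times = sorted(successes)
    if not times:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(now - times[-1])
    return max(gaps)


def assess(now=NOW) -> dict:
    """Compare each asset's observed backup gap and restore time with its targets."""
    successes = {asset: [] for asset in ASSETS}
    for stamp, asset, ok in parse_log(BACKUP_LOG):
        if ok and asset in successes:
            successes[asset].append(stamp)
    report = {}
    for asset, targets in ASSETS.items():
        gap = worst_data_loss_window(successes[asset], now)
        restore = RESTORE_TESTS.get(asset)   # None means never tested
        report[asset] = {
            "worst_gap": gap,
            "rpo_met": gap is not None and gap <= targets["rpo"],
            "restore_time": restore,
            "rto_met": restore is not None and restore <= targets["rto"],
        }
    return report


if __name__ == "__main__":
    for asset, r in assess().items():
        print(f"{asset:14} worst gap={r['worst_gap']}  RPO {'ok' if r['rpo_met'] else 'MISSED'}"
              f"  restore={r['restore_time']}  RTO {'ok' if r['rto_met'] else 'MISSED'}")
```

With the sample data the accounting database misses its one-hour RPO because two failed jobs opened a three-hour hole, the CRM misses it because its job silently stopped eight hours ago, and the file server meets its RPO but fails its RTO because the last restore test took ten hours against an eight-hour target. An asset with no restore test counts as failing RTO: an untested backup is not a recovery plan.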
Creating a Security Incident Response Plan
After establishing the above parameters, we advise our clients on the level of complexity their backup storage and recovery plan actually needs. A security incident response plan does not have to be elaborate, and it should be refined over time. A common mistake companies make when they try to create a plan on their own is losing sight of its intent. At the end of the day, your plan should clearly communicate its purpose, what triggers its activation, and a high-level overview of how it will be carried out. A security response plan covers the five phases below:
Detect: How a potential incident can be recognized and detected using automated tools and the processes for notifying the rest of the organization.
Validate: How the response team will confirm the validity of the incident, what level of damage has been incurred, and who in the organization has been affected.
Damage Control: How to contain the damage by informing the organization, stopping the spread, and re-establishing a trusted perimeter for operations.
Recovery: How to recover once trust is re-established, so that systems and information can return to normal operation.
Refine: How the organization will evaluate the effectiveness of its security plan, tools, policies, and expectations in light of the incident and the lessons learned in the process.
Security is Not a Destination
Security is not a destination. It's an ongoing process of refining and testing your defenses to determine what needs to improve. Unfortunately, for a business operating in today's evolving threat landscape, it is not possible to be completely secure. Cybercriminals continuously find new ways to exploit vulnerabilities and remain undetected while they take advantage of organizations for their own benefit. But this doesn't mean you should give up. IT security is key to enabling the success of each piece in our Framework for Successful IT. If you don't have a clear picture of your current IT security risks, or a plan for mitigating and responding to a security incident, seek help from someone with the right resources and expertise.