Is your company too small to be secure?

Security is a challenging topic for all businesses regardless of size. Smaller businesses have it especially rough because many of the best tools are designed for large enterprises with security teams. The security landscape is also driving salaries of security-focused personnel.

According to tripwire.com security experts can cost up to 222k per year¹. If you want a CISO level expert in a metro areas, Forbes estimates it will cost upwards of 380K².  Many online sources estimate salaries in information security are increasing 30% year over year.

The FCC posted tips along with a planner to help small businesses keep their information secure³. Network World also posted a 12 step guideline for securing small businesses⁴.

In reading these articles, many of the suggestions seemed obvious. I don’t think there is an issue with companies knowing the basics of what needs to be done; the issue is how.

Let’s dig into the FCC recommendations along with my recommendations on where to start.

1. Train employees in security principles.
   A critical often overlooked component of security. Having security professionals come into the business and train employees is also very disruptive and expensive.  To get this started, I recommend employees use the free online courses offered by ESET.  The webinar isn’t too salesy and gives everyone a nice baseline of how to protect company data online.

   I would also ask employees to go through PhishingBox’s phishing IQ test.  Forbes estimates phishing scams cost businesses half a billion dollars per year⁵. Take phishing seriously. Travelers Insurance also puts together a helpful handbook which explains many of the compliance terms and security best practices. You can find the handbook here.

   I also highly recommend periodic testing.  For phishing testing I like PhishingBox. It’s inexpensive for small businesses and gives you easy to understand reports.

2. Protect information, computers, and networks from cyber attacks.
   This topic deserves a blog post on its own however I can give you a few pointers to get started. The absolute first step is to stay current with operating systems and application. If you are still running Windows XP close this website, I don’t want to be infected (LOL!). On a serious note updating, OS and software is job number one. If you can’t afford to keep current, you should look into a cloud-based virtual desktop company. I recommend Horizon Cloud on Microsoft Azure. Learn more here.

   Once you are running modern software on your computer either on your desk or in the cloud, you need to protect it from viruses and malware. Traditional antivirus is iffy at best. I recommend Carbon Black for endpoint protection. It is a next-generation antivirus solution. You can read about what NGAV is here.

   The next topic we will see come up throughout this blog post. It is critically important. You can not protect any device on your network without an identity solution. I would imagine you have Microsoft active directory, cloud-based email, and some software solutions all requiring a login. Do not skip this step. Unify all the authentication with an identity management system. I recommend Workspace One. It’s inexpensive and checks boxes all along the security landscape.  Learn about Workspace One here.

   Network Security is a can of worms which is highly dependent on your infrastructure, goals, risk profile, etc. If you already have a virtualized infrastructure, you should look at VMware NSX to protect the virtual machines. NSX allows you to choose the traffic flowing between servers and out to the users. If one server gets compromised it is less likely the compromised server will be able to infect anything else on the network. NSX also give you a platform to apply even more comprehensive security policies and products. Learn about NSX here.
   

3. Provide firewall security for your Internet connection.
   I would recommend the first step is a remotely managed on-premises firewall. I would look at providers such as Rackspace or CenturyLink. Cloud providers can bundle in monitoring, alerting and intrusion prevention among other things.  If you are a very small business with less than five servers, I would ask the cloud providers to help you migrate to Microsoft Azure using the same account as you did for Horizon virtual desktops. You can then use your Workspace One identity to log into your office 365, Azure Servers, Horizon desktops, and all your apps.
4. Create a mobile device action plan.
   In addition to creating policies for reporting lost or stolen devices, a business must protect the confidential data stored on mobile devices. The trend is real, companies are buying fewer desktops and more laptops or other mobile devices⁶. In addition, 59% of companies are allowing employees to bring in their personal devices and use them for business functions⁷.

   I know what you are thinking, no, it’s not just phones.There is a fine line between protecting corporate data and being “big brother” to your employees. I recommended Workspace One earlier for identity management and mentioned it also checked many other security boxes. One of those boxes is mobile device management. Yes, for the same $6.50 you can remotely delete corporate data on an employees phone or personal laptop among other things.

5. Make backup copies of important business data and information.
   Everyone knows this.  Since this post is targeted to the Small Business owner, I’ll assume most of everyone’s “documents” are stored in Microsoft OneDrive. If so, turn on OneDrive versioning. Here is how you do it.  Hopefully you use OneDrive for shared folders as well. If not, there are many good online backup options. Check out Microsoft Azure Backup.
   
6. Control Physical Access to your computers and create user accounts for each employee.
   I may sound like a broken record. Workspace One identity management integrated with Microsoft Active Directory. In my opinion, every company should have an Identity management solution.
7. Secure your Wifi networks.
   If you are a very small business, take a look at openmesh.com. Anyone can install it and if you have a small warehouse or have to go outside the mesh system will come in handy.  If you are on multiple floors or have a complex environment, you will want to contract with a technology company which sells Ubiquiti wireless. There are many choices for wireless, and most of them are good, Ubiquiti and Openmesh are my preference.
8. Employ best practices on payment cards.
   I’m not going to tackle this one in this post. Start with the Travelers insurance paper for terminology and definition. Consult with your payment processor for more specific advice.
9. Limit Employee access to data and information, limit authority to install software.
   Consider all corporate data “need to know.”  If an employee doesn’t need to know it to do their job, then don’t give them access to it.  Workspace One will manage access to the apps and install them if necessary. The end user typically does not need admin access to the end device. If it’s an employee-owned device ensure it has the Workspace One endpoint software installed.
10. Passwords and Authentication.
    Broken record again, Workspace One. If you force your employees to have ten different logins and passwords to get onto company systems, you can guarantee they will be insecure or constantly have issues remembering them and getting logged in.

I hope putting actions against the FCC security tips is helpful. The blog is intended to get you started. It is not a complete list of how to be secure. In many cases, you will be best served by moving to a cloud provider which offers managed security. Security is absolutely a team sport. If you don’t have or want to build a team, I recommend moving to a VMware Cloud Verified service provider.

Thanks,

Greg Kaffenberger

1. https://www.tripwire.com/state-of-security/security-awareness/the-top-10-highest-paying-jobs-in-information-security-part-2/
2. https://www.forbes.com/sites/stevemorgan/2016/01/09/top-cyber-security-salaries-in-u-s-metros-hit-380000/#206828647ef8
3. https://www.fcc.gov/general/cybersecurity-small-business
4. https://www.networkworld.com/article/3171657/security/12-steps-to-small-business-security.html
5. https://www.forbes.com/sites/leemathews/2017/05/05/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/#2f3409a23fa1
6. http://www.eweek.com/mobile/computer-sales-continue-to-evolve-away-from-desktop-pcs-says-report
7. http://www.techproresearch.com/article/byod-iot-and-wearables-thriving-in-the-enterprise/