There are practical ways to improve small (and mid-sized) business security: by implementing a set of principles, an organization can achieve a reasonable level of internet security. The principles are organized into five functions or basic activities — Identify, Protect, Detect, Respond and Recover.
These functions can be used to organize and group together information that management can use to implement security safeguards, measure progress and prioritize security efforts. Each of the functions is then divided into categories to define more specific security practices and capabilities (e.g., asset management, access control).
Subcategories describe more detailed or technical controls needed to meet objectives within each category. Informative references can be used to refer to industry standards and best practices (e.g., NIST “Special Publications” or ISO 27001 standards).
I’ve summarized a set of critical safeguards that may most benefit small (and mid-sized) businesses. The safeguards listed below are organized by function and the appropriate category.
Identify: “Develop the organization’s understanding to manage security risk to systems, assets, data, and capabilities.”
1) Asset Management — businesses should inventory devices, systems, and software. If you don’t know what you have, how will you know how to protect it? Assets should also be managed through their lifecycle and prioritized based on their data classification and value to the business. For example, your internet-facing web systems, customer database, HR systems, and financial systems should be the highest priority to protect.
2) Governance — businesses should ensure that information security policies and procedures are established. Ensure your business is managed and monitored to meet regulatory and legal requirements. For example, do your employees and contractors know the data protection requirements and their employment obligations needed to protect your customer data and the company’s brand? Failure to do so could land your business in legal or regulatory hot water.
3) Risk Assessment — identify and assess vulnerabilities in the organization’s assets. Prioritize fixes and patches for those vulnerabilities by evaluating both internal and external threats, using likelihood and impact to determine risk. For example, are the vulnerabilities you have identified being exploited in the wild? Do they apply to your web servers or other critical assets?
Protect: Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
4) Access Control — ensure identities and credentials are managed appropriately for your users and devices. For example, review access periodically to ensure users have appropriate privileges and access to sensitive data and systems. Revoke access when employees leave the firm or change jobs. Lock down physical access to your critical servers and sensitive areas via lock and key, badge readers, security gate systems, etc. Ensure two-factor authentication is used for remote access to your network and for administrative cloud consoles.
5) Security Awareness and Training — Ensure your employees, contractors and third parties are informed of their data protection and information security responsibilities. For example, ensure users take information security awareness training upon hire and annually thereafter to keep up with the latest security threats and increase their knowledge.
6) Data Security — Ensure data-at-rest and data-in-transit are protected. For example, encrypt customer or personal data using strong cryptographic algorithms such as AES-256 for storing personal data, or SHA2 for hashing passwords. Ensure credentials are encrypted when sent across your network, such as by using HTTPS/SSL to secure web logins. Keep track of assets from the time they are first purchased or added to the network. Make sure that your testing environment is separated from your production environment.
7) Information Protection Processes and Procedures — Ensure you have a “known good” baseline configuration for your systems that has been hardened to meet industry best practices (e.g., NIST or DISA). Implement good change management procedures to ensure changes are approved by management and documented. Don’t forget to also back up your data!
Also, implement a good incident response and business continuity program (including a disaster recovery plan) in the event your business is hit with a natural disaster, power failure or internet threat. Test, test and test your plans.
8) Data Loss Prevention (DLP) Technology — Keep and maintain audit/log records on your systems. Protect networks and telecommunications from unauthorized use and access. Monitor or prevent data leakage by limiting the use of removable media in accordance with company policy. For example, DLP software can be used to restrict the use of USB drives and/or web e-mail that is not authorized.
Detect: Develop and implement the appropriate activities to identify the occurrence of internet security breaches.
9) Detect and monitor for anomalies and breaches — Detect and analyze network and system events for unusual activity. Small businesses should review access logs and web logs for unusual activity, spikes in activity or a large number of failed login attempts. For example, do you see any unauthorized accounts added to your systems? Are your daily web logs larger than normal in a way that does not correlate with your average web traffic? It is also critical to install and keep up-to-date anti-virus software on all of your systems. Continuously monitor for malware and remove it immediately when detected. Also, scan the network for vulnerabilities and patch systems consistently and in a timely manner.
Invest in Security Information and Event Management (SIEM) systems designed to correlate and aggregate security events in a centralized console. Intrusion Detection Systems (IDS) should also be implemented for larger networks.
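As an added example (not code from the original post), the small Python script below applies two of the checks above to constructed sample auth log lines: it counts failed SSH logins per source address and flags any source exceeding a threshold, and it lists accounts created on the host that are not on an approved list. The log lines, host name, addresses and the `svc_backup` account are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample syslog-style auth log lines; not from any real system.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Mar  3 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar  3 09:12:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar  3 09:12:08 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar  3 09:12:10 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar  3 09:13:00 web01 sshd[2220]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Mar  3 09:13:30 web01 sshd[2221]: Accepted password for alice from 198.51.100.4 port 41001 ssh2
Mar  3 09:14:02 web01 useradd[2290]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
"""

# sshd failure line: optional "invalid user" prefix, then the account and source IP.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
# useradd records a new account as "new user: name=<account>, ..."
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def review_auth_log(text, fail_threshold=5, approved_users=frozenset()):
    """Return (suspicious_sources, unapproved_new_accounts).

    suspicious_sources maps a source IP to its failed-login count when that
    count reaches fail_threshold; unapproved_new_accounts lists accounts
    created on the host that are not in approved_users.
    """
    failures = Counter()
    new_accounts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1   # count failures per source address
            continue
        m = NEW_USER_RE.search(line)
        if m and m.group(1) not in approved_users:
            new_accounts.append(m.group(1))
    suspicious = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return suspicious, new_accounts


if __name__ == "__main__":
    sources, accounts = review_auth_log(SAMPLE_LOG)
    for ip, count in sources.items():
        print(f"review: {count} failed logins from {ip}")
    for name in accounts:
        print(f"review: unapproved account created: {name}")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh`) export, the same function gives a daily list of sources and accounts worth a closer look; pass the accounts your change process approved as `approved_users` so only unexpected ones are reported.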
Respond: Develop and implement the appropriate activities to take action regarding a detected internet security breach.
10) Response Plans are executed, maintained and communicated — Ensure your staff is prepared to respond and contain an internet security breach. Staff should know their role and how to communicate and contain breaches. For example, employees should report suspicious activities (e.g., phishing attempts or unauthorized access) to management and appropriate authorities. Understand who your internal and external stakeholders are and how to get in touch with law enforcement agencies.
11) Mitigation of security breaches — Ensure incidents are contained and mitigated. For example, you may have to take that malware-infected laptop or web server offline to prevent the spread of malicious software or access to the rest of your network. Preserve logs and document activity as needed for forensics or legal requirements, or to assist potential law enforcement efforts. Address the underlying vulnerabilities to ensure the breach or infection does not happen again. Finally, analyze breaches to capture lessons learned and share them through appropriate information sharing and security awareness training.
Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired due to a security breach.
12) Recovery planning, improvements, and communication — Ensure your business has a plan to recover systems or services affected by an internet security breach. Incorporate lessons learned to improve future response and recovery processes. Communicate recovery activities to internal and external parties (such as victims, ISPs, vendors and coordinating centers). Finally, manage public relations and repair any damaged reputation as appropriate.
In conclusion, these safeguards may give you some ideas on how to improve security in your business, whether you are a startup or a small business, or complement your existing security program.
If you want to learn more about security principles you can contact me.