I have written frequently about various scams and wrongdoing that have been perpetrated by “bad actors” around the world. Their attempts to profit by phishing for your personal information, obtaining your company’s data, or by wreaking havoc on your computers to collect a ransom have continued unabated. According to several threat analysis reports, these violations are escalating.
Accordingly, I have built what I consider to be an adequate security solution to offset, if not lessen, those threats. But as we all know, these unscrupulous offenders are relentless in their pursuit of illegal gains – because of the high payoff from their activities.
While reducing the number of attacks is one thing, I no longer believe that it is possible to eliminate them. I want to make sure that small business owners are aware of a variety of defenses that they can put in place to help prevent various attacks from ending badly for them and their business.
If you think back in historical terms, a castle had many defenses: the moat, the drawbridge, the battlements, the inner wall, and finally, the walls of the building itself. A business must have similar levels of security mechanisms in place to prevent cyber-attacks from causing devastation. Because without multiple layers of protection, the likelihood is, something malicious will get through, and whatever that something is, it will wreak havoc on you and your business.
In mid-June, I attended a webinar that featured one session that blew my simple analogy to shreds. Bruce McCully, president of Galactic Advisors, has come up with a more sophisticated method of determining risk, and thus, identifying areas of improvement for security measures for small businesses.
His approach comprises six layers of protection, which surround the assets of a company. He defines assets as any file system data, a Human Resources system, Payroll data, or database. Those six layers are:
The Human layer describes, as you would expect, the actions taken by the employees of a company. They are the first line of defense against any attacks on any small business, but they are also the weakest. This is why policies, procedures, and training are so important.
The Perimeter layer describes the rules required by the company’s firewall. A firewall is an appliance that reads the incoming and outgoing internet traffic and scans for anything unusual.
The Network layer is one that focuses on how an organization connects their computers and devices.
The Application layer involves the remote monitoring and maintenance software that IT technicians employ.
The Endpoint layer consists of the computers that run next-generation antivirus security.
Finally, the Data layer is the one that details the company’s back-up and restore policies. After all, if you are not backing up your important files – with the foresight of knowing how quickly you can restore them in the event of any attack – you are not protecting your assets.
All of this seems reasonably straight forward, and it is. Where it gets more complicated is when McCully says that it is not enough to have those layers and apply rules to them. No, he adds that it is essential to add gradations to those layers. He proposes four, although not all four apply to each segment. Those categories are:
Yes, it would help if you prevented terrible things from happening. It takes a significant amount of discussion with a business owner to determine just how he or she would want to go about doing that. But it would be best if you also guard against inadvertent data loss that is not necessarily controlled by people. Next is the ability to detect intrusions of almost any kind, and define the alerting mechanisms to ensure they are acted upon promptly. Finally, you must develop Breach Response Procedures and possibly involve a third-party Security Operations Center to track the elusive path of the threat vector that attacked your company — and clean up afterward.
McCully then describes three levels of business needs for each of these components:
- Basic needs
- Security compliance requirements
- Compliance-driven mandates
For each of these, he includes the following scale:
- Non-essential, meaning it is not a core component of the company’s security program.
- Recommended, because it is necessary to educate the company about the solutions, whereby they will invest in a more secure environment.
- Mandatory, which he defines as “table stakes items;” these are items that, if not implemented, are considered negligent.
This vast matrix of layers, categories, and levels is truly wonderful, and incredibly thought-provoking material. I plan to spend several weeks working to formulate my responses for each aspect of this new roadmap. And the very first step in this arduous journey will be to apply all of these elements to my business, and to shore up my documentation and defenses. I am certain the result of those efforts will be various proposals for new and improved ways in which to safeguard your home computers, your “work at home” laptops, and all the small business networks that I serve.
Thanks, and safe computing!