How Small Businesses Can Mitigate Cyber Risk
I was required to write the following article as part of a job interview. It isn’t doing any good just sitting in my documents folder, so I decided I would publish it here. There weren’t many requirements for this paper: just around 2 pages and informal. So it is very informal.
With that being said, take a look at it! I’d love to hear your thoughts on it. Did I miss anything or get anything wrong? How do you approach mitigating cyber risk for small businesses? Let’s discuss!
Cyber risk is the potential harm to a business from the failure or compromise of its information and communications systems. This harm can be monetary loss, productivity loss, intellectual property loss, reputational damage, or even physical damage. Every business is affected by cyber risk because every business has or provides something of value. Luckily there are ways to reduce or mitigate this risk. Because the focus here is small businesses, it is assumed that there is little to no budget allocated for cyber security spending, so the emphasis is on controls that cost time and discipline rather than money.
Before we get into how to mitigate cyber risk, we need to understand the goal of cyber security. The three pillars of cyber security are Confidentiality, Integrity, and Availability, known together as the CIA triad. Confidentiality ensures that only authorized users can access data, and that those who are not authorized cannot. Integrity ensures that data has not been altered without authorization and can be trusted as reliable. Availability ensures that authorized users can access the data they need when they need it. Understanding the CIA triad is fundamental to any security program, no matter how simple or complex the program is; every control below protects at least one of the three.
While we can implement countless technical controls, we can’t neglect the end users. Human error plays a huge role in successful cyber-attacks. Do the employees of your business know what a phishing email looks like? Do they know who to report phishing attempts or any other cyber security issues and concerns to? Are they kept up to date on the newest cyber-attacks relevant to your business? Employees can be educated through regular training, lunch-and-learns, or even a regular cyber security newsletter. We should also foster an environment of transparency in the workplace, where reporting a mistake is thanked rather than punished. Being notified that someone clicked a malicious link right after they realized their mistake is far better than finding out months later that every employee’s address and SSN are being sold on the dark web.
Next up is asset inventory. Taking inventory of assets can become a lengthy project, but how can you protect what you don’t know you have? An inventory of hardware, software, cloud accounts and who owns each of them lets you understand your real attack surface. Is there a forgotten database server connected to the internet? Are there rogue access points set up? Rerun the inventory regularly and compare it against the last one so that new or unknown devices stand out instead of quietly accumulating.
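As an added example (not part of the original article), here is the kind of comparison the last sentence describes: a small Python script that parses the output of a ping sweep and reconciles it against the inventory list. The scan text is constructed to look like `nmap -sn -oG -` grepable output, and the inventory addresses, hostnames and owners are made up for illustration.

```python
import re

# Known assets, as a small business might keep them in a spreadsheet.
# Constructed sample data, not a real network.
INVENTORY = {
    "192.168.1.1": "gateway (owner: IT)",
    "192.168.1.10": "file server (owner: IT)",
    "192.168.1.20": "printer (owner: office)",
}

# Constructed text in the shape of `nmap -sn -oG -` (grepable) output.
# One "Host:" line per responding device; fields are tab separated.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.10 (fileserver.lan)\tStatus: Up
Host: 192.168.1.57 ()\tStatus: Up
Host: 192.168.1.99 (old-db.lan)\tStatus: Up
# Nmap done: 256 IP addresses (4 hosts up) scanned in 2.31 seconds
"""

# Host: <ip> (<reverse name or empty>)<tab>Status: <Up|Down>
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_grepable(text):
    """Return {ip: hostname} for every host reported Up in grepable output."""
    live = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            live[m.group(1)] = m.group(2)
    return live


def reconcile(inventory, live_hosts):
    """Split the scan result into what we did not know about and what we
    expected but could not see (unplugged, or moved and never updated)."""
    unknown = {ip: name for ip, name in live_hosts.items() if ip not in inventory}
    missing = {ip: desc for ip, desc in inventory.items() if ip not in live_hosts}
    return unknown, missing


def report(inventory=INVENTORY, scan_text=SCAN_OUTPUT):
    unknown, missing = reconcile(inventory, parse_grepable(scan_text))
    return {"unknown": unknown, "missing": missing}


if __name__ == "__main__":
    result = report()
    for ip, name in result["unknown"].items():
        print(f"UNKNOWN  {ip:15} {name or '(no name)'}  <- investigate")
    for ip, desc in result["missing"].items():
        print(f"MISSING  {ip:15} {desc}  <- update the inventory?")
```

The two unknown hosts are exactly the "forgotten database server" and "device nobody owns" cases from the paragraph; the missing printer is the other half of the job, keeping the inventory honest. On a real network the scan output would come from running the scan yourself, ideally on a schedule.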
One of the first lines of defense for a network is a firewall. Firewalls separate networks from each other and allow only authorized traffic between them. Packet filtering firewalls decide packet by packet, based on addresses, protocol and ports. If the firewall only allows traffic to port 443 and not port 80, it drops packets addressed to port 80. Stateful packet inspection firewalls build on this by tracking each connection as a whole: a reply from the internet is only let in if it belongs to a conversation that a client on the inside started, so there is no need to leave high ports permanently open for return traffic. Another type of firewall is a proxy firewall. A proxy terminates the client’s connection and opens a separate one to the destination, so no packet from the outside ever reaches the user’s machine directly. This isolates the user from the external network and lets the proxy inspect the application data, at the cost of some latency. For a small business, the firewall built into the internet router or the operating system is usually enough, provided its default of denying inbound connections is kept and only the services actually needed are opened.
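To make the stateless versus stateful distinction concrete, here is an added example (my code, not the article’s) that models both filters in a few lines of Python and runs four constructed packets through them. The LAN prefix 10.0.0.0/24 and the internet addresses from the documentation ranges are assumptions for the demonstration.

```python
from dataclasses import dataclass

# Constructed addresses: 10.0.0.0/24 is the office LAN; 198.51.100.x and
# 203.0.113.x (documentation ranges) stand in for internet hosts.
LAN_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def from_lan(pkt):
    return pkt.src.startswith(LAN_PREFIX)


# --- Stateless packet filter -------------------------------------------
# Each rule is (direction, destination port). "out" = leaving the LAN,
# "in" = arriving from the internet. Anything not listed is dropped.
STATELESS_RULES = {("out", 443), ("out", 53)}


def stateless_allow(pkt, open_high_ports=False):
    direction = "out" if from_lan(pkt) else "in"
    if (direction, pkt.dport) in STATELESS_RULES:
        return True
    # A stateless filter cannot tell a reply from an attack. To let replies
    # back in it has to open every ephemeral port, to everyone.
    return open_high_ports and direction == "in" and pkt.dport >= 1024


# --- Stateful packet inspection ----------------------------------------
class StatefulFilter:
    """Allows outbound connections to listed ports and remembers them, so a
    packet from the internet is only let in when it answers one of them."""

    def __init__(self, outbound_ports):
        self.outbound_ports = set(outbound_ports)
        self.connections = set()  # (src, sport, dst, dport) opened from inside

    def allow(self, pkt):
        if from_lan(pkt):
            if pkt.dport in self.outbound_ports:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Inbound: the reply to (a, b, c, d) arrives as (c, d, a, b).
        # No matching conversation means nobody asked for it: drop.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def demo():
    request = Packet("10.0.0.5", 51000, "198.51.100.7", 443)  # browser -> web
    reply = Packet("198.51.100.7", 443, "10.0.0.5", 51000)    # web -> browser
    spoof = Packet("203.0.113.9", 443, "10.0.0.5", 51000)     # unsolicited, same ports
    probe = Packet("203.0.113.9", 40000, "10.0.0.5", 445)     # SMB scan
    packets = (request, reply, spoof, probe)

    stateful = StatefulFilter(outbound_ports=[443, 53])
    return {
        "stateless_strict": [stateless_allow(p) for p in packets],
        "stateless_opened": [stateless_allow(p, open_high_ports=True) for p in packets],
        "stateful": [stateful.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:17} request={verdicts[0]} reply={verdicts[1]} "
              f"spoof={verdicts[2]} probe={verdicts[3]}")
```

The strict stateless ruleset drops the legitimate reply, so browsing does not work; opening the high ports fixes that but also admits the unsolicited packet aimed at the same ports. The stateful filter passes the real reply and drops both the spoofed packet and the SMB probe, because neither matches a conversation the inside started.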
Along with firewalls, antivirus software should be installed on every endpoint, not just on a central server. Antivirus produces false positives and false negatives, but it is still crucial and far more user-friendly than an intrusion detection/prevention system. Antivirus scans files and running programs for known-malicious signatures and suspicious behaviour, then notifies you or quarantines the item. Make sure its definitions update automatically; antivirus with stale signatures gives little more than a false sense of security.
Another way to mitigate cyber risk is to enforce a strong password policy. Length matters more than complexity: a 16-character passphrase with no symbols is far harder to guess than an 8-character password with a digit and a symbol. Require a minimum length (12 is a reasonable floor) and drop mandatory special-character rules, which mostly produce predictable substitutions. Encourage employees to use passphrases, such as lyrics to a song, that can easily be remembered, and encourage them not to reuse any of their passwords. If there is a password expiration policy currently in place, disable it. Having employees reset their password every 30, 90 or however many days is an inconvenience, and they’ll find that incrementing their password by one number is an easy workaround; force a change only when there is reason to believe a password has been exposed. Along with a strong password policy, passwords should be stored hashed and salted, using a slow, purpose-built password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) rather than a plain hash like MD5 or SHA-1, so that a stolen database still takes real effort to crack. Tools like Specops Password Auditor or the Have I Been Pwned Pwned Passwords service can notify administrators if any Active Directory passwords appear in known breaches, and new passwords can be checked against the same list at the moment they are set. Password managers should be used where possible. People shouldn’t have to memorize countless passwords if it can be helped, and a password manager ensures that strong, unique passwords are used for each account. Any default passwords on network devices such as routers should also be changed.
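Here is an added Python example (mine, not the article’s or any vendor’s code) that puts the three pieces of the paragraph together: a policy check that prefers length over composition rules, a breach lookup in the style of the Have I Been Pwned range API, and salted storage with a slow hash. The range lookup is simulated offline with a constructed two-entry breach list; the real service is queried with only the first five hex characters of the SHA-1, which is why the code splits the hash that way. The minimum length and iteration count are assumed policy values.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12            # assumed policy floor
PBKDF2_ITERATIONS = 200_000  # assumed; raise as hardware allows
SALT_BYTES = 16


def fake_range_lookup(prefix5):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix5>.

    The real API returns one "SUFFIX:COUNT" line per breached SHA-1 sharing
    the 5-character prefix, so the full hash never leaves your machine.
    The breach list here is constructed, not real data."""
    breached = ["Password123!", "letmein"]
    lines = []
    for pw in breached:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        if digest[:5] == prefix5:
            lines.append(f"{digest[5:]}:42")
    return "\n".join(lines)


def is_breached(password, range_lookup=fake_range_lookup):
    """k-anonymity check: send the prefix, compare suffixes locally."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in range_lookup(prefix).splitlines():
        if line.split(":")[0] == suffix:
            return True
    return False


def check_policy(password):
    """Return the reasons a password is rejected; an empty list means OK.
    Deliberately no symbol/digit rules: length and not-breached are what count."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known breach")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest for storage."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == "__main__":
    for pw in ["letmein", "Password123!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_policy(pw) or 'accepted'}")
    stored = hash_password("correct horse battery staple")
    print("verify right:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("correct horse battery stapler", stored))
```

Swap `fake_range_lookup` for a function that performs the real HTTPS request and the same `is_breached` works against the live service. Note that `Password123!` satisfies every classic complexity rule and still fails, which is the point of checking against breach data instead.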
Another crucial tactic to mitigate cyber risk is implementing the need-to-know and least-privilege principles. Users should only have the permissions they need to perform their job and nothing more. For example, day-to-day users don’t need administrative privileges, and the people who do administer systems should use a separate admin account for that work and a normal account for email and browsing. If and when a user runs a malicious program, and they only have the permissions to do their job, the program runs with those same limited permissions: it cannot install drivers, disable the antivirus or reach other people’s files, and containing it is much easier.
Active Directory service accounts deserve the same treatment. Give them strong, unique passwords, grant them only the rights the service actually needs (never Domain Admins), restrict the hours and hosts they can log on from, and audit their activity; a service account that suddenly logs on interactively at 3 a.m. is a strong sign of compromise.
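As an added example (not from the article), here is a small audit that turns the two paragraphs above into checks over an account export. The CSV is constructed to resemble what you might get from exporting user and service accounts with PowerShell; its column names, account names and the 365-day password-age limit are all assumptions for the illustration.

```python
import csv
from io import StringIO

# Constructed export of a few accounts. Columns are hypothetical, chosen to
# carry just the attributes the checks below need.
EXPORT = """\
name,kind,member_of,logon_hours,last_interactive_logon,password_age_days
alice,user,Domain Users;Finance,,2024-05-02,40
bob,user,Domain Users;Domain Admins,,2024-05-03,12
svc_backup,service,Domain Users;Backup Operators,20:00-04:00,,30
svc_sql,service,Domain Users;Domain Admins,,2024-05-03,900
svc_print,service,Domain Users,08:00-18:00,,200
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
MAX_SERVICE_PASSWORD_AGE_DAYS = 365  # assumed policy value


def audit_accounts(rows):
    """Return (account, finding) pairs for every least-privilege violation."""
    findings = []
    for row in rows:
        name, kind = row["name"], row["kind"]
        groups = {g for g in row["member_of"].split(";") if g}
        privileged = sorted(groups & PRIVILEGED_GROUPS)

        # Everyday accounts with admin rights: one bad click runs as admin.
        if kind == "user" and privileged:
            findings.append((name, f"everyday account is in {', '.join(privileged)}; "
                                   "give this person a separate admin account"))

        if kind == "service":
            if privileged:
                findings.append((name, f"service account is in {', '.join(privileged)}; "
                                       "grant only the rights the service needs"))
            if not row["logon_hours"]:
                findings.append((name, "no logon-hours restriction; "
                                       "limit it to the service's schedule"))
            if row["last_interactive_logon"]:
                findings.append((name, f"interactive logon on {row['last_interactive_logon']}; "
                                       "service accounts should never log on at a console"))
            if int(row["password_age_days"]) > MAX_SERVICE_PASSWORD_AGE_DAYS:
                findings.append((name, f"password is {row['password_age_days']} days old; "
                                       "rotate it and store it in the password manager"))
    return findings


def audit_csv(text):
    return audit_accounts(csv.DictReader(StringIO(text)))


if __name__ == "__main__":
    for account, finding in audit_csv(EXPORT):
        print(f"{account}: {finding}")
```

Run against the sample, only `bob` (an everyday user sitting in Domain Admins) and `svc_sql` (privileged, unrestricted, used interactively, with a 900-day-old password) produce findings; `svc_backup` and `svc_print` are what a correctly scoped service account looks like.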
Something crucial to both mitigating cyber risk and business continuity is backups. It’s important to make backups regularly, to store a copy off-site such as in the cloud, and to keep at least one copy offline or otherwise unreachable from the network, because ransomware will happily encrypt any backup drive it can see. Cloud-based solutions are convenient because they scale easily and most encrypt the data at rest; check that yours does, and who holds the key. It’s also important to create a retention policy. It’s not necessary or feasible to store every single backup for all time, and retention should be tailored to each business’s needs; a common scheme keeps daily backups for a week, weekly backups for a month or so, and monthly backups for a year. Finally, test a restore now and then, since a backup that has never been restored may not work when it is needed. If malware takes over someone’s computer, the machine can then be wiped and restored from backup without much disruption.
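The daily/weekly/monthly scheme just mentioned is usually called grandfather-father-son retention. As an added example (my code, not the article’s), here is a Python implementation that decides which backups to keep and which to delete; the 7-day, 5-week and 12-month windows are assumed values, and the sample backup history is constructed.

```python
from datetime import date, timedelta


def prune_backups(backups, today, keep_daily=7, keep_weekly=5, keep_monthly=12):
    """Grandfather-father-son retention.

    backups: dates on which a backup exists (at most one per day).
    Returns (keep, delete) as sorted lists of dates. The window sizes are
    assumptions; tune them to the business and its storage budget."""
    backups = sorted(set(backups))
    keep = set()

    # Sons: every backup from the last keep_daily days.
    keep.update(d for d in backups if today - d < timedelta(days=keep_daily))

    # Fathers: the newest backup of each ISO week within the last keep_weekly weeks.
    # backups is ascending, so the last date seen for a week wins.
    newest_in_week = {}
    for d in backups:
        if today - d < timedelta(weeks=keep_weekly):
            newest_in_week[d.isocalendar()[:2]] = d
    keep.update(newest_in_week.values())

    # Grandfathers: the newest backup of each month for roughly keep_monthly months.
    newest_in_month = {}
    for d in backups:
        if today - d < timedelta(days=31 * keep_monthly):
            newest_in_month[(d.year, d.month)] = d
    keep.update(newest_in_month.values())

    delete = [d for d in backups if d not in keep]
    return sorted(keep), delete


def daily_backups(first, last):
    """Constructed sample history: one backup every day, first..last inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


if __name__ == "__main__":
    today = date(2024, 6, 30)
    keep, delete = prune_backups(daily_backups(date(2024, 1, 1), today), today)
    print(f"keeping {len(keep)} of {len(keep) + len(delete)} backups:")
    for d in keep:
        print(" ", d)
```

With six months of daily backups, the policy keeps 16 copies: the last seven days, the Sunday of each of the last five weeks, and the last day of each month. The newest backup is always in the daily window, so the function can never delete the only recent copy; run the delete step only after the newest backup has been verified.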
Another important task to do regularly is updating and patching software, network devices and endpoints; better yet, schedule these updates so they happen without anyone having to remember. If there’s any worry about incompatibility with applications, updates and patches can be rolled out in stages, to a handful of machines first, to see whether there is any real disruption to usability or functionality before the rest follow. And if proper backups are in place, a bad update can be rolled back. Don’t forget the devices that aren’t PCs: the router, the WiFi access points, printers and any network-attached storage all run software that needs updating too.
The last tactic I will mention is ensuring that if there is a WiFi network in use, it uses the WPA2 security standard (or WPA3, where the access point and the devices support it) rather than WPA or WEP. WEP is broken outright and WPA’s TKIP has known weaknesses; WPA2 with AES (CCMP) is the most secure of the three, provided the pre-shared key is long and is not the one printed on the router. Turning off SSID broadcasting is sometimes suggested as well, but a hidden network is discovered within seconds by tools like airodump-ng, so it should not be counted as a security control.
This document serves as a starting point advising small businesses on how they can mitigate cyber risk; it is not exhaustive. Each business is encouraged to implement and improve upon it. Cyber security is everybody’s responsibility because it affects everybody. When employees are educated on cyber security, changes to operations that benefit security will be more openly accepted. And with an open conversation between end-users and the IT department, “weak links”, the areas where security is lacking in the business, can be more easily identified.