With all the talk surrounding cybersecurity, it is easy for the owner of a small business to be overwhelmed. The good news is that you don’t have to feel overwhelmed. While there are no magic bullets, using a layered approach to securing your network is still the most effective way to protect it. Below is my common sense checklist, based loosely on the CIS Controls and broken into three sections based on complexity, for securing your small business.
Back to Basics
If you like sports analogies as I do, you will be pleased to hear that your ability to secure your business involves perfecting the blocking and tackling associated with the basics of network hygiene. If you are going to have a network, these are the most elementary things you should be doing if you are remotely concerned about securing your data.
Inventory Control / Asset Management – Know what you have, where it is and what it does. These are the systems that can and will be attacked in any cyber-attack.
Software Control/ Asset Management – Know what software is running on each of the systems listed above. The more software (or older the software), the more vulnerabilities each system will have.
Manage the Vulnerabilities with Hardware and Software – Make sure to regularly install software and firmware for the hardware and software in your network. You will need to implement regular internal and external vulnerability scans. If the vulnerabilities cannot be patched, consider replacing based on the risk this presents to your organization.
Backups – Once you know what you have and where it resides, make sure you have a reliable backup solution that allows your team to restore the data and systems you need, in the time frame needed to maintain your operational objectives. When you have the solution in place, periodically conduct restoration tests. Nothing ever goes as planned in an emergency – make sure your team has rehearsed the disaster recovery/ business continuity plans.
Limit Administrative Privileges – Only provide users the permissions needed to do their job (Role-Based Access Control – RBAC). When it comes to your IT staff, provide them an administrative account and a normal user account to limit the risk when they are inevitably targeted. When possible, separate the roles and responsibilities so that one person cannot wreak havoc with your network.
Manage User Accounts – Know what accounts exist, what access those accounts are granted and ensure you have a process to disable accounts when not in use. This goes for vendors as well – do not give them complete freedom within your network.
Review Audit Logs – (Yes – it is that important!) – Understanding what is happening, who is accessing or attempting to access resources within your network is critical to identifying problems with your current security posture. This goes for cloud email and applications as well.
Use a Current Firewall – 5th generation firewalls, aka Next-Generation Firewalls (NGFW), offer traditional firewall capabilities with significantly greater inspection capabilities that help identify attacks and malware. To fully leverage these features, you will need to keep your firewall’s subscription services up-to-date.
Web Filtering – Leverage a solution (such as your firewall) to limit web browsing to safe/allowable websites. Regardless of how relaxed your Acceptable Use policy may be, some control is recommended in what websites you allow your employees to visit.
Security Awareness Training – Implement a program that trains and tests your employees on their ability to perform their job securely. Hackers realize your greatest weakness is your employees – make sure they are well trained, know to report suspicious activity and act as your first layer of defense.
Email Protection – Since the majority of malware comes from email, and everyone uses email, you will need a solution to help filter these risks before they get to your click-happy users. If your email is hosted (in the cloud), you will need to ensure you are using an appropriate solution.
Policies, Including Acceptable Use Policies – It is important to implement policies that define appropriate and inappropriate behavior on your network. These policies will not only help protect your company but also define repercussions for misuse of your assets.
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers – Clicking “Next” a bunch of times and then “Finish” is an easy way to deploy a horribly insecure system. The preloaded systems from dealers are often even less secure. Understanding what is needed on a system, and only deploying that, configured securely is a critical step in having a defendable network. This covers installed features, functions, ports, protocols, services, etc.
Wireless Access Control – Wireless connectivity is convenient, especially to hackers, so make sure that if you must deploy wireless access, it is deployed securely, segmented from your internal network, uses web filtering and closely monitored.
Foundational Controls
Malware Defenses – Given the prevalence of malware, malware will get past your perimeter defense, targeting your endpoints, so you will need a solution that helps mitigate this risk.
DNS Filtering – A low-cost solution to help protect users from phishing links and web browsers from malicious sites is DNS filtering. While this won’t protect you from many of the more advanced attacks, this is better than nothing.
Manage Vendor Relationships – Know who you work with, who you share data with and when, why and how they access your network/data. Supply chain attacks focus on the weakest link in the supply chain, so a clever attacker may take advantage in a weakness in one of your vendors to take access of your network.
Multi-Factor Authentication – Given the mobile requirements of most organizations, your users will want/need access to their email and your resources when outside the office. Multi-factor authentication (MFA) can mitigate the risk associated with remote access to your network.
Perform Annual Risk Assessments – Every IT staff, no matter how talented, has blind-spots in their skillsets or makes assumptions about your network. Employing an independent, third-party auditor to perform annual risk assessments helps confirm that you, as the business owner, are doing everything you can to identify and manage the risk associated with your network.
Advanced Controls
Protect Mobile Devices – If your staff accesses corporate email and other resources on their phone, you may want a solution to mitigate risks with data loss and man-in-the-middle attacks.
Managed Detection and Response – The best MDR/EDR solutions add enhanced abilities to detect threats, respond to incidents and continuously monitor endpoints.
Create an Incident Response Plan – As I mentioned earlier in my discussion with backups, nothing ever goes as planned in an emergency, so it is important to plan what happens if/when you experience an incident to have a well-documented plan that includes who will be responsible for communicating to the public and your clients.
Conduct Penetration Testing – Pen testing services attempt to evaluate the security of your applications and infrastructure by safely attacking, identifying, and exploiting vulnerabilities.
Encrypt Critical Systems – There are a variety of encryption solutions, but if you house medical (ePHI), private (PII) or other confidential information, you need to strongly consider encryption to mitigate your risk with an appropriate encryption solution.
Implement Data Loss Prevention – DLP is a solution to prevent critical/sensitive information from being ex-filtrated from your network.
Summary
With all of the misinformation surrounding cybersecurity, it is easy to get overwhelmed. There are no “magic bullets,” no shortcuts, no secrets and no outrunning statistics. If you want a secure network, it will take preparation, commitment to the process and learning from failure. This checklist provides a list of many of the common security tools and methods for protecting networks but should not be considered a complete list.
As a full-service, managed security provider, we assist organizations of all sizes and most verticals with their cybersecurity and risk management needs. If you are looking for a security provider who offers a consultative approach to risk management, we would love the opportunity to earn your business.
