Despite the best efforts of some of the smartest minds in security, companies still get hacked. As we increasingly live our lives online, our digital information is vulnerable, but the biggest risk is actually us.
This month, the IT security conference RSA was held in San Francisco. As one of the largest events of its kind, it attracts some of the best in the field to discuss the right mix of technology, talent and processes to keep intellectual property out of the wrong hands.
"The reality is that everyone will get breached at some point and how your organization responds before any real damage occurs will dictate whether you have a publicly reportable problem or a simple remediation," said Brian NeSmith, President and CEO of Arctic Wolf Networks.
At Xero we recently deployed two-step authentication and last login details, and for a while now we've enabled customers to create multiple logins to one account so passwords don't need to be shared. During the development of these features we found there was a general lack of understanding around the management of IT security in small businesses.
Here are NeSmith's top tips to build security into a small business.
Hire an expert
Just like an accountant generally understands taxation rules better than a plumber, and a florist will usually have a better grasp on what flowers are in season than an accountant, an IT security pro will know how to protect your intellectual property and keep your data secure.
"Every organization needs a basic level of security, which generally includes a firewall, some e-mail, and anti-virus protection. There are many great solutions out there but deploying these properly requires decent security expertise. The sensitivity of the information or the criticality of your IT systems to your business will dictate what you need and how to deploy it," NeSmith said.
The scary fact is that most small businesses don't extend IT security beyond installing virus protection. NeSmith says that in that scenario it's almost guaranteed your organization will suffer a breach of some sort.
"If you are connected to the Internet now, most likely you have a compromised network that can range from someone simply using your infrastructure to serve spam mail or maybe part of a botnet network all the way to a hacker pulling down your customer list or key intellectual property," he said.
"More recently we've seen a growth in ransomware that will lock your systems up and you can only recover by paying a 10-20k ransom to get the keys back for your data."
This is where security gets tricky. You need to have continuous monitoring to recognize when your protection has failed.
"Once inside your network, a hacker usually stays quiet and surveys the environment to find the truly valuable stuff. From the first breach the hacker moves laterally to compromise something worthwhile. Continuous monitoring of various types of systems allows you to detect this behavior and remediate the basic breach before the hacker can compromise anything valuable," he said.
Build a security-conscious culture
Even if it's just you in your business, always having security front of mind when checking emails, choosing a password or sending information will help protect your data.
"Most breaches start very simple with little damage. Hackers look for any way to get around your basic protection. The most obvious way is your employees. Your people will click on links, download content, respond to emails that look benign but help the hacker bypass your defenses."
Plan for the worst
Recovery from a breach needs to be planned in advance. NeSmith recommends working with your advisor to compile an incident response plan for how you clean up various types of breaches, and a business continuity plan with proper backups to recover from more significant hacks.
"You plan in advance what you will do depending on the nature of the breach and what was compromised. Do you remove the device from the network? Do you run some sort of clean-up tool or do you reimage the systems and restore from backups? A good incident response plan along with a business continuity plan with proper backups ensures that any breach is an inconvenience, not a disaster," NeSmith said.
A little preparation will serve you well when, not if, you do get attacked and breached.