3 Reasons for Small and Medium Business to Care About Information Systems Security
You're a successful medium-sized business. You have worked hard to build your business and protect your assets. What about your information systems? Have you given due care to securing your systems and the information they hold? Today's technology landscape changes from day to day; security is no longer a nice-to-have, and anti-virus plus a firewall is no longer enough to protect what you've built. Unfortunately, a business of your size is probably at the greatest risk of compromise.
There are a few reasons:
- You might have a limited budget, and security products and services are relatively expensive.
- You may have limited IT staff, with no one person focused on security.
- You have assets of value that attackers want, and you probably don't realize it.
Let's peel back a layer on each one of these, hopefully making information systems security more relevant to you.
Limited Budget
Attackers know that you are not a Fortune 50 company with deep pockets to invest in security analysis, software, and hardware. They know you probably have a standard firewall with basic antivirus protection, and that once a system is compromised you are unlikely to have tools that alert you and defend against a moderate to significant attack. An attacker is counting on you reacting to a compromise or breach instead of protecting against it. The good news is that, starting from a business risk and impact analysis, we can help determine which investments within your budget will have the most impact on defending your environment.
No single tool is the key to protection either. I would rather have layers of inexpensive software and hardware than a single layer of the most expensive intrusion detection and prevention appliance out there. You can do simple things like ensuring unneeded Windows services are disabled and ensuring patches are actually being distributed to your client systems. Intrusion Detection System (IDS) software and hardware has come down significantly in price and can monitor your network for anomalies. You can also engage a partner, like Kelser, to perform independent penetration testing and vulnerability assessments instead of investing directly in expensive software and hardware.
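As an added example (not code from the original post or from Kelser), here is a small hardening audit a thinly staffed IT shop can run on a Windows client to cover the two "simple things" above: unneeded services and patch currency. The service allowlist, the unwanted-service list and the 30-day patch threshold are assumptions to adjust to your own build standard; it requires an elevated PowerShell prompt and only reports unless run with -Enforce.

```powershell
# Added example, not from the original post. Audits running services against a
# baseline, optionally disables known-unwanted services, and checks how old the
# newest installed update is. Run from an elevated PowerShell prompt.
param(
    [switch]$Enforce,            # without this switch the script only reports
    [int]$MaxPatchAgeDays = 30   # assumption: flag hosts not patched in 30 days
)

# Hypothetical allowlist: services this organization intentionally runs.
$approvedServices = @(
    'BFE', 'Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation', 'MpsSvc',
    'Schedule', 'W32Time', 'WinDefend', 'wuauserv'
)

# Hypothetical list of services rarely needed on a workstation and often
# abused when left running.
$unwantedServices = @('RemoteRegistry', 'TlntSvr', 'SNMP', 'SSDPSRV', 'upnphost')

# 1. Running services that are not on the allowlist: each one needs a review.
$unexpected = @(Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $approvedServices -notcontains $_.Name })
Write-Host "Running services not in the baseline ($($unexpected.Count)):"
$unexpected | Select-Object Name, DisplayName, StartType | Format-Table -AutoSize

# 2. Known-unwanted services: stop and disable them when -Enforce is given.
foreach ($name in $unwantedServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # not installed on this host
    if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') { continue }
    if ($Enforce) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        Write-Host "Disabled $name"
    } else {
        Write-Warning "$name is $($svc.Status) (start type $($svc.StartType)); rerun with -Enforce to disable"
    }
}

# 3. Patch currency: date of the most recently installed update. A host whose
# newest update is months old is one where patch distribution has broken.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    Write-Warning 'No installed updates reported; check that Windows Update is reaching this host'
} else {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    if ($age -gt $MaxPatchAgeDays) {
        Write-Warning "Last update ($($latest.HotFixID)) was installed $age days ago; patch distribution may be broken"
    } else {
        Write-Host "Last update $($latest.HotFixID) installed $age days ago"
    }
}
```

Run it as `.\Audit-Client.ps1` first to see what it would change, then `.\Audit-Client.ps1 -Enforce` once the lists match your environment. Scheduling it across clients and collecting the warnings gives you the patch and service visibility the paragraph describes without buying an appliance.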
Limited IT Staff
Again, an attacker knows you aren't a Fortune 50 company with a CISO and an entire Information Systems Security (ISS) team dedicated to nothing but testing for, detecting, and acting on vulnerabilities, breaches, and attacks in your environment. The same attacker probably knows your IT staff is spread thin and can distract your admin with a simple outage while a more severe breach or compromise takes place. Attacks today can be extremely sophisticated, and the attacker has probably had far more time to plan the attack than your staff has had to prepare for it.
Since your staff is limited, an attacker relies on that to break in and out quickly, taking confidential data, compromising system integrity, or impacting availability. Even after the attack, the attacker is almost guaranteed not to be detected. Are your admins monitoring the security logs on your systems every day? Probably not; they have to make choices about where to spend their time to keep your business running.
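An added example (not from the original post) of the kind of daily check an overextended admin can schedule instead of reading the Security log by hand: it summarizes failed logons (Windows Event ID 4625) over the last 24 hours, groups them by source address, and flags sources above a threshold. The 24-hour window and the threshold of 10 are assumptions, and it must run with rights to read the Security log.

```powershell
# Added example, not from the original post. Summarizes failed logons from the
# local Security log so that password guessing and spraying stand out without
# anyone reading raw events. Run elevated, or under a scheduled task with rights
# to the Security log.
param(
    [int]$Hours = 24,      # assumption: look back one day
    [int]$Threshold = 10   # assumption: flag a source with 10 or more failures
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625        # "An account failed to log on"
    StartTime = $since
} -ErrorAction SilentlyContinue   # suppresses the "no events found" error

if (-not $events) {
    Write-Host "No failed logons since $since"
    return
}

# Pull the fields we care about out of each event's XML payload.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $data['TargetUserName']
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']   # 3 = network, 10 = RDP, 2 = interactive
        SubStatus   = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

Write-Host "$(@($rows).Count) failed logons since $since"

# Many failures from one source is password guessing; many distinct users from
# one source is password spraying. Either deserves a look the same day.
$rows | Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $users = @($_.Group | Select-Object -ExpandProperty User -Unique)
        Write-Warning ("{0}: {1} failures against {2} account(s): {3}" -f `
            $_.Name, $_.Count, $users.Count, ($users -join ', '))
    }

# Also show the accounts being hit most, regardless of source.
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 5 @{Name = 'User'; Expression = { $_.Name }}, Count |
    Format-Table -AutoSize
```

Pointing this at each server's Security log once a day, and sending the warnings to a mailbox someone actually reads, is a cheap substitute for the monitoring a dedicated team would do; a centralized log collector and an IDS can come later, as budget allows.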
Assets of Value
Let's be clear: if you are in business, you have things that people want. Attackers want your money. Unfortunately, theft is a reality of life, and cyber theft is a trend that is not going away. You need to be prepared for when cyber theft happens; it is not a matter of "if". There are other things, outside of money, that attackers want too. They might want to use your network to launch an attack on another network, and there may be legal ramifications around due care and due diligence if someone uses your network to attack another organization or steal property from another network. You may have intellectual property or trade secrets that an attacker would be interested in. The bottom line: do not assume that because you are smaller than "the big guys" you have nothing an attacker wants; you do.
All things considered, there is a very bright side. It is true that most people generally want to do the right thing and are not doing anything malicious. There is technology that can detect attacks and defend your network, protecting your assets. There are consulting firms, like Kelser, who can help you identify risk areas and lower your overall risk profile to a point where you are willing to accept the remaining risk. Kelser can help implement defenses and help you develop procedures to mitigate and contain incidents when they happen. When an incident happens, will you be prepared to address it? Maybe start with an assessment to determine where you stand today.