IT Security: Why Most SMBs Get It Wrong

Asking someone if they value IT security is like asking someone whether or not they value profit. Predictably, 100% of the people you talk to will agree, but not everyone will know how to actually improve their results.

Thankfully you do not need to be a cyber security expert to adopt a more secure approach to how you handle your businesses data. The internet is awash with quick tips and guides to improve your IT security. The most common recommendations include regular updates/patching, complex passwords or pass phrases, and multi factor authentication (MFA). Whilst these recommendations are sound, a number of businesses let themselves down in execution.

Security as a Process

IT Security is not something to ‘set and forget’ as many understand it to be. IT Security needs to be implemented in an ongoing process to be effective. To explain this in practical terms, consider the most common recommendations previously stated:

• Regular Updates – Updates are commonly configured to install automatically. The issue arises however that many devices from time to time will stop receiving updates, or an update may fail and not allow further updates to continue. Ongoing motioning and maintenance is required to recognise these failed devices, jump start them again and ensure that updates apply successfully.
• Complex Passwords – The purpose of complex passwords is for them to be harder to break. Credential theft is very common these days and without a strong password policy and regular rotation, even the most complex of passwords can become incredibly vulnerable.
• Multi Factor Authentication – A relatively new security measure designed to combat credential theft. Whilst these systems don’t require maintenance as such, they should be part of a regular security audit and strategy to ensure that all weak points of a system are adequately secure.

IT Security is an arms race. Cyber criminals are constantly updating and improving their methods to exploit targets and make money. As a result businesses need to adopt a process of continual improvement. Regular auditing of security is a must; as is the adaptation and adoption of new security practices. Above all the most important thing a business can do to ensure their protection is to adopt a disciplined process & strategy.

Security Strategies & Process for SMB

Modern security strategies consist of multiple components. Additionally, these components focus on mitigating risks associated with various ‘attack vectors’ or weak points. These vectors include Known Vulnerabilities, Remote Access. Email Filtering, Network Perimeter, etc. SMBs commonly have at least 10-12 attack vectors that they should be concerned with. An effective strategy needs countermeasures for each attack vector. These strategies need to be constantly reviewed and maintained to ensure businesses remain protected.

As an example, a security application responsible for client side content filtering not only needs to be monitored to ensure it’s correctly functioning, but should also be regularly reviewed to ensure:

• Agent installed on all active equipment. This includes any new equipment or devices that may have been missing during deployment.
• Software is still effective and fit for purpose.
• Configuration correctly optimised for ideal balance of protection vs. usability.
• Changes to policies & standards are correctly applied and consistent throughout the environment.

It’s the lack of discipline to the above which causes IT environments to become inconsistent over time. Moreover, from the viewpoint of security, inconsistency is a vulnerability. Enough vulnerabilities and you have an insecure environment, more than likely, this will be without your knowledge.

IT Security with an Outsourced Provider

Most commonly small to medium businesses (SMB) will engage an outsourced IT provider to handle their IT support, security and maintenance. Whilst every IT services company will claim to focus on security, there are some important things to consider.

• Are you paying for a security process?
  Many SMBs assume their IT provider is keeping them secure. Unfortunately as the saying goes, you get what you pay for. Security services are time consuming when done properly. This means SMBs utilising ad-hoc support, block hours or reactive support agreements will not be getting security that’s any more than best effort.
• Can your provider articulate a process they adopt?
  Visiting once a month for maintenance does not guarantee any reduction of risk or common issues. Your provider should be able to explain in plain English their security strategy and process which they execute on your behalf. If they are not able to explain this clearly, it is unlikely to be effective.
• Who dictates your security stance?
  The cart should not lead the horse. Many SMBs adopt security platforms and strategies because their IT provider told them to. It’s very easy to overspend on security. Therefore, it’s critical that these decisions are made with a business outcome in mind.  Your provider should be able to articulate the ROI or risk reduction of every recommendation. Without this they may just be selling product and not necessarily looking out in your interests.

Ignorance is NOT Bliss

In summary, most businesses fail at IT security not because of their lack of knowledge or expertise, but rather, they fail because of complacency. They fail because they assume their IT provider has them covered. Spending money on anti-virus and new routers means nothing if you do not invest in process to ensure their effectiveness.

Success requires focus & accountability. In other words, even if you do not have the knowledge and skills to manage an IT security strategy yourself, you need to have the ability to hold someone accountable who does.

This article as originally published at www.premiertech.com.au

For guidance and advice, contact our experts here or on 1300 781 148.