One of the amazing questions I received this week was about layered security. “What does that look like Micheal?” This week I’ll break down common ways for small businesses to implement multiple levels of security into their business networks to stop the cyber bad guys.
Textbook definition
At the most basic level, layered security means multiple measures that work together to stop an attacker from getting control of a computer or its data. When one layer fails to stop the intruder, another stands ready to defend the business. Think of this like a medieval army composed of infantry, archers, cavalry and, lastly, catapults. Each specialized unit has a weakness, such as armored horsemen falling to infantry with pikes or infantry being mowed down by archers, but the layers of different soldiers compensate for each other, and those weaknesses are no longer as prevalent. Security in a business works the same way: antivirus to stop a virus once it is in a system, user training to identify phishing emails before they are clicked, strong passwords to prevent guessing attacks, software updates to close off old attacks, and so on.
That sounds great, but… expensive
I know what you are thinking: all that sounds good, but very expensive. You’re right, small businesses do have tight budgets. So, how can they afford all these layers of security to protect themselves from cyber criminals? Luckily, many of the things I recommend are either free or affordable options (look for the list at the end of this blog). One statistic from Dr. Jane LeClair states that 96% of attacks are fundamental, meaning that if we take a layered approach targeted at removing basic cyber attacks, the risk of a breach plummets.
But how about…
Unfortunately, the items on our top ten list won’t protect against every threat. In fact, there is no combination of defenses that will protect an organization 100%. Even the United States government is struggling to protect itself from cyber threats. Statistics show that over half of all small to medium-sized businesses have been the target of an attack and that 60% of small businesses that are attacked go out of business within six months. Among other issues, items like legal fees, investigations, fines, brand repair, identity protection, and downtime are what kill businesses after a breach. So, what can businesses do to help mitigate these costs? I recommend insurance. While we don’t sell insurance at Tandem, I’m an evangelist for Cyber Liability coverage because it helps reduce this risk by covering most, if not all, of those costs. This coverage isn’t necessary for all businesses, just those with the most sensitive data, like healthcare facilities or financial institutions. In some instances, the policy pays for increased security measures to prevent the same attack from occurring again. A word of caution: not all policies are built the same. Tandem has spent several months dissecting policies and talking with providers to get a better understanding of the insurance marketplace (expect a blog on this topic soon).
Cyber security is not about completely eliminating the chance of a cyber attack but rather about reducing the risk to a manageable level. By implementing basic defensive strategies, like layered security, and having insurance as a stopgap, businesses can rest easy knowing they won’t go under after an attack.
For more information
Top 10 Cyber Defensive Measures
1. Train employees at least annually on trending cyber attacks and company IT policies
2. Install antivirus on every system and keep it regularly updated
3. Update all computer software frequently
4. Encrypt all devices that hold business data
5. Back up business data at least weekly
6. Use a policy of least privilege to ensure normal users of computers and software do not have administrator-level access unless absolutely needed
7. Use multi-factor authentication where possible
8. Change all default passwords on computer equipment and peripherals
9. Use VPNs or mobile hot spots if remote employees are on free Wi-Fi
10. Uninstall any unnecessary software
Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, and his passion for the cyber world is unparalleled, with exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.