10 things that any business can do to fight the insider threat – cybersecurity

We have all heard about the threat that a staff member can pose to an organisation. From stealing critical information, to running an embezzlement scheme, or just being a pain in the ass, an insider threat can cripple an organisation in a minimum amount of time.

So what can you do to protect yourself from an employee going rogue?

Background checks

It is critically important, in today’s business world that you make sure you are getting the person that appears on paper.   So after the basic weeding out process and before the offer of the interview you need to check the truth behind the resume.   In most cases, a quick check of references and a look at social media will give you an inkling into a person’s character, capability and attitude.   If there are no obvious contradictions then it is safe to proceed to the next level.   (You could also use a psychology test as supplied by www.thewhitehousereport.com.au)

In addition to this when someone leaves, cancel their access as soon as possible.   Relationships can sour and it is best that when someone has left that they no longer have access to any part of the organisation.

This is doubly important if you are firing someone. Before you go through the actual process of firing them, make sure they have no access to your systems.

Acceptable use

The insider can quite easily steal your time and money without actually doing anything illegal. Staff members who spend a lot of time on social media, especially when they are supposed to be working, can have a detrimental effect not only on the business but also on staff morale.

Make sure that you have policies in place that specify what people can and cannot do with business assets.

Least privileges

Staff members should only have access to information that they need access to do their jobs.   In the case of small and medium business, you have to make a conscious decision that you cannot trust everyone.   By not trusting everyone you are actually protecting your business.   The larger the organisation the more need there is to separate working areas and capability.

Administrator privilege

In any organisation there should be only a minimal number of administrators. In most areas there is a need to ensure that staff and users only have access to what they need to do the job. The administrator account should not be used except for administration. It should never be associated with an email or webmail account.

All administrators should have separate logins for their normal work. This reduces the risk of the administrator account being compromised, as well as ensuring that only minimal access to the administration of the business is granted.

Separation of duties

In a really small organisation this is very hard to do, but in larger organisations there should be a defined process for spending money from credit cards and bank accounts. There should be a separation of duties to ensure that one person is not both authorising and acquitting invoices and payments.

Job rotation

There are two reasons for this. It builds resilience into the business, because a backup person has access to the processes that the business needs in an emergency. The second reason is that it allows for training of personnel in the roles and acts as an audit.

Mandatory holidays

Everyone needs to go on holiday.   In most cases 2 – 4 weeks is mandatory.   It allows for recharging batteries as well as protecting the organisation from someone going rogue.

Auditing

Most if not all accounting packages have an auditing feature.   This feature needs to be running at all times to ensure that you can check all transactions occurring within the organisation.

Auditing can also be employed to track other components of the business including information being passed through email, cloud based technologies and cloud based storage.

Data loss prevention technologies

There are a number of software packages and hardware systems that allow you to monitor and manage information leaving your organisation. From restricting USB devices to controlling cloud storage, systems are available to ensure that your trade secrets are not leaving your organisation.

End point protection

This last point is more a solution to one of your people getting infected through malware. If you have done all of the other nine points, then malware will have little impact on the organisation if it does get past the end point protection systems.

In addition there should always be 2 levels of end point protection – at the firewall and on the devices, preferably using different vendors.   If malware gets past one it may not get past the second.

These 10 ideas will ensure that your organisation is better protected from an attack by an employee or staff member.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

(Video) How a SMB can reduce its labour costs using a MSP

Hi. My name is Roger. I’d like to talk to you today about how to reduce your business labor cost. And how as a small business you can go forward using the right technology. As we all know SMEs in business, it can be very difficult and very complicated. How you use technology, why you use it, what you want to use it for? So, you need to get the right qualified people and at the best of times that can be hard.

On top of that you need to make sure that those people are actually going to resolve this — the problems that you have inside your business. But when it comes to paying for someone in the ICT industry that can be very expensive. Some of the people that I work with or I know can cost up to $150,000 to $200,000 for what they do.

So what you end up with is someone in a business who is multi-talented. They are your sales person but they are also your IT person. They’re your marketing person but they’re also your IT person. And that does two things. It takes away from their marketing role with their sales role, with their reception role or their CEO role, which is very credible for the business.

And puts them in something that takes a long time to resolve like getting little Johnny some emails to work properly or having little John and Sara talking to the right people when setting up meetings or all that stuff. So you then have other problems associated with that. So one of the things we really need to look at is, how do you reduce those very expensive labor costs by having an ICT person on board or how do you reduce the chance that your sales person is no longer going to do sales because he is too interested in doing the IT.

One of the best ways to do that is to outsource your IT. Now if you outsource your IT, you have someone who comes in or are available on the web, on helpdesk system. They can access your PCs, they can talk you through your problems, all of that sort of stuff. And your sales person and your marketing person continue doing what they do and how they do best.

They are generating revenue for your business not wasting time making the printers work or meetings to call and all those things. So when it comes to reducing your business labor costs, have a really good look at what a MSP can do for your business because I can guarantee that by taking that role away from someone who is doing something else, that person will then go off and make more revenue for you.

Thank you.

[End of transcript]


(Video) Why all SME’s need a Helpdesk

Today I’d like to talk about why all SMEs need a helpdesk. So first things first. What is a helpdesk? A helpdesk is where you have the ability to ring up someone and say, I need some help and this is what I need for you to do. Now a helpdesk can be contacted through a number of options. You can just send them an email. Fax them if you’ve got a fax machine or you can just pick up the phone and talk to them.

And their role behind your business is to help you out of why you have a problem and what that problem is and get your [Indiscernible 00:00:39] working with you. So how can it help with small business? Well, small business, with the increase in technology and increase in complexity of technology needs somewhere to go, ‘what do I do here’. But that helpdesk, if done properly, can also say, when the boss rings up and goes I need to know what I can do about x.

Can I put this system in place and is it going to impact these other systems? And that is a really good way of using a helpdesk. Now helpdesk is usually supplied by a managed service provider. And that managed service provider probably has a large number of other things in the background that are working.

But for a small business a helpdesk is really critical because it takes away that nagging ‘everybody get involved because Jim or Joey can’t print from the third tray’. So everybody is opening bits and playing with bits and you’ve just lost five hours’ worth of productivity because he can’t print because he doesn’t understand what’s going on.

Whereas you can pay 25 cents or $25 for someone to come in or someone to come over the phone line or as a remote connection to his desktop and work out what the problem is, rather than tie him up, and everybody else can go back to work. So that’s one of the good aspects of having a helpdesk. The other aspect is, as I said before, is that you can have people on the back end of a helpdesk helping you make decisions about your business.

So they can be there and you can say, ‘should we move to the cloud?’ I want to know. What repercussions if we move to the cloud are going to be involved? Okay, yes you’re going to have a monthly cost. But is it going to impact our internet connection? How we’re going to print it from our servers in the cloud if we want to print from here.

That information is also very important. But as I said, an MSP whose primary helpdesk is probably supplying a lot more as well. They are probably monitoring your systems. So, with luck, that problem that you’re having with tray three wouldn’t come up because they would’ve been alert to come up and say Joey is trying to print to tray three and that printout hasn’t gone to tray three, and that type of thing.

And on top of that an MSP will also give you reports. How many times people have rang the helpdesk? How beneficial it is to your business? What is the next step going forward? So why do all SMEs need a helpdesk? It makes you more productive.

Thank you very much.

[End of transcript]


(Video) How can a Managed Service Provider (MSP) make your business more competitive?

I’d like to talk to you about how you as a small or medium business or a not-for-profit organization can increase your business competitiveness.

Most of us when we get to the stage that we’ve started a new business and we now get to the point we’re employing 5-6 people, we look for an office to go into, and we’ve got an IT person that is happy to do that role, we suddenly realize that we’ve got 5-6 different platforms that we’re using.

You might have someone on who only likes Apple, or someone who only wants to use Windows 7 or Windows 8. Or we haven’t gotten around to buying a server. Do we go to a server? Do we go to a cloud? That type of environment, and those types of questions are really important for a small business going forward.

Now, if you didn’t know the correct questions to ask, then what you get out of the answers is not going to help you very much. And this is where a managed service provider really comes into the game.

Because they will sit down with your small- to medium-sized business and they will do a business and risk analysis on your business to find out where you want to go, how you want to get there, and then they will find the technology that suits your business.

If you’ve got 9 people in your office and 8 of them are on the road at all times, then you are going to need some way for them to connect and work together. And that connecting and working together is very critical to your business, because that’s the business model you’re using.

So from a small business perspective, when you’re talking to a managed service provider, you can sit there and go, this is what I want to do. This is where we are. I want to add another 5 staff by the end of the year.

I want to look at outsourcing some of my components. Where are you going to outsource them to? What components are you going to outsource? That whole plan is what a managed service provider will help you do.

So if you want to increase your business competitiveness, then talk to an MSP. An MSP will actually sit there and talk to you about how you can take your business forward and what you can do to make it more competitive.

In most cases, and most MSPs that I know, if you give them a ring and say, “we need to have someone come out and have a talk to us,” they will quite happily come out and talk to you. And most of the advice they give will be free advice.

So how to increase your business competitiveness? Talk to an MSP. Thank you very much!

(Video) What can a Virtual Chief Digital Officer (V CDO) do for your organisation?

I’d like to talk to you about the role of the Chief Digital Officer in your business.

Now most small- to medium-businesses and not-for-profit organizations cannot afford to have a Chief Digital Officer inside their business.

You’re probably asking what will a CDO do for me? Well a CDO will actually take all of the components to your business and find out what direction you are going in, what is good technology and what is not good technology for your business, and it doesn’t necessarily mean that we’re going to put everything in the cloud.

But the CDO is also anything to do with the digital world. He has the knowledge about it. So you want to use Facebook. Okay, not a problem. How are you going to use it? What are you going to use it for? How are you going to get your message out there?

That is also part of the role of a CDO. But as I said, they’re an expensive commodity in a small business. So how do you get all of that information and expertise without paying an arm and a leg and sending your business broke?

Well, when it comes to the Virtual CDO, you can have access to that information by employing someone who will come in an hour a month, an hour a week, an hour every two weeks, and sit down with the management team and work out what you need to do for your business.

And what digital components will reinforce that message, to make sure that when you are looking at how you’re going to get, that the information is not going to get cul-de-sac’d, or that information is not going to be bad for you, or in some cases, the information that you’re playing with needs to have some other components to make it really beneficial for your business.

And that is the role of the CDO. And a virtual CDO will come in, talk to management teams, talk to Board members, and find out exactly what direction your business needs to go in and how you want to do it and how much it will cost to do it.

And if it’s going to cost an arm and a leg again, then how are we going to grab it back to make it cost effective.

Now a virtual CDO, what we do as a role in our managed services is you get that for free as part of a service level agreement we put in place having one of our high-end technical experts come to your office. And none of that gobbledygook. They are based in applying technology to business to make it work.

So if you need to have someone who can come in and have a look at your business and find out where your business needs to go and what you need to do and put it in place, then a virtual CDO is what you need.

Thank you very much.

Digital security – why is it so bloody difficult?

10% of the global population that use the Internet have more than a basic understanding of the digital world.   There is a severe disconnect between what is done and what needs to be done when protecting an organisation from cybercrime.

Throw around terms like the dark net, cloud technologies, IoT (internet of things) or BYOD and most managers, board members and owners shrug, glaze over and say that it is an IT problem.

In today’s threat landscape, cybercrime is a business risk. Probably one of the biggest risks a business will face. Like all business risks, it has to be addressed as soon as possible. But what are you addressing?

In most cases management teams, board members and owners consider cyber and digital protection an unreasonable and unjustifiable expense for the organisation (until it’s too late that is).   In most cases they under invest in Digital Security, for no other reason than they do not understand the problem.

From a business perspective, of the thousands of attacks every year on business systems, mobile devices and other devices connected to the digital world, only one has to succeed. As an organisation, we have to stop them all. That one compromised system is the Trojan horse into your organisation.

We have all experienced a virus and how hard it is to stop and clean up. Imagine if that virus was just the scout of a more costly attack. You don’t have to imagine it; in most cases it is the vanguard of your worst nightmare!

The recently discovered attack on 100 worldwide banks that netted the criminals around $1 billion was done through a very sophisticated process that included boutique malware (undetectable by the best AV), social engineering, bad work practices, substandard policies and procedures and a lack of auditing.

The perfect storm that netted the bad guys all of that money over a 2 year period.

Compared to walking into a bank with a gun, or blowing the safe, this theft is relatively painless.   It is very profitable! Very profitable and relatively safe!   Catching the bad guys is remote, difficult and the criminals that do get caught show Darwinism at its best.

These three factors make the management of cybercrime difficult:

The cost of Digital Security technology!

Walk into any office, locks on the doors, motion detectors in the rooms, alarms on the windows, possibly biometric locks and access and in some cases bollards out front.   These are known protections that have come about in the last 100 years.   Costly but important protection.

Protecting the organisation’s digital assets is a little harder.

If an organisation does not understand the WHY of cybercrime and Digital Security the protection requirements are often underestimated.

The business management’s attitude that free or cheap is the solution reigns supreme.

  • Free anti-virus must be better than having to pay a monthly or annual subscription for a managed end point protection system!   The fact that it only captures 90% of the known problems is irrelevant.
  • Or purchasing the inexpensive router from the local retail shop will do the job of a router with UTM (unified threat management).   The attitude that we just need a device that connects to the Internet is often heard.

There are thousands of other examples where free or cheap is the solution taken by SMEs and even larger organisations.

When it comes to technology – you pay for what you get and scrimping on Digital Security by buying the cheapest means you are exposing your business to unnecessary risk.

The cost of protection can be exceedingly high, and that is the main reason that risk management and risk assessment are paramount in those decisions. Throw-away lines like “we are too small to be a target” and “it will never happen to us” are based on myth and legend. Like any normal risk factor, understanding and then mitigating the risk has to be front of mind, and in Digital Security mitigating those risks comes at a cost.

The Digital Security jargon (non-jargon) is hard to understand!

There are times when the discussion around cybercrime and Digital Security is difficult. I will even admit that at times I have trouble understanding what sales and technical people are saying, and I have been in the industry for more than 30 years.

One of the reasons for this disconnect is jargon.   Each manufacturer has a new word, new catch phrase, new product name or new operating system, that someone somewhere in the purchasing organisation has to now learn, understand and manage.

Getting straight and understandable answers to basic questions in the digital space can also be difficult. The answers are made more difficult if you cannot understand them or worse still have not asked the right questions.

Paramount to protecting business information is to understand what information needs to be protected.

This communication disconnect also happens when describing the criminal element.   Malware, zombies, botnets are the tools of the digital criminal, but most businesses do not understand the impact that they have on the protection paradigm.

In most cases businesses do not understand why they are being targeted with viruses or malware.

“Why did we get a virus, we have nothing worth stealing” is a cry we get regularly!   Everyone has something worth stealing even if it is just the storage and cycles used by the system itself to become a zombie or to join a botnet.

Digital Security Protection is difficult to manage!

The next problem with Digital Security is the management of all of those digital components.   Organisations believe that digital protection is “set and forget”.   A couple of years ago this might have been true.

Thinking that once it is in place you don’t have to worry about it in today’s digital world is a bad idea and can have devastating consequences. Not updating a device for 12 months, or in some cases 3 years, is definitely not best practice.

All of the components that protect the business have to be updated regularly, checked regularly and, most importantly, tested to ensure that they are working to their design specification. Once again, jargon is a problem.

The digital threat landscape is constantly changing.   The bad guys know this because in most situations they are behind the changes.

Conclusion

Digital Security is a holistic process. Once again jargon impacts the organisation’s decisions. To make a correct risk assessment on the organisation you need to know:

  1. What needs to be protected?
  • Intellectual property
  • Financial information
  • Client information
  • Digital assets
  2. How will it be protected? This is the technical component of the risk analysis process.
  • Separate network
  • Restricted access
  • Encryption
  • User access
  3. Who needs access to it?
  • Does everyone in the organisation need access to all information?
  • Can components of the information be separated?

You have to have a basic understanding of the required components that are protecting that information before you can make decisions.

Convenience is usually the primary driving force for business. It is also the driving force behind applications and systems. Security should be more important than convenience, but most of the time it is further down the list.

This article first appeared on LinkedIn


Taking Back the Digital Streets – Cybercrime now and the future

In the 70’s and 80’s, there was a fight in cities worldwide to take back the streets and make it safe for normal people to walk in their neighbourhoods without fear. Those efforts paid off—murders, muggings and other urban crimes have dropped dramatically since then. The internet badly needs a similar intervention.

The internet may be the last bastion of free speech, but it’s also the most dangerous place on the planet.   You can lose everything—your money, information and identity—before you even realise that you have been attacked.   At least if you get mugged in a dark alley you have the bruises to prove that you have been robbed.   Have you ever tried to convince the bank that you did NOT purchase that top-of-the-line snow mobile, considering you live in the tropics?   It is not a fun conversation.

But the current level of crime isn’t inevitable. I have been reading some articles on how New York City citizens took back control of their streets.   Their efforts involved forming neighbourhood watches, cooperating with police. There were also a huge number of court cases there concerning a citizen’s right to free speech and free movement. All of these solutions started with citizens demanding a safer environment.

The “citizens” of the digital world should do the same. We, the people, are the ones using the internet for practically everything, and we have to take control. With the help of law enforcement and politicians, we can do it, but it has to start with us.

Of course, there are huge problems to overcome. I like to call them challenges.   Here are a few.

Too Many Criminals

How do we reduce the number of cyber criminals?   Well, in most cases, the neighbourhood solutions that worked were not high-tech stuff.   And the answer wasn’t more arrests— in some cases it was less, but the arrests they did make were those that had the biggest impact.   By removing the people on the lower rungs of the ladder, they left the ones on the higher rungs without their support. The ones higher up had to come down, and they were also caught in the net.

The internet has its own forms of small-time crime. Web site graffiti, using an exploit kit, ripping movies and music, and creating a phishing email are all at the lowest level of the badness scale. If the people who were doing this were the targets of law enforcement, starting with an escalating fine system, then these people would quickly drop out of the cybercrime arena. It would no longer be a cool and easy thing to do; it could get you a criminal record. Yes, these people can be caught—the problem is that they are so numerous that it will take a concerted effort at all levels.

Look at web site graffiti: It is either done on a dare, or it is done as a political attack. Let’s look at it as a dare: When the perpetrator is caught then he is fined; if he is underage then his parents are fined.

If it is political, then there is another problem.   I can hear the cry from here—what about free speech?   Well, you can still say what you like. You have the right to go down to the street corner and shout your views from a soapbox.   Or upgrade to the digital version—get a domain name and a web site, and you can say and do whatever you like.   But law enforcement has to make clear that the moment you graffiti a website, you are defacing someone else’s property. Just like spray-painting your tag on the front of someone’s office, you are crossing the proverbial line and will get fined or arrested.

Draconian? Maybe.   But the focus of this policy wouldn’t be to ruin lives forever. Instead, it would provide small-time hackers with an incentive to stop before they have the chance to hone their skills.

Broken Windows

The victims of petty crime can also play a role in keeping the internet safe. The owner of a web site that has been defaced has an obligation to remove the graffiti and tighten up security.   In a normal business situation— the front of a building, for instance—the clean-up is usually almost instantaneous.   But I have seen defaced websites that haven’t been fixed in months.

Why does it matter? The New York mayor of the late 90’s, Rudy Giuliani, had the right idea. He called it the “broken windows” theory. ( http://en.wikipedia.org/wiki/Broken_windows_theory) If there are broken windows in an area, that sends the message that no one values property and no one is in charge. Then more windows will get broken, more crime takes place, and the neighbourhood turns into a scary place. But the moment you start to replace them (or remove other signs of vandalism), everyone in the neighbourhood senses that the rules are being enforced. The whole community starts to get involved in maintaining their space, and normal people start to move back in.

Not Enough Cops

Another deterrent of crime is for law enforcement to have a presence in the area.   In New York today you cannot go two blocks without seeing a cop car or an officer on foot. That’s harder to achieve in the online world. How do we put digital cops on every corner?

Yes, police departments can hire specially trained cyber cops. But they can only see a small fraction of what takes place. To be effective, they will need to interact with normal users.

In south Los Angeles, an innovative inner-city police department devised an effective approach to gang violence: The Community Safety Partnership. (http://www.nytimes.com/2013/07/14/magazine/what-does-it-take-to-stop-crips-and-bloods-from-killing-each-other.html) The police had a need for streetwise people who understood the neighbourhood. These people are the honest, law-abiding citizens who have close ties to gang members and are a little savvier than the rest of the community. They inform the police when a high-risk situation is developing—for instance, when the Crips or Bloods are plotting a revenge killing. This inside information helps cops prevent crime before it happens.

It works because streetwise citizens are the best source of information on crime. So let’s create more streetwise digital users.   Let’s increase the awareness of the innocent, the uneducated and the ill-informed so they can recognize cybercrime when they see it.   If users know when a crime or scam is taking place, they can report it to law enforcement, their antivirus software provider, or a criminal’s IP.   This is a win-win situation for everyone.

Stop Hunting for Scapegoats

We have a tendency to assign blame and search for scapegoats. The solution I’m proposing is the opposite of that. We need to shift our focus away from the big crimes that grab headlines.   It’s easy to be angry at Target for letting customer credit card information get leaked, but punishing one company won’t prevent the next attack.

Law enforcement, too, needs to change their mindset, from one of confrontation to one of prevention.   Too often, cops swoop in to bust a big cybercrime ring (like the underground drug marketplace Silk Road) after monitoring it secretly for months. To prevent crime, law enforcement has to be more visible.   Bank robberies would probably be a lot more common if there were no security guards or patrol cars for miles around.

If we get the small problems sorted out, we can then put in checks and balances that will allow the digital world to flourish. As with any process, we have to walk before we can run. We have to start with the small wins and build on them. From Twitter stalkers to Facebook trolls, from 12-year-old script kiddies to targeted phishing attacks, from malicious insiders to the dedicated hackers, we have to send a message that crime has consequences.

I know that changing the digital world will take a little time.   It took 20 to 30 years to sort out the problems in New York and L.A., and they’re still not perfect. But we have to do something about the dangers of the digital world before it really does become a broken communication device.

CyberCrime – Using Security Policies to protect your business.

Most small or medium businesses and not-for-profit organisations have policies in place to protect, not only the organisation, but also the staff and users from cybercrime. Being human, we don’t want to follow these rules.

We like to circumvent them so that we can do what we like and when. 

This is not a new phenomenon, but it has become more pronounced with the advent of the internet. 

With the introduction of Bring Your Own Device (BYOD), ignoring an organization’s protective polices has gotten even easier and more tempting.

This anything-goes attitude is prominent among internet users.

For instance, here's a statement that is not uncommon to hear at an SME: "My organisation doesn't have a wireless access point, so I added one to the network." The person who makes this statement isn't considering the security and privacy implications of their actions; they're thinking about the convenience of being able to surf the internet on their Wi-Fi tablet.

Most people do not understand that plugging in a wireless access point without considering the security implications is a severe problem for an organisation. SMEs rarely have the tools to detect a rogue AP, so one can stay on the network long after the convenience that justified it has been forgotten. We recently did a site survey for a new client and found three of these devices on the network that management knew nothing about. One of them had no password, which meant that anyone within radio range had access to the internal network.
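A rogue-AP check does not need enterprise wireless controllers. The example below is added here and is not code from the original article: it takes a scan export in a constructed format (one access point per line; any Wi-Fi scanner or a laptop walked around the floor can produce the equivalent), compares it with an inventory of the APs the business actually installed, and flags three things the article's site survey would have caught: unknown radios broadcasting the corporate SSID (an "evil twin"), unknown radios with a strong signal that are probably inside the building, and open networks among them. The BSSIDs, SSIDs, inventory and the -65 dBm "inside the building" threshold are all assumptions for the sake of the example.

```python
"""Flag wireless access points that are not in the authorised inventory.

Added example, not from the original article. Sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    security: str    # "open", "wep", "wpa2", "wpa3"
    signal_dbm: int  # closer to 0 means stronger


# Constructed sample of what an office scan might return (csv-like export).
SAMPLE_SCAN = """\
# bssid,ssid,security,signal_dbm
00:11:22:33:44:01,ACME-Corp,wpa2,-48
00:11:22:33:44:02,ACME-Corp,wpa2,-55
00:11:22:33:44:03,ACME-Guest,wpa2,-60
aa:bb:cc:dd:ee:01,ACME-Corp,wpa2,-42
aa:bb:cc:dd:ee:02,NETGEAR_EXT,open,-51
aa:bb:cc:dd:ee:03,CoffeeShopWiFi,open,-85
"""

# Inventory of APs the business installed (BSSID -> SSID it should broadcast).
AUTHORISED = {
    "00:11:22:33:44:01": "ACME-Corp",
    "00:11:22:33:44:02": "ACME-Corp",
    "00:11:22:33:44:03": "ACME-Guest",
}
CORPORATE_SSIDS = {"ACME-Corp", "ACME-Guest"}

# Assumption: anything heard louder than this is inside the building, not a neighbour.
STRONG_SIGNAL_DBM = -65


def parse_scan(text):
    """Parse the constructed export format into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security, signal = line.split(",")
        aps.append(AccessPoint(bssid.lower(), ssid, security.lower(), int(signal)))
    return aps


def find_rogue_aps(aps, authorised=AUTHORISED, corporate_ssids=CORPORATE_SSIDS):
    """Return a list of (bssid, reason) for every AP that needs a human to look at it."""
    findings = []
    for ap in aps:
        if ap.bssid in authorised:
            # Our own radio, but configured differently from the inventory.
            if authorised[ap.bssid] != ap.ssid:
                findings.append((ap.bssid, "authorised radio broadcasting unexpected SSID %r" % ap.ssid))
            continue
        if ap.ssid in corporate_ssids:
            # Somebody else's radio pretending to be ours: staff devices will happily join it.
            findings.append((ap.bssid, "evil twin: unknown radio using corporate SSID %r" % ap.ssid))
        elif ap.signal_dbm > STRONG_SIGNAL_DBM:
            reason = "unknown AP with strong signal, probably on premises"
            if ap.security == "open":
                reason += ", no encryption"
            findings.append((ap.bssid, reason))
        # Weak, unknown, non-corporate networks are assumed to be the neighbours.
    return findings


if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(parse_scan(SAMPLE_SCAN)):
        print(bssid, reason)
```

A strong unknown signal is only a lead; the confirmation is walking to the switch cupboard and the desks and finding the consumer router somebody plugged into a wall port, then tracing which port it lives on and disabling it. Repeat the scan on a schedule, because the whole point of the article's observation is that these devices outlive the reason they were installed.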

What about cloud-based storage? Let's say I want to work from home on a confidential document, so I install Dropbox and copy my super-sensitive document into the folder, and now I can work on it from home, on my tablet or even on my phone. Lucky me. That super-sensitive document now lives in a personal account and on every device it syncs to, none of which the business controls. It is read over my shoulder in a coffee shop, or lifted from a lost phone, and it is now all over the internet.

Another thing we have found is that all of a user's internal mail can be redirected or copied to an external webmail account (Gmail, Yahoo or Hotmail), through an inbox rule or mailbox-level forwarding that nobody reviews. Once again, privileged and commercial-in-confidence information can haemorrhage from an organisation because someone wants to be seen as important, and the same mechanism is exactly what an attacker sets up after compromising a mailbox.
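Forwarding leaks are easy to audit once you export the rules. The example below is added here and is not code from the original article: it runs over a constructed set of inbox rules and mailbox-level forwarding settings, modelled on the properties Exchange Online exposes (ForwardTo, RedirectTo and DeleteMessage on `Get-InboxRule`; ForwardingSmtpAddress and DeliverToMailboxAndForward on `Get-Mailbox`), and reports every path that sends mail to a domain outside the business. It also rates a redirect or a forward-and-delete higher than a plain copy, because those hide the leak from the mailbox owner. The domain `acme.example`, the mailboxes and the rule contents are assumptions for the example.

```python
"""Audit mailbox rules and forwarding settings for mail leaving the organisation.

Added example, not from the original article. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: tuple = ()     # recipients that get a copy (owner keeps the original)
    redirect_to: tuple = ()    # recipients that get the original (owner never sees it)
    delete_message: bool = False
    enabled: bool = True


@dataclass
class MailboxForwarding:
    mailbox: str
    forwarding_smtp_address: Optional[str]  # mailbox-level forwarding target, if any
    deliver_and_forward: bool               # False means the mailbox keeps no copy


# Domains that count as "inside the business".
INTERNAL_DOMAINS = {"acme.example"}

# Constructed sample: one innocent copy-to-home rule, one legitimate internal rule,
# one classic compromise pattern (redirect + delete, single-character rule name),
# one disabled leftover, and one mailbox-level forward.
SAMPLE_RULES = [
    InboxRule("alice@acme.example", "Copy to home", forward_to=("alice.home@gmail.com",)),
    InboxRule("bob@acme.example", "Invoices to finance", forward_to=("finance@acme.example",)),
    InboxRule("carol@acme.example", ".", redirect_to=("c4r0l.payments@outlook.com",),
              delete_message=True),
    InboxRule("dave@acme.example", "Old rule", forward_to=("dave@yahoo.com",), enabled=False),
]
SAMPLE_FORWARDING = [
    MailboxForwarding("erin@acme.example", "erin.backup@hotmail.com", deliver_and_forward=False),
    MailboxForwarding("alice@acme.example", None, deliver_and_forward=False),
]


def is_external(address, internal_domains):
    """True if the address's domain is not one of ours (case-insensitive)."""
    domain = address.rpartition("@")[2].lower()
    return domain not in internal_domains


def audit_forwarding(rules, mailbox_forwarding, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per enabled rule or setting that sends mail outside the business."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        targets = [a for a in r.forward_to + r.redirect_to if is_external(a, internal_domains)]
        if not targets:
            continue
        # Redirect, or forward-and-delete, means the owner never sees the mail: the
        # business-email-compromise pattern. A plain copy is still a leak, just a visible one.
        severity = "high" if (r.redirect_to or r.delete_message) else "medium"
        findings.append({"mailbox": r.mailbox, "source": "rule:" + r.name,
                         "targets": targets, "severity": severity})
    for m in mailbox_forwarding:
        if m.forwarding_smtp_address and is_external(m.forwarding_smtp_address, internal_domains):
            severity = "medium" if m.deliver_and_forward else "high"
            findings.append({"mailbox": m.mailbox, "source": "mailbox-forwarding",
                             "targets": [m.forwarding_smtp_address], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_RULES, SAMPLE_FORWARDING):
        print(f["severity"].upper(), f["mailbox"], f["source"], "->", ", ".join(f["targets"]))
```

Run it on every mailbox, not just the ones you suspect, and treat a rule with a one-character or empty name as a red flag in its own right. The technical control that makes the policy stick is disabling external auto-forwarding at the tenant level, so the audit becomes a check that the control is still in place rather than a hunt for leaks.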

Now in most cases, an organisation has a policy in place that was designed to protect it against this situation. But an isolated policy is not enough. In all organisations, cultural change has to be incorporated into every aspect of people's interactions with technology. Maybe a carrot-and-stick approach will work; maybe just the stick. Either way, to enforce a policy you need to change the normal culture of most internet users. That cultural change can be driven by a set of policies, backed by technological controls that enforce them.

Businesses have many reasons for wanting to deploy policies to protect their security and privacy.  Some businesses want to cultivate work/home balance; others have top-secret information or intellectual property that they want to keep inside the business.  No matter what the reason, without changing the culture of the business, the policies might as well not exist.

Business continuity is not just backup and redundancy

In every SME there is a fight over business continuity, disaster recovery and business resilience. The usual arguments are about cost and what you actually get for your money.

One area that is seldom thought about is historical data. If something happens, how do you roll back that database, retrieve a deleted email, or get a copy of an important spreadsheet from six weeks ago, or, harder still, six months ago?

Some disaster recovery systems do nothing more than duplicate the data to an off-site location, a regular process of overwriting the old copy so that the organisation always has an up-to-date one. Copying data to a USB drive or an external hard drive is fine if all you are interested in is recovering after the building burns down.

It fails when someone has been entering real data into the test database, when financial information has been tampered with and you need to dissect old backups to find out what changed, or when you have been infected with a virus and do not know when it started. Whatever went wrong has been faithfully copied over the only backup you have. When that happens, the off-site DR copy is not going to help.

Not every SME is in this position, but a high proportion have no way to look at old information or bring it back into the business. Without that capability your business could suffer substantially. In a busy office doing 200 transactions a day, rebuilding the accounting information could take days: not the type of problem a business wants to face.

That is when you need a proper backup system, one that takes regular snapshots of your data and keeps each snapshot as a separate copy, retained for a defined period, instead of overwriting the previous one.
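To show what "a separate backup stream" means in practice, here is an added example that is not code from the original article. It keeps every snapshot in its own timestamped directory, restores a file from the newest snapshot taken before a given time (the case above where data was corrupted and you only notice later), and prunes old snapshots with a grandfather-father-son policy: the newest snapshot of each of the last N days, weeks and months is kept, everything else is deleted. The retention counts (14 daily, 8 weekly, 12 monthly) and the directory layout are assumptions; a commercial product does the same thing with deduplication and off-site copies, but the retention logic is what separates it from an overwrite-in-place copy.

```python
"""Snapshot backups with retention, instead of overwriting one copy.

Added example, not from the original article. Paths, retention counts and the
demo data are constructed.
"""
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

STAMP = "%Y-%m-%dT%H%M%S"  # sorts chronologically as a string


def snapshot(src, backup_root, when):
    """Copy src into a new directory named after the snapshot time; never overwrites."""
    dest = Path(backup_root) / when.strftime(STAMP)
    shutil.copytree(src, dest)
    return dest


def list_snapshots(backup_root):
    return sorted(p for p in Path(backup_root).iterdir() if p.is_dir())


def snapshot_time(path):
    return datetime.strptime(path.name, STAMP)


def _newest_per_bucket(times, key):
    """Newest snapshot in each bucket (day, ISO week, month), newest bucket first."""
    buckets = {}
    for t in sorted(times, reverse=True):
        buckets.setdefault(key(t), t)
    return [buckets[k] for k in sorted(buckets, reverse=True)]


def select_for_retention(times, keep_daily=14, keep_weekly=8, keep_monthly=12):
    """Grandfather-father-son: the set of snapshot times that survive a prune."""
    keep = set()
    keep.update(_newest_per_bucket(times, lambda t: t.date())[:keep_daily])
    keep.update(_newest_per_bucket(times, lambda t: t.isocalendar()[:2])[:keep_weekly])
    keep.update(_newest_per_bucket(times, lambda t: (t.year, t.month))[:keep_monthly])
    return keep


def prune(backup_root, **retention):
    """Delete snapshot directories outside the retention policy; return what was removed."""
    snaps = list_snapshots(backup_root)
    keep = select_for_retention([snapshot_time(p) for p in snaps], **retention)
    removed = []
    for p in snaps:
        if snapshot_time(p) not in keep:
            shutil.rmtree(p)
            removed.append(p)
    return removed


def restore_file(backup_root, relative_path, before):
    """Contents of relative_path from the newest snapshot taken strictly before `before`."""
    candidates = [p for p in list_snapshots(backup_root) if snapshot_time(p) < before]
    if not candidates:
        raise FileNotFoundError("no snapshot older than %s" % before)
    return (candidates[-1] / relative_path).read_bytes()


def demo():
    """Corrupt a file after day one, then recover day one's copy despite a later backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backups = Path(tmp) / "data", Path(tmp) / "backups"
        src.mkdir()
        backups.mkdir()
        ledger = src / "accounts.csv"
        ledger.write_text("2024-06-01,invoice 1001,250.00\n")
        snapshot(src, backups, datetime(2024, 6, 1, 2))
        # Day 2: the file is silently wrecked (malware, a bad import, test data gone live).
        ledger.write_text("\x00garbage\x00")
        snapshot(src, backups, datetime(2024, 6, 2, 2))
        # An overwrite-in-place DR copy would now hold only the garbage; a snapshot stream does not.
        recovered = restore_file(backups, "accounts.csv", before=datetime(2024, 6, 2, 0))
        # Aggressive retention for the demo: keep only the newest daily snapshot.
        prune(backups, keep_daily=1, keep_weekly=0, keep_monthly=0)
        return {"recovered": recovered.decode(), "snapshots_left": len(list_snapshots(backups))}


if __name__ == "__main__":
    print(demo())
```

The question to ask any backup product, or this script, is the one the article raises: "what did this file look like six weeks ago, and six months ago?" If the answer is "the same as today", you have a copy, not a backup. Note too that snapshot directories must not be writable by the accounts that use the live data, or the same malware that corrupts the data will corrupt the history.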

There are a number of products on the market that do this, but all of them have a cost. Just get one that suits your business.

Essential SME business cybersecurity – the main points

To most small and medium businesses and not-for-profit organisations, cybersecurity is one of the last points of interest at management level. That attitude is not only bad for business; it can seriously damage your reputation and severely compromise your cash flow.

Like anything else in business, everything is connected. Want to take payments online? Then you have to implement tighter security processes to make it happen. Some SMEs understand this correlation; many don't!

As an SME these points are where you need to start on your cybersecurity journey.

Everyone has something to lose

No matter who you are, what your business is and who your customers are, you are selling something to someone. With that point comes a number of others. You have to protect your business. You have to protect your business information. You have to protect your customers and their information. Finally, you have to make sure that your staff are protected as well.

What you use to do that is a matter of choice, and too often a matter of which salesperson got to you first. Just remember that no single solution is the be-all and end-all of cybersecurity. Cybersecurity is a process, almost a holistic one. All of the parts have to work together to make a secure business environment.

Before the Internet, there was such a thing as "too small to be a target". That no longer applies in the Internet world. Just by being connected to the Internet you are a target. It is like taking your business and moving it into the worst neighbourhood in the city, putting a lock on the door and hoping that nobody steals your "stuff".

On the Internet there are no police on the corner, there are no niceties of business.   You are a target and the only thing that you can do is arm yourself with the biggest “gun” you can find.   It would be nice if we could turn it around on the cyber criminals and go on the offensive, but we cannot.  So we have to put in place protections that will keep the cyber criminals on the outside as well as protecting those people coming to you to purchase your goods.

Proactivity and paranoia play a large part in your protection

If you are not already PARANOID, then now is the time to start. In the world of cybersecurity paranoid is good, because everyone is after you. Truly after you. They want to steal your money, your intellectual property, your business and in some cases your complete identity.

So, in cricket terms, you have to get on the front foot. Position your business so that only the very clever cyber criminal has a chance of breaching your protections. There is no such thing as impenetrable; your cybersecurity objective is to make it so hard and so difficult that the criminal goes elsewhere, preferably to your competition.

There are lots of things you can use to do this, but these four are a start. Use strong, unique passwords on everything. Train your people in the art of being suspicious and questioning things that look out of place. Use some level of encryption whenever information leaves your control. Finally, put a security framework around your business.

Growth and opportunities have to be tempered with protective solutions

Since SMEs have little understanding of cyber resilience and cybersecurity, growing the business without implementing some level of protection is fraught with danger. Most SMEs understand that opportunities have to be grasped with both hands. A cyber-resilient business is not only protected now; it also has the ability to react to changes in the industry that will deliver better business opportunities.

Most businesses that are more than ten years old have a different perspective and focus from what they had when they started. They have seen opportunities in other markets, different markets and some in the same. Most businesses are in areas where they did not think they would be when they wrote their business plan.

These opportunities have developed through social media, the Internet or cloud computing. Getting your marketing and brand out there is critical to a business, and it has never been easier to compete on the world stage than now. Just remember that the moment you attach yourself to the Internet, you are a target.

So, apart from the bad, and to quote a song, "the future's so bright we will have to wear shades". Just make sure that your cybersecurity complements your business requirements.