The Five Step Security Plan
Information Security is easy. There, I said it, and no, you didn’t read that wrong. Almost every other company on earth is going to tell you the opposite: it’s complicated, you can’t do it alone, it’s going to be a minimum of $50,000 to even start your program. I’m going to give it to you straight: they are wrong. They may throw complicated jargon at you (VPN, IPSEC, IRP, DRP, BCP, NIST 800-53), but fortunately you don’t need to memorize that list of acronyms to build a coherent, effective, and affordable cyber-security program. In this article I’m going to tell you exactly why you should build an information security program and how you can start.
“Alright,” you say, “it may be easy to build a security program, but why should I? I’ve been getting along perfectly well without one so far.” Well, in the spirit of straight talk, I feel obliged to tell you that you are playing Russian roulette with all cylinders loaded. Bad guys target small businesses because small businesses have this exact attitude: “I’m too small, nobody will bother with me.” Think again. The statistics are bad. The majority of cyber-attacks target small, not large, businesses, and 60% of small businesses fail within 6 months of a successful attack. Costs can range from a few thousand to hundreds of thousands of dollars. Either way, it’s enough to close your doors.
Don’t stop reading! I promise I’m not trying to scare you into buying anything. In fact, you won’t read a single call to action or marketing pitch in here. This article is to help you, not us. So, you now recognize that the threat is real and the landscape is dangerous, but you still feel overwhelmed. People typically give in to apathy when they get overwhelmed: don’t. Stop, take a breath, and realize that you can do this. Here’s how we recommend you start.
Get visibility over your Assets
Every business has assets. Your company vehicles, buildings, and IT equipment are assets. However, your data is also an asset, perhaps your most important one. This fact is sometimes overlooked because it is all too easy to become complacent and assume that critical company data will always be accessible and is perfectly safe. Think again. Your first step in building a security program should always be identifying what you are aiming to protect. Do you hold customer names? Email addresses? Social Security numbers? Employee payroll data? Let me tell you something: bad guys can steal those and in the process destroy the business you have worked hard to build. Don’t make it easy. Learn where your data is housed and what is protecting it. Is it protected by a firewall? Is it encrypted? Don’t worry, that is as technical as you are going to have to get. It’s smooth sailing from here. Get this information even if it means calling your wife’s second cousin twice removed who set up your computer systems 3 years ago. Then you need to set up log monitoring. There are ways to do this for free, but in general you can expect this to cost you $50-$100 a month depending on the size of your IT infrastructure. If you aren’t technically inclined, we recommend using a paid service. (I said it was affordable, not free!)
Create an Incident Response Plan
You have identified where your information is stored and the current protections in place, and you have set up log monitoring. “Wait!” you exclaim, “Why am I creating a response plan when the goal is not to have incidents?” Well, unfortunately you are almost guaranteed to have an incident no matter what you do. “Then why am I wasting all this time?” you ask, irritated that you’ve spent 5 minutes reading only to confirm your suspicion that all this information security stuff is useless. Well, the short answer is it can save you money, and the longer answer is it can save you a lot of money. If your employee Bob torrents 2 terabytes of movies onto your company network (Bob’s got a problem) and in the process downloads a keylogger onto his computer, it is far better to know about this issue sooner rather than later. If you have log monitoring, the spike from Bob’s download will show up and you can confront Bob before he unleashes an unholy disaster onto your network. Without that visibility over your network, however, you are forced to trust Bob, and let me give you a tip: never trust Bob. An incident response plan gives you a procedure in place to quickly and effectively respond to an incident. The Bobs of the world make these plans necessary. There are many incident response plan templates that you can find online for free. Use one. If you know what you are going to do to manage an incident, you are well on your way to surviving one. An incident response plan serves as the cornerstone of your overall security plan.
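To show what “the spike from Bob’s download will show up” looks like in practice, here is an added example (not code from this article): a small Python check that reads per-host daily download totals from constructed log lines and flags any host whose volume jumps far above its own median baseline. The log format, host names, and the 10x threshold are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample log lines (assumed format, not from any real product):
# one line per host per day with total bytes downloaded, in date order.
# bob-pc's last day shows the 2 TB jump a movie torrent would produce.
SAMPLE_LOG = """\
2024-03-01 host=acct-pc-01 bytes_in=1800000000
2024-03-01 host=bob-pc bytes_in=2100000000
2024-03-02 host=acct-pc-01 bytes_in=1600000000
2024-03-02 host=bob-pc bytes_in=1900000000
2024-03-03 host=acct-pc-01 bytes_in=1700000000
2024-03-03 host=bob-pc bytes_in=2000000000
2024-03-04 host=acct-pc-01 bytes_in=1900000000
2024-03-04 host=bob-pc bytes_in=2000000000000
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) bytes_in=(\d+)$")

def parse_daily_volumes(log_text):
    """Return {host: [(day, bytes), ...]} in the order the lines appear."""
    volumes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the monitor
        volumes[m.group(2)].append((m.group(1), int(m.group(3))))
    return volumes

def find_spikes(log_text, factor=10, min_history=3):
    """Return (host, day, bytes, baseline) for every day on which a host
    downloaded more than `factor` times its own median over earlier days.
    Hosts with fewer than `min_history` earlier days have no baseline yet."""
    spikes = []
    for host, history in parse_daily_volumes(log_text).items():
        for i, (day, nbytes) in enumerate(history):
            prior = [b for _, b in history[:i]]
            if len(prior) < min_history:
                continue
            baseline = median(prior)
            if nbytes > factor * baseline:
                spikes.append((host, day, nbytes, baseline))
    return spikes

if __name__ == "__main__":
    for host, day, nbytes, baseline in find_spikes(SAMPLE_LOG):
        print(f"{day}: {host} pulled {nbytes / 1e9:.0f} GB "
              f"against a baseline of {baseline / 1e9:.1f} GB")
```

The baseline is per host, so a busy file server is compared against its own normal traffic rather than against Bob’s workstation.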
Train your employees
So, you have visibility over your network and an incident response plan. You are halfway done. Now you need to train your users not to download unsavory materials over the company network. No, this isn’t a joke; it’s actually quite common. There are many free training programs online, or you can create your own (make sure to consult any compliance requirements you are bound by). You should cover, at a minimum, phishing emails, downloads, fake websites, and other common methods that cyber-criminals use to get access to information they shouldn’t. Your employees need to know that the African prince wanting to give them 50 million dollars is most likely a teenager sitting in a basement in Eastern Europe (who probably does not have 50 million dollars). You can google “Free End User Security Training Programs” and come up with many that will fit the bill for your organization. Training is essential for a competent security plan.
Test your New Program
Congratulations: now your security program doesn’t entirely stink. It’s pretty bad, but it does have a heartbeat. Fortunately for you, that means you are beating 90% of other businesses out there. Now you need to test it. Run through the incident response plan with your employees. Run simulated phishing campaigns against your users, then retrain the employees who click the link (Bob, we told you the Nigerian prince was lying!). Make sure that your log monitoring covers all your endpoints and can detect anomalies. Testing is key: a month later, test another part of your program, and keep doing it.
Document your Policies and Procedures
This is the part everybody hates. Let’s be real: who actually wants to write out 50 pages of security policies and procedures that nobody is going to read? I sure don’t, and I work in Information Security! However, you do need to have them, and it doesn’t have to be entirely awful. Create your policies and procedures: document your incident response plan, acceptable use policy, log monitoring policy, business continuity plan, disaster recovery plan, and all the other plans you need to have in place. You can find templates for almost all of these online, and it doesn’t take long to fill them out. Don’t stop there. Condense the information (especially the acceptable use and security policies) into something that’s easy to read, then post it all over your office. Make sure your employees know that you take information security seriously and that not following policies is unacceptable. Your security plan isn’t complete yet, but you are off to a running start.
There you have it. Take these five steps to start your security plan. Remember, speed kills problems, so don’t wait: start today. Don’t forget to get Bob some help.
Nothing in this article should be taken as legal advice. If you have compliance requirements to meet, or if you are unsure if you have compliance requirements, please consult an attorney to ascertain the extent of your legal obligations.