Within the current landscape of ongoing data theft, a significant loss could be catastrophic to a small business. Where large enterprises can attempt to ride the wave until the discovery of a loss is forgotten, small businesses may not have the liquid capital or extensive credit to fund the wait. Therefore, proper investments to protect your business's sensitive data are often well worth the expenditure. This is especially true since the investment often consists largely of attention to detail and time.
We are not going to get into the deeper aspects of IT security, as that ends up being somewhat unique to each organization in knowing how best to protect different types of data. It also requires an assessment of overall risk along with evaluations of specific business processes to ensure the security model still allows the business to run efficiently and effectively. What we will outline are the high-level concerns with both inadequately protecting and over-protecting your data.
Resolving issues of inadequate protection is often the easiest to compensate for, because it is easier for the business to comprehend what should be protected. However, there is usually a limit on how much money can be thrown at the key problems. Encrypting all of your data at rest as well as in transit is the best-practice principle to deploy, but it can lead to slowdowns in key business processes. Data encryption also leads to the creation of new business processes, such as encryption key management and ensuring that any business partners you share data with are able to securely receive the data and decrypt it when they get it.
This is why many businesses choose perimeter protections to build a wall around the data rather than worrying about internal threats to its loss by exfiltration. The issue with this implementation as the only protection is that today's threats more commonly arrive through spear phishing and browser vulnerabilities. What this means is that the compromise ends up coming from the internal user's perspective. So once attackers have access to a user's credentials and your organization has the "high wall, mushy center" security model, they have free rein over your network. At that point, bad news is only a matter of time.
So what about over-protecting your data?
Many would argue that statement doesn't even make sense. What we mean is in regard to those new business processes you need to develop. In small businesses, IT departments are usually small or even a single individual. Giving all the "keys to the kingdom" to one person puts the business at risk of accidental or intentional compromise. This is remedied with a checks-and-balances system that separates network management from security management. In large enterprises there are usually two such groups, but this creates the issue of an increased need for collaboration and business-unit buy-in to the overall processes and procedures.
Generally speaking, a one-size-fits-all approach isn't always the best way. Leaving all data at risk by having an open access policy for internal users is easy to manage (and is why it is also so easy to steal), but locking all data away is costly and could lead to a quick end if a single encryption key is lost and you can no longer access your own data. This is where your time comes in. Whether you decide to take this on yourself or hire a consultant to assist, understanding and mapping out where your data lives and how sensitive that data is will save dollars. Protecting the most sensitive data adequately often meets business goals more easily. The frequent users of the business's sensitive data are aware of how sensitive the data is and will be more likely to understand why the extra protections are necessary. There will be less likelihood of violations of new security policies, and this results in less risk overall.
So where does this leave the small business?
Leverage what you can and be aware yourself. As a business owner, understand your business. If you have absolved yourself of any responsibility for the complex world of IT in your business, you are at risk. There are ways for business owners to understand what IT means to the business without being overly complex and getting into the weeds.
There are plenty of consultative services out there that can cost a fraction of expanding your IT department. Your current IT department may not be fully aware of security architecture and best practices, but they can deploy these systems once a plan has been established by an expert in the field. There are also numerous lessons that can be learned from large organizations and even government.
The long-standing organization for best practices, the National Institute of Standards and Technology (NIST), has provided a wealth of information to government. Government organizations are measured against these best practices to ensure they meet a certain standard in protecting the data surrounding the services they provide. These same principles are likely to be used to measure your business's ability to protect data by any IT security consultant you may contract with. Taking the time to begin mapping your internal processes to these standards will save you money, since the consultant will not have to conduct interviews to gather this same information.
So what else do the "big guys" do to save money in resolving this growing area of risk to their data? Believe it or not, they are trying to work together. Very large contracting firms are building consortium programs where the large organizations they typically support can contribute funds to a common goal. In the past, these same companies made a ton of cash by repeating assessments for organizations individually. In today's climate, by the time these issues are resolved the threat vectors have already changed. The model had to change, and it is changing.
Now companies can team together to create a higher-level plan of attack for their IT security problems. They can leverage the same high-level plan and then spend less to complete the picture for their specific organization. For example, rather than 100+ organizations each spending IT dollars to test the best-of-breed firewall or to lay out a layered perimeter security architecture, they can contribute much less to a central fund and have access to the same information. This same principle can be utilized by small businesses.
Small businesses have many common issues because of their size and, in many cases, their lack of access to a deep pool of IT professionals. Where some small business owners are looking to cloud providers to leverage their expertise in protecting data, many are still fearful (and rightly so) of simply giving up control. In lieu of the cloud, there is still a great deal of opportunity to share ideas with other businesses suffering from the same overwhelming problems everyone is facing. If common problems are identified after speaking with fellow business owners, put a common plan together. If this plan cannot be created by IT personnel already employed by one or more of the companies, look into consultants who can be leveraged for their depth of experience in this field.
Once a high-level plan is established that is more appropriate to your size and ability to fund, it should cost significantly less if additional services are needed to map out a plan with only your specific needs in mind. From there, your consultant can take it all the way, or your own IT staff can implement it.
The key difference here is that you, the business owner, are aware of the plan, can more easily ensure it has been implemented, and can get back to your core business. Having a high-level understanding of what your IT means to your business, where the jewels are stored, and how they are being protected will make you a better business owner and, in turn, give you a stronger business.