Is Resilience Missing From Your Small Business?
Pre-COVID, businesses were already getting hammered by criminal activity, from phishing to wire fraud to identity theft, and so so so much more. In spite of all the signs, shared stories, and publicly-reported losses, many organizations still choose to believe "it won't happen to us."
Cybersecurity is dead. I'm not sure it ever even existed in the first place. The mindset business leaders need to have right now is "How prepared am I to strategically respond to criminal activity that interrupts my business?"
As the pandemic-era progresses, you may choose to continue living in ignorant bliss. That's a choice. I'm going to say it straight: you're one mistake away from tragedy. You'll be forced to deal with an unplanned (but most likely preventable) incident that impacts your productivity, reputation, and bottom line.
There's hope. We wrote this baseline guide to outline what you need to do and why. Now. Please do it now before it's too late.
Resilience Checklist for Everyone
Below is an austere (meaning no extras, only a bare-bones place to begin) list of tasks every organization (small, medium, or large) cannot risk ignoring. These basic steps greatly increase the cost for criminals to pick you as a target. Once you've tackled this starter list, criminals will go elsewhere to find an easier target.
Some of these things you may be doing but many of these you're not. If you're working in lockstep with your Managed Services and Security Provider on all of these items, that's awesome!
If you're not, it'll be your fault when criminal activity inevitably disrupts your organization.
These are the most practical ways you can reduce your preventable losses right now:
- Have a Comprehensive Disaster-Recovery Strategy. Annually review all mission-critical backup configurations to ensure nothing is overlooked or has changed. Ensure backups are not being stored in vulnerable places and/or on privileged machines/devices. At least twice per year, perform a port scan on related systems to understand and minimize the attack surface (this means the exposed parts that can be most easily compromised).
- Formalize Disaster Recovery Testing. At least annually (more frequently if required) test recovery of mission-critical assets. Consider conducting table-top simulations of worst-case scenarios once or twice a year so your team understands their roles in a crisis and how prepared or unprepared they are for one.
- Conduct Annual Password Audit. Attackers know to target low hanging fruit, which means your folks who use weak passwords and re-use them across accounts - makes the work easy for criminals. Make sure to include shared accounts - these often have very weak passwords, use no 2FA, and are particularly good places for criminals to start exploiting you.
- Review Security Logs Annually. Even if you're not currently protecting your logs (criminals know how to cover their tracks) reviewing them at least once a year vastly minimizes surprises down-the-line.
- Annual Account Review. It doesn't take long at all to make sure all of your accounts are still required. If accounts are no longer active or needed, disable them - these are way too often exploited by criminals.
- Verify Visibility Into Your Operations. Make sure you have an accurate inventory of hardware and software - criminals love it when you have no clue about this because it makes their work much easier.
- Conduct Vulnerability Scans (At Least Twice Per Year). Make sure you understand your network and devices by conducting semi-regular scans and have a formal process for mitigating what's found - your clients are likely starting to ask for proof of this, too.
- Use Anti-Malware On All Devices. Anti-Malware solutions are not a nice-to-have. Make sure this is installed on all your devices, mobiles, tablets, laptops, servers, everything.
- Audit Access Annually. Far too many incidents are a result of an account having too much power. Make sure you're operating using a Rule-of-Least-Privilege model to reduce your risk to preventable losses. Criminals love it when regular users have account privileges way above their pay grade.
- Ongoing Resilience Training. Give your team the knowledge and tools they need to protect your organization each and every day - offer your team a training tool they can use on their own schedule or plan a formal training once or twice a year - awareness is by far the most effective tool against crime!