WannaCry was a wake-up call for many organizations, crippling businesses around the world and demanding Bitcoin payments to restore access to their data.
But is it possible to fully protect your data and IT systems from cyber threats? Almost every industry expert says ‘no’ — but that doesn’t mean the situation is hopeless and you’re doomed to pay out Bitcoin to hackers holding your data hostage.
These days, it’s almost impossible to avoid cyber threats. They’re constantly changing and evolving, and no one is immune — not even small businesses, non-profits, schools or hospitals. But having a security strategy in place can help you get back up and running as quickly as possible if, and when, something goes wrong.
“You’re never going to be able to protect yourself 100 per cent,” said James Morris, Director, Security and Professional Services with Epic, a Bell MTS company. “I would honestly be planning for both recovery and prevention.”
While perimeter security — trying to keep the bad guys out with firewalls and anti-malware software — is important, it’s not foolproof. Malware can sneak past your perimeter defenses through a back door, or use techniques such as social engineering to trick employees into giving away passwords, account information and other sensitive data.
Recovery and prevention
Morris says there should be a heavier focus on recovery capabilities than prevention. In the recent past, the focus has been on prevention, with the lion’s share of the security budget allocated to that area. There is now a shift in the industry whereby prevention and recovery each take close to an equal portion of the IT security budget.
Your recovery strategy should include offline backup or advanced snapshotting technologies, which could save your data if you’re hit with ransomware. If backup isn’t offline or secured, it could also be encrypted or deleted by hackers.
“Some companies have been moving away from tape or offline backup, and largely don’t understand the capabilities from a snapshot perspective,” said Morris. “Now we’ve had to go back to those types of technologies because of ransomware.”
Offline backup is one component of an overall security strategy that focuses not only on prevention, but on response. For many SMBs, this can seem like an overwhelming task, particularly if you don’t have an IT pro on staff (or if your IT pro doesn’t specialize in security).
How vulnerable is your SMB?
According to Morris, the best way to start is with a vulnerability assessment, which will pinpoint any vulnerabilities and identify what’s potentially at risk — not only as it relates to technology, but to people and processes as well.
“Anyone who has had a vulnerability assessment in the past two months would have seen the vulnerability associated with the WannaCry ransomware pop up,” said Morris, of the crippling ransomware attack that affected users in more than 150 countries.
“I would recommend getting one done at least once a year, unless you’re regulated otherwise, but it has to be part of some sort of security program,” he said. A security program allows you to act upon information that comes out of the vulnerability assessment.
After all, there’s no point in reviewing your IT architecture, systems and processes if you aren’t going to do anything with that information — or heed any warnings. “Oftentimes, the attitude is, ‘I have a firewall, I’m not too worried,’” said Morris. “But that isn’t going to cut it.”
Security is a business problem
Fixing problems is often considered a cost, with no visible ROI.
“Small business sees it as a cost, but it’s critical to the business,” said Morris. “Business sees it as an IT problem, but they must also realize that security is an overall business problem — not just an IT problem.”
This is where business leaders and IT pros need to come together, and it starts with a baseline security policy. However, this can be quite a task. Thankfully, there are some good templates available, including one from Public Safety Canada, among others; Morris recommends selecting the bits and pieces that make sense for your business.
Getting the right help
“Find somebody who can take that information and turn it into a security policy — and you’re 10 times further ahead than you were before,” said Morris. After rolling it out, ensure you schedule regular audits and assessments.
“It needs to be a formalized process and it needs to be in the security policy,” he said. That security policy should include an incident management plan so if something goes wrong, there’s a strategy in place to deal with it.
For those who simply don’t have the time or resources, managed security services are another option, where a third-party provider does the heavy lifting for you. They can assist with writing a security policy as well as rolling it out.
Having a security strategy in place does require time, money and resources — but that’s a piece of cake compared to the time, money and resources required to recover from a crippling cyberattack that could destabilize your organization.