There are many similarities between how we manage our health and how companies manage information security in terms of preventing and detecting various ailments that may otherwise compromise our "networks."
On the one hand, our doctors and parents always tell us to eat right, exercise, not smoke and not stress out all the time to keep our bodies healthy. On the other hand, we also know we need to monitor our health (via doctor visits when we feel sick or for annual checkups) before those nagging ailments can turn into something major. Detecting and correcting serious health ailments early is much less costly, in terms of money and your health, than ignoring the warning signs that could lead to a trip to the emergency room.
Similar to healthcare, information security can also be thought of in terms of prevention and detection controls to safeguard data and the long term "health" of your business.
As with your health, we are always looking for ways to prevent bad things from happening to our data. Security controls used to prevent breaches before they occur include patching software vulnerabilities, writing secure code, hardening your systems and implementing strong access controls, just to name a few.
Just as most of us don't have that perfect diet or haven't been blessed with Superman's genes, we will still need to monitor our networks and systems and swiftly respond to incidents. Our controls can never be perfect; we are all human and will eventually make mistakes. That's why many experts in the security industry (including many security monitoring tool vendors) continue to argue that you should always assume you're going to be hacked. They go on to warn us that detection beats prevention, since you have to be agile in quickly detecting and containing incidents.
But what is more important for most small businesses -- prevention or detection?
As Benjamin Franklin once said, "An ounce of prevention is worth a pound of cure." I would tend to agree and also add that prevention should be a top priority in any small business. By first focusing on and investing in prevention controls, small businesses can get a big leg up on future cybercriminals and attackers. Don't get me wrong -- detection controls, such as security monitoring, are still important and most likely increase in importance the larger your company gets and the more it can afford.
However, if you can prevent incidents from ever occurring in the first place, you may be able to reduce the likelihood of future events turning into an expensive game of "whack-a-mole". Remember that fun arcade game? The objective is to hit the mole with a 'hammer' as it pops its little head out of one of many holes before quickly disappearing, only to see another one appear from a different hole... Sound familiar?
To help bolster this idea, I'd like to present six easy prevention security controls that can help protect your business.
1) Developing Secure Websites
It's no secret that security needs to be included in the design of every application. Application security is most effective and least expensive when planned and implemented throughout the development lifecycle of the application. If you have an external website used to host services for customers or employees, have your website scanned to identify application vulnerabilities (such as the "OWASP Top 10") BEFORE you actually host internet traffic on your site. Scans will help validate that bugs are addressed and ensure code fixes are done in a timely and proactive manner.
2) Patching and Updating Software
Be proactive and patch your systems regularly, but pay special attention to the more critical vulnerabilities that are actively exploited in the wild. Don't forget to patch your applications as well, such as Java, Adobe, QuickTime and others. How many times have you heard of phishing and social engineering attacks that try to trick unsuspecting users into clicking malicious links or attachments laced with malware? Most of these tricks are designed to run malicious programs that exploit vulnerabilities on your local system. Of course, you can always monitor and contain the malicious actors after the fact, but wouldn't it be easier to prevent the event from occurring in the first place?
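A small example of how the "patch regularly, but prioritize what is actively exploited" advice can be turned into a repeatable process. This is added code, not from the original post: it compares a constructed software inventory against constructed advisory records (the product names, version numbers and scores are made-up sample data) and returns a patch queue ordered by in-the-wild exploitation first, then severity.

```python
"""Patch triage: find installed software below the fixed version and order the work.

Added example; the inventory and advisory data below are constructed samples,
not real advisories or real version numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    software: str
    fixed_version: tuple      # first version that contains the fix
    severity: float           # CVSS-style score, 0-10
    exploited_in_wild: bool   # known active exploitation -> top of the queue


def parse_version(text):
    """Turn '8.0.40' into (8, 0, 40) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def patch_queue(inventory, advisories):
    """Return (host, software, advisory) tuples for every vulnerable install.

    Ordering: actively exploited first, then higher severity, then host name
    so the output is stable and reviewable.
    """
    work = []
    for host, installed in inventory.items():
        for software, version in installed.items():
            for adv in advisories:
                if adv.software == software and parse_version(version) < adv.fixed_version:
                    work.append((host, software, adv))
    work.sort(key=lambda item: (not item[2].exploited_in_wild, -item[2].severity, item[0]))
    return work


# Constructed sample data (hypothetical hosts, products and versions).
INVENTORY = {
    "pc-01": {"java": "8.0.40", "reader": "11.0.1"},
    "pc-02": {"java": "8.0.50", "reader": "11.0.0"},
}
ADVISORIES = [
    Advisory("java", (8, 0, 45), 9.3, exploited_in_wild=False),
    Advisory("reader", (11, 0, 2), 6.8, exploited_in_wild=True),
]


if __name__ == "__main__":
    for host, software, adv in patch_queue(INVENTORY, ADVISORIES):
        flag = "EXPLOITED" if adv.exploited_in_wild else "pending"
        print(f"{host:6} {software:8} fix>={'.'.join(map(str, adv.fixed_version))} sev={adv.severity} {flag}")
```

Note that the lower-severity reader advisory outranks the higher-severity java one because it is being exploited in the wild; that is the ordering the post argues for.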
3) Hardening Your Systems
System hardening is sometimes overlooked even by larger organizations, but small businesses should also establish standards or processes for how to harden their systems (e.g., servers, PCs, smart phones). Make sure your systems are securely configured in order to reduce the attack surface of your network. Don't install unnecessary software, as these applications will also need to be patched and could be exploited. The more securely configured your systems are, the fewer the vulnerabilities that can be exploited by attackers. My personal favorites are the NIST and DISA STIG standards, which include system hardening guidance for IT platforms (e.g., Windows, Mac, Linux, network devices) and are also used by U.S. government and military systems. This is especially important for your web systems connected to the internet.
4) Access Controls
Access to systems and applications should be controlled to ensure it is commensurate with job requirements and adheres to the "least privilege" principle (i.e., the minimum amount of privileges required for the role and nothing more). Once roles are established, new user requests should be approved by the role owner or manager prior to authorizing (or "provisioning") user access to sensitive systems or data. Access should be reviewed periodically and revoked immediately when users leave the company.
Strong passwords should be implemented and changed periodically. Two-factor authentication is also imperative for remote access into your network or when accessing sensitive websites such as banking sites.
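The access-control workflow described above (roles with a defined minimum permission set, owner approval before provisioning, periodic review, immediate revocation at offboarding) as a small working model. This is an added example and not code from the original post; the role names, owners and permission strings are constructed samples, and the 90-day review interval is an assumed policy value.

```python
"""Least-privilege provisioning model: role owner approval, periodic review, offboarding.

Added example with constructed roles and users; the review interval is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Role:
    name: str
    owner: str               # the manager who must approve requests for this role
    permissions: frozenset   # the minimum set needed for the job, nothing more


@dataclass
class Grant:
    user: str
    role: str
    approved_by: str
    granted_on: date
    last_reviewed: date


class AccessRegistry:
    def __init__(self, roles, review_interval_days=90):
        self.roles = {r.name: r for r in roles}
        self.grants = []
        self.review_interval = timedelta(days=review_interval_days)

    def request_access(self, user, role_name, approver, today):
        """Provision a role only when the role's owner approves. Returns True if a new grant was made."""
        role = self.roles[role_name]
        if approver != role.owner:
            raise PermissionError(f"{approver} is not the owner of role {role_name}")
        if any(g.user == user and g.role == role_name for g in self.grants):
            return False   # already provisioned; do not duplicate
        self.grants.append(Grant(user, role_name, approver, today, today))
        return True

    def effective_permissions(self, user):
        """Union of the permissions of every role the user holds (and nothing else)."""
        perms = set()
        for g in self.grants:
            if g.user == user:
                perms |= self.roles[g.role].permissions
        return frozenset(perms)

    def overdue_reviews(self, today):
        """Grants that have not been re-certified within the review interval."""
        return [g for g in self.grants if today - g.last_reviewed > self.review_interval]

    def mark_reviewed(self, user, role_name, reviewer, today):
        """Re-certify a grant; again only the role owner may do so."""
        if reviewer != self.roles[role_name].owner:
            raise PermissionError(f"{reviewer} may not review role {role_name}")
        for g in self.grants:
            if g.user == user and g.role == role_name:
                g.last_reviewed = today

    def offboard(self, user):
        """Revoke everything the user holds. Returns the number of grants removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        return before - len(self.grants)


# Constructed sample roles (hypothetical names and permission strings).
ROLES = [
    Role("billing-clerk", owner="alice", permissions=frozenset({"invoices:read", "invoices:create"})),
    Role("sysadmin", owner="bob", permissions=frozenset({"servers:admin"})),
]


if __name__ == "__main__":
    reg = AccessRegistry(ROLES)
    reg.request_access("carol", "billing-clerk", approver="alice", today=date(2024, 1, 1))
    print(sorted(reg.effective_permissions("carol")))
    print([g.user for g in reg.overdue_reviews(date(2024, 5, 1))])   # carol is overdue
    reg.offboard("carol")
    print(reg.effective_permissions("carol"))                          # frozenset()
```

The two checks a practitioner would care about are that a request approved by someone other than the role owner is refused outright, and that offboarding removes every grant rather than just disabling a login.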
5) Encryption of Sensitive Data
The easy solution to protect sensitive data is to implement whole-disk encryption on company- or third-party-owned laptops. One lost laptop can lead to expensive fines, loss of trust or, worse yet, put you out of business. Encrypting customer data in files, databases and applications is also critical, not only to protect your business but also because it may be required to meet regulatory obligations.
6) Security Awareness Training
The human element is often your weakest link and the root cause of many breaches (e.g., falling victim to phishing e-mails or malicious websites). Ensure your employees, contractors and third parties are informed of their data protection and information security responsibilities. For example, ensure users take information security awareness training upon hire and annually thereafter to stay current.
Following these six simple prevention controls can significantly improve security and make monitoring that much more efficient and valuable (for defense in depth) when you are ready to move to the next level in your security program.
Remember, be secure. It's a zoo out there.