Setting Cyber Security Priorities

While the number of cyber security attacks grows every day, too many businesses have adopted a potentially dangerous attitude that cyber attacks only happen to large companies. Companies that are too small to employ full security teams may take comfort in having tools in place such as firewalls and anti-virus software; however, as attacks become more sophisticated, the current slate of preventative measures may not be enough to keep them safe.

According to a survey conducted by Ipsos Reid on behalf of MNP, half of Canadian businesses either suspect or know for certain that their business has experienced fraud or scams in the last year. Despite new headlines filled with stories of businesses that have experienced an attack, 80 to 90 percent of the respondents are under the illusion they could put a stop to the fraud if it happened to them.

On the opposite end of the spectrum, businesses run the risk of becoming overwhelmed by the barrage of bad news and undertake an equally misguided attempt to implement protection against every known threat in the cyberworld.

Instead of chasing every possible threat or simply ignoring the problem, businesses need to take a pragmatic approach by setting priorities and developing plans that will provide the greatest protection against the most likely risks.

Start Where You Are

Before deciding what security tools and protocols are needed, businesses need to step back to analyze their position and understand their current state. A cyber health check will help inventory assets, understand vulnerabilities, and anticipate the greatest threats.

A comprehensive inventory will incorporate the assets that need protection; including any information, technology, systems and data that could cause damage if it were stolen or compromised. By developing a risk-based view of these assets, companies can ascertain how the material is stored, who has access to it, how it could be lost or stolen, and the risk to the company if it is lost or stolen.

Capturing a snapshot of devices, systems and software programs will help identify any unauthorized changes. Without knowing how many devices or types of software are authorized to be on a system, it may be impossible to notice if a cyber criminal adds a piece of equipment or malicious software.

A current list of security controls will identify the protection already have in place. Instead of taking on the impossible task of safeguarding against every possible attack, companies can focus on the most common threats affecting their industries or businesses of the same size.

Focused Security Budgets and Resources

By assessing vulnerabilities and the most likely threats to business, companies can identify the areas where it makes the most sense to invest time, money and resources.

The Center for Internet Security has developed a 20-step security framework that can help any business build an effective security framework. Simply implementing the top five strategies could reduce security risk by 85 percent:

1. Inventory authorized and unauthorized devices
2. Inventory authorized and unauthorized software
3. Secure configuration for hardware and software
4. Continuous vulnerability assessment and remediation
5. Controlled use of administrative privileges

Adding simple monitoring and controls to high-risk areas can also have a significant impact. If intellectual is stored on system files and folders, software can be used to monitor the copying or downloading documents. Monitoring can also be easily added to databases and web infrastructure.

Don’t Make Assumptions About Security

Building a security plan based on actual priorities puts businesses in a strong position if an attack strikes. It’s not sufficient to assume that small companies are safe from attack. Unfortunately, small businesses are often targeted because they don’t often don’t have the resources to invest in adequate protection or planning.

Tomorrow’s technology is shaping business today. For help identifying where you should be setting your cyber security priorities, contact Danny Timmins, National Cyber Security Leader, at 905.607.9777 or [email protected].