For many small firms IT security considerations are as simple as ensuring the firewall is turned on for each PC and perhaps a malware tool is installed. However, in the era of bring your own device, or remote working due to COVID-19 and as more companies set up as remote-first, there are huge risks every business faces.
The security problem for any business isn’t just a statistical or technical one. Criminal cartels are industrializing cybercrime to hack the largest number of companies in the shortest possible time. They don’t care if your business is a one-person show or a booming high-growth success, they just want to hack in, steal your digital valuables for profit or hold your data to ransom.
For any company, that means taking IT and data security seriously, from the basics like having strong passwords and backups to using what you might think of as advanced protection services. But these are really just the minimum for staying safe. Fortunately, what used to be hugely expensive IT security services are now available as low-cost cloud tools to help protect everyone.
Security comes with standards
The practical way to establish what you need to do to improve your cybersecurity is to conduct a security audit or analysis. Enterprises have all sorts of audit tools and processes to follow to ensure they comply with particular standards - and many firms won’t do business with an enterprise that doesn’t meet international standards like ISO/EIC – 27002 or HIPAA.
For British firms there’s guidance in the BS 10012:2009 specification for a personal information management system. It provides a framework for maintaining and improving compliance with data protection legislation and good practice. It’s been developed to help businesses to establish and maintain a best practice personal information management system. Others like BS ISO/IEC 18043:2006 focus on the selection, deployment and operation of intrusion detection systems.
Scanning your business for security gaps
When it comes to practical security, your firm needs to know what risks it faces and where the virtual weaknesses are around your hardware, networks and applications.
Services like penetration, vulnerability and intrusion testing (commonly known as pentests) see security professionals use automated tools to scan your networks and highlight risks to the business. They help you discover vulnerable areas, recommend fixes for them and provide an in-depth analysis.
Having established any weak points, the next step is to secure the business at the hardware level. This might mean upgrading your network hardware or getting rid of old but loyal PCs that don’t support the latest security apps. Moving your teams to cloud services where the risk of that 1% downtime is outweighed by the massive digital security built into each service is another positive step and helps firms who are increasingly remote.
Bolstering your IT security
That still leaves the physical business network to protect, even if it’s just a server, printer and a couple of WiFi hubs connecting the local PCs - it’s still a target for hackers. Using next-generation firewalls that come with intrusion protection will defend you from most threats. However, it won’t protect from 100% of them, so a layered approach is often the best defense for any business.
Virtual private networks (VPNs) and endpoint security tools can add another layer of protection to the business, ensuring that only valid users and applications can access your data and services. Additionally, email gateway security tools can protect your email servers and keep phishing and scam messages off the network before a busy worker accidentally opens one.
As your business grows it can adapt newer security methods, the latest being zero trust solutions. These are the ultimate guardians of any business network; as the name suggests, they trust nothing until it’s validated or authorized within the network. That could be a new PC, a new user, a network address or application - all are suspect until authorized.
Zero trust combines a number of technologies to identify users and sort the good intentions from the bad. In a few years it will become the standard method of IT defense, so getting used to it now isn’t a bad idea for any firm.
Solve the people problem
While all the apps and tools in the world might solve most of our IT security issues, there remains the human element.
This can only be addressed through awareness and training to make sure people don’t do things like bring malware-infected devices into the business or click emails claiming to be from the boss demanding an instant payment.
Addressing these issues with regular sessions and making everyone aware of the risks and consequences of a hack attack is key. Showing them that 95% of hacks are due to human action should help the best practices you (or a third-party security trainer) teach them have more impact.
Finally, there’s the knowledge that few businesses or staff have the time to truly deal with the cyber threat. It’s better to invest in security solutions and integrators to do the job for you or to hire experts who will make it their business to protect the firm within the budget restrictions.
They can act as the focal point for raising awareness and instilling positive behavior among remote or office staff, which combined with strong defensive solutions will help keep any business safe.
Further reading:
Access the latest business knowledge in IT
Get Access
Tech Insights for Professionals
Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.
Comments
Join the conversation...