Thursday, April 16, 2015

Cyber Security for Small Businesses

I was thinking the other day that the majority of my current clients fit into the small-to-medium sized business category. One thing I have truly noticed is that there are not many people out there helping these businesses when it comes to security. I am doing all I can, but I reach such a small fraction of those businesses, so that is where this blog comes in. Hopefully it will help those business owners understand what security is all about and take action to protect themselves and their business.

Let's start out with some terminology (yes, I heard the sighs out there). As a business owner you probably already have some techy person doing some of your work as needed or on a schedule. The first thing I hear out of business owners' mouths is "Tell me in simple terms." Not so easy for many in the tech industry, but through my long career I have learned that most people do not really want to know the detail. Just the what, the why and how much, in most cases. I know I am talking your language, so this blog will follow that protocol.

Cybersecurity. I just read an article yesterday from a guy who is tired of hearing the word "cyber" and says it is not even being used properly. I agree, but it does instantly give people an image of what this is about. It's that Internet, technology, computers, wires and all the stuff that goes with it word. It is the catch-all today for anything technology-related or hooked to the Internet. I equate it to Kleenex (I actually used to work for the folks who make the real Kleenex brand). You can grab a box of Puffs and people still call it Kleenex. Same here. Technically there are all kinds of things that fit under cyber, including InfoSec (information security), but for our purposes let's just keep it "cyber." Fair enough?

So you own a business. Where in the bloody heck do you begin with security? Truly there is a very wide range of topics we could cover here, but I want to give you a visual so we have a model to work with, and we will use it going forward. Equate your data to money. Without it you cannot operate. If it gets stolen it can be used for bad things. You need a place to store it, and then a plan to protect it. And if anything should happen to it, how do you react?

So, given that visual, all of your data is stored in what is equivalent to a bank vault (this will typically be your server). There are many layers in a bank before you get to the vault, let alone the money. You have to get through the door, avoid detection (software or hardware with alarms), make your way to the vault (the network), get to the vault door and put in the code to open it (passwords). There are many variables along that route, but if you make it simple for the bad guy to get in the door (no firewall or router in front of you), let him walk unopposed and unseen through the network (no log files or detection software), and do not even put a password on the vault (you're getting me), then all he really has to do is find your door (be wide open to the Internet with no protection).

Now, that being said, if you keep all of your money in one place and have nothing in reserve (data backups), you can call it a night and you're done! The figure commonly cited is that around 60% of businesses that are breached will not survive six months. If it is a true data loss (a flood ruins your server, a tornado, or an angry employee) that number goes to about 94%, depending on where you get your stats from. So one thing we need to include is a data backup and recovery plan. Many do not think of that as a security issue, but it is.

So that is a pretty wide view of what will be in this blog. I will break it up and tackle things subject by subject, and try not to bore you with detail, like I promised.

So, back to the data-is-money analogy. It truly is. You can actually put a price on your data pretty easily. Just think: if all of your client information, including pricing and so on, fell into your biggest competitor's hands, how much would that cost you? I am thinking a lot.

So I will leave you with this. There is so much noise out there about data breaches and identity theft that it gets numbing. What do you listen to? Who do you believe? Hard to say these days with all of the NSA stuff going on. The good news is that I do have a certification in information security (ready?? Last one till next time: CISSP, Certified Information Systems Security Professional). Now you know why they just say CISSP. The standard I draw on most for this material (if you must know, it is ISO 27000; you're welcome) is where much of my information comes from. It's a standard because it works if applied properly. At the very least it gives you a fighting chance to stay sane. So, until my next blog, where we will find that starting point and start getting you secure!
