Pragmatic steps to better security for Irish SMEs
27 November 2019 | 0
Few people would leave a car unlocked in a public place with the engine running. The risk is obvious, and the loss is immediate. But some businesses in Ireland do not think about information security and protecting important data in the same way.
This is starting to change because of General Data Protection Regulation (GDPR): the fines for breaching the regulation are becoming real, although I prefer to focus on how the regulation is forcing businesses to think about data differently because it makes them responsible for protecting it. For some people, it can be hard to think of IT hardware and software as having a business value; they are just tools for the job. But the data on these devices often includes sensitive commercial terms, go-to-market plans, or customer details, that are unique to the company and are the essence of its brand. The regulator is forcing you to protect personal data, but in fact it is the right thing to do.
Many businesses look at IT security from a pragmatic perspective: affordability is key. That is why I take a pragmatic approach. In many cases, security does not need huge investment all in one go. There are real, practical things to do straight away that will make a difference.
Firstly, I recommend an audit of where the business is in security terms, relative to its peers and to best practice. This allows the person responsible for IT and risk, or the business unit owner, to start shaping their planned security investment so it is appropriate to the risks and the exposure. To put it simply: how likely is it that a phishing scam, financial fraud or ransomware infection could end my business?
That audit process guides the follow-on steps to securing and protecting what matters most. Rather than trying to rush in and do everything at once, it is important to have a plan. Mitigate the biggest risks first and accept others. Start with installing anti-malware on all devices, properly configured firewalls, and all data encrypted, especially when it is stored on laptops and mobile devices.
Next, put security policies in place and tell staff and customers that these policies exist. This sends a clear message to the market – and should reassure customers – that the business takes security seriously and does not just treat it as a compliance obligation.
Staff training is essential to any good security effort. One approach is classroom-based training aimed at teaching employees to be “good citizens”, and not to click on suspicious links or leave sensitive information lying around. Another way which I have found useful is continuous assessment. There are tools that simulate real phishing attacks, allowing the business to tell which of its employees recognised an attempt to trick them into clicking on a malicious email. Anyone who clicks on the link during the simulation automatically sees a prompt to take refresher training. Since more than 90% of external security breaches start with emails targeting people, security training is a very effective measure.
After taking these steps, businesses can choose to build layers of security on top. For companies without dedicated internal IT resources, security operations centres are too cost-prohibitive for most SMEs. So, it often makes economic sense to work with an external specialist provider like CommSec that monitors customer networks from our operations centre.
We also provide proactive security services like threat hunting. Unlike reactive security that waits for incidents before alerting and responding, this service identifies malicious activity that deviates from the norm and takes it down. Sometimes this finds residual malware from old infections, and previously we also stopped a ransomware attack in motion. This extra layer of protection moves security from a purely responsive position to a proactive approach that identifies new risks fast.
Returning to our analogy from the start, it helps to think of information security like the safety features in a car. One by itself is useful; when combined, they reduce risk and let you complete your journey safely.
David McNamara is managing director of CommSec