We’re still in January and at least four (4) significant cyber-attacks have made the media circuits. T-Mobile, Yum! Brands, LastPass, and ODIN have all succumbed to breaches leaking millions of user identities, personally identifiable information (PII), and other confidential data. These brands may be able to recover quickly from cyber incidents, but for a small or medium business, these types of events can be disastrous. There are two critical factors you should consider immediately to secure your business:
- Have a documented and practiced incident response plan.
- Have cyber security insurance.
For the sake of relevance, we’re going to flip-flop the subjects and tackle cyber security insurance first. It is a bit more concrete and has well-documented requirements.
CYBER SECURITY INSURANCE
With the bloom of cyber security incidents, insurance providers require businesses to maintain a baseline of countermeasures before they provide insurance. To qualify for coverage and maximize the benefits of a policy, at a minimum, you must deploy:
- Multi-factor authentication (MFA) for employee access to web-based email.
- MFA for remote access to the business network to include employees, contractors, and vendors.
- MFA for any user with admin privileges to asset registers like Active Directory, backup systems, network appliances, and other endpoints.
To satisfy these requirements, IMS promotes the Identity and Access Management (IAM) service. IAM is a set of processes and technologies that help you manage and control user identities and access to your organization’s resources. Learn more about IAM via our prior blog post.
Implementing IAM allows you to:
- Authenticate and authorize user access to your network, applications, and data.
- Monitor and track user activity to detect and prevent potential security threats.
- Control use of and access to sensitive data and resources using permissions and policies.
- Set up multi-factor authentication.
As we see more complex attacks and greater risk associated with stolen data and identities, policy providers are going to align with best practices, not just good-enough practices. In the future, we can expect to see requirements tied to current, relevant practices like random, very long, complex passwords that don’t expire. Fortunately, IAM helps fulfill these requirements. Microsoft helps dictate best practices and weaves their administration and use into its products.
In addition to meeting the requirements of your policy, IAM also helps to quickly identify and contain a breach. Your insurance company should recognize this as evidence of your diligence and good faith, and may be more likely to provide coverage and assistance.
Lastly, implementing IAM is not silver-bullet protection against a cyber threat. But with a robust IAM solution in place, you reduce your risk and improve your chances of avoiding or mitigating the consequences of a cyberattack.
DOCUMENT AND PRACTICE INCIDENT RESPONSE PLAN
The details to cover a well-documented incident response plan are very specific to the functionality and information within your business. There are simply too many variables to accurately cover in an article. However, there are four (4) pillars to understand and protect: people, data, systems, and reputation. Inventory all aspects of those four elements in your business, then navigate nightmare scenarios of what happens if you lose any one (1) piece within any pillar.
Above, we already shared how IAM helps you catalog your assets. For this use case, leverage IAM to start your list, then extend that list to external factors like customer and public reputation. You could also consider ‘losing IAM’ as a threat, too. It isn’t enough to know all likely elements; taking the next step to document them and their recovery process is critical to shortening recovery times. Trying to respond under the pressure of an existing threat leads to excess stress and hasty decisions. Doing the leg work before the stress is present allows clearer minds and better planning to prevail.
Here is a real-life example of a sample threat scenario, courtesy of my friend Brian Adams. During a consultation, all IT members are gathered to build an inventory of assets. Brian identifies the one person in the room who maintains the disaster recovery plan, takes their cell phone and laptop, and sends that person home. The rest of the team is then left to recover the business from a disaster scenario of losing a team member.
This story is a wonderful representation of what businesses don’t think about as a potential incident or threat. This organization had an IT team comprised of many people. What if you have no dedicated IT or a small IT team? If you are curious or concerned, reach out to us and we can help or guide you to a proper consultant. Suffice it to say, navigating a solid Incident Response Plan takes weeks of highly introspective activities. That may seem like a high cost, but considering that more than 60% of small and medium businesses go out of business within six (6) months of a qualified attack, it is well worth the time and effort.
Persistent attention is required to thwart persistent threats.
We now operate in a world where businesses are under constant cyber threats. To operate effectively in an environment like this, persistent attention is required to thwart persistent threats. Business leaders need to champion a top-down security model that promotes safety for all their assets: people, operations, hardware/assets, and data. IAM allows a business to identify, catalog, and control access to these valuable assets. Don’t rest on your laurels with a single system, though. Layer and practice your security periodically – at least once per year. Recognize that this type of practice is already required for cyber security insurance and, in the future, will only be more complex.
To close, this brief highlights the common factors for the SMB space as related to cyber security insurance. As your assets scale in value or your business size expands, additional requirements like the oversight of a Security Operations Center (SOC) can be layered in. There are various steps in maturation that can be automated prior to going full-on SOC. We’ll save the security deep dive for another article though. If you don’t know where you fit within this spectrum, or have any questions about the above content, schedule a consultation with IMS and we’ll help you figure it out.