Weighing Security Requirements vs. Business Needs

TSP • @myTSPnet


Security used to be simple — lock the filing cabinets and the doors at night before you leave. Today, there are so many security options that if you ran them all, it might feel like you were operating your business with both hands tied behind your back.

Sometimes this or that security measure seems right, but if you add enough of them up in the wrong combination, it can make daily operations a real hassle for you and your employees (not to mention clients). Instead of being sold on security software or practices that might not fit well together and could actually end up compromising your business instead of protecting it, get educated on what’s available and choose the solutions that will create a more custom fit for your needs, goals and operations.

Security can be confusing, especially for small businesses, which have specific needs but don’t always have the budget to hire a full time, in-house expert. To ensure your business is not only protected but optimally functional, find a technology partner who specializes in small businesses. They can help choose the best practices for your individual needs, streamline the adaptation and training process and make sure you have exactly what you require to be both safe and streamlined.

For now, start with this quick security primer. Never heard of a BCP or the Principle of Least Privilege? Not to worry. Here follows a succinct, in-plain-English glossary of some key security terms and techniques that are out there now. It’s by no means comprehensive but think of it as a sampler platter for current security problems, issues, solutions and conundrums.

Phish: Not just the key ingredient in Ben and Jerry’s chocolate ice cream. Phishing is when cyber criminals send out a legitimate-looking email with an attachment (e.g., a malware installer) or hyperlink (e.g., a website pretending to be something else). The email seems to come from a known source, but once anyone in your organization clicks the link or opens the attachment, the damage is done. The FBI’s Internet Crime Complaint Center published a report in 2017 that found people lost $29.7 million to phishing scams in just one year, and beyond direct financial loss, phishing also seeks to steal personal, customer and company information.

There is great security software on the market, but ultimately, the biggest vulnerability is human beings. Train everyone in your organization to create some personal firewall habits. The Federal Trade Commission has published consumer information that goes more in depth, but the quick tips are to never click on a link or attachment — ever — unless you’re absolutely sure it’s from a reliable source.

Any emails that ask for updated payment information, warn of data breaches, want you to confirm personal information or offer coupons or free stuff should be considered suspect. Remember that phishing emails look real, with logos from known companies, and can even appear to come from your personal contacts, since a friend getting hacked means the hacker now has your email, too, and can pretend to be that friend.

If you’ve never heard of BCP, chances are you need to build a strategy for one. BCP stands for Business Continuity Planning, and it’s a system of prevention and recovery from potential threats to a business. A good BCP identifies and defines all potential risks that could hinder operations, then details a management strategy that spells out which specific safeguards should be in place, outlines recovery procedures and tests those procedures in advance. A good BCP is always evolving, and while some only cover items such as natural disaster preparedness, today a BCP should cover cyber-attacks as well.

Developing a BCP for technology and cyber security issues is best done with a solid technology partner, since risk will vary from business to business. Does your data need to be backed up more regularly, and which cloud provider is best for your procedures? Should you add an extra layer of authentication for logins or require password changes more often? Are thumb drives allowed or should there be additional physical security measures in place? The BCP is not only your disaster preparedness handbook, it’s a playbook for keeping procedures in place that will protect your business.

Let’s say a security-focused business doesn’t allow every employee to be an administrator on their own computer. The advantage is that the employee can’t install malicious software (knowingly or unknowingly), so they can do less damage. The downside is that if the employee needs access to something when an administrator isn’t available, say if something needs a fix at 2:00am, the employee can’t get to what they need to do their job.

This conundrum stems from the Principle of Least Privilege, and it is one of the biggest back-and-forth issues in security today. Companies want to protect their assets, but too much protection can restrict functionality, just as a castle with too many tall walls and barricades eventually becomes less usable to its inhabitants. When employees are only allowed the minimum access to do their jobs, risk from attackers or accidental employee mistakes is reduced and breaches are more easily contained, but those restrictive processes can limit functionality. One basic guideline to follow is restricting access by department — sales doesn’t need access to engineering and vice versa.
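As an added illustration (not from the article or any vendor product), here is how a department-scoped access policy with a short, logged emergency grant can reconcile least privilege with the 2:00am scenario above; the departments, resources and user names are constructed sample data.

```python
import datetime as dt

# Constructed sample data: each department sees only the systems its job
# needs (sales cannot reach engineering and vice versa). Anything outside
# that list needs a time-boxed, audited emergency grant, which covers the
# "2:00am fix" without making anyone a permanent administrator.
DEPARTMENT_RESOURCES = {
    "sales": {"crm", "quotes"},
    "engineering": {"source-repo", "build-server"},
}

class ManualClock:
    """Controllable clock so grant expiry can be demonstrated without waiting."""
    def __init__(self, start=None):
        self.now = start or dt.datetime(2024, 1, 1, 2, 0, tzinfo=dt.timezone.utc)
    def advance(self, minutes):
        self.now += dt.timedelta(minutes=minutes)

class AccessPolicy:
    def __init__(self, clock):
        self.clock = clock
        self.elevations = {}    # user -> (resource, expires_at)
        self.audit = []         # every decision and every grant is recorded

    def is_allowed(self, user, department, resource):
        allowed = resource in DEPARTMENT_RESOURCES.get(department, set())
        if not allowed:         # fall back to an unexpired emergency grant
            grant = self.elevations.get(user)
            allowed = (grant is not None and grant[0] == resource
                       and grant[1] > self.clock.now)
        self.audit.append((self.clock.now, user, department, resource, allowed))
        return allowed

    def grant_emergency(self, user, resource, minutes=30):
        """Time-boxed access to a single resource; it expires on its own."""
        expires = self.clock.now + dt.timedelta(minutes=minutes)
        self.elevations[user] = (resource, expires)
        self.audit.append((self.clock.now, user, "emergency-grant", resource, True))
        return expires

if __name__ == "__main__":
    clock = ManualClock()
    policy = AccessPolicy(clock)
    print(policy.is_allowed("alice", "sales", "build-server"))   # False
    policy.grant_emergency("alice", "build-server")
    print(policy.is_allowed("alice", "sales", "build-server"))   # True
    clock.advance(31)
    print(policy.is_allowed("alice", "sales", "build-server"))   # False
    for entry in policy.audit:
        print(entry)
```

The audit list is the part a manager would review the next morning: who was granted what, when, and whether each request was allowed.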

Many companies have started blacklisting and whitelisting websites and downloads, with the goals of protecting the business from malware as well as restricting how much time on the clock might be spent goofing off. As employers see it, employees are the number one source of risk for security breaches; Shred-it's 2018 State of the Industry: Information Security report shows 84% of C-level executives and 51% of small business owners believe employee negligence is one of the biggest information security risks to U.S. businesses.

However, when an employee needs to access a client website for legitimate reasons or download an app for work and they’re blocked, functionality is limited, and the employee feels frustrated. The difficult thing is finding a healthy balance between blocking risk and creating barriers for legitimate tasks.

No one can be expected to know everything about cyber security or best practices — security alone is now an entire industry, with multitudes of people not only creating solutions, but arguing about which ones are ideal. The best strategy for any small business is to find a technology partner who will understand their business needs and functionality, explain options in plain language and work with you to create a suite of solutions that protect what you’ve worked so hard to build.