(Post 3 of the Small Business Threats blog series)
The vast majority of effort put into standardizing security best practices is focused on large organizations with what is commonly referred to as “enterprise” network architecture. In other words, corporations and government entities with the financial resources to implement networks with all the bells and whistles, so to speak.
Whether or not they are required to do so, many organizations attempt to adhere to security principles such as those laid out in NIST special publications, the ISO 2700 series standards, requirements in HIPAA, PCIDSS, and many others. With respect to smaller organizations, the problem with this is that their organizations and networks are nothing like those mentioned in these standards.
Security professionals and small organization leadership do not have a standard model for security that they can simply apply to non-enterprise environments. This leads to many security professionals recommending solutions or changes to networks that the organization is not well equipped to manage. Security solutions that the organization cannot maintain either results in added recurring expenses associated with having a vendor maintain it for them or simply neglect of the solution itself, leaving the organization virtually as vulnerable as if they had never implemented it in the first place.
Small organizations are simply different
Enterprise security standards scale very well, but only as long as an enterprise approach is used in the organization. Smaller organizations tend to utilized a completely different model for their business practices and technology. For example, where enterprise organizations most often utilize directory services and have all their systems joined to a network domain, small businesses tend to operate in a work group environment and simply share resources. Also, large organizations often create and maintain formalized policies, standards, and procedures. Small organizations, on the other hand, frequently only have a simply employee handbook that lightly touches on the company’s positions on several topics.
Rethinking security for the small-time
Small business and small-to-medium non-profit organizations frequently do not have the financial and human resources required to employ many of the same business practices and technologies that their larger counterparts have. Suggesting that they utilize the same security solutions often times just doesn’t work. For this reason, it is important that security practitioners and organizational leadership understand how to adapt security fundamentals to these types of companies.
Operations are the inner-workings of the organization’s business practices. These include the company’s plans, its policies, and how it intends to function on a daily and on-going basis. Small organizations may not have an executive or human resources staff, but it is still possible for them to produce and implement variations of several fundamental operational security measures such as:
- Business continuity plan
- Disaster recovery plan
- Incident response plan
- Security policies
- Acceptable use policies
Keeping in mind that, for smaller organizations, these documents may be fairly simplistic and might not contain some elements commonly included in larger organizations. They still have value in helping to protect small companies.
Protection of physical assets is something that many smaller organizations actually get right. The use of commercial-grade locks, intrusion alarms, security cameras, exterior lighting, and even night security guards are common. Simply working to identify physical security “blind spots”, such as entry points that are not covered by a security camera, can help that ensure even the smallest organizations have sufficient physical security.
This is where most small businesses simply fail to implement strong security. A desire to use technology that encourages productivity and collaboration but a lack of expertise in how to securely implement them leads to organizations having severe and dangerous vulnerabilities. Secondly, a lack of solid security policies leaves organizations with little-to-no idea about what measures should be taken when new technologies are adopted. The result is organizations that do not restrict access to sensitive information, cannot enforce a standard configuration on their systems, cannot control what people do with their systems, and that leave themselves vulnerable to significant risk.
Smaller organizations can adapt several technical security principles to work to their benefit. Many of these would be best implemented based on the existence of a well-defined security policy. Nonetheless, the following are several technical measures organizations can implement in the absence of an enterprise environment:
- Ensure all computers are configured with an administrative account (for administration) and non-administrative accounts for daily use. The administrator should tightly control administrative access to systems and not allow standard users to make changes to systems.
- Minimize the use of Wi-Fi. Wireless networking is convenient, but inherently less secure than a wired network connection. If your organization insists on the use of Wi-Fi, ensure that you are using WPA2 wireless security and have chosen a strong password and change the SSID to something other than the default, at a minimum. (the SSID provided by your ISP can provide a clue as to who your provider is and what type of equipment you use and default passwords can frequently be found on the Internet)
- Implement local Group Policy on all Windows-based systems to enforce standards, such as password complexity requirements.
- Create access controls for shared file storage (whether local network, DropBox, etc.) to explicitly grant access to information only for those who require it. Your front desk staff normally should not have access to your financial and payroll records, for example.
- Create regular backups of important information. Network storage, websites, and databases are all single points of failure that can cause serious headaches if something goes wrong. Having a recent backup of this data can make getting back to business relatively painless. (backups can come in especially handy and save you from paying a ransom if you fall victim to ransomware)
- Firewalls are great at both restricting where your employees can reach outside your organization and protecting your local network from outside threats. They are not the best solution for managing access to websites. A firewall that is not regularly updated and managed might as well not exist.
- Web proxies, on are explicitly designed to provide control over web content that is accessible from inside your network. They allow for categorical filtering of websites as well as individual site authorization and restriction. Like firewalls, these must be maintained and updated, but can be relatively simple to manage.
- Anti-malware (anti-virus) software should be kept up to date. Because malware is constantly being produced and modified to take advantage of the latest and greatest vulnerabilities, outdated anti-malware software may be entirely unable to detect the presence of malware which can result in significant loss of information or even entire systems.
- File integrity systems (formerly called host-based intrusion detection) runs as locally installed software on desktops and server systems. It monitors the local system for unauthorized changes or attempted changes to critical system files and can add a degree of protection against intruders and some forms of malware.
The financial constraints of small organizations do not have to limit their ability to implement good security practices. Similarly, the lack of enterprise network architectures in small organizations does not mean security principles do not apply or cannot be adapted to their environment.