As someone who has worked in the Managed Network Services space for over a decade, there are certain behaviors I notice when it comes to security planning. Every so often, a major security incident makes headlines, and the media cycle begins. Decision makers at organizations, who are typically business experts rather than technology experts, react with questions about what they are doing to fight this specific threat. Are they doing the right thing? What else could they be doing? How exposed are they?

This kind of reactionary impulse does not necessarily bear out in other areas where we manage risk. Consider investing. Most people who invest for the long term develop a strategy and stick to it; they do not let an external event force them to change their fundamental strategy, even if they make minor adjustments along the way on the advice of an expert.

While not the same as investing, you want a sound fundamental approach to managing the security risks of your SMB. By developing strong habits, you will manage security risk by "tweaking" your approach rather than tearing the whole approach down and rebuilding from scratch.

Let's go over a few fundamental ways to approach security risk that any decision maker tasked with managing this process should consider:

Establish An Acceptable Use Policy

During assessments, I often find that organizations, especially those with a dozen or so employees, lack basic rules on Acceptable Use. It is almost as if they expect users to know what the rules are and what responsible behavior means when using company-owned devices and data, without ever formally explaining it to them. Your Acceptable Use Policy should be extensive, direct, clear, and communicated to staff so that there is no room for misinterpretation.
While we want users to have flexibility in how they use the tools available to them, they need to know which pitfalls to avoid. Simply defining Acceptable Use rules leads to better outcomes, and users begin to feel they share responsibility for protecting the organization's technology assets. Users who are bought into company policy on usage reduce security risk dramatically.

Have A Structured Approach to Maintenance

If you have technology assets of any volume, a comprehensive plan to proactively support and maintain them is necessary. Even in 2017, there are still organizations with significant amounts of sensitive data, major investments in servers, and sophisticated network equipment that approach management and support reactively, or not at all. It is almost as if support is a cost they wish to avoid. Organizations that perform no proactive management will often carry high-severity vulnerabilities. A security incident caused by that neglect costs far more money and stress than an actively managed system, which has a far lower risk of a major incident. Many companies that experience downtime and failures from ransomware could have avoided the incident if the vulnerability it exploited had been patched through proactive managed support.

Provide Regular Security Awareness Training To Staff

While having an Acceptable Use Policy is essential, it is also worthwhile to provide some basic Security Awareness education to end users. The goal is not to turn your staff into a team of network security experts but to give them enough information to recognize the incidents they could experience, know how to report them to management, and understand current trends and how they apply to the organization.
We want people to avoid incidents, but also to minimize the damage from incidents that do occur by recognizing them and responding accordingly.

Perform Regular Vulnerability/Risk Assessments

Even well-maintained systems have flaws. There are so many potential vulnerabilities, both at the PC/server level and from the outside, that it is virtually impossible to patch them all proactively. New vulnerabilities are discovered regularly, and even diligent maintenance can miss an important patch for a variety of reasons. Regular vulnerability/risk assessments should be in place so that security issues get found and fixed and adjustments can be made.

Make Security/Risk Management A Part of the Discussion During Transitions

In the rush to execute a change, like replacing an end-of-life server or implementing a new application, some organizations fail to make security part of the discussion. I recommend focusing on the workflow first. What is it about this particular technology change that enhances or supports the current workflow? Once that is identified, the next step is not necessarily to change the way people work but to put security tools and policies around that workflow to improve risk management. To do that, determine what sensitive data the new system handles and how you want to mitigate the associated risks before making big-picture changes.

Conclusion

While this is not an exhaustive list of ideas and practices for minimizing security risk, my hope is that it gives you a line of thinking you can apply not just to the security risk 'du jour' but also to risks your organization has not yet encountered, in an ever-changing security landscape.
About the Author: Ben Schmerler is a vCIO Consultant at DP Solutions, one of the most reputable IT managed service providers (MSP) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also policy/compliance management, system design, integration planning, and other business-level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.