This is part 2 of my last post, “Size doesn’t matter to a hacker”. Previously I pointed out why both large enterprises and SMBs are at risk of cyber-attack, for different reasons; in today’s post I will shed some light on what I believe organizations of both sizes can do to reduce the probability of a successful attack.
Let’s start with enterprise.
In a large organization communication breakdown is common. As mentioned in part 1, there are many reasons for this. A lack of good communication can have ill effects on all departments within a large organization, especially when it comes to IT security.
The most important element of good security in a large organization is communication. This communication should focus on bringing together all departments, divisions, staff members and their leaders regardless of geographic region or area of focus. There should be one unified order or direction pertaining to security that is given from the top that all leaders in all divisions and regions follow.
The best way to tighten up communication in a large organization is to provide information security awareness training to all staff members. This training must be unified and should not differ from one division or region to another. It should not exclude executives. It shouldn’t be watered down by one or more leaders who do not see the “value” in such training. It shouldn’t contain different messages, rules, or guidelines for one country or culture over another. It must be consistent. It must be mandatory, and staff should be assessed on their understanding afterwards. Security training is “never” a one-and-done solution.
By making this training mandatory, you will create a heightened awareness about security and the role your staff play in protecting the corporation from an attack. Through regular and routine training, you will start to create a corporate culture that places security in a critical category. This is the single most effective step an organization can take to strengthen communication and bring together the entire organization in terms of security.
In a large organization, there are many subjects a hacker could use to craft a phishing email for an attack. Remember, there is much more public information available on a larger company than on a smaller one. In other words, the hacker has more options. Due to the sheer size of the organization, a hacker can choose from any number of divisions, languages, or regions. They could choose one of your customers, suppliers, or vendors to spoof. With some reconnaissance they may even know what software applications your company uses and choose to leverage those for a spear phishing attack. They may focus on executives or department heads, as these people, their current responsibilities, and their experience are most often proudly displayed on the corporate website.
In addition to training, conducting regular simulated phishing campaigns is an effective way of testing the knowledge your staff have gained through training. In a large organization, the goal of a phishing campaign is to test how users actually respond to a phishing email. You need to know who is failing these tests, as those people are the ones most likely to open a real phishing email and place your organization in jeopardy.
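One way to turn campaign results into the per-division and per-person view described above, as an added example that is not the author’s code or any particular phishing platform’s export format: it assumes a CSV export with the columns shown, and the rows below are constructed sample data.

```python
"""Summarise simulated-phishing results by division and flag repeat failers."""
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical format): one row per user per campaign.
# action is one of: reported, ignored, clicked, submitted (entered credentials).
SAMPLE_RESULTS = """campaign,user,division,region,action
2024-Q1,alice,finance,EMEA,reported
2024-Q1,bob,finance,EMEA,clicked
2024-Q1,frank,finance,EMEA,ignored
2024-Q1,carol,sales,APAC,clicked
2024-Q1,dave,sales,APAC,submitted
2024-Q1,erin,exec,NA,clicked
2024-Q2,alice,finance,EMEA,reported
2024-Q2,bob,finance,EMEA,submitted
2024-Q2,frank,finance,EMEA,reported
2024-Q2,carol,sales,APAC,reported
2024-Q2,dave,sales,APAC,clicked
2024-Q2,erin,exec,NA,reported
"""

# Clicking the link or entering credentials both count as a failed test.
FAIL_ACTIONS = {"clicked", "submitted"}


def parse_results(text):
    return list(csv.DictReader(io.StringIO(text)))


def failure_rate_by_division(rows):
    """Fraction of user-campaign rows per division that failed."""
    totals, fails = defaultdict(int), defaultdict(int)
    for r in rows:
        totals[r["division"]] += 1
        fails[r["division"]] += r["action"] in FAIL_ACTIONS
    return {d: fails[d] / totals[d] for d in totals}


def repeat_failers(rows, min_failures=2):
    """Users who failed in at least min_failures distinct campaigns: candidates for extra training."""
    failed = defaultdict(set)
    for r in rows:
        if r["action"] in FAIL_ACTIONS:
            failed[r["user"]].add(r["campaign"])
    return sorted(u for u, c in failed.items() if len(c) >= min_failures)


def report_rate(rows):
    """Fraction of rows where the user reported the email, the behaviour training should raise."""
    return sum(r["action"] == "reported" for r in rows) / len(rows) if rows else 0.0


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    print(failure_rate_by_division(rows), repeat_failers(rows), report_rate(rows))
```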
Infosec training and simulated phishing campaigns are only a couple of suggestions for protecting your organization. I will share more in my next post.
Now let’s talk about SMBs (small and medium businesses).
Unlike in a larger organization, communication is likely not your problem, but budget may be.
SMB leaders or company owners need to take security seriously. Seriously enough that they will set aside a budget, no matter the size, to address the security basics.
Statistically speaking, an SMB is targeted 46% of the time… let that one sink in for just a moment. This means that you are running a much higher risk than larger organizations. It could also mean that if you are targeted and the hacker is successful, your company may be brought to a screeching halt.
The good news is that basic security doesn’t have to cost as much as you may think, and yes, it starts with training and simulated phishing as noted above! In many cases security can be thought of as the layers of an onion. The more layers, the more protection. The first layer, at a bare minimum, should be training and simulated phishing.
Have a discussion with your IT guy and choose a platform that will work. Make sure that you are providing training and conducting phishing campaigns on a regular ongoing basis.
If your IT guy is suggesting outsourcing your security, I recommend listening to him or her and not shutting them down. It may be a difficult conversation to have, but trust me when I say it will be the most rewarding one if you choose to implement additional security measures that end up saving your company. We see this ALL the time: an SMB gets hit, and suddenly a budget is made available, but is it too little, too late?
Next up: additional steps an SMB can take to reduce their exposure, in my next blog.