Enterprise and Small Business Cybersecurity
Joe Nehila
Delivering AI in Cybersecurity | Research & Development Leader | Strategy - Innovation - Transformation | MXDR - CAE - ConvergeSECURITY - Strategic Partnerships
Recently, in a conversation with a colleague, he suggested information technology consultants need to be careful they do not scare clients through cybersecurity talk. My response: why would any client hire anyone for a digital solution, let alone IT backbone or infrastructure work, who does not acknowledge cybersecurity?
After a head nod, I was told I had a point. But do I? What does a small business or an enterprise corporation need to know about cybersecurity? Should they care? How secure can you be as either a small or a scaled corporation?
THE REALITY
This same colleague said something truly brilliant. "The greatest strength of computers is their greatest weakness, they are made to talk to each other." He is a little too young to remember when computers were made to just crunch data (using little punch cards like a rocket ship abacus). In this digital era, he is correct. Everything is made to connect. Computers. Phones. Ovens. Light Switches.
THE CONSEQUENCE
We are all vulnerable. I have a mantra, "If someone wants to get your info, they will." Does that sound too cavalier? Has any of your software crashed lately? Did it ask you, "Can we send this error report to Microsoft anonymously?" Your software is made to communicate to the mother ship. That is, after all, how we won our battle with the aliens on Independence Day!
THE EXAMPLES
Let's consider Stuxnet. Do you remember that space-age worm that reportedly ruined 1/5th of Iran's nuclear centrifuges? How about Northrop Grumman, Lockheed, and L-3 being hacked with snatched tokens? The Google SSL certificates stolen from DigiNotar? The US government's personnel office, OPM? I am by no means singling these groups out; I am simply saying, if they were hacked, anyone can be hacked. Certainly Iran didn't want its centrifuges failing, government contractors don't want to lose face when they provide cybersecurity services to the USG, and the personnel office for the US government is probably on their top 5 list of places they would not like to see hacked.
WHY SHOULD A SMALL BUSINESS CARE?
Let us imagine for a moment that you own a toy store in Arkansas. What do you think happens to your business when you are not securely sending your credit card transactions and all of your customer data is stolen? Will your community band together to support you when it hits the newspaper, or will that be the end of your retail business? Unfortunately, the reality is that these problems have a compounded impact on small businesses. Home Depot's customer data was hacked, and Sony is still around to be hacked again years after its earlier major breach.
SMALL BUSINESS EXPLOITATION
Beyond the client-facing side, there is the business and its interests. One small business client had their VoIP hijacked, and one dark corner of Russia was making long distance calls on their dime for a few weeks. They also had a backdoor installed in their network that they suspect may have been loaded by an unscrupulous IT partner, although it was just as possible that a scorned ex was to blame. True story. Small businesses need to be careful lest they become someone's telephone switch or bot, or have their network exploited by those who may be just snooping, or could mean them harm.
THE SOLUTION-ISH
Let me highlight just a few things that every business should do. I'm keeping it simple, but reach out for more detailed info.
1. Plan: Each company should have a Cybersecurity Plan and what I would consider a Cyber Threat Mitigation Strategy. Those might sound like big words, but in other words, have a plan, which includes a strategy to do your best based on your budget (or lack thereof).
2. Act: Each company should act on their plan. It's not enough to strategize, you must DO so you can protect your interests. Lift where you stand, or in other words, everyone should just do what they can and keep pushing the ball further down the way.
3. Train: If you have a staff, you need to make sure they are trained on the strategy and enacting it. Standards need to be maintained, and you need to have some basic failsafes in place to ensure compliance. Make sure people know what's going on, and they are doing what they should.
4. Best Practices: Always, always incorporate best practices into your plan and action. Stay current, or pay someone to stay current. Little changes can make a big difference. Take WEP vs WPA vs WPA2. This is a check box for most modern routers and devices, but the security difference is massive to the average small business.
5. Improve: You should learn as you go, and do better. There will be a day when a class action so massive hits a bank, credit card processor, or major retail company that it will completely change the game. Don't be that guy (company)!
Well, what do you think? Is cybersecurity a bunch of hooey? Does the government control everything? Do you, like me, wear tin foil hats? Let me know in the comments below and watch out for this future troublemaker...
-----------------------------------
Joe Nehila is a Principal at Nosoco, a business solutions company focused on small and medium-sized businesses. Nosoco has helped numerous small and large companies compete internationally through using pragmatic, iterative, novel solutions. He's also worked on one or two cybersecurity projects in his day. For more information, visit Nosoco at their website or on their new LinkedIn profile.
10 years ago
Thanks Benjamin Godard and Joseph Nehila. Ben, I once saw a piece on how many computers (personal and corporate) have been turned into bots being exploited. It was staggering! Digital compromise is commonplace, so the least people can do is slap an alarm sticker on their business. It may not do much, but the fact that you are no longer the lowest hanging fruit may save you for awhile...
Great article on the importance of cybersecurity. The director of the FBI has said, "There are two kinds of companies, those who've been hacked and those who don't know they've been hacked." Unfortunately, as an ethical hacker I can tell you the situation is much worse than you probably imagine. Often the mean time to compromise for an attacker is measured in minutes where the mean time to detection is often years, if at all. The advice I give is first, don't be a target. It's like the bear story, you don't have to outrun the bear, just the guy next to you. And assume breach. It's too late to assume it will never happen to you. You need to know your business well enough that you can spot suspicious behavior even when it looks like it is coming from a legit user etc. It's great to see you getting this on people's radars!
Executive Management at Aggregate Water Services
10 years ago
Well written approach to the importance of cyber security.