Information security is a big, expensive problem, and many IT departments may not have the budgets for all the investments they want to make. But here’s advice from one security expert on where to prioritize when it comes to IT security.
The problem is that while many companies don’t have a lot to spend on security, all of them face security threats in one way or another.
Bottom line: Every organization has some kind of information that’s valuable to someone, and there are cybercriminals out there who know how to find that data and monetize it.
“I don’t think any company is small enough to not be concerned with this type of threat,” says Chris Smoak, Research Scientist at the Georgia Tech Research Institute. “All companies have intellectual property and if you don’t have intellectual property to protect, chances are you have no business having a company or being in business, anyway.”
Cybercriminals have a variety of ways of getting access to that data. While companies in some industries will be specifically targeted, most data breach victims are actually stumbled upon by hackers. For example, Smoak says, a user may take a work laptop home, get infected with a virus, and then infect the corporate network when he comes back into the office. That gives the criminals a chance to look around and find data such as credit card numbers, R&D documents or work proposals, and use their connections to the black market to monetize that information.
Despite the widespread threats, many organizations — especially smaller ones — fail to invest enough time and money into IT security. The problem, typically, is that protections are expensive, and it’s hard to show an ROI for security investments.
What should SMBs do first?
So where should small and mid-sized organizations prioritize the security funds they do have? One important area to focus on, according to Smoak: network logging.
One advantage smaller companies have over others is that they’re small. It’s much easier and a lot less expensive to keep track of everything that happens on a network when you don’t have thousands of machines and devices to worry about.
“You can relatively cheaply implement logging in a small organization,” Smoak says. “Because it’s small and because you understand the business, you can easily understand the types of traffic and the types of interactions that machines should have.”
Tracking traffic and identifying what’s suspicious can also be done with off-the-shelf open source tools and a bargain-basement, entry-level approach. And once IT departments start collecting data about suspicious activity, that data becomes a valuable tool for showing the company’s higher-ups what is actually happening and for freeing up more money for security.
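As an added example (not from the article or from Smoak), here is the kind of cheap baseline-and-deviation check the passage describes: learn which peers each host normally talks to from a known-good window of flow logs, then flag flows in a later window that fall outside that baseline or are unusually large. The log format, host names and addresses are constructed for the example.

```python
"""Baseline-then-deviation check over flow logs. Added example, not from the
article; the log format, host names and addresses are constructed."""
from collections import defaultdict

# Constructed known-good week: timestamp, source host, destination, dst port, bytes.
BASELINE_LOGS = """\
2024-03-01T09:00:12 ws-01 10.0.0.5 445 4096
2024-03-01T09:01:40 ws-01 10.0.0.10 443 12000
2024-03-01T09:02:03 ws-02 10.0.0.5 445 2048
2024-03-01T09:03:55 ws-02 10.0.0.10 443 9000
"""

# Constructed lines from a later day, including deviations that should be flagged.
NEW_LOGS = """\
2024-03-08T09:00:10 ws-01 10.0.0.5 445 4000
2024-03-08T22:14:31 ws-01 203.0.113.7 8443 350000
2024-03-08T09:03:00 ws-02 10.0.0.10 443 8800
2024-03-08T09:04:20 ws-02 10.0.0.5 22 700
"""

def parse(lines):
    """Yield (ts, src, dst, port, nbytes) tuples, skipping malformed lines."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        yield ts, src, dst, int(port), int(nbytes)

def build_baseline(lines):
    """Map each source host to the (destination, port) pairs seen in the known-good window."""
    baseline = defaultdict(set)
    for _, src, dst, port, _ in parse(lines):
        baseline[src].add((dst, port))
    return baseline

def find_deviations(lines, baseline, byte_threshold=100_000):
    """Flag flows to a peer/port the host never used before, and unusually large transfers."""
    findings = []
    for ts, src, dst, port, nbytes in parse(lines):
        if (dst, port) not in baseline.get(src, set()):
            findings.append((ts, src, f"new peer {dst}:{port}"))
        if nbytes >= byte_threshold:
            findings.append((ts, src, f"large transfer {nbytes} bytes to {dst}"))
    return findings

if __name__ == "__main__":
    for finding in find_deviations(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(*finding)
```

In a real deployment the baseline would be rebuilt periodically and reviewed by someone who knows the business, since a legitimate new server would otherwise keep showing up as a "new peer".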
Raise user awareness
In addition to better logging, companies should also focus on making users more aware of security threats. After all, users are most often the easiest way for criminals to get into the network.
One big example: email. Cybercriminals have gotten very good at using phishing emails to bypass intrusion prevention systems.
A way to make users better at recognizing suspicious emails, Smoak says, is to have IT security staff members actually conduct their own in-house phishing campaigns periodically and see who falls for them. Those test emails can be of different types — for example, some may be more obvious, while others specifically target an individual in the way a sophisticated criminal might.
“Over time you can tell if, say, John Smith clicked on this link the last eight times, you need to have that person come in and retrain them,” Smoak says. “What we find is that after you employ one of these things over the course of a year or two years, you start really decreasing the number of people that are clicking on links.”