A Security Checklist for SMBs

Posted by on Jun 11, 2013

As SMBs struggle to stay ahead of the game, one of the most popular ways to save money on IT budgets has been to move from onsite security to cloud-based security solutions. According to Gartner, global spending on data security is expected to reach $86 billion by 2016. That growth makes sense given how often third-party attacks can put a business under with a single breach. Attackers recently exfiltrated more than 20 terabytes of protected data from the Department of Defense and several of its contractors, showing that even the government falls victim to these commonplace attacks. Many of the affected institutions were unaware of the breaches because their data flows were left unmonitored. To guard against such attacks, businesses must monitor their physical and electronic network boundaries, and the data crossing them, to reduce their exposure.

Image: Cloud Checklist (courtesy of Infogressive.com)

Once a business falls victim to hacking, it can take weeks to fully recover, putting operations on pause and severely interrupting workflow. Small to midsize businesses looking to leverage technology in their favor can help secure their data by working from a checklist that covers data onsite, in transit, and in the cloud. One such checklist is the Twenty Critical Security Controls, which prioritize the steps known to block the most common attacks. These controls are already in place across wide sectors of the government to avoid the types of breaches that have plagued everyone from the US Army Corps of Engineers to the Department of Defense. The Twenty Critical Security Controls were developed by the Center for Strategic and International Studies and John Gilligan, former CIO of the US Department of Energy and the US Air Force. Organizations that have already signed on to the controls include leading banking security experts, the NSA, the Department of State, the DoD Cyber Crime Center, and the Department of Energy nuclear laboratories. Working from such a checklist lets an SMB spend a limited IT budget on the controls that matter most rather than spreading it thin. Under CISO John Streufert, the US State Department reported a 94% reduction in “measured” security risk after implementing the controls.

The Twenty Critical Security Controls are:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability
  9. Security Skills Assessment and Appropriate Training to Fill Gaps
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  11. Limitation and Control of Network Ports, Protocols, and Services
  12. Controlled Use of Administrative Privileges
  13. Boundary Defense
  14. Maintenance, Monitoring, and Analysis of Audit Logs
  15. Controlled Access Based on the Need to Know
  16. Account Monitoring and Control
  17. Data Loss Prevention
  18. Incident Response and Management
  19. Secure Network Engineering
  20. Penetration Tests and Red Team Exercises
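Control 1 is where most SMBs should start, and in practice it is a reconciliation problem: what is actually on the network versus what the asset register says should be. The following Go program is an added example, not part of the original checklist or any vendor's tooling. It parses a constructed set of DHCP lease records (made-up addresses and hostnames, in a simplified ISC dhcpd style) and reconciles them against a hypothetical register keyed by MAC address, flagging unregistered devices, registered devices presenting a different hostname, and registered devices that were not seen at all.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample for this example: ISC dhcpd-style lease records,
// simplified to one record per line. Addresses and names are made up.
const sampleLeases = `lease 10.0.1.20 { hardware ethernet 00:1A:2B:3C:4D:01; client-hostname "fileserver"; }
lease 10.0.1.21 { hardware ethernet 00:1a:2b:3c:4d:02; client-hostname "alice-laptop"; }
lease 10.0.1.57 { hardware ethernet 00:1a:2b:3c:4d:99; client-hostname "android-7f3a"; }
lease 10.0.1.58 { hardware ethernet 00:1a:2b:3c:4d:03; client-hostname "bob-laptop"; }
lease 10.0.1.90 { hardware ethernet 00:1a:2b:3c:4d:7e; }
lease 10.0.1.91 { hardware ethernet 00:1a:2b:3c:4d:04; client-hostname "DESKTOP-K2X9"; }`

// Hypothetical asset register: MAC address -> hostname the device was issued as.
var authorized = map[string]string{
	"00:1a:2b:3c:4d:01": "fileserver",
	"00:1a:2b:3c:4d:02": "alice-laptop",
	"00:1a:2b:3c:4d:03": "bob-laptop",
	"00:1a:2b:3c:4d:04": "carol-laptop",
	"00:1a:2b:3c:4d:05": "printer",
}

// Device is one lease as observed on the network.
type Device struct {
	IP, MAC, Hostname string
}

// ParseLeases pulls IP, MAC and optional hostname out of each lease line.
// MACs are lower-cased so "00:1A..." and "00:1a..." compare equal.
func ParseLeases(text string) []Device {
	var devs []Device
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		var d Device
		for i := 0; i+1 < len(f); i++ {
			switch f[i] {
			case "lease":
				d.IP = f[i+1]
			case "ethernet":
				d.MAC = strings.ToLower(strings.TrimSuffix(f[i+1], ";"))
			case "client-hostname":
				d.Hostname = strings.Trim(strings.TrimSuffix(f[i+1], ";"), `"`)
			}
		}
		if d.IP != "" && d.MAC != "" {
			devs = append(devs, d)
		}
	}
	return devs
}

// Reconcile compares observed devices with the register and returns:
//   unknown  - on the network but not in the register (the Control 1 finding)
//   mismatch - registered MAC presenting a different hostname (re-imaged, spoofed, or stale record)
//   missing  - registered but not seen (decommissioned, stolen, or register out of date)
func Reconcile(devs []Device, inv map[string]string) (unknown, mismatch []Device, missing []string) {
	seen := make(map[string]bool)
	for _, d := range devs {
		seen[d.MAC] = true
		name, ok := inv[d.MAC]
		switch {
		case !ok:
			unknown = append(unknown, d)
		case d.Hostname != "" && d.Hostname != name:
			mismatch = append(mismatch, d)
		}
	}
	for mac, name := range inv {
		if !seen[mac] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing) // map iteration order is random; keep output stable
	return unknown, mismatch, missing
}

func main() {
	unknown, mismatch, missing := Reconcile(ParseLeases(sampleLeases), authorized)
	for _, d := range unknown {
		fmt.Printf("UNAUTHORIZED  %-12s %s %q\n", d.IP, d.MAC, d.Hostname)
	}
	for _, d := range mismatch {
		fmt.Printf("NAME MISMATCH %-12s %s %q (registered as %q)\n", d.IP, d.MAC, d.Hostname, authorized[d.MAC])
	}
	for _, n := range missing {
		fmt.Printf("NOT SEEN      %s\n", n)
	}
}
```

Run it on a schedule against the real lease file (or an ARP table, after adjusting the parser) and alert on the UNAUTHORIZED lines. A MAC address is trivially spoofable, so treat the register as a first filter rather than proof of identity, and back it with switch port mapping or 802.1X where the budget allows.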

Image: Cloud security spending (courtesy of CIOInsight.com)

According to the Verizon Business 2013 Data Breach Investigations Report, 78% of initial intrusions were of low difficulty and could have been stopped by basic controls applied by IT administrators. The gaps most often left open are weak passwords, outdated software, and unhardened default configurations. IT managers should close those gaps onsite before uploading any data to a cloud service: keep all software up to date, prohibit web browsing from administrative accounts, and require two-factor authentication.

Image: SMBs & the cloud (courtesy of GetApp.com)

For businesses that have secured their data in house with these precautions, the next step is choosing a cloud provider that is actually protected rather than merely marketed that way. Many SMBs can take advantage of cost-effective cloud solutions that offer better protection and storage than an onsite setup would, but picking the right provider is hard when security is the main concern. At a minimum, look for a provider that encrypts data in transit (TLS between your devices and the service) and at rest (on the provider's storage), and ask who holds the decryption keys: if the provider holds them, the provider, and anyone who compromises it, can read your data.

A Private Cloud Solution

Many cloud services on the market have security gaps that leave company and user data open to third-party attacks and even internal data mining. One service leading the way in transparency is the private cloud storage and sync company SpiderOak. This provider offers the full benefits of the cloud together with a design under which it cannot read the data it stores, for businesses and for individual users looking for trustworthy online storage.

As for how it protects sensitive data, SpiderOak offers two-factor authentication and 256-bit AES encryption so that user files and passwords stay private. Two-factor authentication works like the PIN some banking services require at login in addition to the password: SpiderOak users who enable it enter a one-time code delivered by SMS along with their password. The service describes itself as “zero-knowledge”: files are encrypted before they leave the user's device, and the plaintext encryption keys are stored only on the devices the user chooses, so the provider holds ciphertext it cannot decrypt and the user stays in full control of the data. The flip side of that design is that a provider which cannot read the data also cannot reset a forgotten password or recover files for a locked-out user, so safeguarding the password is the user's responsibility. SpiderOak's private cloud services are available for Windows, Mac, and Linux, along with Android and iOS mobile devices.
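To make the zero-knowledge idea concrete, here is an added example in Go of client-side encryption as the paragraph describes it. It is not SpiderOak's code, whose actual implementation this page does not describe. A 256-bit AES-GCM key is derived from the user's password with PBKDF2-HMAC-SHA256 (written out here so only the standard library is needed), and the only thing the provider ever receives is the salt, the nonce and the ciphertext; the iteration count, salt size, sample password and sample file contents are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Blob is everything the provider ever receives: salt and nonce are public,
// the ciphertext carries the AES-GCM authentication tag. No key, no password.
type Blob struct {
	Salt, Nonce, Ciphertext []byte
}

const kdfIterations = 100000 // assumed for the example; tune to your hardware

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so the example needs
// only the standard library. Production code should use a vetted library
// and preferably a memory-hard KDF (scrypt, Argon2).
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset() // U1 = PRF(password, salt || INT(block))
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // Ui = PRF(password, Ui-1); T = U1 ^ ... ^ Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey turns the password into a 256-bit AES key. It runs on the client
// only; the provider never sees the password or the key.
func deriveKey(password string, salt []byte) []byte {
	return pbkdf2([]byte(password), salt, kdfIterations, 32)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the client before upload.
func Encrypt(password string, plaintext []byte) (Blob, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Blob{}, err
	}
	gcm, err := newGCM(deriveKey(password, salt))
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	// The salt is bound as associated data, so swapping salts between blobs is caught too.
	return Blob{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, salt)}, nil
}

// Decrypt runs on the client after download. A wrong password gives a wrong
// key, so GCM's tag check fails instead of returning garbage.
func Decrypt(password string, b Blob) ([]byte, error) {
	gcm, err := newGCM(deriveKey(password, b.Salt))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, b.Salt)
	if err != nil {
		return nil, errors.New("wrong password or blob tampered with")
	}
	return pt, nil
}

func main() {
	blob, _ := Encrypt("correct horse battery", []byte("Q2 payroll spreadsheet")) // sample data
	fmt.Printf("provider stores: salt=%x nonce=%x ct=%x\n", blob.Salt, blob.Nonce, blob.Ciphertext)
	pt, err := Decrypt("correct horse battery", blob)
	fmt.Printf("right password: %q err=%v\n", pt, err)
	pt, err = Decrypt("wrong password", blob)
	fmt.Printf("wrong password: %q err=%v\n", pt, err)
}
```

Note what the provider can and cannot do with the blob: it can store and sync it, it cannot decrypt it, and it cannot help a user who forgets the password, because no key material ever leaves the client. Whatever the provider's own implementation looks like, those are the properties to verify before trusting a "zero-knowledge" label.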
