Cybersecurity for the Small and Medium Enterprise (SME)
LYNN TERWOERDS
[email protected]
Introduction
Oracle
Objectives
Make actionable recommendations
Ugly Numbers
A 2019 report by APWG found phishing attacks against SMEs had risen to a three-year high since 2016.
In the 2021 Ponemon study, the average total cost of a data breach increased by nearly 10% to $4.24 million, the highest ever recorded. Moreover, costs were even higher when remote working was presumed to be a factor in causing the breach, increasing to $4.96 million.
Due to the rise in remote work prompted by the pandemic, ransomware attacks are up 148%.
SME’s limited budget
Lack of cyber expertise
Understanding the regulatory landscape
Moving online (digital transformation)
Lack of management support
Holistic and balanced
People
Area – Description
Responsible role – Who has responsibility for cybersecurity? PoC
Buy-in – Management support, training, policy sign off
Employee awareness – Awareness, ability to respond to an incident
Cybersecurity training – Are employees trained to know about and handle cybersecurity issues & incidents?
Cybersecurity policies – Signed off policies and procedures, supported by management
3rd party risk – How well do 3rd parties protect your data, IP and systems?
Your Turn to Pick
Process
Area – Description
Audits – Who checks for compliance (software updates, tests for vulnerabilities)?
Incident response – Is there a plan in place that defines roles & responsibilities?
Passwords – Policy? Password keepers? 2-factor? Remove all default passwords?
Software updates – Is there a mechanism to apply critical security patches? How about remote workers and personal devices?
Data protection – How do you protect customer data, IP? Do you fall under laws for reporting a data breach?
FBI reports cybercrime up 69.4% in 2020
Technology
Area – Description
Firewalls
Anti-virus – All systems, automatically up-to-date
Encryption – Disks, VPNs
Monitoring – Monitoring important systems & regular log reviews
Physical security – Office access and physical access to critical systems or employee devices
Secure backups – Regular backups? Regular restores? Not all data is created equal, do you have different procedures for mission critical data?
33% of folders are not protected in any way. (2021 Global Data Risk Report)
Recommendations – People
Name a cybersecurity PoC – look within, don’t assume you have to hire.
Consider an email from the CEO stating that protecting the company from cyber risks is everyone’s job. Management must show up.
Employees need to buy in and have their questions/concerns addressed.
There is great leverage when employees are aware – take the time to train them on an ongoing basis.
Have clear policies. Review on an annual basis.
Third party risk management is critical, especially vendors who handle your IT, data and IP (intellectual property). Have a vendor vetting process in place.
Recommendations – Process
Assess and audit on a regular basis. Use incidents you hear about as a reason to review an internal control.
Have an incident response plan. Practice.
Passwords – complex, 2-factor, out-of-band, keepers.
Proper joiner-mover-leaver (JML) process.
Update software, enforce automatic anti-virus & client OS updates.
Know the laws that govern data breaches, put thresholds in place for security review of critical and/or personal data (e.g., customer, HR, IP).
Recommendations – Technology
Use network firewalls, understand all endpoints that connect to the Internet and make sure wireless networks are authorized & secure.
Anti-virus software applies to all endpoints and is useless unless kept updated. Employees need to understand why this is important on their personal devices.
Use email & web protection tools to combat phishing & malware.
Use encryption to protect data, especially mobile data on laptops & phones.
Have a monitoring plan and a manageable way to review log reports.
Secure your backups and tell the ransomware attackers to take a hike.
Physical security – first immutable law of security – if I have physical access, you don’t own the computer or device anymore.
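The "manageable way to review log reports" above is the part most small businesses never get to. The script below is an added example written for this page, not a tool from the presentation: it reads authentication log lines in the standard OpenSSH / Linux auth.log format, counts failed logins per source address, and flags any address at or above a threshold so a non-specialist can review a short summary instead of raw logs. The log lines are constructed samples; the threshold of 3 is an assumption you would tune for your own systems.

```python
"""Added example (not from the presentation): a small, repeatable log review
that summarizes SSH authentication failures so they can be checked weekly.
The sample log lines are constructed; the regexes match the standard OpenSSH
auth.log wording ("Failed password for ..." / "Accepted ... for ...")."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt: one address hammering admin/root,
# one legitimate key-based login, and one user who mistyped a password once.
SAMPLE_LOG = """\
Mar  3 08:01:12 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 08:01:15 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Mar  3 08:01:19 fileserver sshd[2233]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar  3 08:01:22 fileserver sshd[2235]: Failed password for root from 203.0.113.45 port 51131 ssh2
Mar  3 08:01:27 fileserver sshd[2237]: Failed password for root from 203.0.113.45 port 51133 ssh2
Mar  3 08:02:03 fileserver sshd[2240]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Mar  3 08:05:41 fileserver sshd[2251]: Failed password for bob from 192.0.2.22 port 40201 ssh2
Mar  3 08:05:50 fileserver sshd[2251]: Accepted password for bob from 192.0.2.22 port 40201 ssh2
"""

# "invalid user" appears when the username does not exist on the host.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize_auth_log(text, threshold=3):
    """Return failed-login counts per source IP, the usernames tried from each
    IP, every accepted login, and the IPs with >= threshold failures."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "failures": dict(failures),
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "accepted": accepted,
        "flagged": flagged,
    }


def report(summary):
    """Render the summary as the short, readable report a reviewer would scan."""
    lines = []
    for ip in summary["flagged"]:
        lines.append(
            f"REVIEW: {summary['failures'][ip]} failed logins from {ip} "
            f"(usernames tried: {', '.join(summary['users_tried'][ip])})"
        )
    # Successful logins are listed too: an accepted login right after a burst
    # of failures from the same address is the line worth asking about.
    for user, ip, method in summary["accepted"]:
        lines.append(f"accepted {method} login: {user} from {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize_auth_log(SAMPLE_LOG)))
```

Run it against a real auth.log by replacing SAMPLE_LOG with the file's contents; the point of the example is that the review output is a handful of lines that a named PoC can read every week, which is what makes the monitoring plan sustainable.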
Scenario Focused Approach
Strategic investments
Think like a hacker or bad actor
Let’s Practice – Thinking Ransomware Attacks End-to-End
Prevent, Detect, Respond
Data backups are important (vet 3rd party vendors if they handle this)
Patch management
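Both the Technology table ("Regular backups? Regular restores?") and this Prevent step come down to one question: has anyone actually restored from the backup? The script below is an added example written for this page, not a tool from the presentation. It backs up a folder into a tar archive, records a SHA-256 manifest of what was backed up, restores the archive into a scratch directory and compares every file against the manifest, then shows what the same test reports when a file was added after the last backup. The folder contents are constructed sample data; the archive format and location are assumptions.

```python
"""Added example (not from the presentation): an automated backup restore
test. A backup that has never been restored is an untested assumption, so
this builds one, restores it, and checks every file by hash. Sample files
are constructed inside a temporary directory."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path):
    """Write a gzip-compressed tar of source_dir and return the manifest of what went in."""
    source_dir = Path(source_dir)
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore the archive into restore_dir and compare it with the manifest.
    Returns (ok, problems); problems lists files that are missing or whose
    contents differ from what was recorded at backup time."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        # The "data" extraction filter (Python 3.12+, backported to older
        # patch releases) refuses paths that escape restore_dir.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"changed: {rel}")
    return (not problems, problems)


def run_demo():
    """Constructed scenario: back up a small folder, prove the restore, then add
    a file after the backup and show the restore test reporting the gap."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "finance"
        (src / "invoices").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2021-03-01,1200\n")
        (src / "invoices" / "inv-0001.txt").write_text("Invoice 0001: 1200\n")

        archive = work / "finance-backup.tar.gz"  # assumed archive name
        manifest = make_backup(src, archive)
        clean_ok, _ = verify_restore(archive, manifest, work / "restore1")

        # Work continues after the backup: a new invoice exists only on the
        # live system. Re-checking the old archive against the current folder
        # shows exactly what a restore would lose.
        (src / "invoices" / "inv-0002.txt").write_text("Invoice 0002: 450\n")
        stale_ok, problems = verify_restore(archive, build_manifest(src), work / "restore2")

        return {"clean_ok": clean_ok, "stale_ok": stale_ok,
                "stale_problems": problems, "files_backed_up": len(manifest)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Scheduling verify_restore against yesterday's archive, and having the PoC read its output, turns "regular restores" from a slide bullet into a routine; the manifest should be stored separately from the archive so that an attacker who encrypts or replaces the backup cannot also rewrite the record of what it should contain.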
Prevent, Detect, Respond
Threat intelligence – paid subscription and free avenues
Audit – are employees compliant with security policies? Patching? Anti-virus, anti-malware installed and up-to-date?
News – is your industry or region a current target? Has there been a data breach that might make attacking you easier?
Prevent, Detect, Respond
Do you have an incident response process? Did you ever practice?
Can someone be reached after hours?
Who would contact law enforcement if needed?
If your business is down, do you have a business continuity & disaster recovery plan?
Who decides whether or not to pay a ransom?
Call to Action
Re-use or modify this presentation for use within your organizations
Digital Resilience LLC
Security reviews and assessments (including NIST 800-151, HIPAA, PCI, ISO 27001)
Custom cybersecurity awareness training (delivered via Zoom during COVID)
Security incident response plans and tabletop exercises
Digital transformation consulting (moving workloads to the cloud)
[email protected]