Security Best Practices for Small Business

SecurityBestPracticesforSmallBusiness
2
Georg
Dauterman
Georg Dauterman is the President of Valiant Technology, a New York-based Managed IT
Service Provider specializing in solutions for creative industries. Valiant provides expert
managed services and consulting designed to ensure stability, security, scalability, and
business growth.
Learn more at: thevaliantway.com
President, Valiant Technology

3
Justin
Penchina
Justin has been with Valiant Technology since 2010 and is a member of our Leadership
Team. His extensive hands-on experience with technology, particularly Microsoft-based
ones, can be seen in every solution we implement for clients.
Chief Information Officer

4
Maryann
Dobrowolski
Maryann is Valiant’s Training Manager, in charge of building and implementing educational
solutions for our clients to help them best utilize their technology while remaining safe from
online threats and other risks – including Valiant’s security best practices training.
Training Manager

Security
Best Practices
Security best practices are practices that
have proven effective when used by one
or more businesses, and as a result are
likely to be effective when adopted by
other businesses.
Perimeter
Security
Policies &
Documentation
Password
Best Practices
Staff
Training
Data Protection
& Backups
Multi-factor
Authentication
Anti-virus
Anti-malware
Mail filtering
Anti-phishing
Mobile Device
Management
5

Small Businesses are
not Immune to Attacks
43%
of cyberattacks target
small business to a
lack of security.
source: smallbiztrends.com
60%
of small businesses
attacked cease
operations within 6
months
source: denverpost.com
75%
of small businesses don’t
have staff to address
security concerns
source: securityintelligence.com
424%
Increase in attacks
and security breaches
on small businesses
since 2019
source: thesslstore.com
6

52% of breaches featured hacking, 28% involved malware, and 33% included
phishing or social engineering in 2019.
Source: Verizon
52%
Hacking
28%
Malware
33%
Phishing
7

Hackers attack every 39 seconds, or an
average of 2,444 times a day:
 Not a matter of if, but when
 Hackers target opportunity
 Hackers target information and
resources
39sec
Source: University of Maryland
8

The CIA Triad
 Information security model that
guides a business’s efforts and
policies aimed at keeping data
secure
 Each concept is linked to help make
effective decisions around security
strategies
9

The CIA Triad
 Defines and enforces access levels
for information
 May separate information into
groups that are organized by who
needs access or sensitivity
 Includes disk and file encryption, user
access permissions, etc.
10

The CIA Triad
 Ensures that access is granted to the
correct users
 Protects data from deletion or
modification from an unauthorized
party
 Ensures unintentional changed by
authorized user may be reverted
11

CIA Triad
 Refers to the ability for data and
systems to be accessed
 Requires that authentication
mechanisms and related systems
are working properly
 High availability approaches address
concerns such as hardware, network,
and power failures
12

CIA Triad
vs. Available IT Resources
 SMBs typically don’t have enterprise-
level resources to address issues but
do carry the same responsibility
 SMBs don’t have time to invest in
necessary areas vs. business growth
 Principles must be applied in a way
that can be managed by an SMB
13

Valiant’s
Best Practices
 The CIA triad is an effective
standardized methodology but can
be intimidating to SMBs
 Valiant’s Security Best Practices
aligns CIA concepts with small
business technology and security
concerns
14

Valiant’s
Best Practices
 Limit common points of exposure
 Maintain software updates and
patches
 Deploy layers of standard security
 Regular staff security trainings
 Attack simulations and response
reviews
15

Valiant’s
Best Practices
 Security Information and Event
Management to analyze logs and
identify anomalies
 Activity detection and automated
response policies
16

Valiant’s
Best Practices
 Creation and maintenance of
response procedures
 Security events take priority over
other needs
 Lessons learned: modification of
approaches to prevent future
security events
17

Improper usage and lax
security practices accounted
for 90.5% of the increase.
NASA Hit By 366% Rise In Cybersecurity
Incidents After Budget Cuts
Source: Forbes
18

Source: Forbes
180
1329
76 108
23 1530 35 71 6
315
1468
0
200
400
600
800
1000
1200
1400
1600
FY 2018 FY 2019
NASA cybersecurity incidents in 2018 and 2019
Improper Usage Other Loss or Theft Web Email Multiple Attack Vectors Total
NASA Hit By 366% Rise In Cybersecurity
Incidents After Budget Cuts
19

Top Threats
20

Social
Engineering
62% of businesses experienced phishing
and social engineering attacks in 2018.
Social engineering is the use of deception
to manipulate individuals into divulging
confidential or personal information that
may be used for fraudulent purposes.
62%
Source: Varonis
21

Phishing
Phishing attacks account for more than
80% of reported security incidents:
 306.4bn emails sent daily, 55% is
spam
 $17,700 is lost every minute due to
phishing attacks
 BEC (business email compromise)
poses a major risk
80%
Source: csoonline.com
22

Malware
 Detections of malware across
businesses increased 13% between
2018 and 2019
 400% increase in Mac-based threats
since 2018
 Many malware threats take place on
the Web via downloaded software
and rogue advertisements
+13%
Source: Malwarebytes
23

Unpatched
Systems & Devices
 One in three breaches are caused by
unpatched vulnerabilities
 Missed patch Tuesday leads to
exploit Wednesday
 90% of companies admit to patching
known problems within 30 days, and
that’s a recipe for trouble
33%
Source: ZDNet
24

Human Error
One in four breaches are caused by human
error:
 Overly complex systems
 Lost or stolen devices
 Compliance failures
 Lack of documented business procedures
25%
Source: threatpost.com
25

Protecting Your Business
26

Prevent
 Perimeter security: firewalls, content filtering
 Traditional anti-virus and anti-malware
 Anti-phishing and mail filtering systems
 Systems management including
automated patching and reporting
 Mobile Device Management
 Identity management and multi-factor
authentication
27

Identify
 Establish separation of duties
 Security Information and Event
Management to identify and analyze
observed events
 Security Operations Center and 24/7
eyes-on-glass monitoring
28

Respond
 Quickly remediate the issue
 Restore data from backups if
necessary
 Engage pre-defined response plan
 Identify actual or potential data leak
 Notify relevant parties ASAP
29

The Importance of
Security Awareness Training
30

Human Error
48% of malicious email attachments
are Microsoft Office files:
 Commonly used file formats are
often trusted
 Users are less likely to question the
sender, leading to infections
48%
Source: Symantec
31

Human Error
Mistakes happen, and understanding the
most common types help avoid
incidents:
 Requests to wire funds
 Requests to purchase gift cards as
payments
 Malicious software downloads
 Password and service sharing
32

Staff Training
 Training is only effective when it’s
performed on a regular basis – at
least once per year
 All staff, particularly executives, must
participate in trainings
 Training must be tailored to your
business’s technology, challenges,
and goals
33

Security
Awareness Training
 Training focused on how to identify
and avoid online threats that target
your business
 Simulated attacks are used to gauge
effectiveness and areas for
improvement
 Trainings also improve
communications with IT staff
34

Establishing IT Governance
35

IT Governance:
Shared Responsibility
 IT Governance are the processes that
ensure the effective and efficient use
of IT in enabling an organization to
achieve its goals
 Responsibility of business
management that is executed by
your IT staff or partner
36

IT Governance:
On average, only 5% of folders
containing business data are properly
protected:
 This is a shared responsibility
between your Management and IT
 Data protection is a joint effort across
your entire business
5%
Source: Cybint Solutions
37

IT Governance:
60% of small businesses attacked cease
operations within 6 months:
 Business leaders aren’t exposed to the
information they need to make the right
decisions
 Ignoring security will lead to major
problems in the future
60%
Source: denverpost.com
38

IT Governance:
 This is an opportunity to manage
situations and reduce fear around
small business security
 Small businesses benefit from an IT
partner with the expertise to
implement systems and train staff on
proper usage
39

Conclusion
 SMBs face the same threats as the enterprise, but don’t always have the
resources to combat them
 One security event can cause irreversible damage to a business
 Establishing and following best practices will reduce the likelihood of a security
event from taking place
 Training is a crucial component to any security strategy and comes with many
other operational benefits
 Cooperation and clear lines of communication between IT staff or a partner
and management is key
40

Resources
Valiant Online Resources: Guides & Downloads:
41
8 Ways to Protect Your Business from Hackers
Password Best Practices Checklist
Shadow IT Checklist
NIST Small Business Planning Guide
Blog
Live Streams
Knowledge Base
Remote Work Center
Cybersecurity Resources:
Email Security Awareness Whitepaper

Have a question for our team?
Submit it at bit.ly/vt-qa
Download this presentation:
bit.ly/sbp-presentation
Next Webinar:
The Modern Workplace
Thursday July 9th,2020
Join us as we review technologies designed
to facilitate collaboration, enhance security,
and improve experiences for remote
workforces.
Today’s attendees will receive an invite via
email.
Visit us at thevaliantway.com
and watch our live streams at
bit.ly/vt-livestreams

Security Best Practices for Small Business

More Related Content

What's hot

Similar to Security Best Practices for Small Business

Recently uploaded

Security Best Practices for Small Business

Editor's Notes