Gone are the days when cybersecurity was a concern only for corporate giants. Over the years, cyberattacks have morphed and become more prevalent among smaller businesses. The threats that exist today are different than those of 10 years ago, and they're specifically a new burden for IT service providers dealing with small and medium-sized businesses (SMBs). Cyberattacks are no longer simple, but extremely sophisticated, and some are even funded for a purpose. It is no longer a matter of if your SMB customer will be breached but when. That's a frightening thought, but it is the reality in today's world. So, when was the last time you talked about cybersecurity with your customers?
Perhaps an even better question is, Have you even thought about this? If you haven't, you should.
As of late, we have had front-row seats to massive data breaches resulting from cyberattacks at companies such as Michaels, Home Depot, Anthem Healthcare, Target and Sony. In each of those instances, the economic losses have yet to be fully assessed. In Anthem’s breach, information such as name, birthdate, medical ID number, social security number, home address and salary from 80 million subscribers was stolen. The Michaels data breach compromised 2.6 million credit and debit cards. These breaches have had a major impact on these companies' public image and reputation, and hard costs pile up due to the loss of data. When a breach occurs someone has to take the blame, and it's typically the CIO or CSO.
Our customers also have a public image to protect. Their customers have trusted them with potentially sensitive information. The scale might seem smaller, but the potential damage to an SMB customer as a result of a data breach could be proportionally worse. Another reality: Consumers have a legal right to file suit if their personally identifiable information is compromised as a result of a breach. If your customer suffers a breach that results in a loss of private information and damage to their reputation, you should expect to be fired, like the CIOs and CSOs after the breaches at major corporations.
From a technical standpoint, we often feel that we have done our best to protect our SMB customers. We typically deploy routers, firewalls, intrusion detection systems (IDSes) and intrusion prevention systems (IPSes). And we throw in antivirus and anti-malware products. And with that, we give ourselves a pat on the back and consider our jobs well done. Nowadays, relying on these technologies to do the whole job, absent your technical expertise and skill, is a major mistake. As an example, let’s take a look at how a typical firewall is designed to work.
Firewalls operate on a few levels, with policies as the main mechanism. We implement policies through access control lists (ACLs), which allow or deny traffic based on the policies set. We often set a firewall to deny all traffic and then carefully carve out our ACLs and policies to allow certain traffic through. This usually works well, but not always. Sometimes an attack is carried out over a protocol that a policy has permitted, so from the firewall's point of view that traffic is valid.
The bottom line is that since cyberattacks have changed in nature, we have to modify our methodology to deal with the attacks that are emerging today, as well as those we already know about.
One approach to take: Learn what is and what is not normal behavior on your network. If your customer's network typically moves 10 GB of data a day but it starts pushing more than 100 GB of data, that is something to be concerned about. Make sure you are monitoring your firewalls and reading your logs for spikes in data.
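The baseline check described above can be sketched in a few lines of Python. This is an added example, not code from the original article: the log format, addresses and the 3x threshold are assumptions, and the sample records are constructed. Every flagged flow is one the ACL allowed, which is why volume has to be watched separately from policy.

```python
from collections import defaultdict
from statistics import median

GB = 10**9

# Constructed sample: one summarized firewall record per line, in the assumed
# format "date action proto src dst dport bytes_out".
SAMPLE_LOG = """\
2015-03-01 allow tcp 10.0.0.5 203.0.113.10 443 6000000000
2015-03-01 allow tcp 10.0.0.7 203.0.113.10 443 4000000000
2015-03-02 allow tcp 10.0.0.5 203.0.113.10 443 9000000000
2015-03-03 allow tcp 10.0.0.5 203.0.113.10 443 11000000000
2015-03-04 allow tcp 10.0.0.5 203.0.113.10 443 10000000000
2015-03-04 deny tcp 10.0.0.9 198.51.100.4 23 500000000
2015-03-05 allow tcp 10.0.0.5 203.0.113.10 443 12000000000
2015-03-05 allow tcp 10.0.0.5
2015-03-06 allow tcp 10.0.0.5 203.0.113.10 443 10500000000
2015-03-07 allow tcp 10.0.0.5 203.0.113.10 443 9000000000
2015-03-07 allow tcp 10.0.0.7 198.51.100.20 443 95000000000
"""

def daily_egress(log_text):
    """Sum outbound bytes per day, counting only traffic the firewall permitted."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[1] != "allow":
            continue  # skip truncated records and denied traffic
        if fields[6].isdigit():
            totals[fields[0]] += int(fields[6])
    return dict(sorted(totals.items()))

def find_spikes(totals, window=5, factor=3.0):
    """Flag days whose volume exceeds factor x the median of the previous `window` days.

    The median keeps one earlier spike from inflating the baseline."""
    days = list(totals)
    alerts = []
    for i in range(window, len(days)):
        baseline = median(totals[d] for d in days[i - window:i])
        if baseline and totals[days[i]] > factor * baseline:
            alerts.append((days[i], totals[days[i]] / GB, baseline / GB))
    return alerts

if __name__ == "__main__":
    for day, volume_gb, baseline_gb in find_spikes(daily_egress(SAMPLE_LOG)):
        print(f"{day}: {volume_gb:.1f} GB out vs. {baseline_gb:.1f} GB baseline")
```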
Another approach, once it's clear an attack has happened: Find patient zero and isolate the systems he has used. This allows you to mitigate the damage that an attack has on the network. It's a medical-style approach but works wonders in the world of IT. If you find the source of the breach and each system that came into contact with the infected system, you can home in on it to rid yourself of the problem.
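The scoping step above amounts to contact tracing over connection records. The sketch below is an added example, not code from the original article: host names, timestamps and the record layout are constructed, and it assumes any connection in either direction counts as contact. A system is in scope only if it touched an exposed system after that system was itself exposed.

```python
# Constructed sample of internal connection records:
# (minutes since midnight, source host, destination host).
CONNECTIONS = [
    (540, "ws-12", "fs-01"),
    (580, "ws-07", "ws-20"),      # before the compromise time: out of scope
    (600, "ws-07", "fs-01"),
    (615, "ws-12", "fs-01"),
    (630, "fs-01", "db-01"),
    (640, "ws-03", "print-01"),   # ws-03 was not yet exposed at this point
    (700, "ws-03", "ws-12"),
]

def trace_contacts(connections, patient_zero, compromised_at):
    """Return {host: (first_exposure_time, exposed_via)} for patient zero and
    every system reachable from it through contacts that occur in time order."""
    exposed = {patient_zero: (compromised_at, None)}
    for ts, src, dst in sorted(connections):
        if ts < compromised_at:
            continue  # contact before the initial compromise cannot spread it
        # Assumption: contact is bidirectional, so check both directions.
        for a, b in ((src, dst), (dst, src)):
            if a in exposed and b not in exposed:
                exposed[b] = (ts, a)
    return exposed

def isolation_order(exposed):
    """Hosts to isolate, earliest exposure first."""
    return sorted(exposed, key=lambda host: exposed[host][0])

if __name__ == "__main__":
    scope = trace_contacts(CONNECTIONS, "ws-07", compromised_at=590)
    for host in isolation_order(scope):
        when, via = scope[host]
        print(f"{host}: exposed at t={when} via {via or 'initial compromise'}")
```

Systems that only had contact before the relevant exposure time (ws-20 and print-01 in the sample) stay out of scope, which keeps the isolation list to the machines that actually need it.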
We have also been utilizing a threat-centric security model. This model has three parts: before, during and after. Before a threat, you discover, enforce and harden. During a threat you detect, block and defend. Lastly, after a threat, you scope, contain and remediate. Until recently we have focused largely on the before-a-threat portion. Adding in these additional layers during and after the threat allows us to provide a more comprehensive solution.
It is equally important to train employees and put acceptable-use policies in place. Phishing scams and phone calls to companies can trick employees into giving an intruder access to the system. These scams have helped to prove that the people within a company represent customers' biggest security risks. Things such as malware, adware and ransomware all make their way onto a network because users let them in. Users are leaving the front door to your SMB customer’s data wide open. As service providers, we have a duty to protect these individuals from themselves through constant education and reinforcement of best practices.
I mentioned earlier that it isn't a matter of if but when your SMB customer will get breached. You need to discuss this reality with your customers. They need to know that there are many lingering side effects to a data breach, some of which can be immediately quantified and others that cannot. Ask your customers these tough questions:
- Do they have data breach insurance?
- Do they have cyber risk insurance?
- Are they ready for the costs of notifying all parties affected by a breach?
- Can they handle potential litigation?
- Have they instituted formal acceptable computer use policies for their employees?
- Have they provided their employees with computer use training?
The list goes on and on. It's your job to bring these questions to the frontlines. You need to make SMB customers fully aware of the current security issues that exist in their infrastructure. If you choose not to bring these concerns to light, someone else will eventually step forward to provide the value that you're withholding from customers. If you protect the data, you protect the client.