Do you have anti-virus software to protect your business’s data? Maybe you also have firewalls and encryption technology, so you think you can just sit back and let technology protect you from a malicious cyberattack.

Sorry—but you’re wrong.

If your IT security strategy relies solely on installing an anti-virus software with no further checks or training, you are vulnerable to an attack.

It’s only a matter of time before you fall victim to a data breach that puts your customers at risk for identity theft and your business left to pick up the pieces, just as in these examples:

  • In 2017, Equifax became a victim of one of the costliest data breaches of all time (estimated at over $400 million). Hackers preyed on vulnerabilities in its web application framework to gain access to the confidential data of more than 143 million customers in the U.S.
  • In 2013, hackers infiltrated Target’s networks by sending a third-party vendor a phishing email, which ultimately compromised 110 million credit and debit card user details. The mega-retailer estimates the total cost of the breach at $292 million.

If large firms such as Equifax and Target that spend millions of dollars on IT security can fall victim to cyberattacks, is your small business really safe?

Small businesses are the most vulnerable—and have the most to lose

If you believe that small businesses are immune from cyberattacks, or that hackers only target big companies, you’re putting yourself at risk.

Here’s what happened to a fast-growing startup when a hacker spotted a vulnerability in a single employee:

Carl and Alex Woerndle founded Distribute.IT in 2002. The firm offered cloud-based web server hosting, SSL certificate distribution, and SMS services. By 2011, it controlled 10 percent of the market for Australian domain names and hosted over 30,000 clients.

In June 2011, a hacker bypassed Distribute.IT’s security protocol, got behind its firewall, and gained access to master data. The hacker targeted web servers, backup systems, and the primary trading and hosting systems.

Though the infiltration lasted just half an hour, it wiped out the files and websites of more than 4,800 client accounts. The attack cost the company millions of dollars, but more importantly, Distribute.IT lost its clients’ trust and brand equity.

Consequently, the business had to shut down its operations the same year.

 
The Distribute.IT incident proves why periodically testing for vulnerabilities is so important. It also calls for strong incident response plans, data backup measures, and security awareness training for employees.

If you’re thinking the case of Distribute.IT is an exception, consider the following:

  • Sixty-two percent of cyberattacks target small businesses because their systems are easier to infiltrate.
  • One in 3 small businesses have no controls in place to prevent hacks.
  • Sixteen percent of small businesses conducted a security assessment only after a breach.

The average costs of a data breach for SMBs is between $36,000 and $50,000, but the total costs could be more when factoring in related costs such as fines, forensic examination charges, loss of clientele, etc.

You may have the best security software installed in your organization, but a determined hacker or a careless employee is all it takes to bring the whole system down.

In the aftermath of the cyberattack on Target, cybersecurity expert, Shawn Henry pointed out: “Technology is a piece of the solution, but it’s not the sole solution.”

So, how can you safeguard your business?

To mitigate the risk of a cyberattack, you must build a culture of information security in your organization by regularly monitoring your security posture through security assessments.

What is a security assessment?

Security assessments are periodic exercises that test your organization’s security preparedness. They include checks for vulnerabilities in your IT systems and business processes, as well as recommending steps to lower the risk of future attacks. Security assessments are also useful for keeping your systems and policies up to date.

You can conduct security assessments internally with help from your IT team, or through a third-party assessor. Third-party security assessments, though more costly, are useful if an internal preliminary assessment reveals grave security gaps, or if you don’t have a dedicated team of IT professionals with expertise in this area.

Why regular security assessments are a must for small businesses

Security breaches are extremely costly, and installing a security solution alone is not enough to stop them.

One of the main reasons for this? People are the weakest link in your information security chain, according to Gartner’s “Three Critical Factors in Building a Comprehensive Security Awareness Program” (full content available to Gartner clients). Gartner’s report reveals the following finding:

More than 90 percent of the breaches that happened in 2016 were the result of human error.

A security assessment will help you identify risky behavior of employees and take actions to better train them, in addition to testing your IT systems for vulnerabilities.

Here are a few more important reasons you should be conducting regular security assessments:

  • You’re on the cloud. By 2020, 78 percent of small businesses will have fully adopted
    cloud computing . While most major cloud providers follow standard security procedures, you still need to remain vigilant. Gartner research predicts that over the next four years, at least 95 percent of
    cloud security failures will be the fault of the user, not the provider. However, adopting cloud visibility and control tools, such as dashboards for monitoring cloud usage, will reduce occurrences of security failures by a third.
  • To ensure compliance. HIPAA, FISMA, GDPR, PCI DSS—the regulations that you need to remain compliant with can feel endless. Many of these require regular security assessments. Regular internal security assessments will help to ensure you pass the third-party audits that are necessary for compliance certifications.
  • To keep up with new threats. Today, technology changes happen rapidly. According to Gartner’s report, “A Comparison of Vulnerability and Security Configuration Assessment Solutions” (full content available to Gartner clients), different approaches to security assessments are necessary because of IoT (internet of things), virtualization, consumerization, Bring Your Own Device (BYOD), big data, and the mobile revolution.
  • To detect security breaches. Often, companies are not aware of a security breach until the hacker demands ransom or confidential data starts circulating in the public domain. Security assessments help you identify breaches more quickly. The faster you identify and contain a data breach, the lower your costs will be.

How to conduct a security assessment thoroughly and effectively

Many small businesses do not conduct security assessments, either because they believe it to be costly, or because they are not familiar with the process for carrying an assessment out.

To minimize costs, businesses can conduct security assessments internally using in-house resources. Even then, bringing in a third party specialist to assess your security posture on a less frequent basis is still a good practice. This will not only enable you to capture gaps that you missed, it will also help you stay compliant with regulations such as HIPAA and PCI DSS that require third-party assessments.

Your security assessment should broadly include two components:

  • Security review: A collaborative process that includes identifying security issues and their level of risk, as well as preparing a plan to mitigate these risks.
  • Security testing: The process of finding vulnerabilities in software applications or processes.

 Security review

Conducting regular security assessments is the first step to building a culture of security and constant vigilance.

Here are the seven steps to preparing for and conducting an internal security review:

1. Create a core assessment team. Create a task force of professionals from within your organization that includes the owner/CEO, the IT manager, and heads of different teams or functional areas, if necessary. This core team will lead the assessment, prepare the report, and suggest recommendations.

2. Review existing security policies. Your business may or may not have a security policy in place already. If you don’t have one, now is the best time to create it. If you do have one, now is the time to review it to make sure it’s still relevant with any recent market changes. Your security policy should cover your security strategies, data backup plans, password management policies, security update/patch timelines, and other related details.

3. Create a database of IT assets. Prepare a comprehensive list of all software and hardware assets that your company owns. This includes the networks, servers, desktops, laptops, software applications, websites, POS devices, the personal devices that your employees use to check emails, external drives, etc.

4. Understand threats and vulnerabilities. Prepare a list of all potential threats that your business could face based on past experiences, experiences of your peers, news reports, etc. Identify gaps in your system that these threats could potentially exploit. You can use IT security software that offers features such as vulnerability scanning and vulnerability alerts to identify weak points in your applications and networks. There are also dedicated vulnerability assessment service providers that offer vulnerability management services, which could help your business identify weaknesses.

5. Estimate the impact. For example, what impact would a credit card data breach have on your business? The impact could be in monetary terms, loss of clients, or loss of brand value or credibility. Categorize the impact of a cyberattack as “high, “medium,” or “low” based on its severity and estimated cost.

6. Determine the likelihood. Categorize the likelihood that each potential risk would happen as “high,” “medium,” or “low.” The risk level increases if the likelihood is high.

7. Plan the controls. List the existing control systems in place and outline further actions that can help mitigate the identified risks. These controls can include a change in policies or procedures, application procurement, training content and configurations, or implementation of new applications and/or hardware.

Try creating a risk matrix like the example below to assess your security posture.

Example Security Risk Matrix

Potential risk Likelihood Impact Existing controls Gaps in the system Action needed from management
Accidental email to a third party with customer names and addresses from the CRM database MEDIUM HIGH Training program for employees on how to handle customer data No means of identifying outflow of customer information via email Implement a network data loss prevention solution. Use email flow rules and email delivery restrictions to allow only authorized employees to send emails to external parties.
Customer service workstations experience extended system downtime due to malware attack HIGH HIGH Desktop and network anti-malware software installed No early warning system for malware Implement sandboxing technology to better identify and contain malware that has evaded traditional endpoint and gateway protection mechanisms.
Rumors on social media about financial troubles for the company LOW MEDIUM None in place No tools to monitor social media mentions Install social media monitoring tools. Prepare media statements for different use cases.
An employee unknowingly opens a phishing email HIGH HIGH Spam filter in the anti-virus software At least 2 percent of all unwanted emails, potentially malicious, do not get detected Improve security training for employees using phishing simulation software.

The above matrix is a simplified version of the Sample IT Risk Register offered in Gartner’s Toolkit: Sample IT Risk Register (full content available to Gartner clients)

Once you complete your risk matrix, your next steps should be:

  • Prepare a report that summarizes your findings
  • Take steps to implement the needed actions

If you’re a small business, you may face challenges addressing some of these risks if you don’t have a dedicated IT or cybersecurity team. Identify the areas you can comfortably address first. For the others, seek third-party help.

 Security testing

Security testing helps you evaluate and test the security strength of your hardware, software, networks, and other IT systems. You can conduct a security test along with your security review process, or independently.

Let’s look at a few steps you can take to test the security posture of your IT organization:

  • Cyberattack simulation tests. Authorized simulation attacks on your computer system help identify the weaknesses as well as the strengths of your existing system. For example, a phishing simulation tool can help identify risky employee behavior while training them to spot scam emails.
  • Security scanning. Use security software to run a complete scan of applications, networks, and devices at least once a month to identify threats and risks. Most security software provides real-time and automatic scanning features. If you don’t have security software in place, implementing such a system should be a priority.
  • Vulnerability scanning. It is often difficult to spot gaps or vulnerabilities in a system that you created or that you have been using for a long time. A vulnerability assessment is a set of processes that help you identify vulnerabilities and rate them based on the severity of issue they can potentially cause. Some ways you can identify vulnerabilities include:
  • Check whether you are using outdated versions of software.
  • Use an Active Directory management tool to identify users with weak domain passwords. Eighty-one percent of security breaches leveraged stolen or weak passwords in 2017.
  • Use vulnerability management software to automatically scan your systems and detect weaknesses.
  • Survey employees to identify weaknesses. As discussed in an earlier section, human error is a major cause of cyber attacks. Interviewing employees helps to identify risky behavior and correct bad practices.
     
    Here are some sample questions you can ask when conducting your security assessment, as well as some potential responses to look out for and recommended actions you can take to mitigate risk:
Question Potential employee response Why it’s a threat Action needed from management
Do you know your friend’s system password, just in case of an emergency? Yes, for sure! It’s not a good practice to share passwords. This makes your system more vulnerable to data theft. Reinforce the importance of password confidentiality through regular training. Enforce strict password policies that require employees to change passwords on a regular basis.
How many times do you postpone an automatic security update? Maybe three or four times, or until I complete my work and shut down the system. The system will be vulnerable to attacks from newer viruses or malware, since it continues to run on an older version of the security software. Add controls to ensure nobody can postpone the update for more than 24 hours.
Do you write down your system passwords? No, I don’t. But I often end up forgetting them and have to call up the IT team. No threat. Best practice followed, but productivity impacted. Install a password management tool to help employees store all passwords in a secure vault.
Are you aware of any confidential data that you may have access to? Hmm … maybe some client names, deal details … I’m not really sure. Not knowing what qualifies as confidential data can lead to data misuse, data theft, or data loss, which may result in erosion of trust and brand value of your business. Train employees and sensitize them to what is confidential data and the potential revenue loss if it gets leaked. Reiterate the training sessions every six months.
  • Ensure supplier compliance. While you must ensure security compliance within your organization, you should also verify the credentials of your vendors and other business partners. Electronics company Acer suffered a breach because of a security issue at one of its third-party payment processing companies. The data of over 34,000 customers was reported stolen. As we saw above, the breach at Target was also engineered when hackers targeted a third-party vendor. Routinely check with your suppliers and business partners through surveys and questionnaires to ensure that they are
    compliant with all industry regulations.

Keep in mind that many regulations, such as HIPAA, require regular security assessments by outside entities. Regular internal security assessments will help your business be prepared to successfully complete an external audit for the renewal of compliance certifications without any issues or surprises.

You can also check out GetApp’s list of security audit software to streamline your audit and assessment process.

Cost of protection must be weighed against cost of a breach

Many small businesses will enlist the services of a third party to conduct a security assessment because they do not have the necessary experience or knowledge of IT security.

Though it can be a significant expense, receiving an assessment by a firm that specializes in this field gives businesses peace of mind knowing that all security controls are in place, risks are minimized, and vulnerabilities are patched.

The cost of a security assessment can range from $1,000 for simple tests to over $50,000, depending on the size of your business, complexity of operations, and scope of the assessment.

Assessors and examiners from large auditing firms may charge up to $500 per hour for reviewing your network for vulnerabilities and noncompliance.

You may opt to conduct an internal security assessment first. Then, based on the results, you can decide whether to do a more thorough checkup of your security posture using a third-party security assessor—especially if you identify several weaknesses or areas of vulnerability.

Businesses also use the help of third-party assessors when they have to complete compliance certifications. Third party assessments and audits are often compulsory to maintaining certifications.

Small business case stories: Seeking outside security help

Here are couple of examples of how small businesses have used third-party firms to identify and mitigate cyber risks threatening their business.

The Barking Coyote learns of its cyber risks through a third-party risk assessment

Started in July 2016, The Barking Coyote is a small family business that provides fresh farm food, baked goods, and ready-to-eat dinners.

  • IT structure: Before the assessment, The Barking Coyote had a simple IT structure. It used the point-of-sale app, Square to process customer debit and credit cards on a tablet only. All data was transferred live to Square’s server, and no information was saved at the store. The company relied on the Town of Elkin’s free Wi-Fi to access the internet.
  • Security assessment and results: The Barking Coyote used the services of Threat Sketch to do a risk assessment, since the business owners did not have much knowledge of what a strong security structure looked like. The assessment revealed:
  • Cyber espionage was the highest priority risk faced by The Barking Coyote.
  • Though using the free Wi-Fi helped reduce costs, it made the business vulnerable to spying by hackers, who could easily scan through credit card numbers as they were sent to Square.
  • Other threats included a vulnerability to point-of-sale hacking and malware, crimeware attacks, website attacks, and denial of service.
  • Control plan: Based on Threat Sketch’s recommendations, The Barking Coyote installed a dedicated internet connection in the store to transmit data securely. They also reached out to the Square team to verify their cybersecurity protocols.

Before this assessment, I had no idea there were security issues with using the town’s free Wi-Fi. Now I’ve been able to ask the questions I should have been asking from the beginning to fully protect my customers and our reputation.” – Rich Wooldredge, Founder, The Barking Coyote

Qualpay validates its security structure and completes PCI DSS compliance

Founded in 2014, Qualpay is an integrated payment solutions provider. The company wanted to conduct a security assessment of its cloud-based platform as well as get accredited for PCI DSS compliance.

  • IT structure: Qualpay offers a cloud-based multichannel processing platform. It has network devices and servers hosted on Amazon Web Services (AWS) located within its production facility. Employees use desktop computers and laptops.
  • Security assessment and results: Coalfire, a Qualified Security Assessor, led the risk assessment and compliance efforts. It reviewed Qualpay’s system and business information as well as cardholder data environment. The team also conducted configuration checks on the firm’s network devices and servers.
  • Control plan: Coalfire prepared a remediation action item list (RAIL) that identified areas that needed resolution for successful revalidation of PCI DSS compliance.

“The assessors not only know the requirements in detail but can readily speak to how implementation of particular processes and methodologies in our cloud-based environment satisfy those requirements.” – CIO, Qualpay

Additional resources

Now that you have a better understanding of how to conduct a security assessment, check out GetApp’s directory of IT security audit software for tools that can help review your IT security posture.

For more help, stay tuned for a checklist in our next edition, which will provide a ready-made template for security assessments.

In the meantime:

  • Find more tips on how to improve your security and compliance by reading related articles on GetApp’s Security Lab.
  • If you have already conducted a security assessment, share your experience in the comments section below.