We recently completed a four part video series with the former Director of Cybersecurity Policy at the White House, Rob Knake, on enhancing and simplifying cybersecurity for small businesses. In this video series, Knake addresses four subjects: avoiding security gaps after change, the cost and impact of a cyber breach, preparing for customer or vendor scorecards, and modernizing your data security.
Rob Knake is a Senior Fellow for Cyber Policy at the Council on Foreign Relations and co-author of Cyber War and The Fifth Domain. During his time as Director of Cybersecurity Policy at the National Security Council, Knake led the development of presidential policy on cybersecurity, and built federal procedures for cyber-incident responses.
Avoiding Security Gaps After Change
The world is constantly changing, and your business operations are no exception. In this video, Rob Knake discusses how to easily avoid security gaps after changes to people, technologies, and processes.
Securing your personal computer requires a different mindset and course of action than securing a company-owned computer. According to Knake, “thinking about securing [an employee-owned device] is an entirely different problem than securing a device that a company owns, they control the physical location of, they can control all the data that goes in and out of it, all the access, and all the information flows.” Employee-owned devices are a different playing field: they aren’t controlled or tracked at the same level as a company-owned device. Now, companies are switching to a work-from-home (WFH) model because of the Coronavirus (COVID-19) pandemic and are trying to develop their Bring Your Own Device (BYOD) policies at the same time.
Thankfully, switching to the cloud and activating proper cybersecurity that covers all your homebound employees doesn’t have to be difficult, Knake insists.
The Moat and Castle
Until recently, cybersecurity was practiced using what Knake describes as the “moat and castle” model. Your company is the castle, and you’re cyber-protected by a moat encasing the perimeter. By design, there is limited access to your castle; built-in choke points and security measures ensure your protection. Once you exit the security of the castle, however, you are left vulnerable.
According to Knake, this model was already on its way out, but the transition to a work-from-home (WFH) model sparked by the Coronavirus (COVID-19) pandemic has made it almost obsolete. Now, there is a rapid movement to the cloud. Companies that previously shied away from fully embracing an online platform are trying to quickly convert.
Knake points out that this shift poses new challenges and new opportunities for small businesses. On one hand, a cloud-based model exposes companies to cyber-risks they’ve never considered before, such as the risks that come with a BYOD policy. Yet switching to the cloud also allows small businesses to strengthen their cybersecurity to a level that was once accessible only to large businesses.
The Cost and Impact of a Cyber Breach
Many people underestimate the cost and impact a cyber breach has on their business. In this video, Rob Knake uses ransomware as an example to illustrate the long-term impact of a cyber breach.
Myth: “A cyber breach will cost me less than adding more cybersecurity”
The cost of a cyber incident often spans far beyond your first assessment of the breach. This is especially apparent in the case of ransomware, a type of software installed by hackers that leaves your computer inaccessible until the ransom they demand is paid, after which they reinstate your access.
“It’s not instantaneous.”
At first glance, you might assume the only cost to your company is the ransom demand. However, the scope of this breach spans far beyond a simple transfer of cash.
“There are any number of costs in addition to that,” insists Knake. “It’s not instantaneous.”
From ensuring the hacker can unlock your computer to simply processing the transfer, the whole affair can take days, halting your business and leaving your customers waiting. Unsatisfied customers, coupled with the news that you are negotiating with cybercriminals, can quickly destroy your reputation.
In addition to locking your system, hackers may also download sensitive company and customer data. This could result in hackers threatening to leak this information, further damaging your credibility.
To further his point, Knake references a recent incident he worked on. In this instance, a company was hit with ransomware. They had a cyber-insurance policy that paid up to $100,000, which was used to reinstate the company’s access to their system. Ultimately, the company incurred an additional $500,000 in estimated costs because of this one attack, none of which was covered by insurance.
The ransomware example shows how important it is to thoroughly cyber-protect your company before you experience any potential threats. Proper cybersecurity protects you from the hidden costs that come with a breach, and it doesn’t need to be complicated or expensive. For tips on protecting your company from ransomware, check out our article, Ransomware: Much More Than The King’s Ransom.
Preparing for Customer or Vendor Scorecard
Small businesses with relationships with large enterprises are key targets for cyber-attacks. Often, hackers will target and compromise small businesses so they can use them as a gateway to larger companies. Many small and mid-sized businesses are unaware of their own cyber-risk and of whether they can meet customer or vendor security assessments, which are becoming more common. While this may sound elaborate, figuring out what you’re doing right and what needs to change doesn’t need to be challenging. In this video, Knake goes through several preliminary steps you can take to figure out where you stand:
Step 1: Be aware of and follow your legal obligations.
It’s important to be aware of the laws you must comply with, whether federal, state, or international, depending on where you conduct business.
Step 2: Identify your customers’ cybersecurity requirements.
In addition to widespread legal obligations, customers may impose their own unique cybersecurity requirements as a condition of doing business with them.
Step 3: Assess your own company’s cyber-risk and budget out how much you can spend on cybersecurity.
Beyond the security measures that may be required by vendors or customers, it is important to determine what additional risks and threats you need to address to protect your company and how much it costs to eliminate them. Often, the cost of a cyber breach is higher than the cost of building an effective cybersecurity posture.
Meeting Security Compliance
Traditionally, you might receive several audits and questionnaires from different companies seeking to determine the strength of your cybersecurity, which can be time-consuming and cumbersome. At Defendify, we provide a full suite of easy-to-use cybersecurity tools that assess all aspects of your company, identify your problem areas, and outline steps you can take to better secure your company.
Modernize Data Security Beyond Antivirus & Firewall
While it is important to have basic cybersecurity measures in place, such as antivirus software and a firewall, cyber-threats are constantly evolving. Rob Knake outlines five security measures small businesses should take in order to combat these new and developing threats.
“Do you have an intrusion detection system?”
Implementing a system that scans for vulnerabilities identifies both external and internal weak spots in your environment and ranks them by severity, allowing you to quickly remediate any findings and feel confident that you are up to date on the status of your security.
Tools to Combat Malware
“Do you have the tools to combat modern-day malware?”
Another way to invest in your cybersecurity is to familiarize yourself with and invest in the tools available to combat malware. Knake insists that investing in these tools should be “a top priority” for every company.
Phishing Email Protection
Spear phishing emails guide employees to a compromised website, PDF, or Word document, which then installs malware on their computer. According to Knake, “Most incidents evolve from spear phishing.” There are a wide variety of tools at your disposal to protect your company against these threats and to train your employees to recognize phishy emails.
We hate to break it to you, but using some variation of your pet’s name with the same few numbers isn’t a great password. Weak passwords make it easy for hackers to find their way into your system. Knake describes that “what we see time and time again is the reuse of passwords between individuals’ personal accounts and work accounts, which are easily guessed.” Training your employees and implementing policies on effective password management can protect your company from being compromised.
According to Knake, “adversaries need a lot less sophistication to carry out low level attacks than they did in the past.” It’s now easy for them to automate their attacks and send them out more frequently.
Fortunately, it is easy to test and train your employees to recognize these attempted security breaches by emulating hackers in a controlled phishing simulation. Bait your employees to see if they bite! If they do, you can easily coach them so that they are prepared to recognize and avoid the real thing.
Check out our four-video series with Rob Knake to hear more on how small businesses can easily enhance their cybersecurity.