Ransomware is a threat on the radar of just about every security professional today. New FBI data shows that nearly 2,500 ransomware incidents were reported last year, with victims paying more than $24 million to retrieve their data from hackers.
Faced with numbers like these, small business managers may be tempted to shift their security efforts to focus on this growing threat, but knee-jerk reactions won’t necessarily make you safer. You may also end up siphoning funds away from other important areas, leaving you vulnerable to other exploits.
A better approach is to create a comprehensive, multiyear spending plan that carefully evaluates all risks and targets new investments based on your company’s unique circumstances. I advise my clients to keep these six key considerations in mind to ensure they’re getting the most from their security budgets.
Take a Wide-Ranging Approach
Perform an in-depth gap analysis. CDW security experts use these investigations to uncover security weak spots in client infrastructures, which is the first step in determining how to get the most impact from new investments. In addition to partnering with CDW, small businesses should consider buying and regularly running security scanning software for ongoing insights into how changes in their current operations affect their defenses. My recommendation: Nessus scanning software from Tenable.
Use data from a baseline assessment to create a long-term investment plan. Small firms should rank the vulnerabilities they discover — and the associated remediation costs — according to what deserves the highest priority. Controls that address today’s most prevalent attacks move to the top of the list for current-year spending. For example, small companies may need to invest in modern next-generation firewalls to replace more traditional models. The spending plan would then outline less critical investments slated for the next two or three years.
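The ranking step described above can be made concrete with a small scoring script. The following is an added illustration, not CDW's method or code from the article: the weights, the yearly budget figure and the sample findings are all constructed for the example. Findings are scored by severity, boosted when the weakness class is being actively exploited (the "most prevalent attacks" criterion), ordered highest risk first with cheaper fixes breaking ties, and then allocated first-fit into successive yearly budgets; anything that fits no single year's budget is reported separately so it can be planned for explicitly.

```python
"""Rank vulnerability findings by risk and cost, then spread them over a
multiyear spending plan.  Added example; weights, budget and sample data are
constructed and are not the article's or CDW's own figures."""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    severity: float            # 0-10, e.g. a CVSS base score
    actively_exploited: bool   # weakness class seen in current real-world attacks?
    remediation_cost: int      # estimated cost to fix, in dollars


def priority_score(f: Finding) -> float:
    """Severity, doubled when the weakness is being exploited in the wild."""
    exploit_weight = 2.0 if f.actively_exploited else 1.0
    return f.severity * exploit_weight


def rank_findings(findings):
    """Highest risk first; among equal scores the cheaper remediation goes first."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.remediation_cost))


def build_plan(findings, yearly_budget: int, years: int = 3):
    """Allocate ranked findings first-fit into yearly budgets.

    Returns (plan, unfunded): plan maps year -> list of finding names;
    unfunded lists findings too expensive for any single year's budget.
    """
    plan = {year: [] for year in range(1, years + 1)}
    remaining = {year: yearly_budget for year in plan}
    unfunded = []
    for f in rank_findings(findings):
        for year in plan:
            if f.remediation_cost <= remaining[year]:
                plan[year].append(f.name)
                remaining[year] -= f.remediation_cost
                break
        else:  # no year had room for this item
            unfunded.append(f.name)
    return plan, unfunded


# Constructed sample findings for a small business (illustrative values only).
SAMPLE_FINDINGS = [
    Finding("Legacy perimeter firewall", 7.5, True, 30_000),
    Finding("No offline backups", 8.0, True, 12_000),
    Finding("Shared admin credentials", 9.0, True, 5_000),
    Finding("Unpatched file server", 9.8, False, 4_000),
    Finding("Weak password policy", 6.0, False, 2_000),
    Finding("Missing email filtering", 7.0, True, 8_000),
]

if __name__ == "__main__":
    plan, unfunded = build_plan(SAMPLE_FINDINGS, yearly_budget=25_000)
    for year, items in plan.items():
        print(f"Year {year}: {items}")
    print("Needs separate funding decision:", unfunded)
```

With the constructed $25,000 yearly budget, the firewall replacement exceeds any single year's allocation and lands in the unfunded list; in practice that is the signal to either phase the purchase, raise the budget line, or accept the risk explicitly rather than let the item silently slip.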
Don’t overlook technology and policies that aren’t directly related to security. Ransomware is a good example. It’s not enough to install antivirus applications and hope you’ll keep out all thieves. Small companies also need a solid data backup plan, which will make ransomware essentially a non-issue. If thieves strike, victims simply wipe their servers and endpoint devices clean of the infection and reload their data from a backup, without paying a cent to cybercriminals.
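The wipe-and-reload recovery described above depends on the backup being intact and actually restorable, which is only known if restores are exercised before an incident. The following added example (not code from the article) shows the minimum check a small firm can automate: back up a directory to a compressed archive, record a SHA-256 manifest alongside it, restore into a fresh location, and compare every restored file against the manifest. The directory layout and file contents are constructed sample data.

```python
"""Create a backup with an integrity manifest and prove it restores cleanly.
Added example, not from the article; sample files are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return and save {relative_path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
    # The manifest lives beside the archive, not inside it, so a damaged
    # archive cannot also damage the record used to check it.
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive: Path, restore_dir: Path) -> None:
    """Extract into a clean directory, never on top of a possibly infected one."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter refuses absolute paths and '..' members.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # interpreter predates the filter argument
            tar.extractall(restore_dir)


def check_integrity(manifest: dict, restore_dir: Path) -> list:
    """Return the relative paths that are missing or differ from the manifest."""
    problems = []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file() or sha256_of(target) != expected:
            problems.append(rel)
    return problems


def restore_drill() -> tuple:
    """Run a backup, a restore and an integrity check on constructed sample data.

    Returns (problems_after_clean_restore, problems_after_tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "data"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-01.txt").write_text("constructed sample invoice\n")
        (source / "customers.csv").write_text("id,name\n1,Example Co\n")

        archive = tmp / "backup.tar.gz"
        manifest = create_backup(source, archive)

        restored = tmp / "restored"
        restore(archive, restored)
        clean_result = check_integrity(manifest, restored)

        # Corrupt one restored file to show the check detects it.
        (restored / "customers.csv").write_text("id,name\n1,Corrupted\n")
        tampered_result = check_integrity(manifest, restored)
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = restore_drill()
    print("Problems after clean restore:", clean)
    print("Problems after corruption:", tampered)
```

Scheduling a drill like this against real backups, restoring to an isolated host and keeping at least one copy offline or otherwise unreachable from production, is what turns "we have backups" into a recovery plan.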
Look beyond technology. User training is a big issue for small businesses because it’s often an area that doesn’t get enough attention. Firms should spend some dollars to teach users how to recognize malicious email and what to do if something suspicious arrives. Security can also be enhanced with new policies and procedures, such as more stringently limiting administrative access rights to only workers who absolutely need them.
Combine compliance and security planning. Rules for safe credit-card processing are a concern for small businesses, many of which have struggled to understand and interpret the card-processing industry’s regulations. To help, CDW experts will sit down with IT and finance directors, walk them through the details and identify areas for improvements in their businesses. We take a similar approach for other relevant laws, such as the Health Insurance Portability and Accountability Act for healthcare organizations.
Consider managed security solutions and cloud-based security-as-a-service offerings. A big advantage with either option is ready access to high-end security expertise from outside experts who see the latest exploits happening to others. They can apply prevention and remediation lessons to all their clients to limit new outbreaks.
Stay on Target
Cybersecurity requires constant diligence and sharp focus. Achieve both with a comprehensive strategy and the right security partners.