We hear it all the time from small business owners: They know they should be doing more to protect their networks, but they don’t know what.
It’s not that they haven’t done plenty already. They installed a recommended firewall and anti-virus software, and try to practice good data hygiene. They implemented an appropriate password policy and ensured employees are trained to avoid phishing attacks and other common scams of modern hackers.
Yet they live with a gnawing sense there’s more they should be doing — that hackers are working right now to penetrate unknown network vulnerabilities.
I wish I could say these worries are unwarranted, but they’re not. In fact, they’re spot on: While hackers relentlessly seek to break into thinly protected networks, the fact is, weeks or even months often go by before many network intruders are detected. Breaches are depressingly common: According to “The Cybersecurity Insight Report” by CDW, 46 percent of organizations experienced a serious security breach in the past 12 months and another 22 percent discovered a near breach.
That’s the bad news. The good news is business owners can do more, and it’s easy to get started. An independent security assessment is an excellent way for businesses to gain insight into exactly what their vulnerabilities are and how to address them.
And here’s some more good news: While few companies are given entirely clean bills of health during an assessment, many find the changes they need to make are minor, inexpensive and related mainly to policy rather than hardware or software.
An Array of Security Assessments to Choose From
There are different types of security assessments from which a business might choose. Many begin with a vulnerability scan, which is typically performed using an automated testing tool that probes a business’s network to identify vulnerabilities. As explained by Tech Target, “a vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment.”
That’s a great place to start, but hackers often go to extreme lengths to access networks. So we recommend companies go beyond mere scanning to include gap analysis and penetration testing.
A gap analysis involves extensive interviews with a business’s IT team, executives and employees to gain an understanding of the organization’s current security controls and policies. The assessor then identifies the gaps between what the company is doing and what the latest best practices are and provides recommendations for closing those gaps.
Penetration testing includes trained white-hat hackers who deploy their skills to gain access to a network in the same ways real hackers do. Among the most common types of penetration tests are:
- Red teaming, in which testers attempt to access the network undetected
- Purple teaming, which pairs testers with clients during an attack to review logs and discuss defense strategies
- Social engineering, which includes deploying tactics real hackers use when trying to deceive employees, including phishing emails
- Physical social engineering, in which in-person testers try to access restricted buildings or areas
There are other kinds of penetration tests, as well, and the terminology can be confusing. The important thing is to work with a qualified security assessor who can recommend the particular type of tests that make the most sense. It’s often wise to conduct both a gap analysis and penetration testing, since certain vulnerabilities are conducted by one but not the other.
How Small Businesses Can Start with Security Assessments
One simple place to get started on an independent assessment is CDW’s Threat Check, a complimentary service that provides businesses with an assessment device, loaded with tools from leading providers such as Cisco and Carbon Black, already configured and ready to go. Once the assessment is complete, businesses are paired with a Threat Check engineer to review the results and discuss next steps.
It’s a simple and comprehensive way for a small business to get started on the process of understanding what’s really happening on its network and where its vulnerabilities are — and it’s free.
There’s nothing more important to an organization than protecting its data. Most business owners are doing all they can but lack the expertise that hackers possess when it comes to discovering network vulnerabilities. An independent security assessment, conducted by a qualified independent expert, is a great way to level the playing field.