RISK MANAGEMENT FOR SMALL BUSINESS OWNERS Written By Joe Danaher, Vice President and Chief Information Security Officer, Integrity IT
When you think about threats to your business do you think about Information Technology?
IT risk management is a key component for all business owners. Risk Management can be an involved process, especially depending on the size and complexity of a business. Threats differ and they change daily. They can range from a new competitor in town to a new investment required to keep up with your service delivery. Risks may involve changing laws or new regulations. Especially important are risks associated with the ever-increasing threats to Information Systems and Data that are vital components to running your business. A Business Impact Analysis is a key component and starting point when considering risk for your business and Information Systems and Data may be more critical than you realize.
There are key questions to ask and scenarios to consider when assessing risk for your Information Systems and Data. What would you do to keep your business functioning if you lost access to key information systems or data? How long could your business operate under that loss? Do you have a Disaster Recovery plan to help you prioritize the order in which systems need to come back on line? Do you have current backups? Have you documented and tested your plan? It’s not just a natural disaster or fire that could cause a disastrous shutdown. It could be the result of malicious activity on your network from an outside source, perhaps a team of hackers or even a disgruntled employee. In today’s environment, threats to IT systems and data are growing exponentially and daily. There are well-funded crime syndicates that have learned that ransomware pays. There are state actors* whose exploits are being shared openly and often involve “zero day” vulnerabilities unpatched by the software and hardware vendors.
INTEGRITYKY.COM | 859.253.4284
It is common knowledge today that the path of least resistance to compromising an organization lies in the end users themselves. It only takes one person, usually a new and inexperienced employee, to accidentally click a malicious link, inadvertently open a malicious attachment, or browse a malicious website to compromise an entire organization.
The discipline of Risk Management offers structures for considering threat scenarios that realistically apply to your specific business, and it acts as a guide for performing a Business Impact Analysis (BIA). However, when assessing Information Systems and Data, it is useful to have an experienced IT Security Professional guiding you through the Risk Assessment and providing input on prioritizing the controls available to mitigate the risks that are identified. HIPAA and PCI compliance programs can offer excellent starting points for performing risk assessments; however, they are less prescriptive about which controls mitigate the identified risks.
Threats
Likely, your IT Systems and Data already have some layers of controls to help mitigate threats. Most small businesses have a firewall of some type to help prevent intrusion at the network perimeter. And most workstations and servers have antivirus protection to protect devices on your network. Most even have some level of backup in case of data loss.
So what can be done to improve my IT security posture? You can engage an experienced IT Provider, or you may already have the expertise on your staff. The layered approach to security is still a valuable strategy, but there are more layers to consider. Anyone performing a Risk Assessment will take the list of validated threats to your company, identify which IT Systems and Data controls you have in place compared to what is available, and help identify any gap that exists. They will also assist with prioritizing those risks, and then you begin to get a clear picture of where an investment in additional IT security controls makes sense.
One guiding principle is that the control cost should not exceed the cost of the asset being protected and should not interfere with the conduct of your business to the point it jeopardizes that business.
There are other mitigation strategies that can be considered, such as transferring the risk by obtaining insurance or avoiding the risk by exiting the practice. Often there is an affordable control that can be applied to bring the risk within an acceptable range, since no risk can be eliminated entirely unless you exit the business associated with it. Identifying the Risk Appetite of the business owners is therefore also a key part of the Risk Management process.
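The assessment steps described above (score each validated threat, compare controls in place with controls available, prioritize, then choose to accept, mitigate, transfer or avoid under the two stated rules: a control should not cost more than the asset it protects, and residual risk must sit within the owners' Risk Appetite) can be written down as a small risk register. The following is an added example, not Integrity IT's tooling; the threats, scores, dollar values, control names and reduction factors are constructed for illustration.

```python
"""Risk-register prioritisation for a small business.

Added example, not Integrity IT's tooling. It follows the assessment steps
described in the text: score each validated threat, compare controls in place
with controls available (the gap), then pick a treatment using two rules:
a control should not cost more than the asset it protects, and the residual
risk must sit within the owners' Risk Appetite. All values are constructed.
"""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    cost: float       # annual cost in dollars (constructed)
    reduction: float  # fraction of the inherent risk score it removes, 0..1


@dataclass
class Risk:
    threat: str
    asset: str
    asset_value: float        # value of the asset at risk, in dollars (constructed)
    likelihood: int           # 1 (rare) .. 5 (expected)
    impact: int               # 1 (negligible) .. 5 (business-ending)
    in_place: list            # names of controls already deployed
    available: list           # Control objects that could be added

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def gap(self) -> list:
        """Controls available to you that you are not yet running."""
        return [c for c in self.available if c.name not in self.in_place]


def recommend(risk: Risk, appetite: int) -> dict:
    """Choose accept / mitigate / transfer-or-avoid for one risk."""
    if risk.inherent_score <= appetite:
        return {"threat": risk.threat, "action": "accept",
                "control": None, "residual": risk.inherent_score}
    candidates = []
    for control in risk.gap():
        if control.cost > risk.asset_value:
            continue  # guiding principle: do not spend more than the asset is worth
        residual = round(risk.inherent_score * (1 - control.reduction), 1)
        if residual <= appetite:
            candidates.append((control.cost, control.name, residual))
    if candidates:
        cost, name, residual = min(candidates)  # cheapest control that reaches appetite
        return {"threat": risk.threat, "action": "mitigate",
                "control": name, "residual": residual}
    # No affordable control brings it within appetite: insure it or stop the activity.
    return {"threat": risk.threat, "action": "transfer or avoid",
            "control": None, "residual": risk.inherent_score}


def prioritise(register: list, appetite: int) -> list:
    """Highest inherent risk first, each with its recommended treatment."""
    ordered = sorted(register, key=lambda r: r.inherent_score, reverse=True)
    return [recommend(r, appetite) for r in ordered]


# Constructed sample register for a small office.
SAMPLE_REGISTER = [
    Risk("Ransomware via phishing e-mail", "file server and client records", 50_000, 4, 5,
         in_place=["antivirus", "perimeter firewall"],
         available=[Control("spam filtering", 1_200, 0.5),
                    Control("security awareness training", 900, 0.4),
                    Control("tested offline backups", 2_500, 0.7)]),
    Risk("Credential theft at vendor portal", "payroll account", 20_000, 3, 4,
         in_place=[],
         available=[Control("multi-factor authentication", 600, 0.4)]),
    Risk("Stolen laptop", "one staff laptop", 800, 2, 4,
         in_place=["antivirus"],
         available=[Control("full-disk encryption", 50, 0.75),
                    Control("device tracking service", 1_200, 0.5)]),
    Risk("Office fire destroys server", "on-premises server", 15_000, 1, 5,
         in_place=["offsite backup"], available=[]),
]
RISK_APPETITE = 6  # owners accept any risk scoring 6 or below (constructed)

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{row['threat']:<36} {row['action']:<18} "
              f"{row['control'] or '-':<28} residual={row['residual']}")
```

Running it lists the ransomware scenario first and shows each of the three outcomes: the ransomware risk is mitigated by the one gap control that brings it within appetite, the laptop risk is mitigated by the cheap control while the tracking service is skipped because it costs more than the laptop, the vendor-portal risk has no affordable control that reaches appetite and so is flagged for insurance or exit, and the fire scenario is simply accepted.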
It is best to employ an unbiased and trusted IT consultant. There are many controls available that you may not be taking advantage of and that an experienced IT provider, like Integrity IT, can offer. There are products to help control and eliminate spam, a primary entry point for Ransomware. There are products to prevent staff access to nefarious websites where malware lurks. The latest firewalls have intrusion prevention systems (IPS) built in to help block outsider attempts at compromising your network. There are many staff education programs that are web-based and self-paced and that can educate and alert your employees to the tricks that hackers use. There are also tools that can be used to validate that your network and systems are hardened against intrusion and patched against the latest vulnerabilities. In some cases, it may even warrant considering a tool called a SIEM (Security Information and Event Management) that has artificial intelligence built in, monitors patterns on your network, and acts as an intrusion detection and early warning system.
Your business may have its own IT department but it is beneficial to have a third party assess your security controls to help validate their implementation and efficiency.
An incident response plan is also useful if a breach or malware is identified in your environment and an experienced provider can help provide guidance and calmness when the worst happens. Back-up validation and Disaster Recovery plan testing are also invaluable steps to take if your business is reliant on information systems or access to data.
This may be more thought than you have previously given to the topic of Risk Management, because as business owners and managers you face risk every day: from competition, an unexpected employee absence, an unhappy customer, or an unreliable vendor. Integrity IT understands this, and that is why we began offering a more robust Managed Security Service in 2015 to help shoulder this increasing threat to small businesses across Kentucky. We have grown our expertise and tools, and we have continued our training and certifications to keep up with the rapidly changing IT threat landscape. We offer many affordable solutions and the consulting expertise to help you identify and prioritize where to budget your expense.
If this has piqued your interest, we invite you to contact us and we can begin the discovery on what Integrity IT Managed Security Services can do to help secure your valuable Information Systems and Data.
* A state actor is a person who is acting on behalf of a governmental body, and is therefore subject to regulation under the United States Bill of Rights, including the First, Fifth, and Fourteenth Amendments, which prohibit the federal and state governments from violating certain rights and freedoms.
CONSULTATION SERVICES

Risk Assessment
• Asset Identification
• Threat Identification
• Vulnerability Scans: Internal and External
• Controls Assessment: Physical, Technical, Administrative
• Gap Assessment, Prioritization for Remediation

Business Continuity and Disaster Recovery Planning
• Business Impact Assessment
• Recovery Point Objective: Backup Strategy
• Recovery Time Objective

Vulnerability Scans
• Quarterly and Ad-Hoc Internal and External Scans
• Reporting
• Mitigation Recommendations

HIPAA Compliance
• Periodic Validation of Employee Training
• Annual SRA Completion
• Policies and Procedures
• BAA Templates

Penetration Testing
• Executive Summary and Technical Report
• Single or Recurring Engagement

Employee Security Awareness Training (PII Protect)
• Speaker Program
• HIPAA Assurance Web Portal
• PII-Protect Web Portal (non-HIPAA)
• Phishing Campaign (PII-Protect or DUO)

VCISO (Virtual Chief Information Security Officer)
• Establish your Security Vision
• Determine and Prioritize Security Initiatives
• Reduce Risk with Ongoing Security Improvements

Incident Response and Breach Investigations
• Response and Remediation Plans
• Communications and Management
• Lessons Learned

SECURITY CONTROLS

Managed IPS/IDS
• Intrusion Prevention System and Intrusion Detection System

Managed SIEM/USM
• Security Information and Event Management System

Phishing Campaign

Encrypted Email
• PII and PHI Requirement

Internet Content Filtering
• Block Malicious Sites
• Help Control Your Internet Bandwidth Use

Multi-Factor Authentication
• Add a Second Layer of Security to Strengthen Access to Vital Systems

Custom GPOs (Group Policy Objects)
• Security-Focused GPOs: Account Hardening, Ransomware, Pass-the-Hash Mitigation
“Integrity’s audit uncovered things we had never considered. Now, when potential clients ask about security, we can not only answer easily, but also provide tangible evidence that our security is near the level required for banking.” – Heather Taylor, Benefit Insurance Marketing
TRUSTED TECHNOLOGY. STRONGER SECURITY. BETTER BUSINESS.
INTEGRITYKY.COM | 859.253.4284 3080 HARRODSBURG ROAD, SUITE 104 LEXINGTON, KY 40503