This is a question that stems from a central point – recognition that your business has threats. If we don’t start at that point, then we cannot get to understanding the threats and how to protect against them. Threats come in various sizes and now, because of the beauty of our interconnected world, can come from anywhere and for relatively low cost.
First, let’s dispense with the thought that the threat has to be an evil syndicate that is designed to take over the world and will crush you in its path. It’s possible those threats exist in some form or fashion, especially if you watch James Bond, read various spy or political thrillers, or even watch “Miracle on 34th Street”. However, we want to pull it back to the very basics. A threat is “an intention to inflict pain, injury, damage, or other hostile action on someone in retribution for something done or not done” (www.google.com). In its simplest form, threats are dangers to your business and your viability in the marketplace.
Threats will be different things to different businesses; they will manifest themselves accordingly and likely not in the way you expect. By way of example, a threat could be a competitor who is trying to gain an advantage over you and would greatly benefit from your client list. They may want to know your sales projections or new clients; your operating and advertising budget; and what your proposals look like. All of these actions are designed to gain a competitive advantage over you. Other threats can be large: a corporation or a nation-state that is actively looking to steal your intellectual property or proprietary information, reverse engineer it, and use or sell it for their benefit; others may seek to save research and development costs by stealing yours. They may employ phishing campaigns to gain access to your network, employ infiltration agents to become a trusted member of your company, or actively target your network through cyber-attacks. The range of actions is tremendous, but the recognition that there is a threat is the first step.
The next step is understanding your business to know what critical information you have that others would benefit from. That doesn’t mean that they are actively trying to steal that information from you, but it does mean understanding what separates you from your competitors. What gives you a competitive advantage? Kinney Strategy is a marketing consulting firm that specializes in developing growth strategies for healthcare, B2B, and financial service businesses. They teach that for businesses to be successful they need to be able to answer why a consumer would choose you over anyone else, including the option of not doing anything at all. Effectively, what separates you from the rest? And the answer to the above question could be the very reason you might be the target of a security-related matter.
We then need to identify your gaps and vulnerabilities. Where are you protected and where aren’t you? Do you need to be protected there? Is your software up to date? Do you have the most recent patches? Is your software so out of date that patches are no longer made for its security issues? Do you have open access to your critical information? How do you do password management? These are the tip of the iceberg, but they do get you on the path to thinking critically about where you might be attacked.
After you understand your critical information, what makes you special, and some of your gaps and vulnerabilities, you need to assess your potential threats. This is not an easy process, but if we have already established that threats exist, that they want what makes you special, and you have gaps and vulnerabilities, it’s not a hard leap. This assessment includes both internal and external threats. Let’s discuss both:
Internal Threat, or the Insider Threat. If you are a small business or a sole proprietorship, this might not be as big of an issue, but you should not ignore it. You likely have someone you work with in an official or unofficial capacity, so it is imperative to evaluate. It is important to consider the following:
- Do you know your employees, or the vendor/other small business you outsource a critical function to? Do you do background screening? Is this part of your on-boarding? Do you do annual performance evaluations?
- Do you have security awareness and education training? If so, how often, and what do you train on?
- How do you protect your intellectual property? Do you have a policy to communicate that to your employees?
- Do you have established internal security policies?
- Do you allow your employees the ability to work from home? Are they able to download files to work at home? See policies above.
- Do you have network solutions to monitor employee activity as well as scan for external threats?
- Do you have a non-attribution reporting process for employees to identify potential security threats?
These are not all, but just some of the options that you need to consider when you evaluate the internal threats. It’s a great start to get where you need to be.
External Threats. Who are your competitors? What organizations or entities are interested in your product? Who is developing a similar product and would benefit from your R&D? What information supports your assessments?
And this is where the internal and external blend. When you identify external threats, then you can review the ways they can obtain that information and integrate your internal threat information. Do you have the tools and policies in place to protect yourself?
Finally, you need to determine sources of information. How do you know what your threats are and from whom if you aren’t actively reading and gathering information? Are you aware of the threats against your critical information, your networks or your employees? Do you have a person in charge of that – your threat intelligence officer?
This sounds like a lot, and it is time-consuming the first time you do this, but that cannot be an obstacle. It’s hard work but it is necessary work. The truth is that by organizing a working session with your employees or key leaders in your organization, providing a clear purpose and read-ahead material, you can come away at the end of the day with some established goals and a way ahead for improving your security posture.
And it’s important to point this out: being a small business does not make you immune to threats. They may be different from those a big business encounters, but your business and your livelihood depend on understanding your threats and protecting yourself.
And we can help. Contact us for additional information and ways we can help provide full spectrum security solutions.