SMB Cybersecurity & Good Governance - Quartet Service

Cybersecurity Collaboration

SMBs were generally ignored by cybersecurity criminals. Not anymore. We’re suddenly prime targets for the bad guys and we’re all struggling to keep up. This eBook is a primer for conversations between C-suites, boards of directors and investors. It’s also a “how-to guide” for driving cybersecurity changes in the face of budget challenges and expertise shortages.

The Perfect Storm?

This may be the golden age for SMB cyber crime as criminals target this unsuspecting and underprepared sector. The skill required to commit cyber crime is decreasing as the power of cyber crime tools increases. The number of cyber criminals and the variety of attack vectors are all on the rise. Expectations and preparations must shift from “if” to “when”. It is worse than you think.

Cybersecurity Business Case Ambiguity

Cybercrime is a global growth industry estimated at $7 trillion. $7 trillion! This innovative marketplace includes rental hacks, time shares, pay-per-intrusion schemes and others. Cyber criminal collaboration is driven by clear business cases and proven outcomes. Unfortunately, SMB cybersecurity business cases are ambiguous. Return on investment cannot be measured in the traditional sense. The statistics showing the massive impact of cyber crime on SMBs are clear, but it still takes an enormous amount of vision to properly protect your business.

Collaboration is Mandatory

Collaboration is not native to traditional IT culture. The cyber crime world is too vast, changing too fast and requires such specialized training, that it’s impossible for a lone SMB to keep up. Collaboration between security tool suppliers, service providers and SMB staff is mandatory. This is a behavioral challenge as much as anything else. The cybersecurity challenge for many SMBs is change management. This book provides insights for business leaders to drive organizational change. It contends that modern cybersecurity programs require collaboration between tool developers, service suppliers, internal staff and management. Modern cybersecurity programs address this challenge in an affordable and comprehensive way.

Cybercrime Target: SMBs

Cybercrime used to be difficult. Hackers had to build their own tools and vertically integrate their operations, from gathering information on targets to spoofing websites, to collecting funds the old fashioned way.
Now hackers use robust tools that are readily available on the Dark Web, the part of the Internet that can’t be found using regular browsers and Google searches. Only 4% of the Internet is readily accessible; an incredible 96% is untraceable and accessible via special browsers.
These days, you don’t need to be a techie to carry out cybercrime exploits. Dark Web actors sell lists of email addresses and credit card numbers as well as complete personal profiles. They also provide the means to exploit them, such as plug-and-play crimeware, exploit kits and ransomware. Pay for what you need in Bitcoin, and you have the means of executing cybercrime.
Cyber exploits are not difficult to execute. It just takes one click on a nefarious email: a simple phishing campaign locked down the computer systems in the Town of Wasaga Beach, Ontario in early 2018, incurring $35,000 in ransom, $50,000+ in consulting fees and hundreds of thousands in lost productivity.

Why SMBs?

Faced with ever more sophisticated enterprise defenses, cybercriminals are targeting the low-hanging fruit: SMBs. The size of the prize may not be as big, but getting it is far easier. Not only are there more hackers out there, but the cost of launching a cyberattack has decreased dramatically.
Simply put, large enterprises have huge resources; smaller companies have few. Canadian banks are known for having world class security, and no wonder: the stakes are sky high, so they allocate the resources. Banks have well-developed, well-funded cybersecurity departments and a full complement of security consultants. They each spend millions of dollars each year on cyber defense.
The spend is justified because—and this is important—the precautions that the Big Five take are commensurate with the potential consequences of a breach.

Your Biggest Cyber Attack Vector: Employees

A robust firewall and endpoint security used to be the mainstays of corporate cybersecurity. They are still necessary, but there are dozens of ways to penetrate your organization other than frontal network security or malware attacks. The common denominator among these is that they target your employees, specifically their core human weakness: between 80% and 90% of data breaches are caused by errors in judgment. Your employees aren’t stupid. But they are human.

Don’t Be an Easy Cybercrime Target

Spear Phishing

Phishing is when you are encouraged, typically within a fraudulent email, to click on a link or to open an attachment that takes you to an infected website or downloads malware onto your computer. We all get them: a message supposedly from a beautiful Russian, or your bank. Such emails range from laughably amateur to chillingly convincing. According to Verizon, phishing represents 98% of social incidents and 93% of breaches. On average, 4% of the targets in any given phishing campaign will take the bait.
Spear phishing is a more precise version of phishing: it targets a specific company or even a specific employee. Spear phishing is not uncommon—it has happened right here at Quartet. When our President & CEO Rob Bracey traveled for work, senior staff started getting spear phished. They received emails, supposedly from Rob, asking them to wire sums of money overseas. We identified several possible attack vectors and upgraded the security on all of them, which put an end to it. Our staff didn’t fall for any of the ruses, but spear phishing is prevalent because it works so well.

Ransomware

Ransomware is the top category of malicious software, accounting for 39% of identified malware. It freezes computers, accounts and software until a ransom is paid, typically in bitcoin. Ransomware is overwhelmingly installed during successful phishing attacks and exploits a software vulnerability. SMBs in Canada and the U.S. have the highest recovery cost, at U.S. $149,000 on average, up 21% over 2018. A new trend in ransomware is to punch a hole in corporate defenses, then close the door and auction off back door access to the highest bidder. Rather than seeing the whole ransom process through to its conclusion, which can take days or weeks, ransomware experts move on and exploit the same weakness in other organizations.
In 2018, WannaCry ransomware infected close to a quarter million computers around the world in a single day, demanding U.S. $300 in bitcoin to unfreeze infected computers. It took advantage of an unpatched software vulnerability in an older Windows operating system.

Mobile Devices

In the wrong hands, lost smart phones are a real problem for businesses because the applications on these small computers provide an easy backdoor into the corporate environment.
Most lock screen passcodes are easily cracked, so unless you have the ability to remotely freeze or wipe a lost or stolen phone, it’s a big worry. Poor password policies, combined with more mobile-targeted attacks and poor or non-existent mobile device management (MDM), are a recipe for disaster.
Any way you slice it, your employees are almost always your biggest security weakness. The solution is to shape employee behaviour with training, but also to test the results of that training, and to retrain pretty much constantly. That said, firewalls, endpoint protection and employee training are only part of the solution.
Thanks to growing reliance on IT, the day-to-day operations involved in cybersecurity maintenance have become fundamental to good business management. Virtually all businesses have to embrace technology in order to remain competitive, which increases their exposure to cyber threats.

Your Cybersecurity Ops

True cybersecurity is a mindset: it’s not about setting up a perimeter defense to protect servers; it’s about safeguarding your entire organization from cyber risks of all kinds. When you adopt that mindset, it becomes less about the employees, or the tools, and more about your overall cyber strategy and cybersecurity operations.

The Cybersecurity Arms Race

The right tools are an indispensable part of security operations. Today’s tools are awesome. They are also changing all the time. You still need endpoint security, but you also need artificial intelligence (AI), heuristic behaviour monitoring and machine learning. Very broadly speaking, this new generation of tools finds trends in billions of data points and identifies nefarious activity before it does serious damage.
The right tools may be critical, but simply having them is missing the point. You have to pick the right tools, learn how to use them properly, and then parse the data. There are some fantastic tools out there, and they are multifaceted. Most are easy to operate at a basic level but quite difficult to master. And most of them give you mountains of data. Confronted with data overload, most people do nothing. But you need to prioritize actions based on what your 15 tools are telling you. Unfortunately, there are no shortcuts—and yet you have to do it all the time.

Cybersecurity Operations Process Steps

Evaluate and choose the tools, learn to use the tools efficiently, interpret the data, prioritize & carry out actions, train your staff, monitor staff use of tools, repeat.
At Quartet, we constantly evaluate tools and adopt several new ones per year. For example, we adopted 25 new security tools in 2018. We sandbox each tool implementation, then deploy it internally, and then to customers. We train our employees on the effective use of each new tool. Since the cyber world is essentially a fast arms race, we go through the same multi-step process month after month: evaluate tools, adopt tools, master the tools, train our people, and prioritize actions.
In addition to spending time selecting, learning and training on new tools, the upgrade path also involves constant synchronizing of systems. As soon as you update one component of your IT infrastructure, some other part inevitably stops working and needs fixing. Think about that for a minute. Where does the buck stop?
If you’re maintaining IT security infrastructure, when you upgrade something, something else is liable to break. No one is accountable but you. You can’t hold the tool vendors to account, nor your CRM, ERP or other system vendors. Each points a finger in the other direction. What this boils down to is that the most difficult part of security is the actual operations. It’s tough to keep up: with the tools, with the learning, the training, and the ongoing work.
One thing you can count on, though: a cybersecurity event is going to happen.

Cybercrime: From ‘If’ to ‘When’

If your organization hasn’t experienced a security breach yet, count yourself lucky, or you might just not know it yet. Our best advice is to be humble: realize that it’s no longer a question of ‘if’ you have a breach, but ‘when’. It’s getting dark out there.

Quantify Your Risk Exposure

How many hours or days can your business survive if it grinds to a halt? How much will your reputation suffer? Your fallback plan for rapid recovery in the event of a breach will depend on its impact on your business. While spending millions might make sense for the banks, it almost certainly won’t work for you. Average SMB security budgets have grown by 18% from the year previous to U.S. $246,000 in 2018. Very small businesses spent an average of U.S. $3,900 in 2018, an increase of 38% over the year previous.
But averages won’t tell you much—your investment needs to be commensurate with the risk you run. If your business is connected to the Internet and relies on data to keep functioning, whether your operations depend on that data or information is what you sell, think about the numbers above.

Preventing Cybercrime Attacks

Step 1: Back Up Data

You can back up to tape, or move your data in an encrypted fashion into secure cloud storage. Cloud keeps getting cheaper, so it’s a viable, redundant alternative to tape. Assuming that you already back up your data, do you test your backups? To make sure that backups are going to work in the event of a disaster, you need to restore your data on a regular basis. Every three or six months could be sufficient, but if you measure acceptable downtime in hours and not days, you will need to restore on a weekly or bi-weekly basis.
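The restore test described above, as an added example that is not part of the original eBook or Quartet's tooling: it backs up a directory with a SHA-256 manifest, restores it to a scratch location, and reports any file that came back missing or altered. The sample files, the simulated media corruption and the cadence cutoffs (weekly when acceptable downtime is under a day, quarterly otherwise) are constructed for illustration.

```python
"""Backup restore test: back up a directory, restore it to a scratch location and
verify every file's content against a SHA-256 manifest before calling the backup good.
Added example; not Quartet's tooling. Paths, sample files and the cadence thresholds
are constructed for illustration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path, POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup_root: Path) -> dict[str, str]:
    """Copy the source tree to backup_root/data and record a manifest beside it."""
    shutil.copytree(source, backup_root / "data", dirs_exist_ok=True)
    recorded = manifest(source)
    lines = [f"{digest}\t{rel}" for rel, digest in recorded.items()]
    (backup_root / "manifest.txt").write_text("\n".join(lines) + "\n")
    return recorded


def restore_test(backup_root: Path, scratch: Path) -> dict:
    """Restore into a scratch directory and compare against the recorded manifest.
    A backup only counts as good when every file comes back with the right content."""
    expected = {}
    for line in (backup_root / "manifest.txt").read_text().splitlines():
        digest, rel = line.split("\t", 1)
        expected[rel] = digest
    shutil.copytree(backup_root / "data", scratch, dirs_exist_ok=True)
    actual = manifest(scratch)
    bad = sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)
    return {"ok": not bad, "expected": len(expected), "restored": len(actual), "bad": bad}


def restore_test_interval_days(acceptable_downtime_hours: float) -> int:
    """Cadence rule taken from the text: downtime measured in hours calls for weekly
    restore tests, downtime measured in days allows quarterly ones (constructed cutoffs)."""
    return 7 if acceptable_downtime_hours < 24 else 90


def demo(corrupt_backup: bool) -> dict:
    """Constructed scenario: two files are backed up; optionally one backup copy is
    silently damaged (simulating media corruption) before the restore test runs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, backup_root, scratch = base / "src", base / "backup", base / "restore"
        (src / "contracts").mkdir(parents=True)
        (src / "ledger.csv").write_text("2019-01-01,invoice,1200\n")
        (src / "contracts" / "msa.txt").write_text("master services agreement\n")
        make_backup(src, backup_root)
        if corrupt_backup:
            (backup_root / "data" / "ledger.csv").write_bytes(b"\x00" * 10)
        return restore_test(backup_root, scratch)


if __name__ == "__main__":
    print(demo(corrupt_backup=False))
    print(demo(corrupt_backup=True))
```

The point of the scratch restore is that a backup job reporting "success" proves nothing about whether the data can be read back; only a restore that is compared file by file against what was backed up does.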

Step 2: Implement Security Policies

Implement an IT security policy that’s clear and easy to understand. It should include how to use, transfer and store corporate data, protocols for treating email requests (for example to wire funds or send sensitive information), how to keep smartphones safe and what to do when a security breach is suspected. Spell out clearly what employees should do and also what they shouldn’t. Test and update your policies yearly. You must fight security policy entropy. This is a company-wide discipline, not just an IT department responsibility.

Step 3: Get the Tools

Correctly using the right tools is a big part of staying safe. Add to your firewalls and endpoint software with cyber defence tools that leverage AI and machine learning to monitor your environment. Include mobile device management (MDM) if your workers are mobile. Once you have found the right tools, learn to use them to make prioritized decisions and change security posture as required.

Step 4: Train Employees

This step circles back to Step 2. Train employees on IT security according to the policies you have developed. This should include the correct use of programs and tools, but also best practices in their day-to-day interaction with the digital world: what constitutes a phishing email, what to do if phishing is suspected, workstation password-protection parameters, acceptable use of flash drives, and more. Do the training, repeat the training, and test the training. One of the testing techniques that we use at Quartet is an ongoing phishing program. We build phishing emails and try to get customer employees to click. We think of this as inoculating with skepticism. It’s something you have to do on a regular basis, or else people let their guard down.

TRAIN FOR INSURANCE

Training is not just a security requirement. It is a cyber insurance requirement and, for many industries, a regulatory obligation. Cyber liability insurance payouts are often predicated on adequate employee security training and monitoring. If your employee training, testing and monitoring program is good, some insurers will give you a discount.

TRAIN FOR COMPLIANCE

Your cybersecurity compliance obligations change regularly and are industry specific. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a case in point. Since November 1st 2018, Canadian organizations subject to PIPEDA have been required to report to the Privacy Commissioner all personal information security breaches that pose a real risk of significant harm to individuals. You must notify affected individuals about those breaches, and keep records of all breaches—whether they require reporting or not. In a lawsuit, breach records are the first thing that the defense team is going to ask for. If your people don’t have the training and the protocols in place, how can you be sure that you will conform with updated PIPEDA requirements? You must be able to prove your due diligence and should be able to provide security logs if required.

Step 5: Business Resiliency Planning and Disaster Recovery Planning

CIOs of even the most well-protected organizations will tell you that a cyber event is inevitable. That’s why they have cyber response policies and action plans. Think of how you do business—IT and communications mechanisms like email, telephone and information management, but also your physical infrastructure and the suppliers that you rely on to get business done. Do you have any single points of failure anywhere along your supply chain? Critical components that are single-sourced? Business Resiliency Planning (BRP) identifies ways to carry on with business in the event of a supplier failure, a cyberattack, or an Act of God. Disaster Recovery Planning (DRP) is more focused on what to do when individual systems go down. It involves a hierarchical checklist of scenarios and responses that will be your playbook, should disaster strike. Broadly speaking, the steps you should take follow this framework: stop the bleeding, patch the wound, assess the damage and take remedial action.

Step 6: Run Your Cybersecurity Program

The last step is the one that never ends: running your new security program, without pause, while updating tools, training staff and modifying your BRP and DRP plans as the cyber landscape evolves. Day-to-day operations are the most difficult part of a cybersecurity program. Patience, stamina, discipline and humility are the prerequisites.

Cybersecurity: Can You Keep Up

The RCMP is Struggling to Keep Up. Think You Can?

In September, 2018 the RCMP revealed that it is having trouble keeping up with cybercrime because of the prevalence of online encryption and because of sheer volume. If the RCMP can’t keep up, how can you expect to?
Luckily, sheer volume and encryption of information are not factors that most businesses have to deal with. Many large organizations are doing a great job of repelling attacks, the Big Five and the federal government in particular. Both invest millions of dollars per year on their cybersecurity program.

The Financial Consequences of a Cybersecurity Breach

When organizations reach the point at which they can bring a strong cyber defence program in-house, most have ceased to be SMBs. Keeping up takes deep pockets. But think of it this way: what is it worth to you not to suffer the financial burden of a cyberattack? Again, our best advice is to prepare for a breach according to the impact on your business. Calculating the ROI of a cybersecurity program is not complicated. Add up the cost of downtime + cost of recovering data + the cost to your reputation/competitive position and multiply that figure by the threat you face of a breach, expressed as a percentage.

You Know the ‘What’. Here’s the ‘How’.

Here’s what we’ve covered so far: SMBs are the current bullseye in the cyberattack landscape, employees are your biggest vulnerability, and there are concrete steps you need to take to stay secure.

Now we turn our attention to ‘how’, in the face of dizzying complexity, you can put an achievable plan in place to stay secure. Securing a business is no longer something that one person—or one team—can do alone. But it can be done by organizations of all types and sizes. It’s a three-part solution. Before we get into the mechanics of it, let’s take another look at the nature of the threat landscape and how organizations engage with it.

Cybersecurity: A Business Imperative

What we know:

In the face of mounting threats, organizations need to safeguard business continuity and maintain the high levels of transparency and resilience that good governance requires, while husbanding their legal and fiduciary cybersecurity responsibilities. It’s getting tougher to do these things, in large part because of the rate of change in the security world. It’s astonishing. The growth curve of cyber crime is almost vertical. And given the complexity involved in staying secure, criminals are making a fortune.

The Business of Theft

Perhaps even more importantly, cybercriminals now work together in a very synchronized fashion. The cybercrime world has become deeply collaborative, a key element in the power that it wields. It’s time for businesses to return the favour and take a page out of the cybercrime book.

IT Defence Meltdown

How many times have you asked an IT person a question that they couldn’t answer? Perhaps something that they didn’t know, you knew about? It’s becoming commonplace. That’s because the big consulting and accounting firms are teaching Executive Directors and boards the questions that they need to ask. They’re essentially saying “if you’re going to be fully responsible for this organization, you need to stay on top of cybersecurity.” And they’re not wrong.

Still, the poor IT folks who report to Executive Directors and boards don’t have answers at the ready. That’s because the cybersecurity environment that they have built is typically incoherent. It’s often an in-house effort that doesn’t leverage collaboration with an IT security firm—without even an IT security expert. It’s a jumble of tools, programs and protocols that do a passable job of keeping their company secure. If boards of directors knew how complicated cybersecurity was, they would have some empathy.

A Chain Mail of Cybersecurity Tools

The knights of old wore chain mail—mesh garments made of small metal rings linked together. That’s a great analogy for effective modern IT defense: interlocking security tools that keep your organization safe. The tools you need work together to address the different attack vectors that criminals use to compromise companies, and limit your internal vulnerabilities.

We use 31 process and remote management tools within our environment at Quartet. Seven of those are intrinsic to our managed security service. Each group represents a different category of defense:

  • Security Configuration
  • Firewall
  • Anti-Virus and Anti-Malware
  • Internet Security
  • 3rd Party Patch Management
  • Internal Network Defense
  • Disk Encryption
  • Advanced Threat Detection

Cybersecurity Configuration

This tool ensures that you’ve dotted the ‘I’s and crossed the ‘T’s of security. The one we use checks 130 security items across all users and key infrastructure elements in the corporate environment. If something is misconfigured, this tool detects it—for example, if a Microsoft server is missing a patch. This toolset also detects users who have permissions that they shouldn’t, e.g. access to files without appropriate security clearance. It extends to firewalls, including on-premise mail servers and Office 365. As security exceptions are flagged, we review them and act accordingly.
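The kind of check described above, as an added example that is not part of the original eBook and not Quartet's 130-item checker: a snapshot of users, file shares and servers is compared against a written policy, and every exception (admin rights outside an approved group, stale passwords, share members who shouldn't be there, servers missing a required patch) is returned for review. The policy, the snapshot and the patch names (PATCH-A, PATCH-B) are constructed placeholders.

```python
"""Configuration audit: compare a snapshot of users, file shares and servers against
a written policy and report every exception for review. Added example, not Quartet's
130-item checker; the policy, snapshot and check names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str    # which policy rule was violated
    subject: str  # the user, share membership or server concerned
    detail: str   # what exactly was found


# Constructed policy: which groups may hold admin rights or share access,
# which patches (placeholder names) each OS must carry, and the password age limit.
POLICY = {
    "admin_groups": {"it-admins"},
    "share_access": {"finance-share": {"finance", "it-admins"}},
    "required_patches": {"windows-server": {"PATCH-A", "PATCH-B"}},
    "max_password_age_days": 90,
}

# Constructed snapshot of the environment as a monitoring agent might report it.
SNAPSHOT = {
    "users": [
        {"name": "alice", "groups": ["finance"], "local_admin": False, "password_age_days": 30},
        {"name": "bob", "groups": ["sales"], "local_admin": True, "password_age_days": 200},
        {"name": "carol", "groups": ["it-admins"], "local_admin": True, "password_age_days": 10},
    ],
    "shares": {"finance-share": ["alice", "bob"]},
    "servers": [
        {"name": "srv-mail", "os": "windows-server", "patches": ["PATCH-A"]},
        {"name": "srv-file", "os": "windows-server", "patches": ["PATCH-A", "PATCH-B"]},
    ],
}


def audit(snapshot: dict, policy: dict) -> list[Finding]:
    """Run every check and return the exceptions; an empty list means the snapshot is clean."""
    findings: list[Finding] = []
    users = {u["name"]: u for u in snapshot["users"]}

    # Admin rights must be tied to membership in an approved group; passwords must rotate.
    for u in snapshot["users"]:
        if u["local_admin"] and not set(u["groups"]) & policy["admin_groups"]:
            findings.append(Finding("admin-rights", u["name"], "local admin outside approved groups"))
        if u["password_age_days"] > policy["max_password_age_days"]:
            findings.append(Finding("password-age", u["name"], f"{u['password_age_days']} days old"))

    # Share members must belong to a group the policy allows for that share.
    for share, members in snapshot["shares"].items():
        allowed = policy["share_access"].get(share, set())
        for member in members:
            if not set(users[member]["groups"]) & allowed:
                findings.append(Finding("share-access", f"{share}:{member}", "member not in an approved group"))

    # Servers must carry every patch the policy requires for their OS.
    for server in snapshot["servers"]:
        missing = policy["required_patches"].get(server["os"], set()) - set(server["patches"])
        for patch in sorted(missing):
            findings.append(Finding("missing-patch", server["name"], f"{patch} not installed"))
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT, POLICY):
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

Keeping the policy as data separate from the checks is what makes this kind of tool reviewable: the question "who is allowed to be a local admin?" has one answer in one place, and every exception the run produces can be traced to a specific rule.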

Firewalls

In theory, firewalls are simple. They keep unwanted traffic out of the corporate network. In practice, a firewall is not just a firewall. They come with things like Real-Time Deep Memory Inspection and Reassembly-Free Deep Packet Inspection that enable them to decrypt and analyze secure (SSL) traffic in real time—without breaking it. Oh, and all while processing up to 10 Gigabits per second.

Modern firewalls leverage networks of millions of sensors worldwide to monitor the Internet. Unrecognized signatures are sandboxed and those that pose a threat are added to firewall defenses in real time. Firewalls extend protection to wireless devices, wherever they may be. And of course they offer centralized management, reporting and experts on the other end of a telephone, 24/7. The trick lies in configuring a firewall solution that’s right for your environment and fine-tuning it as your network environment changes, so that it sends out only meaningful alerts.

Anti-Virus and Anti-Malware

Anti-virus and anti-malware capabilities have grown enormously over the years. But so have viruses and malware. New vectors are detected every day. When something suspect is detected within the network perimeter of a customer organization, it is sandboxed. Our AV provider then uses artificial intelligence to determine if the program is safe.

The weakness inherent in this kind of tool lies in its management. It needs to be configured properly and updated constantly. If it’s not updated, it doesn’t work. Both the virus scanner agent itself and the definitions need to be kept up to date. The tool itself does that most of the time, and we add an extra layer of precaution with our remote monitoring agent that keeps an eye on the antivirus system and forces updates when required. Monitoring these tools is a big part of the service we provide.

Internet Security

How often does John in accounting try to access a counterfeit bank login page? This tool analyzes Internet traffic in real time and blocks the bad stuff. The Internet security program we use also has heuristic analysis built in. In other words, it tracks and analyzes browsing behavior. This insight into employee surfing habits can then be used to block specific sites like Google Mail, Facebook or anything deemed not safe for work.

The team behind the tool has a whole R&D department that finds bad traffic and blocks it automatically. But they need us as a local agent. They occasionally block a valid domain and we need to work with them to get around that.

Patch Management

This tool scans servers and workstations for popular 3rd party applications like Google Chrome and GoToMeeting. It checks versions and compares them to the most recent available, then updates if required. As new apps are added to this 3rd party application patching tool, we push them selectively to customer environments. But we have to be careful about automatic updates, because some clients need old versions of applications, like Adobe or a Microsoft OS. An extreme example is one of our customers, an airport. 50 of the 300 applications they use to run the airport broke when we updated the Microsoft OS (in test mode, of course). So we had to figure out an upgrade path, application by application.

Internal Network Defense

Internal network defense detects anything that has gotten through the firewall. It gets a copy of all network traffic and analyzes it against known patterns. That might look like a user going to Dropbox or Ask.com, if those are internally banned sites. Or it could be a user going to the Tor network (the deep Web) or a virus that’s attempting to download something from it. If any of those patterns match, it creates a ticket for the team behind the tool, who perform an analysis. If it’s an actual issue, we are immediately notified and take appropriate action with our customer.
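The pattern matching and ticketing just described, as an added example that is not part of the original eBook or Quartet's tool: a copy of network traffic (constructed log lines, with 203.0.113.7 from the documentation address range) is checked against a banned-site list and a Tor-relay-port heuristic, and matching events are rolled up into one ticket per rule and source host, ordered by severity. The banned domains, the rule names and the severity levels are assumptions made for the example; the Tor ports are the default relay ports and only a hint, not proof, which is why the ticket goes to a human for analysis.

```python
"""Internal network defence: replay a copy of network traffic against known patterns
and open one ticket per (rule, source host) for the analysis team. Added example, not
Quartet's tool; the log lines, banned-site policy and rule names are constructed."""

# Constructed traffic log: timestamp, source IP, user (or "-" when none), destination, port, bytes.
LOG = """\
2019-03-04T09:12:01 10.0.5.21 jdoe www.dropbox.com 443 18233
2019-03-04T09:12:09 10.0.5.21 jdoe www.dropbox.com 443 20991
2019-03-04T09:15:44 10.0.5.33 asmith intranet.example.local 443 1200
2019-03-04T09:16:02 10.0.5.40 - 203.0.113.7 9001 4410
2019-03-04T09:16:05 10.0.5.40 - 203.0.113.7 9001 51200
2019-03-04T09:20:17 10.0.5.33 asmith www.ask.com 80 900
"""

BANNED_DOMAINS = {"dropbox.com", "ask.com"}  # constructed internal policy
TOR_RELAY_PORTS = {9001, 9030}  # default Tor relay ports: a heuristic, not proof of Tor use
SEVERITY_ORDER = {"high": 0, "low": 1}


def parse(line: str) -> dict:
    """Split one whitespace-delimited log line into typed fields."""
    ts, src, user, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "user": user, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def in_banned_domain(host: str) -> bool:
    """True for a banned domain or any of its subdomains (www.ask.com matches ask.com)."""
    return any(host == d or host.endswith("." + d) for d in BANNED_DOMAINS)


def classify(event: dict):
    """Return (rule, severity) for an event that matches a known pattern, else None."""
    if in_banned_domain(event["dst"]):
        return "banned-site", "low"
    if event["port"] in TOR_RELAY_PORTS:
        return "possible-tor", "high"
    return None


def analyze(log_text: str) -> list[dict]:
    """Aggregate matching events into tickets keyed by (rule, source host), so a burst of
    connections produces one ticket with hit and byte counts rather than one per packet.
    Tickets are returned highest severity first, then by first sighting."""
    tickets: dict[tuple, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        match = classify(event)
        if match is None:
            continue
        rule, severity = match
        ticket = tickets.setdefault((rule, event["src"]), {
            "rule": rule, "severity": severity, "src": event["src"], "user": event["user"],
            "first_seen": event["ts"], "hits": 0, "bytes": 0,
        })
        ticket["hits"] += 1
        ticket["bytes"] += event["bytes"]
    return sorted(tickets.values(), key=lambda t: (SEVERITY_ORDER[t["severity"]], t["first_seen"]))


if __name__ == "__main__":
    for t in analyze(LOG):
        print(f"{t['severity']:<4} {t['rule']:<12} {t['src']} user={t['user']} "
              f"hits={t['hits']} bytes={t['bytes']}")
```

Note that the Tor-port ticket carries no logged-in user: traffic with no user session behind it is exactly the "virus attempting to download something" case the text mentions, and the missing user is itself a useful signal for the analyst.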

Disk Encryption

Disk encryption protects data from physical theft. Without disk encryption, a thief could simply put your hard drive into a different computer and read its contents. With encryption, they can’t get access to the data unless they know your encryption keys. That applies to USB drives as well: to use them in the work environment, they must either be encrypted or read-only. We define encryption configuration and policies within customer environments and enforce encryption, verifying encryption status by means of a remote monitoring agent.

Advanced Threat Detection

What traditional anti-virus misses, advanced threat detection will eliminate. However, there is a fine line between an actual threat and an unwanted program, and that line matters because unwanted programs can lead to horrible things. For example, Google does a good job of winnowing out search results that lead to malicious websites. Some niche search engines, however, don’t. When workstations have certain search engine toolbars downloaded, it’s asking for trouble.

Advanced threat detection also eliminates persistent mechanisms. These are malicious hooks that are hard to get rid of. For example, such a mechanism might download a virus every time the computer starts or a user logs in. The anti-virus program detects and deletes the virus, but the next time the computer restarts it will do the same thing. Advanced threat detection solves that problem.

Phishing Detection and Training

Have you ever received an email from your boss asking you to send iTunes gift cards to a suspicious account? Employees receive many phishing emails a day, and they’re getting harder and harder to detect. Cyber criminals are now disguising their phishing attacks as click-bait emails that look so real, you’re compelled to click on them. Some emails are disguised as free pizza coupons, while others can be specific to your industry. Employees are your weakest link, simply because they’re human. That’s why it’s becoming increasingly important to train them on phishing email detection. Phishing detection and training tools help prevent employees from making a small mistake that could potentially cost your company millions.

Cybersecurity Tools Help

All of these tools are designed to help you:

  • Minimize your attack surface
  • Stop bad attacks from completing
  • Recover more quickly from attacks

Notice that we don’t say ‘to prevent attacks’. Why? Because attacks happen. They’re happening right now—to your network. The quicker you get used to the idea of hardening and recovering, rather than building a hard shell to protect a soft underbelly, the better you’ll fare.

The tools we just reviewed do a great job of reducing the likelihood of an attack and limiting the damage that an attack may cause. Still, as good as they are, they won’t stand up to employee ignorance and negligence. Human error is still the number one cause of IT security issues, so it’s still very important to train your people. All of them.

Coping With Cybersecurity Complexity

The tools that are available today are nothing short of fantastic. There is so much money being poured into tools right now that they are all good. These are cyber defence tools that your average in-house IT team typically cannot access, either because of price or because they are only provisioned directly to managed service providers. They are a far cry from self-managing. You can’t turn a robust, cutting edge tool on, walk away and expect it to work properly.

To cite a simple example, think of a firewall. The night that a new firewall is set up, a typical company of 50 people will get about 150 alerts, approximately 12 of which are relevant. You got the other 138 because firewall alert parameters are too sensitive, or misconfigured. They need fine-tuning—a process that can take weeks or months. Whoever is responsible for that firewall needs to be trained on it and understand in great detail how it works. And that’s just a firewall, a tool that’s been around for over 20 years.

Complexity Is Your Enemy

Selecting, managing and updating the several tools required for each bucket—as well as organizing and conducting two types of training—is not a one-man job. It’s not even a five-man job. You need time and expertise to evaluate and choose the right tools. You need time:

  • to master their use.
  • to train other people in their use.
  • to formulate and conduct employee training to reduce the human risk factor.
  • to manage tool alerts.

Time, time, time. And money.

Think it might be time to bring in some outside help?

The heart of security has gone from building a security apparatus to managing complexity. It’s no surprise that your IT people can’t answer all your questions. They have tools, they have some expertise, but they can’t stay on top of it.

Quartet has systematized complexity management. We put together teams of people who are experts at doing all of this. It begins with tool selection. We base our tool choices on three things:

  • The function they need to fill
  • How good they are
  • Whether they can interface with our security software management solution

“I simply can’t keep up with cybersecurity. AND do my other job. AND answer to Directors armed with great questions but too little IT knowledge.” ~ IT Directors everywhere

Case Study: Keeping Children Safe

“It doesn’t get much more critical than assuring the safety of children.” Quartet goes to bat for an Ontario not-for-profit dedicated to improving the lives of children-at-risk.

Situation

IT security breaches endanger the lives of children every day. When we began working with Alan, the CTO of an Ontario-wide children’s organization, in 2008, his network defenses needed help. Alan was constantly putting out fires. What’s worse, smaller regional organizations had experienced serious breaches that put young lives in jeopardy and made the news.

Solution

The security regime that we put in place drastically reduced the threat of an IT security breach. As we beefed up the organization’s defenses, its security environment slowly switched from reactive to proactive.

But getting there took more than tools—it involved something over which Quartet had little control: internal security posture. Alan drove the essential change management effort, educating employees, putting protocols in place and enforcing good behaviour. Together, we achieved what we never could have managed on our own—especially with respect to behavioural change within the organization. Documentation, training, best practices…our work would have been for naught without his help. It’s a classic example of interdependence. In 2018 we got together with Alan and co-presented our program and its results to a council of organizations under the same umbrella. It blew them away. It made them realize that they didn’t have to be victims—that they could take a proactive stance on cybersecurity.

An Unexpected Benefit

Several years ago, as we were busy adding tools to counter threats to Alan’s organization, we began to feel the weight of managing all those tools and alerts. No surprise there: a more sophisticated security environment upped the volume of work for Quartet. Eventually, the challenge morphed from securing Alan’s environment to managing the complexity of the program.

It dawned on us that comprehensive security programming is more about managing complexity than security, or at least more than we had appreciated. The paradigm had shifted. That’s when we adopted one tool to manage that complexity, to consolidate and prioritize alerts and actions.


Cybersecurity Tool Complexity

We may see the day when a single tool can deal with the entire universe of cyberthreats. But it won’t come soon. That’s because every attack vector is a small microcosm that’s constantly evolving. Each demands a ton of specialized knowledge and specialized tools with countermeasures for each particular threat.

“The key to effective cybersecurity is managing complexity.”

Keeping up with one tool is difficult, because each of them demands that you do dozens or hundreds of things every day. You have to learn which of those 100 things the tool wants you to do are urgent, important or irrelevant. Multiply that by 38 different tools and the complexity quickly becomes unmanageable.

We are constantly looking for the best tools for each of the different attack vectors. Last year, we adopted 26 new ones. We researched, tested, then integrated them and became expert in their use.

The reason we can do this is that we employ two people who are dedicated to managing tools. Just managing them! What this gives our clients is an easy-to-follow and transparent process for IT defence. The security software management ecosystem that we offer is something that boards of directors can easily understand.

One Tool to Rule Them All

What’s Needed Is a Consolidation Tool

If you don’t have a way of integrating all tool management and notifications within a security software management solution, you can’t handle the complexity. At Quartet, a critical part of our tool selection process is determining whether a new security tool will integrate completely into our consolidation tool and our ever-changing cyber defence ecosystem.

Our consolidation tool centralizes and streamlines the management of the rest of the security tools. It allows us to collect and interpret the data from our defence ecosystem and provides a single location for us and our clients to identify issues, assign tasks, manage changes and track progress. Without this, any security program will be crushed by the weight of its own complexity.

Specialty Tools

  • Anti-virus
  • Firewalls
  • Phishing
  • Mobile device management
  • Policy/Behavior Monitoring
  • Patch Management
  • Traffic Monitoring
  • Data Collection
  • Best Practices Advice


Quartet

  • Security Tools Research & Selection
  • Staff Training
  • Tools Configuration
  • Integration into work flow management system
  • Issues Resolution
  • Data Collection
  • Management Reporting
  • Best practice policy coaching
  • Process Compliance Certifications

Client

  • Independent Acceptable Use Policies
  • Security Awareness Training
  • When appropriate, resolve onsite issues
  • Good governance compliance certifications
  • Security Standards Enforcement – Hardware & Software
  • Completion of assigned security tasks

A Team of Teams

Do you have great IT people? The world needs more of them. Right now, there are ten jobs for every competent IT security professional. They don’t come cheap. It’s tough to find and afford the right people, and if you’re going to get the tools, you need those people to select them, master them, manage them and use them to secure your ship.

We have the right people at Quartet. We can afford to—we leverage economies of scale. It’s a perfect example of collaborative consumption. But our people aren’t the whole picture. Behind each of the tools that our experts use is a team of experts ready to help us.

Our teams communicate regularly. We make tool development teams aware of cyberattack refinements as they appear on our radar, and they use this knowledge to refine their tools. The result is a team of teams tracking and responding to the threat environment as it evolves.

The Collaborative Imperative

The tools and teams must interact in a coherent way. When we integrate them within our security software management solution, we have a unified interface for managing security.

The implication of this? We need tools as well as the technology to manage them, and we have to work with other people. And if collaboration is imperative for Quartet, guess what that means for your company?

Outside IT service provisioning might once have been a ‘nice to have’. Now it’s an imperative.

The IT industry is playing catch-up. How many companies have in-house legal counsel? Lots. And outside legal representation? Lots. Do companies have financial controllers and outside accounting partners? Of course they do. Any Director who questions that needs his head examined. But for a long time, there was an all-or-nothing mentality: manage with internal resources, or outsource. There was judgment: ‘if Bill and his team can’t take care of everything by themselves, they couldn’t be doing their job.’ That’s no longer the case. Your in-house IT team simply can’t do what we do, nor can we do what they do.

A 3-Step Cybersecurity Process

The challenges involved in addressing evolving cyberthreats are clear. Collaboration is the new imperative. If you can see the wisdom behind this concept, here is how you can put the new model into place. Staying secure is difficult, but it’s not complicated. It requires just three key actions:

1. Make use of great tools, together with automated engines. 

Enterprise-grade IT security tools are fantastic. You have to keep trading up for the latest and greatest, but when you integrate them into your security software management solution, it will automate 50% to 80% of the work depending on the tool.

2. Leverage IT security service provider expertise.

Ideally, choose a service provider with really smart people. Service providers can afford the very best because they can leverage that expertise for profit. We also train them like there’s no tomorrow.

3. Combine points 1 & 2 with your knowledge of company processes & systems.

No one can keep your company secure for you. Not without your collaboration. I can send you a ticket that says ‘You need to reset the firewall by 10 am on Thursday’ or ask you if the timing is right to take down a database. But it’s you who needs to do it or make the call.


These three steps will effectively take care of the security piece of IT, which gives your team space to concentrate on the functionality and efficiency of business processes.

Meet Your Cybersecurity Governance Requirements

Good governance requirements are onerous. IT security requirements are just as onerous. Meeting them is not optional.

Most business leaders have some idea of how dire the IT security situation has become. If your IT people are screaming for help, there’s probably a reason. Just like outside counsel, managed IT security service providers take care of a critical element of doing business that’s ancillary to your IT team’s core responsibilities of keeping the IT ‘lights on’.

Let’s look again at our firewall example in the context of collaboration. Your IT security service partner helps your IT team choose the right firewall and manages the integration. The night that the new firewall is set up, they receive about 150 alerts, approximately 12 of which are relevant. They alert your IT team of the prioritized local actions that you need to take based on those alerts. Your IT security partner fine-tunes the firewall over the coming weeks. If you have decided that a firewall is something that should be managed in-house, it’s at this point that your team takes control, with full management documentation provided by your partner. Scheduled IT security partner audits will confirm that the firewall is still doing its job.
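Both firewall passages in this book (the first-night alert flood described under the complexity discussion, and the collaboration version just above) come down to the same defender's task: decide which of the roughly 150 alerts are the dozen that matter, hand those to the local team as prioritized actions, and tune away the rest over the following weeks. The block below is an added example, not Quartet's consolidation tool or any real firewall's output: it runs over constructed alert lines, and the internal address range, expected-service table and port lists are assumptions about that constructed network. It shows the three kinds of item a first night produces: something to investigate, something to watch, and policy gaps to close with explicit allow rules.

```python
"""Triage of first-night firewall alerts.

Added example, not Quartet's tooling: suppresses traffic the policy should
have allowed, collapses repeats, and ranks what remains so the local IT team
gets a short prioritised action list instead of every raw alert. All alert
lines, addresses and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed alert lines in a simplified syslog-like key=value shape.
SAMPLE_ALERTS = """\
2019-03-01T23:01:02 action=deny src=10.0.5.21 dst=10.0.0.53 dport=53 proto=udp rule=default-deny
2019-03-01T23:01:05 action=deny src=10.0.5.22 dst=10.0.0.53 dport=53 proto=udp rule=default-deny
2019-03-01T23:01:09 action=deny src=10.0.5.23 dst=10.0.0.123 dport=123 proto=udp rule=default-deny
2019-03-01T23:02:10 action=deny src=10.0.5.21 dst=10.0.0.53 dport=53 proto=udp rule=default-deny
2019-03-01T23:05:44 action=deny src=203.0.113.9 dst=10.0.0.10 dport=3389 proto=tcp rule=default-deny
2019-03-01T23:05:45 action=deny src=203.0.113.9 dst=10.0.0.10 dport=3389 proto=tcp rule=default-deny
2019-03-01T23:05:46 action=deny src=203.0.113.9 dst=10.0.0.10 dport=22 proto=tcp rule=default-deny
2019-03-01T23:07:00 action=allow src=10.0.5.30 dst=198.51.100.7 dport=445 proto=tcp rule=permit-any-out
2019-03-01T23:08:30 action=deny src=10.0.5.40 dst=10.0.0.80 dport=80 proto=tcp rule=default-deny
"""

# Assumed facts about the constructed network: its internal range, the internal
# services every client is expected to reach, and ports that deserve attention.
INTERNAL = ip_network("10.0.0.0/8")
EXPECTED_SERVICES = {("10.0.0.53", 53, "udp"), ("10.0.0.123", 123, "udp")}  # DNS, NTP
ADMIN_PORTS = {22, 3389}
LATERAL_PORTS = {135, 139, 445}


@dataclass(frozen=True)
class Alert:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    proto: str
    rule: str


def parse_alert(line):
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Alert(ts, f["action"], f["src"], f["dst"], int(f["dport"]), f["proto"], f["rule"])


def parse_alerts(text):
    return [parse_alert(ln) for ln in text.splitlines() if ln.strip()]


def classify(a):
    """Map one alert to (priority, category, grouping key); lower priority is more urgent."""
    src_in = ip_address(a.src) in INTERNAL
    dst_in = ip_address(a.dst) in INTERNAL
    if a.action == "allow" and src_in and not dst_in and a.dport in LATERAL_PORTS:
        # A permissive outbound rule let file-sharing traffic reach the internet: verify now.
        return 1, "investigate", f"allowed outbound {a.proto}/{a.dport} from {a.src} to {a.dst}"
    if a.action == "deny" and not src_in and dst_in and a.dport in ADMIN_PORTS:
        # Blocked as intended, but repeated external probes of admin ports are worth a note.
        return 2, "watch", f"blocked external {a.src} probing admin ports on {a.dst}"
    if a.action == "deny" and src_in and (a.dst, a.dport, a.proto) in EXPECTED_SERVICES:
        # The default-deny rule is blocking a service clients must reach: a policy fix, not a threat.
        return 3, "tune", f"clients blocked from expected service {a.dst} {a.proto}/{a.dport}"
    return 4, "noise", f"{a.action} {a.proto}/{a.dport} {a.src}->{a.dst}"


def triage(text):
    """Collapse raw alerts into ranked items: one per grouping key, with counts and sources."""
    items = {}
    for a in parse_alerts(text):
        prio, cat, key = classify(a)
        item = items.setdefault(key, {"priority": prio, "category": cat, "summary": key,
                                      "count": 0, "sources": set(), "ports": set()})
        item["count"] += 1
        item["sources"].add(a.src)
        item["ports"].add(a.dport)
        if cat == "tune":
            item["service"] = (a.dst, a.dport, a.proto)
    return sorted(items.values(), key=lambda i: (i["priority"], -i["count"]))


def actionable(text):
    """What goes to the IT team: everything except pure noise."""
    return [i for i in triage(text) if i["priority"] < 4]


def suggest_allow_rules(items):
    """Explicit allow rules implied by 'tune' items; each removes a whole class of noise."""
    return [f"allow {proto}/{port} from {INTERNAL} to {dst}"
            for i in items if i["category"] == "tune"
            for dst, port, proto in [i["service"]]]


if __name__ == "__main__":
    ranked = triage(SAMPLE_ALERTS)
    print(f"{len(parse_alerts(SAMPLE_ALERTS))} raw alerts -> {len(actionable(SAMPLE_ALERTS))} items for the team")
    for i in ranked:
        print(f"P{i['priority']} {i['category']:<11} x{i['count']:<2} {i['summary']}")
    for r in suggest_allow_rules(ranked):
        print("tuning:", r)
```

Running the block collapses the nine constructed alerts into five ranked items, four of which are worth the team's time, and derives two allow rules that would silence the blocked DNS and NTP traffic the next night. The grouping keys and the expected-service table are the parts that get refined during the weeks of tuning the text describes; the handover documentation mentioned above is, in practice, that table plus the reasoning behind each priority tier.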

Quartet Can Help

We Help Strong Toronto Companies Stay Strong.

We’ve been providing managed IT services in Toronto and helping our SMB clients maintain efficient, secure IT environments since 1998. We play the long game. As we’ve said before, an effective IT strategy isn’t a one-time deliverable; it’s a constantly evolving execution that’s shaped by the kind of risk your business faces, efficiency and ROI.

In 2017 we became SOC 2-compliant, meaning that we conform to strict, audited standards of secure data management that protect customer interests and privacy. That’s just the latest in a long string of investments we make on behalf of our customers. When we acquire new tools or certifications like SOC 2, all our customers benefit. The same is true for our IT security services and solutions: we conduct the cybersecurity audits that most auditors now require of customers like ours. We also help clients transform their security posture to a robust security information and event management (SIEM) approach. The bottom line is simple. If it’s something we think you need, we’ll make sure you have it.


Call 416-483-8332 Email talktous@quartetservice.com

www.quartetservice.com.

Copyright © Quartet Service Inc. 2019