7 WAYS TO AVOID SECURITY BREACHES—Part 1, Consistency

SolarWinds® MSP recently released the results of its survey into the cybersecurity preparedness and experiences of 400 SMBs and enterprises across the US and the UK—read the blog post here for the full story. 

In this post and the following ones in the series, we’ll unpack some of the most significant findings from the report. 

Companies aren’t progressing fast enough in cyber security

The results make for anxiety level-raising reading, particularly as the requirement for solid internet security has never been higher. It appears that companies and their IT service providers aren’t keeping up with best practices for securing networks.

The timing of these findings could not have been more appropriate—and worrying—coming hot on the heels of a weekend of cyber carnage, with WannaCry ransomware attacks crippling businesses and organizations around the globe.

One minute we think our networks are secure, then the next, a new attack breaks out and we’re caught unawares. It’s easy to think there is nothing, but else to be done the reality is there are quite a few steps we can take. 

The SMB myths fueling cybersecurity apathy

The survey uncovered that businesses are frighteningly underprepared for cyber attacks. SMBs in particular don’t do well when it comes to cyber security. They are not concerned by, nor prepared for, cyber threats—and this apathy is founded on three false beliefs:   

1. They are too small to be appealing. Not so. Many SMBs are exploited by cybercriminals to gain access to bigger organizations that the SMBs support, and by automated attacks looking for specific weaknesses.
2. They don’t have anything worth stealing. It’s more likely that they underestimate the value of their assets (such as intellectual property or sensitive customer data like credit card or social security numbers).
3. They have nothing to lose. Nothing, except their reputation. For SMBs, reputation is the foundation of securing new and ongoing business.

To help companies and managed service providers (MSPs) and other IT professionals get a handle on growing security threats, we’ve highlighted seven areas from our survey that businesses need to improve to boost their chances of not getting struck down or caught out. Over the next few weeks we’ll publish a look at each of these areas in detail.  

Consistency is the key with security policies

The first thing we’re going to highlight is “Inconsistency.”

One key area where companies fail badly is creating security policies, and then ensuring those policies are consistently applied or enforced. A security policy is clearly worthless unless it is correctly enforced and its suitability is regularly checked. 

Surprisingly, only 32% of respondents could claim their security policies are reliably applied and regularly audited. Less than half (43%) enforce them only occasionally, 17% fail to audit their suitability, and 7% don’t even have policies.

The need to apply and audit security policies

This highlights a key problem: there are endemic issues in many businesses’ security policies. While most of the respondents to our survey said they had security policies in place, very few had any way to enforce or audit those policies. 

This is hugely disappointing as enforcing security policies could really help organizations be clear about how they approach security. For instance, a great security policy would be to prevent unauthorized USB devices from being attached to computers within the company environment. 

The problem is that unless you either lock down a system and take away the ability to connect external devices—or at the very least monitor for when one is attached to the network—then chances are that malware can be delivered that way or intellectual property can be removed. Suddenly you find yourself in a data breach situation. This is a crucial area where MSPs can help their customers: providing the technology and support to effectively monitor systems. 

Ensure clarity when setting security policies

On top of this, companies need to be clear about the types of policies they set. Businesses that need to have one or two machines exposed—such as point-of-sale (POS) machines—might need to have those machines locked down and have separate policies when it comes to vulnerability management, patching, or additional layers of security within the business. Again, this is a core area where MSPs can help their customers: using their skills and insight to set and monitor security policies effectively and consistently throughout the organization.

When organizations want to shore up the protection of their data, one powerful starting point is to improve their consistency. Strong security comes from good habits; so make enforcing your security policies priority number one.  

In the next article we will look at “Negligence.”

We've tailored the report to reflect your side of the industry:

• If you're a managed services provider, click here to download the full report 
• If you're an in-house IT professional, you should download this version 

Click here to find out more about how SolarWinds MSP can help you protect your customers.