Let’s face reality: when it comes to cloud security, most organizations don’t have a set strategy, or at least not a cybersecurity strategy that they stick to. In my discussions with many different types of organizations over the years, it’s clear that those in regulated industries, like healthcare and banking/finance, tend to have more of a strategy.
Without a comprehensive security strategy that is executed with discipline, security decisions naturally get pushed to the side. There’s a reason for this: security isn’t why businesses are in business, and security considerations, while important, are secondary to whatever the core function of an enterprise happens to be. Unfortunately, when security considerations aren’t taken into account, the risk of compromise rises.
The gap is widest among small and mid-sized businesses, and it shows. A recent study conducted by the Ponemon Institute found that more than 50% of SMBs had been breached in the 12 months prior to the survey, and a scant 14% self-rated their security posture as highly effective.
It doesn’t have to be this way. There are straightforward steps SMBs can take today to improve their cybersecurity posture. These steps aren’t comprehensive, but they are a good start.
Step 1: Get a grasp of the situation
Take the time to classify your important data. This could be customer data that, if exposed, would harm them. Then understand which systems store and manage the data that is essential for your business to run: is it stored locally, or in a cloud system? Do the same exercise for regulated data: identify where it is stored and which systems are used to manage it.
And be certain to take inventory of the systems in use in your organization: apps, servers on premises and in the cloud, notebooks, PCs, as well as any infrastructure on which your business depends.
Step 2: Evaluate security controls
How are data and IT resources protected? Are good identity and access controls in place to limit data and application access to only those who are authorized? Are systems and apps kept up to date with the latest patches? Are local networks protected with firewalls and those access rulesets kept up-to-date? Is there a security awareness program in place that keeps security on the top of mind among employees?
If you practice agile development methods and have an automated continuous deployment pipeline, then also make sure the right automated security tests are in place and that they run before a change reaches production, not after. A failing test should stop the deployment; otherwise the pipeline only reports security-related defects rather than preventing them.
If you’re just getting started in defining your security controls, take a look at the CIS AWS Foundations Benchmark. It is a set of prescriptive configuration checks (identity and access management, logging, monitoring, and networking) against which you can measure your AWS account. Note that it covers the account and infrastructure configuration, not the security of the application code you deploy on top of it.
Step 3: Update policies based on threats and risk
As new applications and services are deployed, and as new types of data are created and need to be managed, the threat posture of the organization changes. As the threat posture changes, security policy and controls need to be updated with it.
It’s important to consider the value of data and services to your business. For instance, how disruptive would it be if data were compromised, or services disrupted, such as in a denial of service attack? What data do you hold that could be targeted by criminals, and why? When you understand the value of data, apps, and systems both to the business and to an attacker, it becomes much easier to decide how to secure them and how much effort each deserves.
Step 4: The boss needs to be on-board
In order for security to function properly, it has to work in lockstep with what is happening in the business. As new services or apps are being planned, for example, business leaders need to take cybersecurity seriously and support the processes necessary for security to be part of that planning from the start.
Step 5: Automate what can be automated
A good way to make sure all of your security efforts are running according to policy is to automate what can be automated. This can and should include scanning systems for patch levels and scanning the network perimeter for weaknesses. As virtual machines and workloads are deployed, their configurations need to be vetted against policy, and anything that fails the check should be flagged or blocked before it goes live. Anything within your security processes that can be automated to enforce policy: automate it.
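The policy checks described in Step 2 (benchmark-style controls, tests that gate a deployment pipeline) and Step 5 (vetting deployed configurations against policy) can be a small piece of code run on every change. The following is an added example, not code from the original post or from the CIS benchmark. It evaluates a constructed, hypothetical inventory of cloud resources, shaped roughly like what a cloud API would return, against five simplified checks in the spirit of CIS AWS Foundations Benchmark controls: no SSH/RDP open to the world, MFA on the root account, no root access keys, no publicly readable bucket holding data classified as sensitive in Step 1, and audit logging covering all regions. All resource names, the control identifiers, and the inventory format are assumptions made for the example.

```python
"""Policy-as-code check over a cloud resource inventory.

Added example, not from the original post. INVENTORY is constructed
sample data; the checks are simplified illustrations in the spirit of
CIS AWS Foundations Benchmark controls, not the benchmark itself.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample inventory; resource names and the schema are hypothetical.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "10.0.0.0/16"}]},
        {"id": "sg-legacy", "ingress": [{"port": 3389, "cidr": "::/0"}]},
    ],
    "iam_users": [
        {"name": "<root>", "mfa": False, "access_keys": 1},
        {"name": "alice", "mfa": True, "access_keys": 0},
    ],
    "buckets": [
        # "classification" is the label assigned in the Step 1 exercise
        {"name": "customer-exports", "public": True, "classification": "pii"},
        {"name": "static-site", "public": True, "classification": "public"},
    ],
    "cloudtrail": {"enabled": True, "all_regions": False},
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP


@dataclass(frozen=True)
class Finding:
    control: str   # short policy identifier (hypothetical naming)
    resource: str  # the inventory item that violated it
    detail: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; any narrower prefix is not 'the world'."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_admin_ports(inv):
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                yield Finding("admin-port-world-open", sg["id"],
                              f"port {rule['port']} open to {rule['cidr']}")


def check_root_account(inv):
    for user in inv["iam_users"]:
        if user["name"] != "<root>":
            continue
        if not user["mfa"]:
            yield Finding("root-mfa-disabled", user["name"], "root has no MFA device")
        if user["access_keys"] > 0:
            yield Finding("root-access-keys", user["name"],
                          f"{user['access_keys']} active access key(s) on root")


def check_public_buckets(inv):
    # Public is acceptable only for data explicitly classified as public.
    for b in inv["buckets"]:
        if b["public"] and b["classification"] != "public":
            yield Finding("sensitive-bucket-public", b["name"],
                          f"classified '{b['classification']}' but publicly readable")


def check_audit_logging(inv):
    trail = inv["cloudtrail"]
    if not trail["enabled"]:
        yield Finding("audit-logging-disabled", "cloudtrail", "no trail configured")
    elif not trail["all_regions"]:
        yield Finding("audit-logging-single-region", "cloudtrail",
                      "trail does not cover all regions")


CHECKS = [check_admin_ports, check_root_account, check_public_buckets, check_audit_logging]


def evaluate(inv) -> list:
    """Run every check over the inventory; the result is the list of violations."""
    return [f for check in CHECKS for f in check(inv)]


def main() -> int:
    findings = evaluate(INVENTORY)
    for f in findings:
        print(f"[{f.control}] {f.resource}: {f.detail}")
    print(f"{len(findings)} finding(s)")
    return 1 if findings else 0  # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pipeline step, the non-zero exit code is what turns a report into a gate: the deployment stops until the finding is fixed or explicitly accepted. Against the sample inventory it reports six findings, including the RDP rule open over IPv6 (`::/0`), which a check that only looked for `0.0.0.0/0` would miss. In a real deployment the inventory would be pulled from the cloud provider's API rather than hard-coded, and the checks would be reviewed against the current benchmark text rather than these simplified stand-ins.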