As confirmed by PricewaterhouseCoopers, attacks against small and midsized businesses (SMBs) increased by 64 percent between 2013 and 2014. Why? Low cost, high reward.
Attackers can break through millions of poorly defended SMBs through automation, gaining access to a treasure trove of data. Small-business vulnerability assessments can identify your weaknesses, but they take time away from daily operations. Is a security vulnerability assessment really worth the resources? These five questions will help you decide.
What Does It Entail?
A vulnerability assessment identifies your valuable assets as well as how attackers could steal them from you. Not surprisingly, 2014's most common attack vectors were:
- Software exploit (53 percent).
- User interaction, such as opening a malicious email attachment or clicking through an unsafe URL (44 percent).
- Web application vulnerability, like SQL injection, XSS or remote file inclusion (33 percent).
- Use of stolen credentials (33 percent).
- DDoS (10 percent).
It's impossible to patch every vulnerability. "You can scan and patch 24/7, 365 days a year," says Forrester security researcher Kelley Mak, "and still not take out a significant chunk." The key is to identify vulnerabilities that will result in the most damage to your bottom line.
How Frequently Should We Assess?
Frequency depends on what kind of data you store and what kind of business you operate. If you can say yes to the following, you should assess more often:
- You've never run a security vulnerability assessment before, or it's been a while. In either case, establish a baseline with frequent assessments for a year or so. Then dial back the frequency.
- You're subject to regulatory compliance. If you're just checking boxes, you're only getting a limited security picture. Compliance is a baseline, not an effective defensive posture.
- You're a contractor for a government agency or a valuable enterprise target. Cybercriminals love to use SMB vendors as a way into higher-value targets. If one employee's stolen credentials cost an enterprise customer millions of dollars, you'd kiss your contract goodbye.
Can Ops Do It?
Give a sysadmin the SANS 20 list of recommended security controls. If they can understand them, evaluate the business against them and remediate all associated issues, let them handle it.
Already too busy to take on the project? Bring in a specialist. Keep expenses down by getting an initial third-party assessment, drafting an action plan and having the entire ops team implement it.
What Does a Top-Notch Third-Party Assessment Look Like?
Before you hire someone, ask them to explain how they conduct a security vulnerability assessment. According to Robbie Higgins, CISO of AbbVie and author for SearchMidmarketSecurity, the consultant's service should include:
- Information and infrastructure evaluation. The consultant should look at your information systems, stored data, hardware and software. Critical systems like billing, HR, CRM, legal and IP repositories are vital, but you should also pay attention to minor systems that your own vendors can access.
- Current threat landscape. In addition to knowing today's common exploits and malware trends, your consultant should tell you what types of data attackers have been after lately and what kinds of organizations they're currently targeting.
- Awareness of internal soft spots. Internal weaknesses aren't only a matter of disgruntled employees. Something as simple as incorrect data entry can expose you to SQL injection.
- Estimated impact. Your vendor should explain the degree to which each security vulnerability would affect the confidentiality, integrity and availability of your data and network resources.
- Risk assessment. A good vendor combines weaknesses, threat landscape and potential impact to extrapolate your risks in priority order.
- An action plan. Again, save on security consultation by letting your team execute this roadmap.
Is It Worth It?
Assessments and remediation could cost you in short-term payroll or a third-party consultant's fee. But if they prevent a data breach that could shut down your business, almost any price is worthwhile.