Drive Your Business
Failure Is Not an Option
Protecting a mid-sized company from IT security threats
2 ©2015 WGroup. ThinkWGroup.com
Executive summary
Today, all organizations must contend with the possibility that they could become the targets of a malicious cyber-attack. The threat of breach to mid-sized companies grows with each passing year as more valuable information and mission-critical applications are handled by IT and stored on public-facing servers. Medium-sized businesses struggle to meet the challenges presented by these risks, as they may lack the security budget of larger organizations but still be a valuable target for attack. This can put them in a uniquely dangerous position. In order to reduce their risk and contend with the possibility of attack, mid-sized companies must learn to stretch their budget and implement procedures that give them the greatest security benefit-to-cost ratio.
Mid-sized companies are at risk
In order to properly prepare for the possibility of breach, companies must understand the repercussions of a failure to do so. Cybercrime is reaching all-time highs, and many attackers are targeting smaller organizations that may not have the same defensive abilities as larger targets. Attackers can steal sensitive information, cause downtime, and destroy systems. This can lead to losses ranging up into the millions. No company that relies on IT for any mission-critical function can afford to ignore the risk posed by these threats.
Managing risk with a limited budget
Even if an organization recognizes that it must take steps to reduce the risk of a breach, it may not know where to begin doing so. Mid-sized companies must have a structured plan in place to ensure that they are maximizing the effectiveness of their budgets and taking action to protect their assets with the greatest efficiency. These plans should be built using a five-pronged approach:
• Identifying threats
• Identifying security needs
• Updating enterprise-security architecture
• Creating a breach detection and response plan
• Deploying your strategy
What is at stake?
For many businesses, IT security might be relatively low on the priority list. Most organizations are more concerned with growing and deploying their products and services than with protecting their IT infrastructure from malicious attack. This mentality is driven by a belief that most attackers are only interested in high-profile targets and that the company doesn’t actually have anything valuable to steal. There is growing evidence, however, that organizations of practically every size are routinely targeted for attack. The repercussions of those attacks can be great.
Attackers are targeting mid-sized businesses
Today, more mid-sized businesses are being targeted for IT attacks than ever before. Attacks on firms with 2,500 employees or less rose 61% in 2013 alone, while attacks on larger firms slightly decreased in the same time period [1]. Clearly cybercriminals are singling out smaller businesses, but why?
More businesses use vulnerable technology
One of the likely reasons that attacks on mid-sized companies are increasing is that the use of IT for a wide range of applications and services has grown exponentially. More smaller businesses than ever before are using IT services to store and share data, communicate, automate systems, and perform basic business tasks. Today, practically every company uses IT in some capacity, and its role in the workplace is constantly expanding. This growth increases the range of targets that attackers can exploit. In the past, many mid-sized companies may not have kept sensitive electronic data; now nearly all do. As more new functionality and applications trickle their way down from the largest firms to smaller firms, medium-sized businesses become significant targets of cyberattack.
Cybercrime is growing
Of course cybercriminals aren’t only attacking mid-sized businesses. They also routinely target individuals, government agencies, small businesses, and multinational conglomerates. As annual losses to organizations from computer hacker theft approach $445 billion, cybercrime is increasing by almost any metric [2]. Stealing financial information, intellectual property, and other data can be very good business for attackers, and many have joined their ranks seeking profit. The attackers are also becoming more sophisticated. Some security experts estimate that as many as 80% of attackers are affiliated with organized crime [3]. Malware and other attack tools are becoming much more readily available. The much publicized shutdown of Darkode, an online marketplace for stolen information and malicious software, showed the extent of the cybercrime industry, and the site likely will be replaced quickly by similar sites. Despite the best efforts of law enforcement worldwide, cybercrime is unlikely to dissipate in the foreseeable future.
Mid-sized companies are easier targets
Perhaps the most important reason why attacks on mid-sized companies are growing is that many remain relatively easy targets compared to larger corporations. Most mid-sized businesses have much smaller InfoSec budgets than large companies. Most do not employ a range of specialized personnel or invest in technology to ensure that their data, applications and systems are protected. This leads to inadequate defenses and can cause serious financial losses. One recent analysis of data breaches found that two-thirds of breaches remain undiscovered for months or more [4]. This clearly indicates serious security deficiencies in many companies.
Secure strategy with a limited budget
Mid-sized companies need to do more to protect themselves from IT security threats, but how can they increase the effectiveness of their defense strategies without drastically increasing their budget? Better security begins with effective strategy. Businesses working on a limited budget must put forth extra effort planning for their needs and identifying ways to make their resources do more to protect them.
1. Identify potential threats
Before drafting a comprehensive security strategy for a mid-sized business, it is important to start by identifying potential threats. This helps your company focus on the most likely targets and attack scenarios, giving the greatest possible protection for invested resources. Talking to other enterprises, consultants, the IT department, and outside groups can help provide information about what kinds of threats might affect your company and what can be done to address those risks. Questions to ask include:
What threats affect my sector?
Companies in certain industries are much more likely to be subject to some form of attack than others. For example, those in the financial industry are likely to have customers’ private information or other financial data stolen. Similarly, those developing new intellectual property are likely to have that information targeted. Identifying the most valuable assets of your business can help create a priority list for security measures.
What attacks are most common?
Although ingenious breaches involving multiple stages, password decryption and various attack vectors can happen, the most common forms of attack are much simpler, relying primarily on victim inexperience. Most malware is deliberately installed by unaware users led to believe that it is anti-virus software or a necessary update. Most passwords are collected through simple phishing scams in which users unwittingly give away their information to those in the guise of authority [5]. Understanding what kind of attacks are a threat to your business is a critical first step in identifying ways to make IT more secure.
2. Identify security needs
With information garnered from analyzing potential threats to your business, you can begin formulating a list of necessary requirements to protect against those threats and secure the company. This helps your business further prioritize the agenda and build a roadmap for action. Questions that businesses should ask themselves include:
What is mission-critical?
Some data, services, systems, and applications are more important to your business than others. Losing access to an in-house messaging application may be inconvenient and cause some loss in productivity, but it is not likely to have as much impact as an e-commerce website going down or customers’ private data being stolen. With this in mind, it is critical for the budget-minded organization to treat each item separately, with more effort and resources going to protect those that are most valuable.
What are our compliance needs?
What are corporate policies and goals?
Every business has different risk tolerances and different policies in place to secure information and protect against attack. Any information security plan must be aligned with broader business goals in order to gain support from other areas of the company and to ensure that it is effective.
3. Update enterprise-security architecture
At the foundation of an effective security strategy is solid enterprise-security architecture. It is important to carefully evaluate your architecture and identify ways to make it more robust in order to ensure that the network, servers, applications, and services in your business are safe. Key topics to consider include:
What network-security policies are in place?
Policies form the basis for strong enterprise-security architecture. They give guidance to employees and form a roadmap for building and maintaining systems. For these reasons, it is absolutely critical that policies be comprehensive, modern, and effective in the real world.
Is the network built securely?
Organizations must analyze their network topology, their use of wireless APs, and other foundational building blocks of the network and identify areas in which it could be made more secure. For example, companies need to build in separations by creating trusted areas, semi-trusted areas, and untrusted areas. By strictly regulating the connections between these zones and grouping devices into related groups, you can better enforce security policy and prevent unauthorized access to data.
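The zone model just described can be checked mechanically rather than trusted on paper. The Python script below is an added example, not code from WGroup or from this paper: it assigns addresses to trusted, semi-trusted (DMZ) and untrusted zones, declares which zone-to-zone flows the policy permits, and audits a set of constructed firewall "allow" log lines against that policy, reporting flows the firewall accepted but the policy forbids. The subnets, the allowed-port matrix and the log format are assumptions made for the example; in practice they come from your own topology and firewall.

```python
"""Audit accepted firewall flows against a three-zone network policy.

Added example (not WGroup's code). Zone subnets, the allowed-flow
matrix and the log line format are all assumptions for illustration.
"""
import ipaddress
from collections import Counter

# Zone assignment by subnet. Anything not listed is untrusted by default,
# which is how the internet and a guest wireless AP should be treated.
ZONE_SUBNETS = {
    "trusted": [ipaddress.ip_network("10.10.0.0/16")],        # internal servers and workstations
    "semi-trusted": [ipaddress.ip_network("10.20.0.0/24")],   # DMZ: public web and mail relay
}

# Policy: (source zone, destination zone) -> destination ports allowed.
# None means any port; a pair missing from the table means no flow at all.
ALLOWED_FLOWS = {
    ("trusted", "trusted"): None,
    ("trusted", "semi-trusted"): {22, 443},        # admin and HTTPS into the DMZ
    ("trusted", "untrusted"): {53, 80, 443},       # outbound DNS and web only
    ("semi-trusted", "trusted"): {5432},           # DMZ web tier to the database only
    ("semi-trusted", "untrusted"): {25, 443},      # mail relay and outbound HTTPS
    ("untrusted", "semi-trusted"): {25, 80, 443},  # public services in the DMZ
    # ("untrusted", "trusted") is deliberately absent: never allowed
}


def zone_of(ip: str) -> str:
    """Return the zone an address belongs to; unknown addresses are untrusted."""
    addr = ipaddress.ip_address(ip)
    for zone, subnets in ZONE_SUBNETS.items():
        if any(addr in net for net in subnets):
            return zone
    return "untrusted"


def check_flow(src: str, dst: str, dport: int):
    """Return (src_zone, dst_zone, permitted) for one flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    ports = ALLOWED_FLOWS.get((src_zone, dst_zone), set())
    permitted = ports is None or dport in ports
    return src_zone, dst_zone, permitted


def parse_log_line(line: str):
    """Parse a constructed 'key=value' firewall log line into (src, dst, dport)."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def audit(lines):
    """Return the accepted flows that the zone policy does not permit."""
    violations = []
    for line in lines:
        src, dst, dport = parse_log_line(line)
        src_zone, dst_zone, permitted = check_flow(src, dst, dport)
        if not permitted:
            violations.append((src, src_zone, dst, dst_zone, dport))
    return violations


def summarize(violations):
    """Count violations per (source zone, destination zone) pair."""
    return Counter((v[1], v[3]) for v in violations)


# Constructed sample: flows a firewall accepted. The last three should not
# exist under the policy above (internet, DMZ and guest Wi-Fi hosts reaching
# into the trusted zone), so they indicate firewall rules out of step with policy.
SAMPLE_ALLOW_LOG = [
    "2015-07-01T10:00:01 src=10.10.5.7 dst=10.20.0.5 dport=443 action=allow",
    "2015-07-01T10:00:02 src=198.51.100.23 dst=10.20.0.5 dport=443 action=allow",
    "2015-07-01T10:00:03 src=10.20.0.5 dst=10.10.8.9 dport=5432 action=allow",
    "2015-07-01T10:00:04 src=198.51.100.23 dst=10.10.5.7 dport=3389 action=allow",
    "2015-07-01T10:00:05 src=10.20.0.5 dst=10.10.8.9 dport=22 action=allow",
    "2015-07-01T10:00:06 src=192.168.50.14 dst=10.10.8.9 dport=445 action=allow",
]


if __name__ == "__main__":
    found = audit(SAMPLE_ALLOW_LOG)
    for src, src_zone, dst, dst_zone, dport in found:
        print(f"policy violation: {src} ({src_zone}) -> {dst}:{dport} ({dst_zone})")
    print("violations per zone pair:", dict(summarize(found)))
```

Running the script on the sample reports three violations, two of them untrusted-to-trusted. The design point is that the allowed-flow table is the written policy and the firewall log is the observed reality; running the audit periodically over real accepted flows surfaces rules that drifted from the zone model, which is exactly the gap the text warns about.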
What role do third parties play?
Third-party vendors are a greater part of IT than ever before. With the range of cloud-based services available, many companies use outside solutions for storage, computing, infrastructure, disaster recovery, and a wide selection of other activities traditionally performed in-house. This can greatly complicate the security architecture of a company. Integrations and access between the vendor and the core network must be made secure, and IT must make sure that the vendor’s own security practices are aligned with business security needs.
4. Create a breach detection and response plan
In the event of a breach, it is extremely important that companies act quickly to prevent damage to systems or loss of information. However, many businesses have an extremely limited ability to address breaches if they do occur. In order to mitigate risk and create a more secure IT organization, companies must have systems and personnel in place to stop breaches, identify APTs, prevent further attacks, and repair any damage that has been done.
Prepare notifications
In the event of a breach, many parties must be notified. IT management must first be notified so they can address the breach and ensure that its damage is limited, other business leaders must be informed so they can determine how the breach will affect their activities, and the public may have to be informed if the breach involves a loss of personal information. Companies should have systems in place to control the prompt and accurate distribution of these notifications to limit the potential negative impact of the incident.
Consider third-party help
Many mid-sized companies struggle to respond to breaches effectively, or even to detect that they occurred. In 2013, as many as 71% of companies that experienced a breach did not detect the incident themselves [6]. A lack of large budgets restricts IT’s ability to hire personnel specialized in responding to cyber-attacks. For this reason, many organizations choose to use a third-party security service that can help them detect and respond to incidents. These companies employ highly trained individuals who can quickly put a stop to a breach and often identify the attackers. This can be an invaluable addition for companies lacking the budget for a full-time security team.
Have a disaster recovery plan in place
Hackers may destroy systems, take services offline, or cause general havoc with IT systems. In order to ensure that this does not lead to disastrous losses in productivity or data, it is important that companies have an effective recovery plan in place. This should include provisions for data recovery, server redundancy, and forensics to help identify the attackers.
5. Deploy your strategy
Once an effective strategy has been developed, the company must take action to deploy it. This will be an extended process, including the initial changes and the ongoing maintenance and operations that it requires.
Make a case to business leaders
If the information security strategy was properly developed, it should take into account the needs of the entire organization, not just the IT department. This should make it relatively simple to make the case to other business leaders that the provisions required by the strategy are absolutely necessary. Getting support across the company can help ensure that the necessary resources can be allocated and that the organization will adhere to the defined procedures and objectives.
Educate employees
Most corporate security breaches can be traced back to an attacker exploiting an uninformed employee. That’s why employee education is one of the most important steps in deploying effective security measures. Everyone in the company must be made aware of proper protocols and understand the importance of protecting passwords and other sensitive information.
Evaluate and revise
Security strategies should not be static documents. They must be constantly evaluated and revised based on their performance. Companies should keep detailed records of the types and frequency of attacks they experience, how effective their defenses were, where attacks originated, and other related data to refine their strategies and make them more efficient.
Summary
Effective security is a critical component of the IT organization at any mid-sized company. However, taking steps to build robust security into the organization can be challenging for those on a relatively limited budget. In order to meet these challenges, companies must implement the right strategies to minimize risk in a cost-effective way.
Key thoughts:
• Mid-sized companies face an ever-growing threat of breach.
• The cost of ignoring security threats can be devastating.
• Many smaller companies struggle to take the steps necessary to properly protect themselves.
• Budget-minded companies must take a thought-out approach to security that emphasizes key objectives and prioritizes actions that will be the most effective.
• Most security breaches are caused by an employee mistake. Education and training are critical parts of security.
• Any security strategy should be regularly evaluated to ensure it is cost-effective and that it addresses the latest threats.
If you would like to learn more about this and other issues facing the modern CIO, visit thinkwgroup.com/insights
References
[1] http://www.informationweek.com/government/cybersecurity/cyber-attackers-target-small-midsized-businesses/d/d-id/1278632
[2] http://www.bloomberg.com/news/articles/2014-06-09/cybercrime-remains-growth-industry-with-445-billion-lost
[3] http://deloitte.wsj.com/cio/2015/05/12/security-expert-marc-goodman-on-cyber-crime/
[4] http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf
[5] http://www.infoworld.com/article/2616316/security/the-5-cyber-attacks-you-re-most-likely-to-face.html
[6] https://www.trustwave.com/Resources/Global-Security-Report-Archive/
Founded in 1995, WGroup is a boutique management consulting firm that provides Strategy, Management and Execution Services to optimize business performance, minimize cost and create value. Our consultants have years of experience both as industry executives and trusted advisors to help clients think through complicated and pressing challenges to drive their business forward. Visit us at www.thinkwgroup.com or give us a call at (610) 854-2700 to learn how we can help you.
150 N Radnor Chester Road Radnor, PA 19087
610-854-2700
ThinkWGroup.com