Failure Is Not an Option: Protecting a mid-sized company from IT security threats

Apr 15, 2017


WGroup

©2015 WGroup. ThinkWGroup.com

Executive summary

Today, all organizations must contend with the possibility that they could become the targets of a malicious cyber-attack. The threat of breach to mid-sized companies grows with each passing year as more valuable information and mission-critical applications are handled by IT and stored on public-facing servers. Medium-sized businesses struggle to meet the challenges presented by these risks as they may lack the security budget of larger organizations but still be a valuable target for attack. This can put them in a uniquely dangerous position. In order to reduce their risk and contend with the possibility of attack, mid-sized companies must learn to stretch their budget and implement procedures that give them the greatest security benefit-to-cost ratio.

Mid-sized companies are at risk

In order to properly prepare for the possibility of breach, companies must understand the repercussions of a failure to do so. Cybercrime is reaching all-time highs, and many attackers are targeting smaller organizations that may not have the same defensive abilities as larger targets. Attackers can steal sensitive information, cause downtime, and destroy systems. This can lead to losses ranging up into the millions. No company that relies on IT for any mission-critical function can afford to ignore the risk posed by these threats.

Managing risk with a limited budget

Even if an organization recognizes that they must take steps to reduce the risk of a breach, they may not know where to begin doing so. Mid-sized companies must have a structured plan in place to ensure that they are maximizing the effectiveness of their budgets and taking action to protect their assets with the greatest efficiency. These plans should be built using a five-pronged approach:

• Identifying threats

• Identifying security needs

• Updating enterprise-security architecture

• Creating a breach detection and response plan

• Deploying your strategy


What is at stake?

For many businesses, IT security might be relatively low on the priority list. Most organizations are more concerned with growing and deploying their products and services than with protecting their IT infrastructure from malicious attack. This mentality is driven by a belief that most attackers are only interested in high-profile targets and that the company doesn’t actually have anything valuable to steal. There is growing evidence, however, that organizations of practically every size are routinely targeted for attack. The repercussions of those attacks can be great.

Attackers are targeting mid-sized businesses

Today, more mid-sized businesses are being targeted for IT attacks than ever before. Attacks on firms with 2,500 employees or fewer rose 61% in 2013 alone, while attacks on larger firms slightly decreased in the same time period [1]. Clearly cybercriminals are singling out smaller businesses, but why?

More businesses use vulnerable technology

One of the likely reasons that attacks on mid-sized companies are increasing is that the use of IT for a wide range of applications and services has grown exponentially. More smaller businesses than ever before are using IT services to store and share data, communicate, automate systems, and perform basic business tasks. Today, practically every company uses IT in some capacity, and its role in the workplace is constantly expanding. This growth increases the range of targets that attackers can exploit. In the past, many mid-sized companies may not have kept sensitive electronic data; now nearly all do. As more new functionality and applications trickle their way down from the largest firms to smaller firms, medium-sized businesses become significant targets of cyberattack.


Cybercrime is growing

Of course, cybercriminals aren’t only attacking mid-sized businesses. They also routinely target individuals, government agencies, small businesses, and multinational conglomerates. As annual losses to organizations from computer hacker theft approach $445 billion, cybercrime is increasing by almost any metric [2]. Stealing financial information, intellectual property, and other data can be very good business for attackers, and many have joined their ranks seeking profit.

The attackers are also becoming more sophisticated. Some security experts estimate that as many as 80% of attackers are affiliated with organized crime [3]. Malware and other attack tools are becoming much more readily available. The much-publicized shutdown of Darkode, an online marketplace for stolen information and malicious software, showed the extent of the cybercrime industry, and the site likely will be replaced quickly by similar sites. Despite the best efforts of law enforcement worldwide, cybercrime is unlikely to dissipate in the foreseeable future.

Mid-sized companies are easier targets

Perhaps the most important reason why attacks on mid-sized companies are growing is that many remain relatively easy targets compared to larger corporations. Most mid-sized businesses have much smaller InfoSec budgets than large companies. Most do not employ a range of specialized personnel or invest in technology to ensure that their data, applications and systems are protected. This leads to inadequate defenses and can cause serious financial losses. One recent analysis of data breaches found that two-thirds of breaches remain undiscovered for months or more [4]. This clearly indicates serious security deficiencies in many companies.


Secure strategy with a limited budget

Mid-sized companies need to do more to protect themselves from IT security threats, but how can they increase the effectiveness of their defense strategies without drastically increasing their budget? Better security begins with effective strategy. Businesses working on a limited budget must put forth extra effort planning for their needs and identifying ways to make their resources do more to protect them.

1. Identify potential threats

Before drafting a comprehensive security strategy for a mid-sized business, it is important to start by identifying potential threats. This helps your company focus on the most likely targets and attack scenarios, giving the greatest possible protection for invested resources. Talking to other enterprises, consultants, the IT department, and outside groups can help provide information about what kinds of threats might affect your company and what can be done to address those risks. Questions to ask include:

What threats affect my sector?

Companies in certain industries are much more likely to be subject to some forms of attack than others. For example, those in the financial industry are likely to have customers’ private information or other financial data stolen. Similarly, those developing new intellectual property are likely to have that information targeted. Identifying the most valuable assets of your business can help create a priority list for security measures.


What attacks are most common?

Although ingenious breaches involving multiple stages, password decryption and various attack vectors can happen, the most common forms of attack are much simpler, relying primarily on victim inexperience. Most malware is deliberately installed by unaware users led to believe that it is anti-virus software or a necessary update. Most passwords are collected through simple phishing scams in which users unwittingly give away their information to those in the guise of authority [5]. Understanding what kinds of attacks are a threat to your business is a critical first step in identifying ways to make IT more secure.


2. Identify security needs

With information garnered from analyzing potential threats to your business, you can begin formulating a list of necessary requirements to protect against those threats and secure the company. This helps your business further prioritize the agenda and build a roadmap for action. Questions that businesses should ask themselves include:

What is mission-critical?

Some data, services, systems, and applications are more important to your business than others. Losing access to an in-house messaging application may be inconvenient and cause some loss in productivity, but it is not likely to have as much impact as an e-commerce website going down or customers’ private data being stolen. With this in mind, it is critical for the budget-minded organization to treat each item separately, with more effort and resources going to protect those that are most valuable.


What are our compliance needs?

What are corporate policies and goals?

Every business has different risk tolerances and different policies in place to secure information and protect against attack. Any information security plan must be aligned with broader business goals in order to gain support from other areas of the company and to ensure that it is effective.


3. Update enterprise-security architecture

At the foundation of an effective security strategy is solid enterprise-security architecture. It is important to carefully evaluate your architecture and identify ways to make it more robust in order to ensure that the network, servers, applications, and services in your business are safe. Key topics to consider include:

What network-security policies are in place?

Policies form the basis for strong enterprise-security architecture. They give guidance to employees and form a roadmap for building and maintaining systems. For these reasons, it is absolutely critical that policies be comprehensive, modern, and effective in the real world.

Is the network built securely?

Organizations must analyze their network topology, their use of wireless APs, and other foundational building blocks of the network and identify areas in which it could be made more secure. For example, companies need to build in separations by creating trusted areas, semi-trusted areas, and untrusted areas. By strictly regulating the connections between these zones and grouping devices into related groups, you can better enforce security policy and prevent unauthorized access to data.

What role do third parties play?

Third-party vendors are a greater part of IT than ever before. With the range of cloud-based services available, many companies use outside solutions for storage, computing, infrastructure, disaster recovery, and a wide selection of other activities traditionally performed in-house. This can greatly complicate the security architecture of a company. Integrations and access between the vendor and the core network must be made secure, and IT must make sure that the vendor’s own security practices are aligned with business security needs.


4. Create a breach detection and response plan

In the event of a breach, it is extremely important that companies act quickly to prevent damage to systems or loss of information. However, many businesses have an extremely limited ability to address breaches if they do occur. In order to mitigate risk and create a more secure IT organization, companies must have systems and personnel in place to stop breaches, identify APTs, prevent further attacks, and repair any damage that has been done.

Prepare notifications

In the event of a breach, many parties must be notified. IT management must first be notified so they can address the breach and ensure that its damage is limited; other business leaders must be informed so they can determine how the breach will affect their activities; and the public may have to be informed if the breach involves a loss of personal information. Companies should have systems in place to control the prompt and accurate distribution of these notifications to limit the potential negative impact of the incident.

Consider third-party help

Many mid-sized companies struggle to respond to breaches effectively, or even detect that they occurred. In 2013, as many as 71% of companies that experienced a breach did not detect the incident themselves [6]. A lack of large budgets restricts IT’s ability to hire personnel specialized in responding to cyber-attacks. For this reason, many organizations choose to use a third-party security service that can help them detect and respond to incidents. These companies employ highly trained individuals who can quickly put a stop to a breach and often identify the attackers. This can be an invaluable addition for companies lacking the budget for a full-time security team.

Have a disaster recovery plan in place

Hackers may destroy systems, take services offline, or cause general havoc with IT systems. In order to ensure that this does not lead to disastrous losses in productivity or data, it is important that companies have an effective recovery plan in place. This should include provisions for data recovery, server redundancy, and forensics to help identify the attackers.


5. Deploy your strategy

Once an effective strategy has been developed, the company must take action to deploy it. This will be an extended process, including the initial changes and the ongoing maintenance and operations that it requires.

Make a case to business leaders

If the information security strategy was properly developed, it should take into account the needs of the entire organization, not just the IT department. This should make it relatively simple to make the case to other business leaders that the provisions required by the strategy are absolutely necessary. Getting support across the company can help ensure that the necessary resources can be allocated and that the organization will adhere to the defined procedures and objectives.

Educate employees

Most corporate security breaches can be traced back to an attacker exploiting an uninformed employee. That’s why employee education is one of the most important steps in deploying effective security measures. Everyone in the company must be made aware of proper protocols and understand the importance of protecting passwords and other sensitive information.

Evaluate and revise

Security strategies should not be static documents. They must be constantly evaluated and revised based on their performance. Companies should keep detailed records of the types and frequency of attacks they experience, how effective their defenses were, where attacks originated, and other related data to refine their strategies and make them more efficient.


Summary

Effective security is a critical component of the IT organization at any mid-sized company. However, taking steps to build robust security into the organization can be challenging for those on a relatively limited budget. In order to meet these challenges, companies must implement the right strategies to minimize risk in a cost-effective way.

Key thoughts:

• Mid-sized companies face an ever-growing threat of breach.

• The cost of ignoring security threats can be devastating.

• Many smaller companies struggle to take the steps necessary to properly protect themselves.

• Budget-minded companies must take a thought-out approach to security that emphasizes key objectives and prioritizes actions that will be the most effective.

• Most security breaches are caused by an employee mistake. Education and training are critical parts of security.

• Any security strategy should be regularly evaluated to ensure it is cost-effective and that it addresses the latest threats.

If you would like to learn more about this and other issues facing the modern CIO, visit thinkwgroup.com/insights


References

[1] http://www.informationweek.com/government/cybersecurity/cyber-attackers-target-small-midsized-businesses/d/d-id/1278632

[2] http://www.bloomberg.com/news/articles/2014-06-09/cybercrime-remains-growth-industry-with-445-billion-lost

[3] http://deloitte.wsj.com/cio/2015/05/12/security-expert-marc-goodman-on-cyber-crime/

[4] http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

[5] http://www.infoworld.com/article/2616316/security/the-5-cyber-attacks-you-re-most-likely-to-face.html

[6] https://www.trustwave.com/Resources/Global-Security-Report-Archive/


Founded in 1995, WGroup is a boutique management consulting firm that provides Strategy, Management and Execution Services to optimize business performance, minimize cost and create value. Our consultants have years of experience both as industry executives and trusted advisors to help clients think through complicated and pressing challenges to drive their business forward.

Visit us at www.thinkwgroup.com or give us a call at (610) 854-2700 to learn how we can help you.

150 N Radnor Chester Road Radnor, PA 19087
