Small Business Cyber-security - It is possible and affordable.

Information security has been in the fore front of news outlets lately, major banks, retail stores, financial companies, and government agencies have become victim of cyber-criminal and cyber espionage. Security incidents are not new in the IT world, however having the spot light on few major events have made it look as if all of a sudden a new army of cyber criminals rose up to go after major corporations.

As it turns out information security has been around as long as computers became mainstream, with the need to protect systems from hackers who broke into computers and servers to gain bragging right among their peers and to show that that it could be done. That utopian era is gone, now online crimes are committed with the sole intent of financial gain, to steal intellectual property, and as a weapon for many nations.

Let's focus on what is more tangible and applicable to us, that is cyber-security for the small business.

The truth is that cyber attackers have shifted from targeting large enterprises to small businesses. Symantec research shows that 31% of cyber-attacks we targeting businesses with fewer than 250 employees, another study from the National Cyber Security Alliance shows that 1 in 5 small businesses fall victim of cyber criminals. Those numbers are believe to higher due to the fact that not all small businesses report the incidents as they occurred. Another study from the National Cyber-Security Alliance shows that 90% of SMB organizations did not have professional IT managers on staff, much less cyber security specialists.

With all that said and done most small businesses still believe that they are in the 80% of businesses not being attacked each year or the 71% that will not be targeted. Although the numbers vary per industry it won't be long before businesses without a proactive information security plan will become another statistic by falling prey of cyber criminals, the underlying questions is at what cost. According to an August 2013 story in PCWorld, of those small businesses whose systems were breached, roughly 60 percent go out of business within six month of the attack.

So what's holding SMB organizations from achieving a hiegher level of protections? After years of experience dealing with SMB organizations of various sizes and industries in NYC and NJ i have narrowed it down to two excuses:

They are too small to be a target.
Cyber Security is too complex and expensive.

To Address the first point, I would say that It is statically proven that small businesses are a target. If you are small business with no security plan and you have not been a victim of a cyber-attack you can consider yourself an exception, or you systems were compromised and you didn't notice it, or there's a good chance it will happen to you in the near future if you don't act proactively. Sometime hackers may not be going after you but they are going after your clients and that in itself makes you a target.

Now the second excuse, Cyber Security is too complex and expensive, had a valid point years ago when all security solutions and products were designed for the enterprise leaving SMB organizations in a technical limbo where they were no solutions designed to suit their needs or they had to be forced to spend substantial amounts of money is enterprise solutions that went underutilized.

The cyber security field has been leveled with the introduction of Cloud based security services or Security as a Service (SaaS) solutions. Now Small Businesses can take advantage of highly sophisticated cyber security solutions to protect their systems and have the same level of protection their enterprise cousins have benefited from for many years. After all, hackers use the tools to attack small and large busineses.

Here at PrecisTek we work to bridge the gap between SMB organizations and information security solutions. We not only provide the technical solutions such as McAfee Security as a Service, Managed Endpoint protection, Endpoint Encryption but also provide the expertise to properly apply the solutions in a way that is cohesive to the rest of the organization. We incorporate all security services as part of our technical services solutions offering SMB organizations the cyber security expertise needed ensure the confidentiality, integrity, and availability of their data and services.

Every business, no matter its size or industry needs an information security plan for their organization. The depth of the plan might varies depending on the nature of the business, government mandates, industry standard and the such. For instance, healthcare provider must comply with HIPAA and HITECH technical standards where they take specific measures to protect the data privacy. Even though those standard are good in nature across the board they might not satisfy PCI/DDS standards online vendors must comply with. Even complying with regulatory standards may not be enough to protect your systems against current threats.

So what's business owner to do? Some through their hands in the air and simple say "Cyber Security is too complex and expensive" but that does not have to be the case anymore. We have helped many businesses bring their IT configuration to a manageable level and developed customized cyber security solutions that align with the business' goals. Our approach helps organization achieve a desirable security level that is able to stop most threats on its onset. Yes, i said most, no solution can guarantee you 100% security, it just doesn't exists unless you are completely disconnected from any network. No one can predict and have patches for zero day attacks.

What we do as a technical services and security Services Company is Midtown NY and NJ is to implement a layered security approach that measures the risks and develop solutions to mitigate the likelihood of a breach and provide proactive monotoring of the systems.

Let me run you through some examples of what we've done for businesses. I'll keep myself from revealing their names for confidentially and security reasons but i can mention general information.

A small 9 employees marketing office in Downtown NY was looking for a company to assist them with their technical issues, mostly general network maintenance, new setups, vendor management, etc. They figured that since most of them use Mac laptops this person or company would come every now and then jus to do simple housekeeping and assist the two Windows users. They did not care about thier systems security, after all they were too small to be a target, so they thought.

Little did they know that three of their systems, two Mac and a Windows computer had been comprised for quite some time. The cyber criminals were using their computers as Zombies to launch DDOS attacks and they had full access to their NAS where they stored all client information and projects they were currently working on. One of the projects they were working on was a campaign for a pharmaceutical company, in this specific client folder there was sensitive information about a new product about to launch along with the marketing campaign and key players within the Pharmaceutical Company. The information was compromised

Needless to say that even when they wanted to hide security breach and keep them under the rug it finally caught up with them, the key players for the new product at the pharmaceutical company were contacted via email by spammers with information that should have kept private between the markerting company and the project leads at the pharmaceutical company, after an investigation from the incident response team they were able to trace the breach to the marketing company, and confronted with facts they admitted their sytems had been comproised. That alone was enough to lose a sizeable contract, unfortunately for them we came onboard after the fact, and the damaged was already done. We implemented a layered security solution to protect the perimeter, endpoints, and the data. The most surprising thing for us was when they told us that they ignored the issue because they thought it was going to cost them much more than what they actually paid for, and compared to the size of the contract they lost the investment was just a small fraction.

I can proudly say that our technical solutions and implementations have stop most networks attacks, only 1 computer had been infected with malware in the past 7 month, we took care of right away and remediated with application's vulnerability, no data was compromised. We offered them a technical support plan that includes the security services and backup, they are as happy as they can be knowing that they don't have to think about technical issues but rather concentrate on what they do best.

Another company in Midtown NY contacted us because they needed a reliable technical support to help them with server and desktop issues as they arrive. They have thirty seven employees, 3 Windows Server, four printers, a wireless network and a NAS.

Our first assignment was to find out why the internet connection has been so slow for the past few month, they had contacted the ISP in the past and according to them everything is working as stated in the SLA.

We noticed that internet access was slow from the internal network but when we bypass the network it worked fine. We decided to do a network traffic analysis by mirroring the trunk port and inspecting the traffic with Wireshark. As someone once said: bits don’t lie, we were able to find the root cause of the problem and to their surprise it was more than they thought.

As it turned out 5 computers were active in P2P network and hosted Gigabytes worth of illegal songs and movies. The users of these computers claimed that noticed performance degradation after they installed a trial version of a pdf creator software downloaded from a what they thought was a legitimate but never thought their systems were being used to host such material. The other finding was that their online backup was running a full back up during business hours, it takes some time and a lot of bandwidth to backup over 300 GB of data every day, and lastly ten computers were infected with different viruses.

No wonder the internet was slow, the office manager said to me. We immediately started on deploying a security layered approach for this NYC Company to address the security issues by implementing a Stonesoft NG firewall with IPS, AV, and web content filtering engines and developed proactive maintenance plan for their technical support and backup.

Their IT cost are less now than what they have paid in the past years, they have seen productivity increase, and now we are working on a high availability solutions in case the one of the ISP goes down.

As you could see there seems to be a pattern, small businesses usually have information security in the background but many issues arise or are based on the lack of proper security solutions. Once cybersecurity is given the attention it deserves it complements the rest of the business operations.

The last example I want to show you is from a mid-sized company in Northern NJ, they have about 300 users across 5 states with the majority of them housed in Secaucus, NJ. With a company of this size and a hefty annual revenue in the millions of dollars anyone would think their IT is under control. Well, not in this case.

This time we worked with the company’s IT department (which consisted of a senior guy and two techs), they were really stretched thin and security was not at the forefront of their daily activities. We assisted them in developing an Endpoint protection for the company servers and computers, deploying an endpoint encryption for their laptops and mobile devices, and we will be working on revamping their wireless solution.

We deliver results. We possess strategic technical vision that allows us to implement technical solutions that align with the business’ goals. We have been helping companies in NYC and NJ with their technical needs and we can help yours too.

We would love to meet with you to how you how our our solutions and expertise can help your business with all technical issues.