Security Maturity Model, Part 1

Security posture:

Potentially losing ALL your data, including customer data, might seriously damage your business if not compromise it completely. While larger corporations might be able to pay requested ransoms, even if not openly acknowledging it, smaller business would not be able to do so. Make you sure you balance the cost of a cyber insurance policy that covers ransomware attacks as opposed not having one. 

Ensure corporate data, including customer data, is safely stored, both locally on your desktop computer (using OS and/or disk encryption) and online at your cloud service provider (enabled by default). Also make sure your data is backed up/synced to an online cloud storage so you can recover it at any time if needed. Finally, use a password storage software, preferably an online service, to store and manage all the credentials you must use daily; this will also help to avoid reusing the same credentials for different account and/or weak, easy-to-guess ones.

Have an antivirus software of any kind installed on your desktop computer to protect from known threats. If budget is an issue for now, there a couple of free consumer solutions available that would deliver basic protection. Take care of maintenance tasks like installing OS and software security updates regularly to keep your computer and its data as safe as possible from possible exploits.

Level 2 of the security maturity model is primarily for Small and Medium-sized Businesses (SMB); the number of employees increases significantly from a dozen up to hundred employees and is usually located in one central office location, plus some employees working permanently or occasionally from their home office. There is usually one “Jack of all trades” employee (or two max) dedicated to managing IT using online collaboration tools (e.g., Google Workspace) and a mix of management corporate-owned and personal-owned devices (desktop and mobile). In some cases, some companies might even have a small, local datacenter to host a separate IT infrastructure for specific business-related tasks, such as a software development company building and testing their software in real-life conditions.

Traditional antivirus software, using a reactive posture to protect only from known threats, is no longer enough. It is time to allocate a budget for it and move into a next-generation antivirus solution, adopting a proactive, predictive approach to prevent cybersecurity threats, like a Mobile Threat Defense (MTD) software.

As the employee base keeps growing, so does the number of endpoints, from desktop computers to smartphones or tablets, as most employees tend to have more than one for both work and private usage. Unified Endpoint Management (UEM) solutions become a must to manage all these endpoints, either desktop or mobile, personal-owned or corporate-owned, and provide them with what your users need in term of work apps. This is transparent but controlled access to corporate networks (Wi-Fi, VPN), but also enforced security on them (change password, install OS updates) to ensure they are always compliant with your internal requirements.

When allowing remote access to your local network, for example to roaming or home-based employees, you will need to protect access to your network. One common option most customers use is Virtual Private Network (VPN) software, usually for desktop computers as it will allow them to connect to most internal resources as if they physically were in the office. For mobile devices, the best option is usually to use the solution offered by your UEM software vendor, which would either use their own global private data network (e.g., BlackBerry UEM) or an alternative based on VPN but specific to mobile apps (e.g., per-app VPN), so security does not interfere with end-user experience.

Understanding your business and the operational needs of your cybersecurity solution is paramount in providing the right solution to address your specific vulnerabilities. There are solutions available that are cost-neutral, however, they may not provide adequate protection or do not address ALL of the vulnerability within your organization. The immediate benefits would be recognized as cost saving, however, if there is an attack, that cost saving is immediately lost. The team at ISEC7 can provide an objective assessment of what can address the needs of your organization and/or risk mitigation needed to enhance your current solution.

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group