Deploying Mobile Devices Securely For The SMB

Deploying Mobile Devices Securely For The SMB

Secure Mobile Device Deployments

As we all know, mobile devices have become not an integral part of the workplace, but even in society. Therefore, the safe deployment of these devices is of paramount importance not just for individuals, but businesses and corporations, government agencies, as well as other entities.

For example:

Mobile devices have indeed become an integral part of any corporate network, as many employees these days now login from their Smartphone to access shared files and other types of resources.
In fact, mobile devices have become the prime target for the Cyber attacker today. Thus, an understanding of the risks and threats that are out there and how to combat them in a proactive fashion is a must.

Read More

Cybersecurity For The SMB’s

The sobering statistics of SMB cyber security.

The sobering statistics of SMB cyber security.

In 2020, the Cyber attacker is not going to be going after the quantity of hacks, but rather, for the “quality” of attacks. In other words, they simply just won’t launch a specific threat vector en masse, but instead, they will pick a very select number of victims.

The sobering statistics of SMB cyber security.

From there, they take their own sweet time to study them, and trying to learn as much as they can in terms of the assets they possess as well as their weaknesses and vulnerabilities. Once the Cyber attacker feels comfortable in achieving this task, he or she will then make their grand entrance into the system, without anyone even knowing about it.

From this point forward, the Cyber attacker will then “live” inside of the target for extended periods of time, in a covert manner. The goal now is to steal as many IT Assets as possible, but little by little, so that the target is totally unaware of it, until it is too late.

But apart from this, 2020 will also usher in a newer trend: Rather than trying to break into the walls of defenses of the Fortune 500, the SMB will now be the new target.

Why Don’t SMBs Take Cybersecurity Seriously?

So, why doesn’t the SMB take their own Cybersecurity seriously? It comes down to two primary reasons:

  • Since it has been primarily the much larger businesses that have been broken into, many SMBs simply think that they won’t be the next target;
  • Many SMBs are on a very tight budget, and because of that, they simply cannot afford to have all the sophisticated technologies and tools that a much larger company can have. But, with hosted security offerings making a huge splash now, this should no longer be an issue.

There are other reasons as well, which are as follows:

  1. Because many SMBs tend to be quite small (say, perhaps 20 employees or less), a family like culture over time starts to evolve. Because of this, great levels of trust are often created, and from within this, a very lax and relaxed atmosphere soon starts to precipitate. In this regard, many passwords and login credentials are shared amongst one another. But an SMB owner just never knows when an employee can turn on them and launch an Insider Attack.
  2. As just described, the lax atmosphere also transcends down into the overall IT security practices as well. For example, many SMB owners are aware of the fact that installing and deploying the latest software patches and updates onto their devices is very important, but this seems to take a very low priority until it is too late to do anything about it.
  3. Because many of the SMBs have very tight cash flows, they cannot afford to pay elaborate perks or bonuses to their employees. Because of this, an SMB owner will usually offer some other sort of incentives, such as working from home, or telecommuting. But keep in mind that with this scenario, it is highly unlikely that the SMB has actually implemented deep layers of encrypted protection for remote access into their IT and Network environments. Because of this, an SMB employee will typically use an unsecured Wi-Fi connection (such as the ones found at Starbucks or Panera Bread) in order to login. This scenario is a huge honeypot for the Cyber attacker to tap into.
  4. In a further effort to keep costs down, many SMBs do not issue company owned devices. Rather, they let their employees use their own devices to conduct their daily job functions, especially their own Smartphones (which is also known specifically as “Bring Your Own Device”, or “BYOD”). This, of course, is a huge recipe for a disaster to happen, as the employee’s own computer may not even have an ounce of security software installed onto them (such as Anti-malware and Antivirus applications).
  5. A lot of SMB owners are very often lured into getting and using free services wherever and whenever possible. This is especially true when it comes to using Cloud based services. A typical example of this is the continued use of Yahoo and Gmail for business purposes. While they may be fine to a certain extent for personal use, these services do not offer enterprise grade level security for an SMB, especially when confidential documents or the Personal Identifiable Information (PII) of customers have to be transmitted over the Internet. Just remember this old proverb: You get what you pay for.
  6. Apart from procuring hardware (such as servers and other wireless devices), one of the biggest expenses for an SMB is that of software application purchases. Because of this, many SMB owners, are tempted to find business application software packages from online stores such as those of eBay or Amazon. But keep in mind, the licensing that has been associated with them may have already been used (and thus cannot be renewed again) or have even expired. Many of the software providers such as those of Adobe and Microsoft have started to really come down hard software piracy and can even impose large fines and even criminal prosecution. Many of these software applications are now available on the Cloud, for a fixed and affordable monthly price for the SMB. A perfect example of this is the Office 365 from Microsoft, in which an SMB can deploy multiple, legal licenses for as little as $15-$20 per month.

Why An SMB Needs To Take Cybersecurity Seriously

Now that we have provided some details as to why an SMB does not take Cybersecurity seriously, the following statistics illustrate WHY one should take it seriously:

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Want to learn more?

Download our company brochure.

Preliminary Draft of NIST Privacy Framework Released

The NIST Privacy Framework will complement the popular NIST CSF

The NIST Privacy Framework will complement the popular NIST CSF

Data privacy and cyber security have a symbiotic and sometimes conflicting relationship. Without robust cyber security, it is impossible to ensure data privacy, as evidenced by the Equifax hack. However, it’s fully possible for an organization to seriously violate users’ data privacy despite practicing robust cyber security. To help government agencies and private-sector organizations better manage the risks of collecting and storing user data and bring privacy risk into parity with their broader enterprise risk portfolio, NIST has released a preliminary draft of the new NIST Privacy Framework, with plans to publish an initial completed version by the end of 2019.

The NIST Privacy Framework will complement the popular NIST CSF

The structure of the NIST Privacy Framework closely mirrors that of the popular NIST CSF so that organizations can use the frameworks together. “While managing cybersecurity risk contributes to managing privacy risk,” NIST writes, “it is not sufficient, as privacy risks can also arise outside the scope of cybersecurity risks.” The Cambridge Analytica scandal – which came to light when a former employee blew the whistle, not in the aftermath of a data breach – illustrated this in stark relief.

What’s in the NIST Privacy Framework?

Like the NIST CSF, the NIST Privacy Framework has three components, or tiers, which seek to reinforce privacy risk management by helping organizations connect business and mission drivers with privacy protection activities.

The Core component of the Privacy Framework is a set of increasingly granular activities and outcomes to encourage organizational dialogue about managing privacy risks. It contains five main functions; Identify-P, Govern-P, Control-P, and Communicate-P, are for managing privacy risks related to data processing, and Protect-P relates to managing privacy risks associated with privacy breaches.

Organizations will use the Profiles component of the Privacy Framework to self-assess their current privacy risk management activities or desired outcomes and identify opportunities for improvement by comparing them with a desired target profile. Finally, the Implementation component will help organizations determine whether they have sufficient resources and processes in place to achieve their target profile.

The Privacy Framework is technology-agnostic and “flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and enterprises, and stay current with technology trends.”

The need for a separate privacy framework

Mobility and connected everything have fundamentally altered the way we live and do business, and consumers now enjoy many conveniences from these technologies. Unfortunately, as the NIST Privacy Framework points out, these conveniences are made possible by data collection on a massive scale, and consumers “may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services.” NIST goes on to say that organizations may not fully understand the consequences, either, and this could have severely negative effects on them in the long run.

Although no federal data privacy law is currently in sight, the California Consumer Privacy Act takes effect on January 1, 2020, and other states are passing privacy legislation modeled on the CCPA. While the NIST Privacy Framework will be voluntary, it seeks to implement some method to the madness and standardize the language around data privacy and privacy risk management.

Public comment on the NIST Privacy Framework draft will be open through October 24, 2019.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.