What are you trying to protect?

Article Summary

The first thing to reflect upon when think about cybersecurity is “What are you trying to protect?”  In most businesses, what you are trying to protect is data, not machines.  So, when thinking about what data you need to protect rather than the machines you need to protect.

____________________________________________________________________________________________________________

When you ask the small business owner about what they want to do about cybersecurity, you would probably get an answer like “I want to protect my computers.”  There is an old saying in the IT business that the only secure computer is unplugged, has nothing connected to it – even power, and is surrounded by armed guards.  Even then, it would probably not be safe from the Ocean’s 11 crew.  Nor would that physical machine be useful for very much.

OK, maybe that might be a good place to put your cryptocurrency wallet, but you lose that security when you connect that computer to the Internet in order to use that currency.  Besides, most small businesses don’t deal in cryptocurrency.  But even then, what you are trying to protect is the data stored on that computer rather than the computer itself.  What I am going to be talking about here is to help you define what you need to protect and what is just not worth the bother.

I’m going to start out by talking about small businesses with 5 or more people.  I will comment about smaller businesses later in this post.  Typically, when an organization gets to about 5 people, information needs to be stored where more than one person can readily access it.  Traditionally, this information has been stored on an in-house device called a server.  Physically speaking, this device can be what hardware companies call a server machine, what network storage companies call a NAS unit, or even someplace in the cloud.  If you have one of these devices, which I am going to generically call a server, then that is where the information that you need to run your business should be stored.  If you are running some software that only one person uses and it is key to running the organization, for example Quickbooks, that data file should be stored on the server.  I know that some of you will be saying that if I put my Quickbooks file on the server, anyone can get to it.  If your server is properly configured, that is not true.  That is why the CIS Controls has hundreds of settings on how to protect your data on multiple platforms.  But if your key data is not on the server, I highly recommend you get it there.

For smaller businesses, your key data my reside on one or more workstations.  You will need to determine what workstations have what key data and follow the recommendations made for servers for each of those workstations.  

Now that you have determined what needs to be protected, now we need to talk about how to protect it.  The only way to truly protect against loss of your key data is to back it up and back it up frequently.  In today’s environment, your backups need to be inaccessible from your day-to-day operating environment.  Why you ask?  Ransomware, the biggest scourge of any business, has been getting smarter and smarter.  It now not only typically encrypts the data on your computer, but the data on folders it can access from your computer that may be on other machines.  If you have access rights to your backups, it will encrypt them also making them useless.  That is why a good backup system keeps some backups offline.

Earlier I mentioned that backups should be done frequently.  When I first started in this business, I was taught that backups should be done at least daily.  Daily backups should be kept for at least 2 weeks.  A weekly roll-up backup of the daily backups should be kept for two months.  Monthly roll-ups of the weekly backups should be kept for a year.  And the monthly backups should be rolled-up to a yearly backup.  Yearly backups are kept forever.  All these years later, that is still the gold standard for backups.  But that maybe too extensive for the small business.  Each business should evaluate what would be a good rotation for them, but there should be a rotation.  I would also recommend that older backups should be kept off site.  This would allow for business recovery should some event make your business location unusable.

I’ll be talking more about types of backups and recommendations in a future post.