The decision to which information security measures should be used across the company’s IT infrastructure and which ones should be left out may be a tough one for midsized companies. The financial resources of a midsized company cannot allow applying all the existing cybersecurity elements to protect the network. At the same time, midsized businesses are big enough to be targeted by cybercriminals.
In this article, our information security consultants describe cybersecurity measures a midsized business can’t do without if it wants to ensure an appropriate network protection level and show how to implement them and arrange their management.
Basic information security measures
Among the range of existing cybersecurity measures the following ones are essential for all mid sized businesses irrespective of the type of business:
- A firewall is responsible for scanning incoming and outgoing network traffic. If set properly, the firewall prevents malicious traffic from reaching your network and possibly damaging it.
- Antivirus software checks each file your company’s employees download from external resources like the internet or USB flash drives for virus signatures. Regular updates to your antivirus will give an alarm each time ransomware, viruses, Trojan horses, and other types of malware tries to reach your company’s network.
- Network segmentation implies the division of the entire company’s network into separate fragments. As a result, the networks of your company’s departments are separated from each other. In case hackers reach the computer in one segment, they won’t be able to access the computers in the other network segments separated from the infected network. Thus, cyberattacks can’t move between the network segments and damage them, and you significantly reduce the risk of facing corporate data theft or leakage.
- Email security techniques include filtering spam and applying password rotations. An email security solution is designed to make sure that only verified letters reach their addresses in the process of communication between interacting parties. It aims at keeping corporate data secure from malware, spoofing attacks, and other cyberthreats in the communication happening both inside and outside the company’s network.
- Intrusion detection (IDS) and intrusion prevention system (IPS) are responsible for analyzing all the incoming and outgoing network traffic. Using pattern matching or anomaly detection, IDS identifies possible cybersecurity threats, while IPS blocks the identified information security attacks, thus not allowing them to turn into major threats and spread across the entire network.
Advanced information security measures
To strengthen the protection of a midsized company operating in a regulated industry (such as banking, healthcare) and having the need to comply with security regulations and standards like PCI DSS, HIPAA, SOX, GDPR, the following information security measures can’t be omitted:
- Endpoint security is responsible for defending each entry point like desktops or mobile devices connecting to the company’s network from attacks before harmful activities spread all over the network. When installed both on the corporate network management server and end users’ devices, endpoint security software provides your company’s system administrators with transparency over the actions that can potentially damage the network.
- Data loss prevention (DLP) allows to avoid the leakage of confidential data, such as clients’ bank account details. DLP systems scan the data passing through a network to ensure that no sensitive information was leaked and got into the hands of cybercriminals’. DLP is designed to avoid the cases when your employees deliberately or unintentionally send an email with proprietary corporate data outside the corporate network.
- Security information and event management (SIEM) software gathers and aggregates the logs from the servers, domain controllers, and all other sources located in your network to analyze them and provide you with a report highlighting suspicious activities. Thus, you can use these reporting results to know whether your systems need special attention and curative measures.
Implementing and managing information security measures
There are three options to implement and manage information security measures. The choice will depend on the nature of industry you operate in (regulated/non-regulated) and available financial and human resources.
- Arranging your own information security department
This method provides you with transparency of security activities happening within your network. However, it implies large expenses on organizing the work of a skilled security team, as well as buying necessary cybersecurity software. Thus, this option is most suitable for a midsized company that is rapidly expanding.
- Turning to a managed security service provider (MSSP)
Deciding to work with an MSSP may be a more time and cost-effective option than arranging your own information security department. You entrust your company’s information security protection to a third party and stay within your financial capabilities. However, this option is not suitable for companies in regulated industries since they may find it risky to give a third-party security services provider control over all aspects of their corporate network security.
- Joining the efforts of your security department and an MSSP
This option is an apt choice for those midsized companies that have to comply with security regulations and standards. While a reliable MSSP will provide you with a security monitoring service and report on suspicious activities or system errors happening across the network, your information security department can focus on eliminating the detected information security issues that can damage the corporate confidential data and customer personal information.
Ensuring the robustness of information security measures
Regardless of the set of measures applied to protect your IT infrastructure and their management option, your information security strategy should provide for the ongoing assessment of their efficiency.
Vulnerability assessment that is usually followed by penetration testing should be conducted quarterly or annually (depending on the necessity of a company to comply with security regulations and standards). When combined, they not only help you to stay constantly aware of any security gap in your company’s network but also assist in reacting to the detected information security issues promptly.
As a supplementary practice necessary for midsized businesses from regulated industries, threat monitoring must be ensured to check the network for indicators of cyber protection breaches like data exfiltration attempts.
You’ll also need a structured incident response (IR) plan to identify the root causes of the cyber protection incidents that have already happened and remediate them rapidly not to cope with system outages or data losses in the future.
Finally, train your staff regularly to increase their cybersecurity consciousness, and determine the appropriate behavior for your employees, such as an obligatory use of complex passwords and an awareness of how to dodge spamming or phishing attacks.
In a nutshell
Midsized companies can ensure effective cyber protection within their limited budget by employing such cybersecurity measures as antiviruses, firewalls, and email security. In case they need to stay compliant with security standards and regulations, they should also implement such protection measures as network segmentation, install IDS/IPS, SIEM and DLP, and ensure endpoint security. Either the company’s information security department and/or an MSSP can organize these measures in the network.
Last but not least, the CIOs of CISOs of midsized companies must ensure that the security of their networks is monitored and regularly assessed to identify suspicious activities and cybersecurity breaches, and close security gaps.
Uladzislau Murashka is a Certified Ethical Hacker at ScienceSoft with 5+ years of experience in penetration testing. Uladzislau’s spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of Information Security.