Cybersecurity is a business issue, not an IT issue. Organizations must foster a cybersecurity culture championed by management and supported by technology, governance, and staff awareness.

Who's Going to Come After Me?

Counterintuitively, headline-grabbing cyberattacks like the recent Blackbaud data breach and Twitter hack can make upper management and C-suite executives feel safe and immune to cyber threats. If there are bigger and better targets out there, why would hackers ever pay attention to their organization?

But just like criminals in the physical world, there are various strata of cybercriminal. There are criminals who conduct diamond heists, and there are criminals who snatch handbags. Plainly these are not the same individuals. The cybercriminals who target high-profile high-value victims are unlikely to turn their sights on the average small to medium enterprise (SME).

But that doesn't mean SMEs have nothing to fear. Quite the opposite. The upper echelons of the cybercriminal world might not consider you a potential victim, but every other cybercriminal does. It's like a convenience store feeling safe because the crew from Ocean's 11 are never going to hold them up. Just because that's true, it doesn't mean you can ignore every other hoodlum out there.

In cybercrime, the most common threats---the ones facing SMEs every day---are victim-agnostic and entirely untargeted. If the cyber attacks are automated and they can hit enough SMEs, the cybercriminals will still make a killing.

There are 30 million SMEs in the United States. In the United Kingdom, the figure is 5.9 million, representing over 99 percent of businesses. So, cybercriminals might not pointedly target you, but every SME and SMM is in their sweet spot for victims, and they're hitting as many of those as they can. Whoever they are.

The biggest threat facing SMEs is malware. Malware is software designed to perform some action to the benefit of the cybercriminals, or threat actors. Malware may exfiltrate data, trap keystrokes to steal login credentials or credit card details, or it might be ransomware. Ransomware encrypts your data and demands a payment, usually in Bitcoin, to decrypt it.

The tool of choice to spread malware is email. Tainted email may carry a malicious attachment, or it may contain a link to a fraudulent copy-cat website masquerading as a genuine website. Either one will infect the victim.

An organization needs to view its cybersecurity holistically. It is made up of three pillars. Each one must be as robust as the other two, and they must combine to underpin a business-wide security-minded culture. And the common thread running through everything is people.

First Pillar: Technology

Technology includes the hardware and software measures and systems you deploy to improve your defenses and to close security gaps. But technology also includes generic IT concerns, such as the topology of your network design. Is your network segregated or completely flat? Would malware be able to race through it unrestricted or would the segmentation contain it? Basic solid network engineering is the first element of your technology pillar. The judicious placement of correctly configured routers, switches, and firewalls provides a foundation for the cybersecurity add-ons to sit on.

All operating systems and application software must be within the manufacturers' support periods. They must all be patched up to date, including firmware on devices like routers and firewalls.

Using encryption for email, and encrypting the hard drives of portable and mobile devices, is common sense and, depending on your geographical location, might be mandated by local legislation, such as Europe's General Data Protection Regulation (GDPR). Control of USB devices should be implemented to suit your needs.

Of course, you will have at least one firewall. Modern appliances support security additions, such as gateway security suites. These are designed to trap viruses and malware threats at the entry point to your network. By contrast, end-point protection suites, containing antivirus and anti-malware packages, try to capture threats on the computers in your network. Neither one replaces the other, but if you can only have one, deploy end-point protection.

Email filtering and anti-spam measures will dramatically reduce the chances of email-borne threats getting through, but they are never 100 percent effective. It can be very difficult to detect and trap a well-written scam email, especially if it doesn't carry an attachment. The days when scam emails were badly written and peppered with bad grammar are not entirely behind us, but they are certainly on the way out. Modern examples are slick and very convincing.

Intrusion detection systems (IDS) use techniques like automatically gathering and collating system logs from servers and network devices, and analyzing them for suspicious behavior or anomalies. This can be set to occur periodically or, if the system is sufficiently sophisticated, in near real time. An IDS may also watch key system files within servers, where any modifications would be indicators of compromise.
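The file-watching side of an IDS described above comes down to keeping a hashed baseline of key system files and reporting any drift. The example below is added here to illustrate that idea and is not code from the original article; the watched paths and the file contents it writes into a throwaway directory are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Paths an IDS would typically watch (constructed list for this example)
WATCHED = ["etc/passwd", "etc/sudoers", "etc/ssh/sshd_config"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def snapshot(root: str, relpaths: List[str]) -> Dict[str, Optional[str]]:
    """Map each watched path to its SHA-256 digest, or None if it is absent."""
    result = {}
    for rel in relpaths:
        p = Path(root) / rel
        result[rel] = sha256_hex(p.read_bytes()) if p.is_file() else None
    return result

def compare(baseline: Dict[str, Optional[str]],
            current: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Classify drift between two snapshots as modified, added or removed files."""
    findings = {"modified": [], "added": [], "removed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue            # unchanged, or absent in both snapshots
        if old is None:
            findings["added"].append(rel)
        elif new is None:
            findings["removed"].append(rel)
        else:
            findings["modified"].append(rel)
    return findings

def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree, record a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in [("etc/passwd", b"root:x:0:0::/root:/bin/sh\n"),
                             ("etc/ssh/sshd_config", b"PermitRootLogin no\n")]:
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        baseline = snapshot(root, WATCHED)
        # Simulated compromise: one watched file edited, one unexpected file created
        (Path(root) / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (Path(root) / "etc/sudoers").write_bytes(b"# unexpected file\n")
        return compare(baseline, snapshot(root, WATCHED))

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host (or signed), since an intruder who can edit the watched files can usually edit a baseline kept beside them.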

How do you know if all of these steps are performing optimally? By using penetration tests and vulnerability scans. A penetration test will attempt to probe your defenses from outside of your organization. It can include up to thousands of individual tests, each designed to probe for a specific potential vulnerability. A vulnerability scan is similar, but it runs on your network, inside the firewall. It scans all of the devices connected to your network, seeking vulnerabilities like out-of-date or unpatched software and operating systems.

Penetration tests and vulnerability scans should be run on a scheduled frequency, and the results used to scope the remedial work that needs to be attended to. When a threat actor---or one of their automated scanners---detects a vulnerability and applies an exploit, you have a compromise on your hands. Find the vulnerabilities and fix them before the threat actors do.

And don't forget backups. Back up to a variety of media, and include an off-site backup in your regime. Backing up to on-premises network-attached storage devices allows faster recovery than from off-site backups, but off-site or off-premises backups provide the most robust recovery solutions. So, do both. Fire or flood can render your premises inaccessible. Without an off-site backup, you're rendered inoperable and unable to trade.

Constantly updated, image-based backups of servers allow you to rapidly recover a server because the operating system is backed up, too, not just the data. Some backup software can convert a backup image into a virtual machine, so that the backup can be spun up on other hardware---or as another server instance in the cloud---restoring access to your downed server in minutes not hours.

Server replication maintains an up-to-date cloned server that can provide an almost instantaneous cutover should the lead server die. With a cloud-based infrastructure, this is easy to do.

Whatever type of backup regime you use, test it. Rehearse disaster recovery scenarios.

When IT equipment reaches its end of life, ensure that secure data destruction is performed on the units to prevent information and data loss through oversight.

Second Pillar: IT Governance

IT governance is the overarching set of controls that you establish and enforce to govern the use of all of your IT assets. They take the form of policies and procedures that ensure that your workforce knows about, and adheres to, best business practices regarding IT and security. Additionally, policies and procedures specific to data protection are becoming common---if not mandatory.

Your procedures should document and detail the actions required to maintain, patch, and monitor all of the elements in the technology section. How are you going to ensure that all security patches have been applied? What is the backup test schedule, and when was it last tested? What is your process for opening a port on the firewall? Is there a documented business case for that port being open, and has it been reviewed? Where are those records kept?

All of the activities that surround the components of the technology pillar should be enshrined in procedures, and those procedures must generate an audit trail or records.

The most common form of authentication is still the password. Do you have a password policy with guidelines for creating secure passwords? Does it tell staff not to use family members' names, birthdays, and other personal details that can be obtained through research or social engineering? Is complexity enforced where possible, or two-factor authentication mandatory where it is available?
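A password policy is only enforced if something checks it. The checker below is an added example, not the article's own material: it applies a length and character-class rule and rejects passwords that contain the personal details the paragraph warns about (names and birthday fragments), including the common digit-for-letter substitutions. The names and dates in the test are constructed.

```python
import re
from datetime import date
from typing import List, Set

# Common digit/symbol substitutions, undone before checking for personal tokens
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def personal_tokens(names: List[str], birthdays_iso: List[str]) -> Set[str]:
    """Strings the policy forbids: names (3+ chars) and birthday fragments.

    birthdays_iso holds dates as 'YYYY-MM-DD'.
    """
    tokens = {n.lower() for n in names if len(n) >= 3}
    for iso in birthdays_iso:
        d = date.fromisoformat(iso)
        tokens |= {f"{d.year}", f"{d.day:02d}{d.month:02d}", f"{d.month:02d}{d.day:02d}",
                   d.strftime("%d%m%Y"), d.strftime("%m%d%Y")}
    return tokens

def check_password(pw: str, names: List[str], birthdays_iso: List[str],
                   min_len: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    lowered = pw.lower()
    normalized = lowered.translate(LEET)   # catches "3mm@" standing in for "emma"
    for tok in sorted(personal_tokens(names, birthdays_iso)):
        if tok in lowered or tok in normalized:
            problems.append(f"contains personal detail '{tok}'")
    return problems

if __name__ == "__main__":
    # Constructed profile: staff member's family names and one birthday
    print(check_password("Emma1985!xyzQ", ["Emma", "Liam"], ["1985-07-03"]))
```

In practice the profile would come from HR data the staff member has consented to the check using, and the rule set would sit alongside, not instead of, a breached-password list and two-factor authentication.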

A Fair Use Policy will list what is, and what is not, acceptable use of your IT and telecommunication assets. You can't provide people with the excuse "No one said I couldn't." Document what is permitted and what isn't.

You might require governance to comply with a law, regulation, or standard such as GDPR, ISO 27001, Privacy Shield, or the California Consumer Privacy Act.

You should have a data breach procedure and an IT incident procedure, and they should both be rehearsed.

Remember, if it isn't written down, it isn't a procedure. Saying "Everyone knows what to do" isn't a procedure; that's tribal knowledge. It means there is neither governance nor control around that activity, and there certainly won't be an audit trail.

And obviously, procedures are completely ineffective if they're not followed.

Third Pillar: Staff Awareness

Your staff are the most important element in the security of your systems and the safety of your data. Cyber-friction is the name for the pushback you may get against change and any extra steps that are required to ensure good security practices. Changes, policies, and procedures must be rolled out in an informed and inclusive way, so that you get staff buy-in and support. You need them to realize---and welcome the fact---that the security steps are there to protect them just as much as the organization.

Is it reasonable to expect your staff to know how to identify scam emails and other forms of attack without appropriate training? Of course not. They require cybersecurity awareness training, and it should be topped up at least annually. The better they can spot threats, the better they can protect the organization. Many ransomware attacks close businesses down. Your workforce has a vested interest in ensuring your organization is not exposed to cyber-risk.

A security-minded culture is one in which your workforce is empowered to query anything suspicious, just to be sure. And to be able to do so without criticism. Every false alarm or "I thought I'd check, just in case," is an indication that they understand the threats, and they're not taking shortcuts or blindly hoping for the best.

Workplace values like these must be instilled into the organization from the top down. Being too petrified to do their job doesn't serve anyone well. But willing due diligence, a sense of engagement, and the comfort of sensible governance are indicators of true staff buy-in.

It's People, All the Way Down

It starts at the top. Senior management needs to understand that everyone is a target. They must appreciate the requirement for, and budget for, the technological defenses. Cybersecurity underpins business continuity, and the ability to maintain trading.

Failure is not an option. The cyber budget will be cheaper than the mayhem caused by a single successful ransomware attack. Remember there's reputational damage as well as financial damage.

The defensive technology must be installed, configured, maintained, and patched. By people, guided by governance.

Staff must use sensible behavior and robust passwords. Governance will provide guidance and controls, but someone has to write the policies and procedures.

An empowered workforce operating in a security-minded manner is achievable, but it doesn't happen without a management plan to make it happen.

It really is people all the way down.