Small- to mid-size businesses (SMBs) need to remember that digital criminals aren’t just going after large corporations. In its 2020 Data Breach Investigations Report (DBIR), for instance, Verizon Enterprise found that nearly one third (28%) of reported data breaches had involved small businesses in 2019. Similarly, Keeper Security and the Ponemon Institute found that the volume of small- to mid-sized businesses affected by a data breach had increased to 63% in FY 2019—up from 58% in FY 2018 and 54% the year before that.
The Data Breach: A Study of Change
The data breaches referenced above no doubt involved a variety of attack techniques and malicious actors. Some began with an account takeover; others used malware. Some owed their origin to external threat groups, whereas others were the work of malicious insiders.
In all of those security incidents, however, there was a common denominator: something changed. Maybe a user authenticated themselves using a new connection and behaved differently afterward, or perhaps a native service ran an unusual script that then dropped a new file on a connected system. Attackers can try to evade detection all they want, but at the end of the day, they need to change something if they want to accomplish their nefarious ends. They’ll inevitably give themselves away in the process.
The key is for SMBs to leverage their digital security defenses to detect these changes, something with which many of them are still struggling. In a January 2020 research study, for instance, BullGuard found that 43% of U.S. and UK organizations with fewer than 50 employees lacked a cybersecurity defense plan, and that 23% of respondents weren’t using any endpoint security tools. Along these same lines, Alliant Cybersecurity found that more than a fifth (22%) of small- to mid-sized businesses had switched to remote work in response to the global COVID-19 pandemic without having had a clear cybersecurity threat prevention plan in place at the time.
Understanding the Need for Change Management
SMBs can’t afford to leave themselves blind to the system changes that stem from an active security incident. Doing so could jeopardize their data, their reputation, and their future. In response, these organizations need to consider investing in change management.
What Is Change Management?
Apptega defines change management as “the associated processes and seeks to create stability within a system and prevent uncontrolled or random changes or to document change processes when you have turnover within the organization.” Change management thereby frees SMBs and other organizations from needing to simply react to change. It allows them to plan for and proactively track changes in their environments using risk and impact assessments, testing, implementation sessions, and subsequent documentation.
Key Considerations for Change Management
SMBs can’t track changes across their environments unless they know what they’ve got. Indeed, they need to build an inventory of all hardware and software that’s connected to the network. They can actively seek out these connections, or they can use passive discovery tools to help map out their environments and create a corresponding inventory.
Once they have that step taken care of, SMBs need to make sure their assets are configured in a way that supports their security policy. They can do this by establishing an appropriate secure baseline for each of their hardware and software assets, and configuring those assets to their respective baselines. They can then leverage monitoring tools to detect changes to those configurations. If any of those changes are unauthorized or unapproved, that visibility lets them investigate what happened and quickly return the affected asset to its desired state.
Here are some key points that SMBs should remember along the way:
- Document a process for establishing a baseline of hardware and software configuration settings, and implement that process to generate a listing of expected environment standards.
- Implement controls that monitor current system settings for changes, and regularly review unnecessary software, login IDs, and services.
- Document and implement a formal change management process that uses the documented security settings established as the baseline.
- Identify and document device or system owners. These owners should approve (in a consistent, documented form) any change to the systems that they own.
- Establish a method of classifying non-routine changes to systems, applications, and infrastructure. Based on this classification, a specific and consistent workflow should be incorporated to provide a path for relevant changes to be evaluated, properly approved, and tested prior to introduction into production, with validation of the change occurring afterward.
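The steps above (inventory, baseline, monitor for drift, and approve changes through owners) can be tied together in a small drift-detection script. The following is an added example written for this guide; it is not ITEGRITI's code or any product's output. The asset snapshots and the change-ticket log are constructed sample data, and the setting names (`packages`, `services`, `sshd_config`, `local_admins`) are assumptions standing in for whatever a real configuration scan would collect.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample data: the "golden" settings recorded for each inventoried
# asset when the baseline was established and approved by its owner.
BASELINE_SNAPSHOT = {
    "web-01": {
        "packages": ["nginx", "openssh-server"],
        "services": ["nginx", "sshd"],
        "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "local_admins": ["ops-admin"],
    },
    "db-01": {
        "packages": ["postgresql", "openssh-server"],
        "services": ["postgresql", "sshd"],
        "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "local_admins": ["ops-admin", "dba"],
    },
}

# Constructed: what a later scan of the same assets reports.
CURRENT_SNAPSHOT = {
    "web-01": {
        "packages": ["nginx", "openssh-server", "nginx-module-geoip"],  # went through the workflow
        "services": ["nginx", "sshd"],
        "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "local_admins": ["ops-admin"],
    },
    "db-01": {
        "packages": ["postgresql", "openssh-server", "netcat"],           # no ticket
        "services": ["postgresql", "sshd", "telnet"],                      # no ticket
        "sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # no ticket
        "local_admins": ["ops-admin", "dba", "tmpuser"],                    # no ticket
    },
}

# Constructed change-ticket log: changes approved by the asset owner in the
# documented workflow. Ticket numbers and owner names are placeholders.
APPROVED_CHANGES = [
    {"asset": "web-01", "item": "packages", "value": "nginx-module-geoip",
     "owner": "web-team-lead", "ticket": "CHG-0001"},
]


@dataclass
class Change:
    asset: str
    item: str
    kind: str        # "added", "removed" or "modified"
    value: str
    approved_by: str = ""
    ticket: str = ""


def fingerprint(settings: dict) -> str:
    """Stable SHA-256 over an asset's settings, so unchanged assets are skipped cheaply."""
    canonical = json.dumps(settings, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_baseline(snapshot: dict) -> dict:
    """Turn an approved snapshot into the baseline record kept for each asset."""
    return {asset: {"hash": fingerprint(s), "settings": s} for asset, s in snapshot.items()}


def detect_drift(baseline: dict, current: dict) -> list:
    """Compare a fresh scan against the baseline and list every difference."""
    changes = []
    for asset, entry in baseline.items():
        if asset not in current:
            changes.append(Change(asset, "asset", "removed", asset))
            continue
        if fingerprint(current[asset]) == entry["hash"]:
            continue  # identical settings, nothing to inspect
        for item, expected in entry["settings"].items():
            if isinstance(expected, list):
                observed = current[asset].get(item, [])
                for value in sorted(set(observed) - set(expected)):
                    changes.append(Change(asset, item, "added", value))
                for value in sorted(set(expected) - set(observed)):
                    changes.append(Change(asset, item, "removed", value))
            else:
                observed = current[asset].get(item)
                if observed != expected:
                    changes.append(Change(asset, item, "modified", str(observed)))
    for asset in current:
        if asset not in baseline:  # device that is not in the inventory at all
            changes.append(Change(asset, "asset", "added", asset))
    return changes


def classify(changes: list, approved: list) -> dict:
    """Split detected changes into owner-approved ones and unauthorized ones."""
    index = {(a["asset"], a["item"], a["value"]): a for a in approved}
    result = {"approved": [], "unauthorized": []}
    for change in changes:
        record = index.get((change.asset, change.item, change.value))
        if record:
            change.approved_by, change.ticket = record["owner"], record["ticket"]
            result["approved"].append(change)
        else:
            result["unauthorized"].append(change)
    return result


if __name__ == "__main__":
    findings = classify(detect_drift(build_baseline(BASELINE_SNAPSHOT), CURRENT_SNAPSHOT),
                        APPROVED_CHANGES)
    for change in findings["unauthorized"]:
        print(f"UNAUTHORIZED {change.asset}: {change.item} {change.kind} {change.value!r}")
    for change in findings["approved"]:
        print(f"approved     {change.asset}: {change.item} {change.kind} {change.value!r} "
              f"({change.ticket}, {change.approved_by})")
```

Anything in the `unauthorized` list is the trigger for the investigate-and-restore step described above: the change exists on the system but no owner approved it through the documented workflow. In practice the snapshots would come from a configuration scanner or an inventory tool rather than being embedded in the script, and the approved-change list from the ticketing system.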
How ITEGRITI Can Help
Given the gaps in security coverage described above, some SMBs might not have the resources necessary to craft an effective change management program on their own. Those organizations can consider working with ITEGRITI. Its team members have deep experience in cybersecurity strategy, planning, and development, knowledge they can use to help customers form their own organizational change management plans and accompanying processes.
To get started, organizations need to first determine their cybersecurity risk baseline. They can understand their current risk exposure by taking ITEGRITI’s Cybersecurity Risk Assessment. These risk assessment questions are based on the essential cybersecurity controls that help companies to avoid hacks and minimize business impact during cybersecurity events. They will receive a copy of the risk baseline report along with a cybersecurity maturity score, based solely on this attestation, along with control implications in areas where cybersecurity controls may need improvement.
Click here to receive an assessment of your organization’s cybersecurity risk.
This SMB Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:
- Cybersecurity Guide: The Role of a CISO
- Cybersecurity Guide: Security Awareness & Training
- Cybersecurity Guide: Asset Inventory
- Cybersecurity Guide: Asset Baselines, Hardening and Change Management
- Cybersecurity Guide: Vulnerability Management
- Cybersecurity Guide: Access & Account Management
- Cybersecurity Guide: Supply Chain Management/Third Party Vendors
- Cybersecurity Guide: Incident Management & Review
- Cybersecurity Guide: Information Management & Protection
- Cybersecurity Guide: Boundary Defense, Electronic & Physical Security