Originally Posted by Forbes – via forbes.com – February 9, 2021
President & Executive Technologist at ENTRUST Technology, San Antonio’s leading cloud and managed services provider.
During the past few months, several of our ENTRUST clients have asked, “Are we doing enough in the way of security?” and we must tell them that, sadly, they’re not. The digital world has changed so much in recent years that we tell our clients to “stop protecting yourself like it’s 2017.” The landscape for security threats shifted dramatically in 2020 alone, and our incoming email filters, which previously blocked dozens of malware attempts per month for a single client, now stop thousands of attempts per month.
It’s time to step up your defenses before you’re breached and your valuable data is affected.
Now that more companies are using remote and cloud-based technologies to foster work-from-home arrangements, that warning is particularly urgent this year. Based on our experience, we’ve identified seven different security “postures,” which can be ranked in levels. It’s helpful to think about them as if you’re guarding your own home against an intrusion.
See the seven levels of security in the graphic below and determine where you think you are today. Many company leaders believe they are at the benchmark or vigilant levels because they are paying for a service plan from a reputable IT firm who is “taking care of it.” In reality, they are only at the basic levels (based on information they received in 2017) with what the IT firm provides in their standard plans. In 2021, everyone needs to be at the benchmark level and should strive to be vigilant or resilient.
Image courtesy of: ENTRUST TECHNOLOGY
Blind (Level -1)
Some businesses are “flying blind,” which is similar to having a short fence around your house with the gate wide open. This typically means consumer-grade technology, an unmanaged router or firewall, and consumer-grade anti-malware. This is unacceptable for any business, but small businesses sometimes reason that they’re “starting small” or “doing what they can” until they grow. We always advise using some level of professional precaution to protect your business and assets.
Basic (Level 0)
Many businesses have a basic level of security, which is akin to having a short picket fence around your house but at least the gate closed. This usually means a managed, business-class firewall plus managed anti-malware. At ENTRUST and many other managed services companies, this type of security is typically included in every service package. We consider this barely acceptable posture — minimal and unprepared for serious attacks.
Basic + (Level 1)
As businesses begin to take their security seriously, they take a step above the basic minimum level, which is like having a tall fence around your home with the gate closed. On top of the basic protections, these packages include email filtering, web filtering and mobile device management for businesses. At managed services companies, this level is usually included in premium packages for clients. This level indicates that company leaders are taking more serious steps to protect their business.
Benchmark (Level 2)
Security specialists see this as the ideal baseline level of security that they’d recommend in 2021 given all of the potential security threats that surround us today. This is similar to adding to the tall fence a security camera or two to monitor the yard and front door to see who’s approaching. At this level, businesses have two-factor authentication and security awareness training for their team, as well as phishing simulation. Typically, it costs less than $10 per month per user and is easy to implement to ensure that everyone is prepared for security threats.
Vigilant (Level 3)
Few small or medium-sized businesses have built up their security to this level, which is similar to having a brick fence around your home with barbed wire and security cameras. You are prepared, know when a threat is coming, and have a reasonable amount of defense to prevent a threat. This level includes NextGen anti-malware with Endpoint Detection and Response (EDR), which is highly recommended in 2021 to stop serious threats. It’s typically a small monthly upcharge per month or user, and company leaders can ensure that each employee device is protected.
Resilient (Level 4)
Businesses that are serious about security and want a more “eyes on” approach, as opposed to only deploying tools, can incorporate threat intelligence that proactively protects against real-time threats by adding what is called “SOC and SIEM” services. This is akin to having a security guard outside of your home, posted in front of the brick fence with barbed wire and security cameras. This includes alerts for potential threats and real-time alarms on security-related events that are detected through security logs. Billed monthly by server, workstation or device, this level helps company leaders fend off even sophisticated attacks and recover from them quickly should a penetration occur.
Security Management (Level 5)
The top level of protection requires ongoing management of potential vulnerabilities, regular screening reviews, and regular updates to policies. This is like having security auditors at your home that back up the security guard and other defenses, to ensure everything is running properly and incorporating new updates as needed. This goes the extra step and continually looks for vulnerabilities that could be exploited by attackers. This level can cost an additional couple of hundred dollars per month, which some small businesses may find too expensive, but it’s certainly worth consideration.
After review, which of the above scenarios fits your security posture? You may not realize that your current service plan doesn’t protect you from threats automatically and that you can bump up to the next level with little additional cost. Luckily, in recent years, the prices for these services have become much more affordable for small and medium-sized businesses. Even the resilient level, with the security guard, is finally attainable and recommended for smaller businesses.
If you’ve done everything your IT provider recommended back in 2017, it is most likely not sufficient for 2021. Reexamine your security posture in light of today’s threats and invest in the protection level your business deserves.