Each year at the KNOW Identity Conference, we have the world’s smartest minds and most influential organizations discussing the latest trends and leading practices across digital identity solutions for the enterprise. This year, we’re challenging ourselves to think through how we can make security concepts, from access management and authentication to single sign-on, meaningful to a broader audience including small businesses.
The conversation is a timely one. A 2019 study showed 43% of all security breaches involved small businesses, and the House recently approved a bill to help small businesses defend against cyber attacks and intellectual property theft.
As event producers, we thought we’d take a chance to eat our own dog food and offer some practical tips for how small businesses can protect themselves against security vulnerabilities in the absence of a formal identity management strategy.
So Why Do I Need to Eat Dog Food?
For a small business, thinking about the implications of cybersecurity and identity management can be daunting. “Security will become a priority once… we reach 100 employees… once we’re profitable… once we launch our product…” It’s easy to kick the can down the road, but small businesses generally have less security in place, often making it easier to breach the network. If you’re a business with a valuable asset (and we hope you are), you’re not immune to cyber threats, which can compromise your position as a trusted provider.
Although external threats such as cyberattacks make front-page headlines, threats often come from employees themselves. When it comes to internal threats, organizations are about as worried about accidental data breaches via employee or contractor negligence (51%) as they are about malicious insider attacks (47%).
Simple Ways to Start Today
Identity management requires an integrated approach across people, process, and technology. There are ways, however, to improve your cyber smarts, and many only take a few hours.
Assess Your Assets and Evaluate How You Use Your Data
When we set up our registration flow each year, we’re often shocked at some of the questions organizations suggest asking their attendees. Collecting more information than you actually need can put your customers at risk. It may be tempting to collect as many data fields as possible “just in case” you need them one day, but you may also be exposing yourself to more liability. Limit yourself to capturing the data that you truly need. For example, if you want to attract C-suite level executives to an event, asking for “Current Role” makes sense. If you’re not planning to mail your customers a birthday card, maybe you don’t need their birth date and mailing address on file.
Promote Data Governance
Governance can be a scary word, especially for small teams, but it doesn’t have to require drawing up a bunch of box-and-stick diagrams. Create a plan and stick with it. At a minimum, identify what information is sensitive, where it’s stored, who has access to it, and what measures should be in place to protect it. The easiest place to start is restricting access to sensitive data to only those employees who truly need it. From there, put a process in place for handling that data. For example, perform all testing with dummy data, which reduces the risk of accidental data leakage. Lastly, continue to educate your team about security, and make it a required part of employee onboarding and ongoing training.
Apply the Same Standards for Your Vendors & Contractors
When selecting a vendor or contractor, especially one who will require access to sensitive information, ask them about their security practices and how they protect their data. By asking, not only will you understand the product’s security risks (i.e. how easy or hard it is for someone to get hold of your customer data), but you’re also communicating to your partners that information security is important to you. If your partners don’t think information security is a concern, look elsewhere.
Ditch Using ABC123 as Your Password (Seriously)
We know -- having to remember passwords sucks. Password hygiene, however, is one of the simplest ways to protect yourself against cybersecurity threats. The best practices you’ve heard are true: make passwords strong and difficult to guess, don’t write them down on a piece of paper, don’t share them with colleagues, and don’t reuse the same password across multiple websites. If you’re guilty of bad password behavior, invest in a password manager such as LastPass or Dashlane, which can create and store complex passwords for you.
Implement Additional Technology Where It Makes Sense
There are many solutions on the market these days that can significantly improve your security posture, and many are designed with small businesses in mind. Multifactor authentication (MFA) is a great place to start for adding additional layers of protection. Similar to what is required of you when you log in to your bank account, multifactor authentication can ask you to enter a code sent to your mobile device or to log in using a hardware security key.
Yubico, as an example, provides two-factor authentication via a small piece of hardware to ensure online access to confidential information is restricted to approved employees and contractors. Another off-the-shelf solution is Virtru, which we recently implemented; it embeds easily into Microsoft and G Suite applications and lets you encrypt the data within your emails without having to invest in additional perimeter security. You can also easily revoke access to emails and files, set them to expire at a certain time, and restrict forwarding, giving you greater control over secure data sharing without disrupting how the job gets done.
Identity management strategies are as much about sound business practices as they are about information technology. As such, whether your organization has 10,000 employees or 10, there’s no reason not to start today with an incremental approach to strengthening your security practices.
Looking for additional resources? Visit the U.S. Small Business Administration’s guide to cybersecurity and join us at KNOW Identity 2020, where we will be getting our hands dirty with practical security challenges ranging from Privileged Access Management to cloud security.