Risky business

Jun 19, 2022

There are several proactive actions that can be implemented to mitigate IT security risks and keep your firm prepared.

When it comes to eliminating the risk of an IT security incident at your firm, the only way to get to zero risk is to not be in business.

However, there are several proactive actions that can be implemented to mitigate risks and keep your firm prepared. Ultimately, mitigation is about minimizing the risk factors, assessing the cost, and making plans to recover as quickly as possible with minimal loss and downtime.

While it would be difficult (and frankly, boring to most readers) to provide a comprehensive list of disaster recovery, cyber-attack response, and malware prevention tools, this article is designed to provide an overview of four categories of mitigation strategies that can help protect your firm – whether you have an in-house IT department, outsourced IT, or you do it all yourself.

Let’s take a look:

  1. Classification. Classification includes defining and understanding the events that can cause business downtime or data loss. To keep it simple, there are two main classification categories: infrastructure loss and cyber-attack/corruption.
    Infrastructure loss happens when you lose access to the physical environment. This occurs if your building floods, burns, or a truck drives through the front of it. Infrastructure loss also includes lost connection to local hardware, such as when a gas leak shuts off access to your space, which can be especially detrimental if your firm has a local server. For engineering firms, this is a particular challenge, since most employees work with large CAD files; limited – or lost – access can be detrimental to productivity and projects.
    We’ll delve into mitigating risks for a cyber-attack/corruption soon, but for this “classification” category, it’s important to understand each type of event and how it could impact your business.
    In either case, our best advice is to create a disaster recovery playbook. This step-by-step, written plan for each scenario with important login information and phone numbers can provide an established, strategic gameplan in the case of an emergency.
  2. Insurance. Speaking of cyber security, having the right insurance to protect against infrastructure loss and cyber-attacks is critical and one of the most comforting “tools” you can have in your toolbox.
    To start, add a cyber-security policy or rider to your existing business insurance. If your firm already has a policy, review it to understand what it does and doesn’t cover.
    For example, an electronic data loss policy typically only covers the replacement cost for hardware, and does not cover cyber-attacks or malware events. At Croy, our policy includes access to a third-party security firm that specializes in malware attacks. In the event of an incident, this is our first phone call (the phone number is included in our disaster recovery playbook for quick reference). The security firm will assess the damage, determine if the cost/time for recovery is worth the investment, and even negotiate and pay the ransom, if needed. It is an investment that is well worth it, in our book.
    After reviewing your insurance policy’s details, follow up with a call to your insurance provider to dig deeper and get a full picture of your coverage.
  3. Infrastructure. Keeping your business environment safe means making it a priority to manage, update, and patch your equipment – including all infrastructure, servers, workstations, and AV – weekly.
    To begin, check your router, firewall, or wireless access points for firmware and software updates. Threat actors are constantly looking for, and sharing, exploits or bugs that take advantage of weaknesses in either firmware (component-level) or software (the operating system in your router, firewall, etc.), which makes this task a priority.
    Most providers are proactive about pushing out updates to patch their equipment, but it is still necessary to update your internet-facing equipment and workstations as well. To make sure your machines are receiving and applying updates at regular intervals, I recommend having automatic updates turned on.
    At Croy, our IT team uses automatic updates and network monitoring tools that keep us informed of how far behind each machine is on updates. This allows us to prompt a user to install or reboot when an update or patch needs to be applied. But this step can also be as simple as making sure you and your employees are checking and installing updates regularly.
    In addition, below are a few other strategies I recommend to protect your infrastructure:
    1. Pay for anti-virus or anti-exploit software. While there are free options, it is worth investing in a paid version. These are typically inexpensive and offer better protection than free tools.
    2. Implement network segregation. While all your data may be important, some data is more critical to restore quickly after an incident. I suggest keeping primary, active project data separate from older, archival data. This will help you quickly and easily target which data to recover first. It can also help prioritize what data can be off-loaded or moved more easily.
    3. Determine security groups. We use the phrase “principle of least privilege” to help determine the minimum access a user needs to perform his/her job. This is important if malware infects a machine and then operates and encrypts the network using the compromised user’s account. If the user cannot access certain folders, data in those folders cannot be encrypted – therefore, limiting access creates a small barrier that may prevent a mass encryption.
  4. User interaction. There’s a joke in IT: If we had no users to support, we would have no issues! But, of course, we wouldn’t be needed either. We have a symbiotic relationship with our coworkers and work to support them in various ways.
    That said, while the strongest component of our firm is our employees, they are also often the weakest link in our security. To combat this, we focus on educating our employees – warning users, providing examples of what to look for in malicious emails, and sending fake phishing emails to continually train awareness. If you don’t have the bandwidth to do this in your own business, there are options to outsource this type of education and probing effort.
    In a similar vein, email security is a constant battle, but it can be won. Many firms have access to threat protection tools that help keep malicious emails from reaching employees’ inboxes. Whether you have an in-house IT department or an outsourced support team, ask employees to send any suspicious emails to your IT staff to investigate and make adjustments as needed.
    Finally, implement multi-factor authentication, such as entering a code received via text message or having an app authenticate the user’s identity. While this effort doesn’t win the “convenience award,” it significantly helps protect employees, data, and infrastructure for a huge security win.
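The two infrastructure points above, segregating active project data from archive and granting least-privilege security groups, can be checked together by estimating what one compromised account could encrypt. The following is an added example, not code from the article or from Croy; the folders, sizes and group memberships are constructed sample data, and the group names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Folder:
    path: str
    size_gb: float
    write_groups: frozenset  # groups with modify rights (enough to encrypt files)


# Constructed sample shares: active project data kept apart from the archive.
FOLDERS = (
    Folder("projects/bridge-2022", 120.0, frozenset({"eng-structural"})),
    Folder("projects/hwy-14", 80.0, frozenset({"eng-civil"})),
    Folder("archive", 900.0, frozenset({"it-admins"})),
    Folder("finance", 15.0, frozenset({"finance"})),
)

# "Before" state (hypothetical): one catch-all group has write rights everywhere.
FLAT_FOLDERS = tuple(
    Folder(f.path, f.size_gb, f.write_groups | {"all-staff"}) for f in FOLDERS
)

# Constructed membership for one civil designer.
MEMBERSHIPS = {"jdoe": frozenset({"all-staff", "eng-civil"})}


def blast_radius(user, folders, memberships=MEMBERSHIPS):
    """Return (paths, total_gb) that malware running as `user` could encrypt."""
    groups = memberships.get(user, frozenset())
    hit = [f for f in folders if groups & f.write_groups]
    return sorted(f.path for f in hit), sum(f.size_gb for f in hit)


def recovery_order(folders, hit_paths):
    """Order affected folders for restore: active project data first, then the rest."""
    hit = [f for f in folders if f.path in hit_paths]
    return [f.path for f in sorted(hit, key=lambda f: (not f.path.startswith("projects/"), f.path))]


if __name__ == "__main__":
    for label, folders in (("flat groups", FLAT_FOLDERS), ("least privilege", FOLDERS)):
        paths, gb = blast_radius("jdoe", folders)
        print(f"{label}: {len(paths)} folder(s), {gb:.0f} GB reachable; "
              f"restore order {recovery_order(folders, paths)}")
```

Running it shows the same account reaching all 1,115 GB under the flat model but only the 80 GB civil project share under least privilege, which is the barrier the article describes.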

Jason Cunningham is the director of corporate operations at Croy. He can be reached at jcunningham@croyeng.com.

Published in The Zweig Letter.
