There is no such thing as 100% security. SMBs should assume a breach has happened and secure their network accordingly.

Unlike the chicken-and-egg debate, the question of what came first is easily answered for computer viruses and antivirus products. It wasn’t the antivirus. You may remember from our antivirus post that the first virus that affected personal computers was the Elk Cloner, in 1981. The threats to computers and even other devices have grown exponentially since then. In fact, if you take a moment to think back over the major breaches of 2017, the landscape looks pretty bleak.

Major breaches are only one small part of the problem. Sure, you hear about them in the news, sometimes to the point that you tune them out. But have you ever thought about the number of breaches that affect small and medium-sized businesses? You don’t hear about them on the news, because they’re not associated with global brand names, but that doesn’t mean they don’t happen.

How Breaches Happen

A fact that often goes unmentioned in those news reports is that unsecured SMBs are a gateway to those enterprise breaches. Here’s the scenario: An SMB has a supplier come into their office—could be a graphic designer, a bookkeeper, even a break/fix IT guy. That vendor plugs a USB key into the network and goes to work. Unbeknownst to the SMB, the USB key was last plugged into a personal network that was infected with malware and now the USB key has the same infection, which it passes on to the computer or device it’s plugged into.

The malware quietly spreads across the network until the SMB connects to another vendor’s network through a web portal, then the malware jumps to that network, where it repeats the cycle and continues to move higher and higher up the business ladder. That doesn’t mean the malware is gone from the SMB’s network, either. It’s still there, quietly collecting and sending information and learning more and more about how that IT infrastructure is used, learning passwords to other services and applications, and infiltrating other vendors’ networks.

The most frightening part of this whole process is that when this happens, it can take more than 140 days for the breach to be discovered, and when it is, it’s often discovered by an enterprise company, not the SMB that was originally infected. That means the malware could still reside on the SMB’s network, continuing to collect information and spread unfettered.

The Concept of Assume Breach

While this is only an example, it has happened, and it raises the questions: As an SMB, have you been breached? How would you know?

That’s where the concept of assume breach comes into play. No network-connected computer system can be completely safe. As long as you’re connected to other machines or the internet, there is a possibility that one or more devices on that network has been infected, and the infection can be passed to other machines that connect through the same network. So you assume you have already experienced a breach. Once you’ve made that assumption, you need to secure your systems as if you have been breached.

Security in an Assume Breach Scenario

The first step in an assume breach security plan is to secure the most valuable assets on your network with the highest security capabilities you can afford. This means investing a large chunk of equity into protecting the financial and knowledge assets that could be devastating if they fell into the wrong hands.

It also means reducing access to these assets to the point where they are not only difficult for hackers to reach, but also cumbersome to access even for users who have the correct authorization. These assets should also be segregated into a separate security system to prevent a cascading failure should your preliminary defenses be breached.

Once you know that your most valuable data is protected, the second step is to secure the rest of your organization: first seek out any potential infections or damage that may already have been done, remediate it, and then protect against other threats that might arise. Think of it as putting a cybersecurity plan in place in backwards order, from the recover step to the protect step. It doesn’t mean your general security needs to be any less detailed, just that your most valuable assets should be protected better, and separately.

The Value of Assume Breach

It sounds like a lot of work and expense, and it is. But proactively taking these steps now can save you much more than time and money. There is some chatter on the Web about enterprises holding their SMB partners financially responsible for breaches that originate at the SMB. Given that the average cost of an enterprise security breach can be several hundred thousand dollars, that’s a bill most SMBs can’t afford to pay. It’s less expensive to assume breach and mitigate risk proactively.

The only way to ensure 100 percent security is to place a computer in a room and never turn it on. Threats are evolving at such a rapid rate that all security measures are reactive. Instead of trying to halt the progression with fences and barriers, it’s best to assume some of the bad guys have already breached the perimeter. The question now is, what are you going to do about it?