How Automation is Making Security More Attainable for SMBs
With increasing, indiscriminate cyberattacks, cybersecurity is no longer a nice-to-have, but a need-to-have for businesses of all sizes. Not all entrepreneurs are IT gurus, however, and many small and mid-sized businesses (SMBs) don’t have in-house security teams or the money to bring them in.
So, how can SMBs bolster their defenses without breaking the bank? The answer can be found in the automation of security compliance.
It’s obvious that automation can save time and money, but in the security compliance space, automation can also be a means to level the playing field when it comes to accessing the best cybersecurity for businesses of all sizes.
Automation in security compliance works well because compliance audits are largely achieved through the repetitive tasks that computers do best: time-intensive tasks, time-based tasks, and monitoring and reporting on the status and completion of control activities.
In the United States, SOC 2 is the leading information security standard against which organizations can be attested by a third-party auditor, in this case a Certified Public Accountant (CPA). To earn a SOC 2 report, an organization’s controls must meet the AICPA’s Trust Services Criteria for Security, Availability, Confidentiality, Processing Integrity, and Privacy. Security is a required criterion; the others are optional.
Without automation, the audit process is incredibly time consuming and expensive—things that startups do not have to spare.
Firewalls and Secure Network Perimeters
Automating security controls like firewalls, technical vulnerability detection and remediation, encryption, and human controls expands access to security to SMBs by making it cheaper, easier, faster, and more efficient.
Automated monitoring processes run 24/7, checking firewall rule sets and system configurations against a known good state. Any deviation from that known good state is reported to the security team as an alert. Some systems go further and mitigate the deviation by changing the configuration back to the known good state.
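The control described above, written out as an added example (not code from the article or from Vanta): a known-good firewall baseline, a constructed "current" rule set as a monitor might read it from a device, a drift check that emits one alert per deviation, and a remediation step that restores the baseline. The rule names, attributes, and addresses are constructed sample data.

```python
from typing import Dict, List, Tuple

# A rule set is {rule_name: {attribute: value}}.
RuleSet = Dict[str, Dict[str, str]]

# Constructed baseline: the rule set approved by the security team (known good state).
BASELINE: RuleSet = {
    "allow-https-in": {"action": "allow", "proto": "tcp", "port": "443", "src": "0.0.0.0/0"},
    "allow-ssh-admin": {"action": "allow", "proto": "tcp", "port": "22", "src": "10.0.5.0/24"},
    "deny-all-in": {"action": "deny", "proto": "any", "port": "any", "src": "0.0.0.0/0"},
}

# Constructed current state as a monitor might read it: SSH was widened to the
# internet, an unapproved RDP rule appeared, and the final deny rule is gone.
CURRENT: RuleSet = {
    "allow-https-in": {"action": "allow", "proto": "tcp", "port": "443", "src": "0.0.0.0/0"},
    "allow-ssh-admin": {"action": "allow", "proto": "tcp", "port": "22", "src": "0.0.0.0/0"},
    "allow-rdp-in": {"action": "allow", "proto": "tcp", "port": "3389", "src": "0.0.0.0/0"},
}

def detect_drift(baseline: RuleSet, current: RuleSet) -> List[str]:
    """Compare current against baseline; return one alert per deviation."""
    alerts = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            alerts.append(f"MISSING {name}: expected {baseline[name]}")
        elif name not in baseline:
            alerts.append(f"UNAPPROVED {name}: found {current[name]}")
        else:
            base, cur = baseline[name], current[name]
            for key in sorted(set(base) | set(cur)):
                if base.get(key) != cur.get(key):
                    alerts.append(f"MODIFIED {name}.{key}: {base.get(key)!r} -> {cur.get(key)!r}")
    return alerts

def remediate(baseline: RuleSet, current: RuleSet) -> Tuple[RuleSet, List[str]]:
    """Revert current to the known good state; return (restored set, actions taken)."""
    actions = [f"delete {n}" for n in current if n not in baseline]
    actions += [f"restore {n}" for n in baseline if current.get(n) != baseline[n]]
    restored = {n: dict(r) for n, r in baseline.items()}
    return restored, actions

if __name__ == "__main__":
    for alert in detect_drift(BASELINE, CURRENT):
        print("ALERT", alert)
    _, actions = remediate(BASELINE, CURRENT)
    print("remediation:", actions)
```

In a real deployment the two rule sets would come from a config export or the firewall's management API, and the remediation actions would be applied through that same API after the alert is raised.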
Although automated monitoring of physical perimeters is not yet commonplace, the capability exists and grows as Internet of Things (IoT) technologies continue to evolve. Smart fences with networked sensors can detect and alert on breach conditions or unsecured access points. Similarly, drones can autonomously scan perimeter defenses and alert security teams based on a map of the known good state and any deviations from it.
Technical Vulnerability Detection
Scanning for and remediating technical vulnerabilities parallels the maintenance of a secure physical perimeter. The main difference is that technical vulnerabilities don’t spawn from misconfigurations or changes: new weaknesses are discovered by security researchers almost weekly.
According to the U.S. Cybersecurity and Infrastructure Security Agency, in just the first few weeks of 2022 Apple, Microsoft, Google, Adobe, Cisco, VMware, SAP, Mozilla, WordPress, Citrix, Samba, and Oracle released critical security patches. These patches addressed vulnerabilities that would let a remote hacker take control of the affected system.
Without automated scanning processes, finding and fixing these vulnerabilities would be a 24/7 job.
In this respect, physical security practitioners have the upper hand: fences that work one day don’t tend to fail the next. This, however, is the dichotomy of emerging IoT. On one hand, automated detection will be drastically improved. On the other hand, technical vulnerability management must then be applied to all physical security systems, and the tooling for those systems is likely to lag behind the adoption of IoT-enabled infrastructure.
Encryption of Datastores and Communications
Maintaining the efficacy of encryption technologies requires correct application to in-scope systems and transmission channels, and secure management of keys. Here automated processes are superior to manual ones because they continuously check databases, filesystems, and transmission settings, ensuring that encryption is applied and that keys are secured and managed in compliance with policies and service-level agreements.
The superiority of automation can also be found in physical security with the use of smart doors, locksets, and windows that continuously report their status and send alerts when insecure conditions are found. These technical monitoring advancements can be found in many hospital maternity wards in the United States. Without them, personnel would need to manually check each security point—which leaves room for breaches as we can’t be everywhere at once.
Risk Assessment, Human Controls, and Training
The last silo of controls is the administrative control set, which deals with the human factor. Human controls, the controls used to mitigate the risks that come from people, are the most common source of audit findings that result in SOC 2 report exceptions. They include pre-employment criminal history checks, reference checks, screening interviews, acknowledgement of policies, procedures and terms of employment, training, and performance reviews.
We all make mistakes. It’s easy to miss a training, accidentally provision access before policies have been accepted, or fail to complete a recovery test within the allotted time.
Improving management of administrative controls through automation can be as simple as reminding people what they are supposed to do and when.
For example, employees can be reminded to accept the latest revision of the company Code of Conduct and to complete annual security awareness training within the next seven days, and managers can be prompted to ensure they complete performance reviews by the deadline. In each case, automated reminders are sent directly to the responsible parties via email, an internal messaging system, or text to prompt them to complete the task by the deadline. Managers can also be notified automatically when deadlines are missed.
Cyber threats will continue to evolve as we move further into the digital age, making the security of systems and people a complex challenge. Automation of compliance with information security and privacy frameworks like SOC 2, ISO 27001, the U.S. Health Insurance Portability and Accountability Act, and the EU’s General Data Protection Regulation is the state of the art for cloud-native SaaS companies. Automation of security management, monitoring, and response processes is still novel in some sectors, but it will be an essential element of the control environment as we move forward into the 21st century.
Matt Cooper, CPP, CISSP, CCSP, CISA, CIPM, CIPT, CIPP/E, CIPP/US, ISO 27001 LA, is a certified Facility Security Officer (FSO) and the Principal of Cybersecurity & Data Privacy at Vanta, an automated security compliance SaaS. In his role, Matt assists customers with audit readiness, working to understand the big picture of what they are trying to achieve and helping them prepare to meet their SOC 2, ISO, or HIPAA compliance goals. Follow Matt on LinkedIn.