Security on a Shoestring
As larger organisations bolster their cybersecurity against attacks, cyber criminals are being opportunistic and moving their sights to smaller organisations. For cyber criminals, it is simply a numbers game. The more victims they can get, the more money they can make. Unfortunately, due to resourcing constraints and other factors, many small and medium businesses (SMBs) lag behind in security investments and may be seen a low hanging fruit to target.
For an SMB the impact of a cybersecurity incident can be devastating as it can be very costly to recover and regain any lost customers or business partner and their trust in doing business with you. So it pays to understand and invest in ensuring how you can operate in a cyber-safe manner.
The good news is that there are some simple steps that SMBs can do to help improve their security posture and keep cyber criminals at bay.
But first, let’s understand the factors that inhibit SMBs’ ability to invest in cybersecurity initiatives:
- Funding – SMBs generally have limited funds to invest in their activities, as they are likely to be early in their business lifecycle. Funds are more likely to be dedicated to growth activities.
- Resourcing – SMBs may struggle to fund the talent necessary to manage cybersecurity internally. As a result, this is often outsourced or not managed well.
- Prioritisation – cybersecurity is almost always prioritised below other core business activities. So it might not get the attention it requires.
- Expertise – SMBs may struggle to attract the talent necessary to manage cybersecurity internally.
- Outsourced MSPs – most SMBs have little choice, but to outsource their cybersecurity to managed security providers (MSPs). This can be problematic if the outsourced provider does not understand the true business risks of the organisation and address the client’s cybersecurity needs as necessary.
Now that we understand the constraints, let’s look at what SMBs can do to change this.
- Focus – SMBs need to focus their cybersecurity investments on their key business drivers and activities. They must view cybersecurity as a business enabler and not a burden. This requires aligning cybersecurity investment to the key business initiatives and ensure that you are conducting business in a cyber-safe manner.
- Risk management – Risk management is key to business survival. We understand the need for financial risk management and legal risk management – cybersecurity risk management is no different. Understand the cyber risk profile and exposure of the organisation and invest accordingly to protect it. The size of the organisation does not necessarily dictate its risk profile. For example a small military contractor will have a larger risk profile than a large charity.
- Know thy enemy – it is important to know who is attacking you and how. And this does not need to be sophisticated. Larger organisations invest in threat intelligence. Smaller organisations can simply do their own research and understand this. Phishing and Business Email Compromise are big issues impacting businesses now. Understand what these are and ask if you are protected?
Next, consider the four types of controls, or approaches that can be used in a cybersecurity context:
- Predict – systems, tools, policies and procedures that help detect vulnerabilities in systems and predict potential avenues of attack.
- Prevent – systems, tools, policies and procedures that prevent threats affecting your systems. An example would be the corporate firewall.
- Detect – systems, tools, policies and procedures that give you the ability to detect threats that may be affecting your system. An example here would be an Intrusion Detection System.
- Respond – systems, tools, policies and procedures that allow you to respond to threats and contain / eradicate them. A policy example would be the corporate Incident Response Plan and associated tools such as a Security Information and Event Management (SIEM) system.
As with most things, the 80/20 rule applies to cybersecurity as well. By this I mean 20% of effort can mitigate 80% of the risks – if you focus on the right things. Here are three steps to get started:
- Threat Intelligence – do basic research and find out what and how cyber criminals are targeting SMBs. Then ask the question if you are confident that you have all the right security measures in place as outlined below.
- User Awareness and cultural change – your biggest security assets – and vulnerability – are your staff. Ensure that they understand cybersecurity basics and can identify cybersecurity threats such as a dodgy looking email or request for an immediate payment of an invoice that doesn’t quite look right!
- Risk Analysis – understand your risk posture based on your business activities and ensure you are at least doing the following:
- Patching / vulnerability analysis – apply security patches regularly to your IT equipment
- Network security including wireless – ensure your network is set up securely and that your wireless access points don’t allow just anyone to join your network!
- Security detection and response – for larger organisations, ensure you have the ability to detect and respond to security incidents as its almost a case of not if, but when
- End-point security – ensure your laptops, mobile devices, tablets, etc. have the relevant security tools in place
- Email and web filtering – ensure your email and web traffic are being filtered by a security tool and ‘nasties’ are being removed
- Cloud security – if you are using cloud (and most SMBs do) ensure your cloud provider has basic security controls built in such as patching, strong user authentication
- Anti-phishing training – train your employees to spot and reject phishing emails. This will go a long way toward combatting phishing attempts
- Third party security assessments – where you are using third parties, ensure that they have these basic security controls in place so that they do not become a backdoor into your organisation
- Backup – backup all your data regularly and ensure the backups are not on the same network as your original data. This will help recover in the case of a ransomware attack
- Password management and 2FA – ensure you use strong passwords everywhere and as far as possible, use two-factor authentication that requires a password and usually a number sequence similar to what you see with internet banking.
A reasonable timeline to work to is:
- 1 Month
- Understand your business priorities and risk – protect the important
- Activate the human firewall – educate your users
- Understand who is attacking you and how, and how vulnerable you are
- 3 months
- Based on your priorities, improve your defences and address the threats
- Get some visibility into your environment – know if you are under attack and know how to respond
- 6 months
- Check and act
Ultimately the key takeaways for me that SMBs can apply are:
- Treat security as being about business outcomes and risk management
- Understand who is attacking you and how and bolster your defences accordingly
- Focus on the 80/20 rule.
To learn more – Read our case study to see how Unisys successfully secured the Invictus Games in six weeks. Also here’s a related article on recent guidelines for SMBs to protect their networks from cyber security threats – ASD to SMBs: here’s a plain English guide to self defense.