Small Size, Big Shield: How Small Businesses Can Be Cyber Ready

When data breaches of corporate networks are discussed, larger and more publicly visible businesses usually come to mind. However, small businesses are just as susceptible to cybersecurity attacks, and their owners should remain just as vigilant in ensuring that their systems maintain a hardened attack surface. According to Inc.com, 60% of small businesses go out of business within six months of suffering a cybersecurity attack (60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself | Inc.com). This article discusses a few practical ways in which businesses operating on a small budget can protect themselves against the data and reputation loss that comes with compromised systems.

Guard Against Insider Threats


Some of the largest threats to organizations aren’t just external adversaries; they often take the form of internal vulnerabilities:

  • Train employees and support staff. Long gone are the days when an understanding of how computing and networking work was reserved for the computer ge…geniuses. In this day and age EVERYONE must have a working fundamental knowledge of cybersecurity, because everyone is a potential victim of cybercrime. The more technologically sophisticated society becomes, the more its citizens need to know about how technology works. Regardless of company role, it should be mandatory that all employees take cybersecurity awareness training at least once a year. This training should cover subjects such as phishing (think emails with suspicious links), ransomware, safe online practices, and suspicious activities such as social engineering (Social Engineering Training Courses | Social-Engineer, LLC).


  • Restrict administrative privileges. The security principle of “least privilege” states that system users should be given only the access they need to complete their job functions. This principle should serve as the foundation around which all business owners and security administrators configure their systems and networks. Several factors make least privilege vital to organizations. In a scenario where a hacker has already exploited a vulnerability that gave them access to a corporate network, an overabundance of administrative accounts increases the likelihood of privilege escalation. Privilege escalation happens when a basic user (legitimate or malicious) can traverse a network and/or conduct administrative functions by gaining unauthorized access to more privileged accounts. Another scenario to consider is employees who move from one job role to another. These users’ access, roles, and abilities should change immediately along with the job function. Unfortunately, it is quite common for administrators to overlook this, and a new attack vector is created in the form of privilege creep. Privilege creep is when a user holds account privileges that far exceed what their job role requires. This can lead to problems ranging from intentional sabotage and fraud to the aforementioned privilege escalation attack. Remember to always configure and maintain user access with a “need to know” mentality.


Some may mean well, some may not...don't wreck your mind trying to figure it out. Safeguard against all! (credit: Teramind | Infographic design by Antonio Grasso)



  • Evaluate remote access policies. The environment in which employees commonly work has evolved with technology, especially since the COVID pandemic. Hybrid and remote work has become much more commonplace and requires organizations to plan how to maintain a secure network posture while giving their employees more autonomy. Policies must be implemented that dictate from where and how an employee can remotely connect to a company’s internal network; for example, restricting the use of public Wi-Fi and requiring a trusted home network when connecting remotely to a work environment. Also, installing and requiring the use of a VPN (virtual private network) client on user devices adds a layer of protection when employees connect remotely to corporate networks, by creating a secure encrypted connection.

Implementing Network Layer Security


Hardening the attack surface of an organization’s network is vital and small businesses aren’t an exception:

  • Securing internal Wi-Fi. Strong passwords and encryption should be implemented on all access points. WPA2 or WPA3 encryption should be used, and WPS should absolutely be disabled. Wi-Fi Protected Setup (WPS) allows any device to connect automatically to the access point on which it is activated. Unless the access point is part of a publicly available guest network, WPS shouldn’t be activated, and even in that scenario another layer of security is needed. Lastly, ensure that network and access point names are hidden by default. This can be done by disabling the router’s SSID broadcast and implementing a whitelist strategy. A whitelist requires the MAC address of each user’s device to be manually added to an access control list by an administrator, which then allows that device to see and connect to internal corporate networks.


Lock'er down!


  • Segment the network. There are several benefits to dividing the internal corporate network into smaller segments (subnets). Going back to the principle of least privilege, segmentation helps ensure that each department has access to the resources it needs in one place and that another department cannot access them without a “need to know”. Network segmentation can also limit the spread of a ransomware attack. Instead of an entire network being locked out by such an attack, only a segment may be, mitigating the damage and availability loss incurred.


  • Monitor network activity. Within a network, there should always be a hardware and/or software solution tracking the behavior within it and the flow of data going in and out. At minimum, a small business should have an Intrusion Detection System (IDS). An IDS monitors network traffic and alerts security staff if it picks up unusual network activity. These alerts can be configured based on many different factors: set thresholds for network traffic, signature-based rules, behavior-based rules, etc. A step up from this is an Intrusion Prevention System (IPS). An IPS can do everything an IDS does, but it also takes measures to remediate the detected activity. Its configuration can be based on the same factors as an IDS, and the IPS can block or drop traffic that it deems malicious.
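To make the IDS/IPS distinction concrete, here is an added example (not from the original article or any product) that applies the three alert bases named above to a handful of flow records: a signature match, a per-source byte threshold, and a behavior baseline of ports each host normally uses. In IDS mode every record is forwarded and only alerts are produced; in IPS mode records that fire a rule are dropped. The baseline, signature string, addresses and traffic are all constructed sample data.

```python
"""Minimal IDS/IPS illustration: signature, threshold and behavior rules."""
from collections import defaultdict

# Constructed baseline: destination ports each internal host normally uses.
BASELINE_PORTS = {"10.0.1.20": {80, 443}, "10.0.1.21": {443}}
# Constructed signature: stands in for a pattern a real rule set would carry.
SIGNATURES = {b"CONSTRUCTED-BEACON": "known beacon string"}
BYTES_PER_SRC_LIMIT = 50_000  # threshold rule: total outbound bytes per source


def inspect(records, mode="ids"):
    """Run all rules over flow records; return (alerts, forwarded_records).

    Each record is {"src", "dst", "dport", "bytes", "payload"}.
    IDS mode forwards everything and only reports; IPS mode drops
    any record that fired at least one rule.
    """
    alerts, forwarded = [], []
    sent = defaultdict(int)
    for r in records:
        reasons = []
        for sig, desc in SIGNATURES.items():  # signature based
            if sig in r["payload"]:
                reasons.append(f"signature: {desc}")
        sent[r["src"]] += r["bytes"]  # threshold based (running total)
        if sent[r["src"]] > BYTES_PER_SRC_LIMIT:
            reasons.append(f"threshold: {sent[r['src']]} bytes from {r['src']}")
        known = BASELINE_PORTS.get(r["src"])  # behavior based
        if known is not None and r["dport"] not in known:
            reasons.append(f"behavior: {r['src']} never uses port {r['dport']}")
        if reasons:
            alerts.append((r["src"], r["dst"], r["dport"], reasons))
            if mode == "ips":
                continue  # IPS remediates by dropping the traffic
        forwarded.append(r)
    return alerts, forwarded


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    {"src": "10.0.1.20", "dst": "203.0.113.5", "dport": 443, "bytes": 1_200,
     "payload": b"GET / HTTP/1.1"},
    {"src": "10.0.1.20", "dst": "198.51.100.7", "dport": 4444, "bytes": 300,
     "payload": b"CONSTRUCTED-BEACON id=7"},
    {"src": "10.0.1.21", "dst": "203.0.113.9", "dport": 443, "bytes": 60_000,
     "payload": b"POST /upload"},
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        found, passed = inspect(SAMPLE, mode)
        print(mode, "alerts:", len(found), "forwarded:", len(passed))
```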

Defense-In-Depth


One or a few well-configured controls aren’t enough. Small businesses must also implement some form of defense-in-depth. Defense-in-depth is a layered security model in which compensating controls back up every control already in place, on the assumption that any existing control can be breached. The image below serves as an example of the different layers that can be implemented (Describe defense in depth - Training | Microsoft Learn):


The various layers of Defense-In-Depth

Here are some defense strategies within these different layers that can be implemented together:

  • Backing up data. It is very important to regularly back up data and store it offline or on a separate redundant network. Having backups readily available is critical to how fast a business can recover from a disaster (man-made or natural) and continue operating. There are several affordable cloud solutions that can help with this, as well as companies that offer physical solutions for storing large amounts of data offsite.


  • Have robust password policies. Require the use of unique and complex passwords, supported by a password manager. Setting a high minimum length, a mixture of mandatory character types (with the exception of certain special characters, to avoid some plaintext-based exploitation), and strict expiration and reuse rules can reduce the success of password guessing attacks. However, this can introduce another very common attack vector: users writing down and sharing passwords. This vulnerability can be mitigated in a few ways. A Single Sign-On (SSO) solution can be implemented, which relieves the user of having to memorize several different passwords at a time and just requires them to log in to a system based on either something they know (a PIN), something they have (a one-time token), or something they are (biometrics). Which leads to the next point:


"Something that you are". Biometrics can simplify the user authentication process

  • Implementing Multi-factor Authentication (MFA). This adds an extra layer of security to user accounts. These solutions are often used in conjunction with strong passwords. In the unfortunate scenario where a malicious user successfully guesses an account password, they would still need to authenticate in a way that only the true account holder should be able to. Again, examples include an established PIN, a one-time password sent to a separate device or email account, or a fingerprint scan.


  • Keeping software up to date. Out-of-date or unsupported software can leave huge vulnerabilities in an organization’s attack surface. As challenging as it may be, small businesses must prioritize keeping operating systems, antivirus, and firewalls updated, and replace all legacy software. Software that is not updated or is no longer supported by the manufacturer will be full of security vulnerabilities that attackers will immediately seek to exploit to gain unauthorized access to the information it contains. In addition to using updated antivirus and firewall solutions, small businesses should also consider implementing endpoint detection and response (EDR) tools for enhanced protection.

Just say "NO" to legacy operating systems. An unsupported OS is not an effective cost savings strategy!!!


  • Implementing access controls. Building on the principle of least privilege, access controls should be implemented at the software, system, and network levels. Security user groups can be created to organize employees based on roles, duties, and components. An administrator can then control who has read, write, and delete access to certain resources within software, systems, and network segments. This also includes restricting administrator privileges by limiting access to administrative functions and tools to the related accounts and basing them on organizational roles. Physical access should be considered as well. Control access to buildings and data centers with guards, PIN pads, and key fob scanners. Protect data at rest on company-owned devices by enabling a hardware-based encryption solution in case the devices are ever lost or stolen.


  • Disable macros. Macros are small scripts built into Microsoft Office suite products that allow users to perform or automate small tasks. Because they execute code, they can be written to perform malicious actions. Administrators should disable this functionality by default and only allow its use in accordance with corporate policy.


  • Email and content filtering. Set up filters to block phishing and spam emails. While this can be automated, well-trained employees who can spot a fraudulent email that slips through the cracks of a filter create an extra layer of security. It is also best practice to block access to known malicious websites and to limit access to unnecessary or risky websites. Content filters can be configured to block or reroute access to commonly misspelled website names to prevent typosquatting. Typosquatting happens when malicious actors buy domain names that are misspellings of commonly visited websites (e.g. goggle.com or facebok.com) and set up fake versions of the real websites for nefarious purposes (e.g. phishing).

S...Squat happens! But you don't need to be knee deep in it.
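As an added example of the content-filter rule described above (not from the original article or any filtering product), the following code flags requested hostnames that are a one- or two-character edit away from a trusted domain, which catches the goggle.com and facebok.com cases the article cites as well as transpositions and wrong top-level domains. The trusted-domain list and the registrable-domain helper are simplifying assumptions; a production filter would use a curated list and the public suffix list.

```python
"""Flag lookalike hostnames for a typosquatting content filter."""

# Assumed trusted list: the sites a small business's users visit most.
TRUSTED_DOMAINS = ["google.com", "facebook.com", "microsoft.com"]


def damerau_levenshtein(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable(host):
    """Simplifying assumption: the last two labels form the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ("trusted", domain), ("block", lookalike_of) or ("allow", None).

    A name within max_distance edits of a trusted name, or the same name
    under a different TLD, is treated as a typosquat and blocked.
    """
    dom = registrable(host)
    if dom in trusted:
        return ("trusted", dom)
    name, _, tld = dom.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        dist = damerau_levenshtein(name, tname)
        if 0 < dist <= max_distance or (name == tname and tld != ttld):
            return ("block", t)
    return ("allow", None)


if __name__ == "__main__":
    for h in ["maps.google.com", "goggle.com", "facebok.com", "gogole.com",
              "google.co", "example.com"]:  # constructed sample requests
        print(h, "->", classify(h))
```

Rerouting rather than blocking is the same decision with a different action on the "block" result, and the distance threshold should be tuned per trusted name, since very short names will collide with legitimate unrelated domains.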


  • Encrypt sensitive data in all forms. Whether data is sitting on a hard drive (at rest), being moved between servers (in transit), or being viewed and updated (in use), there should always be a layer of encryption masking it from unauthorized users. Minimize the occurrence of unprotected plaintext sensitive information in the organization, so that the data stays protected even if all other security measures fail to prevent unauthorized access to it.


  • Develop an incident response plan (especially for ransomware). There needs to be a well-established plan for identifying, containing, and recovering from cybersecurity attacks. One of the most devastating types of cybersecurity attack is ransomware. Ransomware is a type of malware that tends to target business entities, locks down their networks, and demands a large payment (usually in bitcoin) by a certain time for the infected company to regain access, or else it will encrypt or delete all files on the infected network. Paying or refusing can both be detrimental to a small business, as it may lack the financial resources to recover. This is why it is vital to know how to:

    o Immediately identify this threat

    o Contain/quarantine it

    o Remediate it

    o Have scheduled backups of data ready to deploy

    o Know approximately how much business data can be recovered (recovery point objective)

    o Know approximately how long it will take to recover any lost business data (recovery time objective)

RTO is important because the longer the downtime, the more potential loss of revenue.

Don't get stuck between a rock and a hard place. Be and stay prepared so you don't have to negotiate with terrorists!


  • Regularly scan for vulnerabilities. It is best practice for any business with an IT infrastructure to conduct vulnerability assessments and penetration testing. Both seek to determine how strong an entity’s attack surface is. Vulnerability scanning checks an organization’s software, systems, and networks for known weaknesses (CVEs, Common Vulnerabilities and Exposures) and assigns each finding a criticality score to help prioritize remediation efforts. Penetration testing employs a wide variety of tools to not only find vulnerabilities but attempt to exploit them, simulating an actual cybersecurity incident. Pen testing is also great for testing how effective an organization’s defense-in-depth strategy is. Both vulnerability scanning and penetration testing can be done either by in-house staff or by third-party security companies.

Seek Outside Assistance

There are businesses and services that exist for the sole purpose of helping organizations with their cybersecurity needs. In addition to the aforementioned third-party vulnerability assessors and penetration testers, other services include:

  • Cybersecurity Consultations. If hiring & maintaining security staff proves challenging, small businesses should seek the advice of cybersecurity subject matter experts who can assess their current security measures and provide recommendations for improvement.


  • Cyber Insurance. Small businesses can transfer the risk of financial losses in the event of a cyber-attack and protect themselves by purchasing a cyber incident policy to help cover any related damages.


In conclusion, small businesses must stay informed about cybersecurity and make sure all employees receive regular training on best practices. This includes keeping up to date with the latest ransomware trends, attack methods, and prevention techniques. A company can have as much defense-in-depth as money can buy, but it takes just one poorly trained employee to bring it all crumbling down. Always remember that cybersecurity is an ongoing process, and staying vigilant and proactive are the main keys to small businesses protecting themselves from cyber attacks.
