Although organizations of all sizes are targeted by cyber criminals, small and medium-sized businesses (SMBs) have turned into a preferred target. In fact, according to Aberdeen research, the risk of a single data breach is 63 percent higher for SMBs than it is for larger organizations with over 1,000 employees.
The Ponemon Institute's 2017 State of Cybersecurity in Small and Medium-Sized Businesses report (released last September) found that 61 percent of these businesses experienced an attack in 2017. The most prevalent attacks against SMBs were social engineering and web-based attacks.
When SMBs suffer a breach, they’re less likely to bounce back. In fact, the stats from a U.S. National Cyber Security Alliance study show that 60 percent of these businesses shut down within six months of a breach.
Part of the issue SMBs face is lack of resources. They simply don't have the time, money, or dedicated personnel to stay ahead of these attacks. The other part of the issue is perception. Most SMBs don't see themselves as being at the same risk level as their enterprise counterparts because they believe their data isn't as valuable. But an SMB's data is not the only thing at stake: a compromised SMB is also a foothold attackers use to move up the supply chain into the larger organizations it works with.
Even if you have fewer resources, there are some immediate steps you can take to limit your risk if you’re an SMB.
1. Lock Down Administrative Privileges
One advantage SMBs have is the relatively small number of privileged accounts they need to manage and audit. Make it part of your weekly routine to look at who has admin privileges and remove access from anyone who shouldn't have full permissions. Include the local Administrators groups on servers and workstations as well as domain-level groups, and review service accounts the same way you review people.
2. Scrub Your Inbound and Outbound Traffic
Depending on your industry, monitoring every inbound and outbound connection may be more than an SMB's staff can take on. With a smaller pool of users, though, it is easier to lock traffic down to what the business actually uses.
For instance, are you expecting to see inbound or outbound traffic on ports 135-139? (Port 135 is the RPC endpoint mapper and ports 137-139 carry NetBIOS over TCP/IP, including Common Internet File System (CIFS) file sharing; port 445 carries SMB directly over TCP and belongs in the same review.) None of these should be reachable from the internet. Do you use SSH? FTP? If not, block those services inbound and outbound. Having a smaller pool of users means your operational needs are most likely more condensed, which limits your attack surface.
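The review described above, as an added example that is not part of the original post or Delta Risk's tooling. It reads constructed, simplified connection records in the form "direction proto peer_ip dst_port", compares each against an assumed list of services the business expects (a public web site plus outbound web and DNS), and reports everything else, with internet-facing findings first. The record format, the `EXPECTED` policy, the `LAN` range and the sample records are all assumptions; adapt `parse_record()` to whatever your firewall or router exports.

```python
"""Review firewall connection records against the services an SMB actually uses.

Added example for this post (not the author's tooling). The record format is a
constructed, simplified one: "direction proto peer_ip dst_port". Adapt
parse_record() to whatever your firewall or router exports.
"""
import ipaddress

# Assumed policy for a small office: a public web site and outbound web/DNS.
# Anything not listed here is reported. Add SSH, FTP, VPN etc. only if you use them.
EXPECTED = {
    ("inbound", "tcp", 443),
    ("outbound", "tcp", 443),
    ("outbound", "tcp", 80),
    ("outbound", "udp", 53),
}

# Assumed office LAN; peers outside it are treated as the internet.
LAN = ipaddress.ip_network("192.168.10.0/24")

# Ports worth naming in a report. 135 is the RPC endpoint mapper, 137-139 are
# NetBIOS over TCP/IP (SMB/CIFS over NetBIOS), 445 is SMB directly over TCP.
PORT_NAMES = {21: "ftp", 22: "ssh", 135: "msrpc", 137: "netbios-ns",
              138: "netbios-dgm", 139: "netbios-ssn", 445: "smb", 3389: "rdp"}

# Constructed sample records (documentation addresses, not real traffic).
SAMPLE_LOG = """\
# direction proto peer dst_port
inbound tcp 203.0.113.7 443
inbound tcp 203.0.113.7 445
inbound tcp 203.0.113.7 139
inbound tcp 203.0.113.7 139
inbound tcp 203.0.113.9 22
outbound tcp 203.0.113.50 443
outbound tcp 198.51.100.20 21
outbound udp 192.168.10.1 53
outbound tcp 192.168.10.8 445
"""


def parse_record(line):
    """Split one constructed record into its fields."""
    direction, proto, peer, port = line.split()
    return direction, proto, ipaddress.ip_address(peer), int(port)


def review(lines, expected=EXPECTED, lan=LAN):
    """Return one finding per (direction, proto, port) outside the expected set.

    Findings with an internet peer sort first, then by how often they were seen."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, proto, peer, port = parse_record(line)
        if (direction, proto, port) in expected:
            continue
        f = findings.setdefault((direction, proto, port), {
            "direction": direction, "proto": proto, "port": port,
            "service": PORT_NAMES.get(port, "unknown"),
            "count": 0, "internet_peer": False})
        f["count"] += 1
        if peer not in lan:
            f["internet_peer"] = True
    return sorted(findings.values(),
                  key=lambda f: (not f["internet_peer"], -f["count"]))


def report(lines):
    """Human-readable lines for the weekly review, worst first."""
    return [f"{'INTERNET' if f['internet_peer'] else 'lan'} {f['direction']} "
            f"{f['proto']}/{f['port']} ({f['service']}) seen {f['count']}x"
            for f in review(lines)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

On the sample data the first line of the report is the repeated inbound NetBIOS session traffic from the internet; the LAN-only SMB connection lands at the bottom, which is the right priority for a firewall rule review even though internal file sharing still deserves a look.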
3. Identify What You Can’t Do
To stay focused on the things you can do, speak to your head of IT operations or Chief Information Officer (CIO), if you have one, and identify the things you can't do, whether for lack of time or lack of resources. Items for the "can't-do" list could include penetration testing, risk assessments, a security operations center (SOC), forensics, and large-scale incident response.
After you’ve narrowed the functions that are reasonably out of the picture for your team, discuss the budget for contracting out some of the high-priority items on the can’t-do list. For example, perhaps having a SOC is a high priority on your list, so it might make sense to set aside a budget to hire a third party to perform those functions.
4. Have a Scaled Down, Flexible Incident Response Plan
Having an 80-page incident response plan that no one reads isn’t in the cards for an SMB.
Keep your incident response plan nimble by only including a few sections: incident classification guidelines, roles and responsibilities, a contact list (include third-party vendors who can help you like investigators or forensics experts), and a notification chain. Just as you would in a larger firm, though, you should update it on a regular basis – at least annually.
5. Have a Backup Strategy, Communicate It, and Test It
An effective backup strategy with the ability to get your business up and running again quickly can compensate for a variety of other unattainable security aspirations and give you "extra life." Keep it simple by backing up servers at set intervals. For example, run full backups three times a week with incremental backups each hour. Keep at least one copy offline or otherwise out of reach of the accounts that run your servers, so that ransomware or a compromised admin cannot encrypt or delete it, and test the strategy by actually restoring: a backup you have never restored from is an assumption, not a control.
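The schedule above, worked through as an added example (not the author's or Delta Risk's tooling). It generates a constructed backup catalogue for that schedule, resolves which backups are needed to restore to a chosen point in time, and then tests the chain the way a restore drill would: an integrity check on each member and a check that no hourly incremental is missing, since each incremental depends on the one before it. The full-backup slots (Monday, Wednesday and Friday at 02:00), the start date and the SHA-256 payloads are assumptions.

```python
"""Resolve and test a restore chain for the schedule in the post: full backups three
times a week, incremental backups every hour.

Added example for this post (not the author's tooling). The catalogue is generated
here rather than read from real backup software; the integrity check uses SHA-256
over constructed snapshot payloads. Assumed schedule: fulls on Mon/Wed/Fri at 02:00.
"""
import hashlib
from datetime import datetime, timedelta

FULL_DAYS = {0, 2, 4}         # Monday, Wednesday, Friday (assumption)
FULL_HOUR = 2
START = datetime(2018, 1, 1)  # a Monday; the constructed catalogue starts here


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_catalog(start=START, days=7):
    """One backup record per hour: a full at the scheduled slots, an incremental otherwise."""
    catalog = []
    for h in range(days * 24):
        t = start + timedelta(hours=h)
        kind = "full" if (t.weekday() in FULL_DAYS and t.hour == FULL_HOUR) else "incremental"
        data = f"snapshot {kind} {t.isoformat()}".encode()  # constructed payload
        catalog.append({"kind": kind, "time": t, "data": data, "digest": digest(data)})
    return catalog


def restore_chain(catalog, target):
    """Backups needed to restore to the latest state at or before `target`:
    the newest full not after target, then every incremental between that full and target."""
    fulls = [b for b in catalog if b["kind"] == "full" and b["time"] <= target]
    if not fulls:
        raise ValueError("no full backup at or before the requested restore point")
    base = max(fulls, key=lambda b: b["time"])
    incs = [b for b in catalog
            if b["kind"] == "incremental" and base["time"] < b["time"] <= target]
    return [base] + sorted(incs, key=lambda b: b["time"])


def verify_chain(chain, interval=timedelta(hours=1)):
    """Problems that would make the chain unrestorable: corrupted members and gaps.
    Each incremental depends on the one before it, so a missing hour breaks everything after it."""
    problems = []
    for b in chain:
        if digest(b["data"]) != b["digest"]:
            problems.append(f"{b['kind']} at {b['time']:%a %H:%M} fails its integrity check")
    for prev, cur in zip(chain, chain[1:]):
        if cur["time"] - prev["time"] > interval * 1.5:  # allow a little scheduling jitter
            problems.append(f"missing incremental(s) between {prev['time']:%a %H:%M} "
                            f"and {cur['time']:%a %H:%M}")
    return problems


def data_loss_window(chain, target):
    """How much work would be lost restoring to `target` with this chain."""
    return target - chain[-1]["time"]


def demo():
    """A healthy chain, then the same chain with one hour missing and one member corrupted."""
    catalog = build_catalog()
    target = START + timedelta(days=2, hours=12, minutes=30)   # Wednesday 12:30
    healthy = restore_chain(catalog, target)

    missing = [b for b in catalog if b["time"] != START + timedelta(days=2, hours=7)]
    gapped = restore_chain(missing, target)

    tampered = [dict(b) for b in catalog]
    for b in tampered:
        if b["time"] == START + timedelta(days=2, hours=5):
            b["data"] = b"not the bytes that were backed up"
    corrupt = restore_chain(tampered, target)

    return {
        "chain_len": len(healthy),
        "base_time": healthy[0]["time"],
        "healthy_problems": verify_chain(healthy),
        "loss_minutes": data_loss_window(healthy, target) // timedelta(minutes=1),
        "gap_problems": verify_chain(gapped),
        "corrupt_problems": verify_chain(corrupt),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Restoring to Wednesday 12:30 needs the Wednesday 02:00 full plus ten hourly incrementals, and at most 30 minutes of work is lost. Drop the 07:00 incremental and the chain still resolves but the verifier reports the gap; corrupt one payload and the digest check catches it. Both are things you only learn by running the restore, which is the point of the "test it" in the heading.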
Communicate very clearly with your staff so they know exactly what’s backed up and what’s not, so they can adjust their workflow accordingly and make sure high-value work is protected from outages or attacks.
6. Patch, Patch, Patch
Squashing vulnerabilities is like being a participant on American Gladiators. You feel outnumbered, outmatched, and exhausted.
One of the most important aspects of patch management is staying on top of the next patch. Put it on your calendar as part of your weekly or monthly "maintenance" checklist. Subscribe to security notifications from Microsoft and your other vendors so your systems stay up to date, and don't forget the things that don't patch themselves: firewalls, routers, VPN appliances, and third-party software on workstations.
7. Lock Down VPN Access
With a smaller number of users, you can keep track of exactly who logs in via VPN, so enable the service only for those with a business need. As employees join or leave, update their access accordingly, and make this a line item on your onboarding and offboarding checklists.
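The weekly reviews from sections 1 and 7, done as one added example (not the author's or Delta Risk's tooling): who is in the Administrators group, who has a VPN account, and whether each still has a business need and still works here. All inputs are constructed: the admin list mimics the output of `net localgroup Administrators` on Windows, the VPN list is one username per line as a VPN appliance might export it, and the roster and approval sets stand in for an HR-maintained staff list and your own records of who was granted what.

```python
"""Weekly access review for a small shop: who has admin rights, who can use the VPN,
and does each one still have a business need?

Added example for this post (not the author's or Delta Risk's tooling). All inputs
are constructed: the admin list mimics `net localgroup Administrators` output on
Windows, the VPN list is one username per line as a VPN appliance might export it,
and the roster stands in for an HR-maintained list of current staff.
"""

SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
CORP\\svc-backup
CORP\\tmiller
The command completed successfully.
"""

SAMPLE_VPN_USERS = """\
jsmith
akhan
tmiller
contractor1
"""

# Constructed HR roster and approvals. "Domain Admins" is a nested group:
# approving it here means its own membership must be reviewed separately.
ROSTER = {"jsmith": "active", "akhan": "active", "bchen": "active", "tmiller": "terminated"}
APPROVED_ADMINS = {"administrator", "domain admins", "jsmith"}
APPROVED_VPN = {"jsmith", "akhan"}


def parse_net_localgroup(text):
    """Return member names from `net localgroup <group>` output."""
    members, in_members = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def short_name(account):
    """Strip a DOMAIN\\ prefix and normalise case for lookups."""
    return account.split("\\")[-1].lower()


def review_access(admin_members, vpn_users, roster, approved_admins, approved_vpn):
    """Return (area, account, reason) findings; an empty list means nothing to act on."""
    findings = []
    for acct in admin_members:
        name = short_name(acct)
        if name not in approved_admins:
            findings.append(("admin", acct, "not on the approved admin list"))
        if roster.get(name) == "terminated":
            findings.append(("admin", acct, "belongs to a former employee"))
    for user in vpn_users:
        name = user.strip().lower()
        if not name:
            continue
        if name not in approved_vpn:
            findings.append(("vpn", user, "no recorded business need for VPN"))
        if roster.get(name) != "active":
            findings.append(("vpn", user, "not an active employee"))
    return findings


def run_review():
    """Run the review over the constructed inputs."""
    return review_access(parse_net_localgroup(SAMPLE_NET_LOCALGROUP),
                         SAMPLE_VPN_USERS.split(), ROSTER, APPROVED_ADMINS, APPROVED_VPN)


if __name__ == "__main__":
    for area, acct, reason in run_review():
        print(f"[{area}] {acct}: {reason}")
```

Two of the findings are the same person: a terminated employee who still has both admin rights and a VPN account, which is exactly the offboarding miss the checklist is meant to prevent. The service account shows up because nobody recorded an approval for it; either record one or remove it.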
8. Stop Playing Password Whack-a-Mole
With a smaller IT and security team, the last thing you need to be doing is performing password resets after lockouts. A little training will go a long way, so teach your team to create a long, unique password phrase that they’ll remember, and establish a technical control for enforcement.
In exchange, set the password expiration for a longer period. Password managers are also helpful for generating and storing unique passwords.
In addition, in many smaller companies, employees and contractors share access to accounts like social media or design programs, for instance. Although security best practices say never to share passwords, if you can’t get around it, at least ensure that passwords are changed immediately whenever someone on the team is hired or leaves.
9. Don’t Overlook Cloud Security
If you're like most SMBs, you're probably running a lot of your applications and services from the cloud, whether you're using software-as-a-service (SaaS), cloud infrastructure environments, or both. As an SMB, you still need to make sure you're implementing proper controls and configurations, and you need visibility into your accounts to reduce the risk of account takeover.
You can't rely on the cloud providers to ensure your platforms are used securely: they secure the service, you are responsible for your accounts, settings and data. Consider outsourcing your cloud access monitoring to an MSSP who is familiar with SMB needs and can offer a lower-cost, easy-to-implement solution instead of investing in a high-cost cloud access security broker (CASB).
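The kind of visibility the section above asks for, as an added example (not the author's or Delta Risk's tooling). It runs four simple account-takeover checks over constructed SaaS sign-in and mailbox events: a login without MFA, a login from a country the user has never used, two countries too close together in time, and a new rule forwarding mail to an address outside the company. The per-user country baselines, the two-hour travel window, the company domain and the event shape are assumptions; real exports (the Office 365 unified audit log, Google Workspace login audit, or an identity provider's system log) carry the same information under different field names.

```python
"""Spot likely account takeover in SaaS sign-in logs: logins without MFA, logins from a
country the user has never used, two countries too close together in time, and a new
rule forwarding mail outside the company.

Added example for this post (not the author's or Delta Risk's tooling). The events are
constructed in a simplified shape. Assumptions: per-user country baselines, a two-hour
travel window, and the company domain below.
"""
from datetime import datetime, timedelta

COMPANY_DOMAIN = "example.com"

# Constructed: countries each user normally signs in from.
BASELINE = {"jsmith": {"US"}, "akhan": {"US", "CA"}, "bchen": {"US"}}

# Constructed events, deliberately out of order to show the detector sorts them.
SAMPLE_EVENTS = [
    {"user": "jsmith", "time": "2018-03-05T08:02:00", "action": "login", "country": "US", "mfa": True},
    {"user": "akhan", "time": "2018-03-05T08:15:00", "action": "login", "country": "CA", "mfa": True},
    {"user": "jsmith", "time": "2018-03-05T08:45:00", "action": "set_forwarding",
     "target": "mailbox-archive@example.net"},
    {"user": "jsmith", "time": "2018-03-05T08:40:00", "action": "login", "country": "NG", "mfa": False},
    {"user": "bchen", "time": "2018-03-05T09:00:00", "action": "login", "country": "US", "mfa": True},
    {"user": "akhan", "time": "2018-03-05T17:30:00", "action": "login", "country": "US", "mfa": True},
]


def detect(events, baseline, travel_window=timedelta(hours=2), company_domain=COMPANY_DOMAIN):
    """Return (user, time, reason) alerts. Events are processed in time order."""
    alerts = []
    last_login = {}
    for e in sorted(events, key=lambda e: e["time"]):
        user, t = e["user"], datetime.fromisoformat(e["time"])
        if e["action"] == "login":
            if not e.get("mfa"):
                alerts.append((user, e["time"], "login without MFA"))
            if e["country"] not in baseline.get(user, set()):
                alerts.append((user, e["time"], f"login from new country {e['country']}"))
            prev = last_login.get(user)
            if prev and prev["country"] != e["country"] and t - prev["time"] <= travel_window:
                alerts.append((user, e["time"],
                               f"impossible travel: {prev['country']} then {e['country']} "
                               f"within {t - prev['time']}"))
            last_login[user] = {"time": t, "country": e["country"]}
        elif e["action"] == "set_forwarding":
            # A forwarding rule to an outside mailbox is a classic post-takeover move.
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain != company_domain:
                alerts.append((user, e["time"], f"mail forwarding to external address {e['target']}"))
    return alerts


def triage(alerts):
    """Users ordered by alert count, so the likely takeover floats to the top."""
    counts = {}
    for user, _, _ in alerts:
        counts[user] = counts.get(user, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, BASELINE)
    for user, when, reason in found:
        print(f"{when} {user}: {reason}")
    print("triage:", triage(found))
```

On the sample, one user trips all four checks within an hour while the others stay quiet, which is the pattern an MSSP or a lightweight in-house script should surface. The travel check deliberately uses a fixed window rather than distance math; it is crude, but for a shop whose staff all work from one or two countries it catches the common case without any geolocation dependency.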
Summary
It can be daunting to stay on top of your cyber security needs, protect your intellectual property, and minimize the frequency of breaches. But SMBs need to take their security priorities seriously and get back to the basics of cyber security hygiene that I've laid out in this blog.
For a deeper understanding of the overarching cyber security landscape, check out our 2017 Cyber Security Trends Report.
Ryan Clancy is managing consultant at Delta Risk. Read more Delta Risk blogs here.