Cybersecurity isn’t an easy problem to solve on a small business budget
Small businesses are on the receiving end of cyberattacks almost as much as large ones. ‘We aren’t a big company, no one would want to attack us’ is a common myth: most attacks are opportunistic and automated, and the scanner that finds your exposed remote desktop or unpatched firewall does not check your headcount first. Data is the new oil. In a data-driven world every byte has a monetary value, and criminals have stepped up their efforts as more people and businesses moved online in the post-COVID era.
Cyber security is everyone’s responsibility.
This article aims to give small businesses actionable advice on how to improve and maintain their cybersecurity posture so that they are prepared for the common attacks. Treat it as an internal checklist: tick these items off before you go shopping for security products, and use them to question your existing service providers. Where your business already shows some security maturity, commission a cyber health check (also called an IT security health check) to assess the risk. This independent exercise should detail the gaps across people, processes and the technology in use.
0. Less is More
There is no point investing in products until you have done the homework. Your functional requirements should drive security investments, not a feeling that a product would add value.
The fewer products you have, the less complexity and data sprawl you have to manage, and every product you do buy is one more console to administer, one more set of admin credentials to protect and one more vendor to keep patched. Start small.
1. Endpoint Protection
End-user systems such as laptops, desktops and workstations are known as endpoints. They are the most common point of entry into an organisation and a frequent target. A compromised endpoint is a stepping stone into the internal network: a spear-phishing email that lands on a company laptop gives the attacker a foothold with that user’s network access and credentials.
● Secure your endpoints with an anti-malware or EDR solution that detects and blocks malicious activity, and manage it centrally so you can see that every device is covered, reporting in and up to date. Anti-malware is a safety net, not a substitute for patching and for users working without local admin rights.
2. Network Segmentation
Network segmentation means splitting the network into segments, each with access controls that match what the systems in it actually need. It is one of the most effective measures for containing an attacker: a compromised workstation on the user segment should not be able to reach the finance server, the backup system or the management interfaces of your network equipment directly.
● Use the equipment you already have: most business switches and firewalls support VLANs, IP filtering and internal firewalling between segments. A flat network where every device can talk to every other device is the setup to move away from.
3. Principle of Least Privilege
Follow the principle of least privilege (PoLP): each user, service and system gets only the privileges it needs to do its job, and nothing more. In practice this means nobody does day-to-day work in a local administrator or domain admin account, and service accounts do not hold rights they never use.
The following tools and tactics are probably the most valuable part of this article:
● Privileged Access Management (PAM): admin credentials that are vaulted, monitored and used only when needed, rather than held permanently
● Network segmentation
● Separation of privilege: separate accounts (and ideally separate devices) for administrative work and for email and browsing
● Systems hardening
Implementation may meet some resistance from other departments. Protect the most prized assets by bringing those parties along rather than imposing controls on them. A good security implementation balances usability and security, and no tool or control survives for long without users on your side.
4. Secure Internet Access
With the rise of remote working, securing remote workers is one of the major concerns for businesses.
● Ensure a restricted internet use policy is in effect, both on paper and in practice, which means enforcing it with web filtering rather than relying on staff to remember it.
● Web and email traffic must be inspected for malicious content in both directions. Incoming inspection catches phishing and malware; outgoing inspection catches data leaving the business and malware calling home.
5. Password Management
Ensure that all default passwords are changed on all network, security and other computing equipment, including the web interfaces of printers, switches, access points and firewalls.
Implement and mandate the use of password managers. Where a service supports it, opt for passwordless authentication.
Rolling out a simple-to-use password manager gives an organisation several long-term benefits:
● It is a positive, visible step towards security education and training.
● It takes the burden of remembering passwords off users, which removes the main reason people reuse passwords. Reused passwords are what make credential stuffing work: a password list from a breach at an unrelated site is replayed against your business email and cloud services.
● It generates a random, unique password for every account, so a password-spraying attack (a few common passwords tried against many accounts) has nothing to find, and no single breached password unlocks anything else.
6. Multi-factor Authentication
Ensure that multi-factor authentication is enabled on all internet-facing portals and devices: email, VPN, remote desktop gateways, cloud consoles and every administrative account. Prefer phishing-resistant methods (security keys or platform authenticators using FIDO2/WebAuthn) or app-based codes over SMS, although SMS is still far better than a password alone.
7. Secure Configuration
Secure configuration matters for every system used inside or outside the organisation. It ensures a technical security baseline is applied before an asset joins the production environment, reducing the attack surface and network footprint. It covers patch management, hardening of operating systems (published baselines such as the CIS Benchmarks are a good starting point), secure configuration of the third-party software in use, and restrictions applied through group policy and local settings. If your business has never validated its security posture, it is time for a penetration test: it identifies the gaps and gives you an analysis and risk remediation steps, which in turn helps you decide on future IT investments and security strategy.
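As an added example of checking a configuration against a baseline (this is illustrative code written for this article, not a Cyphere tool), here is a small POSIX shell script that audits an OpenSSH server’s sshd_config. The baseline keywords and values are an assumption chosen for illustration; the one rule the script deliberately gets right is that sshd uses the first value it finds for a keyword, so a `PermitRootLogin no` appended at the bottom of a file that already says `yes` higher up changes nothing, and a naive check that reads the last occurrence would wrongly pass it.

```shell
#!/bin/sh
# Added example: audit an sshd_config against a small hardening baseline.
# sshd applies the FIRST value it reads for each keyword (see sshd_config(5)),
# so this check takes the first occurrence in the global section, not the last.
set -eu

# effective CONFIG KEYWORD DEFAULT
#   prints the value sshd would use: the first occurrence before any Match
#   block, or DEFAULT if the keyword is absent. Keywords are case-insensitive.
effective() {
    v=$(awk -v k="$2" '
        /^[[:space:]]*#/          { next }              # comment line
        tolower($1) == "match"    { exit }              # Match blocks are not audited here
        tolower($1) == tolower(k) { print $2; exit }    # first match wins
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# Baseline (an assumption for illustration): keyword, required value,
# and the OpenSSH default that applies when the keyword is not set at all.
BASELINE='
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PermitEmptyPasswords no no
X11Forwarding no no
'

# audit_sshd CONFIG
#   prints one FAIL line per directive that misses the baseline;
#   returns 0 only when every directive passes.
audit_sshd() {
    fails=0
    while read -r key want def; do
        [ -n "$key" ] || continue
        got=$(effective "$1" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective value '$got', baseline requires '$want'"
            fails=$((fails + 1))
        fi
    done <<EOF
$BASELINE
EOF
    [ "$fails" -eq 0 ]
}

# Stand-alone use: ./sshd-audit.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd "$1"
fi
```

Run it against the live file on each server, or against the copy your configuration management ships, and treat any FAIL line as a finding. On a real host `sshd -T` prints the fully resolved configuration and is the authoritative answer; the script is useful precisely where you cannot run sshd, for example when reviewing configs pulled from backups or a repository.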
8. Secure and Regular Backups
Ensure regular and secure backups. Use an automatic cloud-based backup solution where possible, and keep at least one copy that an attacker on your network cannot reach or alter (offline, or in storage with immutability enabled), because ransomware operators look for the backups first. Most importantly, test restores regularly: a backup that has never been restored is an assumption, not a backup, and the middle of an incident is the wrong time to find out.
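The restore test deserves to be automated rather than left as a good intention. The script below is an added example written for this article (not part of the original, and not a Cyphere tool): it backs up a directory to a compressed archive, records a SHA-256 manifest of every file, and then proves the archive restores by extracting it into a scratch directory and re-checking every hash. It assumes GNU coreutils (`sha256sum`) and `tar` with gzip support; all paths are placeholders.

```shell
#!/bin/sh
# Added example: back up a directory to a compressed archive, record a SHA-256
# manifest of every file, and prove the archive restores by extracting it to a
# scratch directory and re-checking every hash. Paths are placeholders.
set -eu

# make_backup SRC_DIR OUT_DIR
#   writes OUT_DIR/backup-<timestamp>.tar.gz plus a .sha256 manifest beside it
#   and prints the archive path. Hashes are taken relative to SRC_DIR so the
#   same manifest can be checked against a restored copy anywhere.
make_backup() {
    src=$1
    out=$2
    mkdir -p "$out"
    out=$(cd "$out" && pwd)                    # absolute, so later cd's do not break it
    archive="$out/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$archive.sha256"
    tar -C "$src" -czf "$archive" .
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE
#   the "test your restores" step: extracts ARCHIVE into a fresh scratch
#   directory and checks every file against the manifest. Returns 0 only if
#   the whole manifest verifies; a truncated or tampered archive fails here
#   rather than on the day you need it.
verify_restore() {
    archive=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    manifest="$archive.sha256"
    scratch=$(mktemp -d)
    if tar -C "$scratch" -xzf "$archive" \
       && ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null ); then
        rm -rf "$scratch"
        echo "restore check OK: $archive"
    else
        echo "restore check FAILED: $archive (extracted copy left in $scratch)" >&2
        return 1
    fi
}

# Stand-alone use: ./backup-check.sh /srv/data /mnt/backups
if [ "$#" -eq 2 ]; then
    a=$(make_backup "$1" "$2")
    verify_restore "$a"
fi
```

Schedule `verify_restore` against a recent archive on a different machine from the one that wrote it, so the test also proves the copy that left the building is usable. Keep the manifest with the off-site copy as well; it is what lets you tell a clean restore from a partly corrupted one.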
9. Staff Awareness and Access Restrictions
Employees can be your strongest link or your weakest, depending on your approach to cyber security.
● Deliver regular user education to all employees, without exceptions. Threat actors will not tell you whom they have picked as a target, and the exception you made for the busy director or the part-time bookkeeper is exactly the account a phishing campaign needs.
● Ensure staff use separate accounts (and ideally separate devices) for day-to-day corporate work and for administering production systems, so that a phishing email opened in the wrong session cannot hand over production access.
● Disable internet access on servers and other business-critical assets that do not need it. Where patching is the only reason for connectivity, define firewall rules that allow traffic to the specific update sources and nothing else.
This stops anyone browsing the internet from a server and cuts off the outbound channel that malware on a compromised server needs, reducing the impact of an incident.
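The segmentation and server-egress advice above comes down to a default-deny policy in both directions, with a short allow-list for the segments and destinations a server legitimately needs. The script below is an added example for this article (not code from the original or from Cyphere) that generates such a policy as an nftables ruleset for one server and sanity-checks it. Every address, VLAN and port is a placeholder chosen for illustration (RFC 1918 and RFC 5737 ranges); the real values come from your own network design.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a server that must not browse
# the internet. Inbound is limited to the admin VLAN (SSH) and the client VLAN
# (the service port); outbound is limited to the internal resolver and the
# update mirror. Every address and port below is a placeholder chosen for
# illustration (RFC 1918 and RFC 5737 ranges); set them for your network.
set -eu

ADMIN_VLAN=${ADMIN_VLAN:-10.10.20.0/24}         # IT / jump-host segment
CLIENT_VLAN=${CLIENT_VLAN:-10.10.30.0/24}       # segment that legitimately uses this server
RESOLVER=${RESOLVER:-10.10.10.53}               # internal DNS server
UPDATE_MIRROR=${UPDATE_MIRROR:-203.0.113.0/24}  # distro mirror or patch proxy
SERVICE_PORT=${SERVICE_PORT:-443}

# write_server_ruleset OUTFILE: write the ruleset; load it with `nft -f OUTFILE`
write_server_ruleset() {
    cat > "$1" <<EOF
flush ruleset
table inet filter {
    set update_mirrors {
        type ipv4_addr
        flags interval
        elements = { $UPDATE_MIRROR }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        ip saddr $ADMIN_VLAN icmp type echo-request accept
        ip saddr $ADMIN_VLAN tcp dport 22 accept
        ip saddr $CLIENT_VLAN tcp dport $SERVICE_PORT accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept
        ip daddr @update_mirrors tcp dport { 80, 443 } accept
        log prefix "egress-denied " drop
    }
}
EOF
}

# check_ruleset OUTFILE: syntax-check with `nft -c` when running as root with
# nft installed, and in any case refuse a ruleset whose base chains are not
# all default-deny (the classic mistake is an output chain left at accept).
check_ruleset() {
    f=$1
    if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
        nft -c -f "$f"
    fi
    chains=$(grep -c 'type filter hook' "$f" || true)
    drops=$(grep -c 'policy drop;' "$f" || true)
    if [ "$chains" -gt 0 ] && [ "$chains" -eq "$drops" ]; then
        return 0
    fi
    echo "check failed: $drops of $chains base chains are default-deny in $f" >&2
    return 1
}

# Stand-alone use: ./server-egress.sh /etc/nftables.conf && nft -f /etc/nftables.conf
if [ "$#" -eq 1 ]; then
    write_server_ruleset "$1"
    check_ruleset "$1"
fi
```

Two things to watch when adapting it. The table is of family `inet` but every allow rule matches IPv4 only, so all IPv6 traffic falls through to the drop policy; that is safe by default, but add matching `ip6` rules if the server is dual-stacked. And the final `log ... drop` in the output chain is what turns the control into a detection: a server that suddenly logs `egress-denied` entries to an address you never allow-listed is worth a look, which is the logging and monitoring point picked up later in this article.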
10. Secure Wireless Networks
● Separate the corporate and guest wireless networks, however small your business is. Guest devices belong on a segment that reaches the internet and nothing else.
● For the corporate network, use WPA2/WPA3-Enterprise with certificate-based authentication (EAP-TLS) so that both users and machines are verified. A single pre-shared key that every employee knows cannot be revoked when one of them leaves, and it ends up written on a whiteboard.
● Use a captive portal for the guest network so visitors and staff are kept apart and there is a record of who used it.
Logging and monitoring, secure communications and in-depth Active Directory security are further areas a business should consider in the longer term.
Always remember that an organisation’s cyber security can never be a done-for-you service.
● Don’t buy a product until the functional requirements and analysis have been done on the ground.
● Don’t rely on your IT service provider to solve your security concerns; running the IT and checking that it is secure are different jobs.
● Don’t trust a single security vendor to provide the solutions, the services and all the advisory work; it’s a clear conflict of interest.
● Review the balance between usability and security regularly, so that security remains an enabler for growth rather than an obstacle people route around.
About the Author
Harman Singh is professional services director at Cyphere. Cyphere is a security services provider helping organisations secure their most prized assets. We are not a ‘report and run’ consultancy. Cyphere provides technical security assessments and managed security services. To understand, analyse and help solve customer business problems, we work on both sides of the fence (offensive/defensive security).
Featured image: ©Sergey Nivens