What you see is what you get with Small Business Security Culture
As a small business owner myself, I truly understand the everyday challenges we face: Payroll, Human Resources, Service Delivery, New Business, Equipment Maintenance… Cyber Security is often overlooked because of a real lack of a Security Culture in the business. As a result, Small and Medium Businesses (SMBs) will not commit resources to address the true risk of doing business in today’s world of Hackers, Activists, Nation States, Terrorists, and Rogue Employees.
The risk of fraud and online crime, both real and perceived, is costing SMBs real money. In study after study, SMBs are increasingly the victims of online crime, whether from virus infections, ransomware, hacking attacks, or other system security breaches. On top of the financial loss and inconvenience, there is the potentially disastrous loss of customer trust.
Despite the critical importance of cybersecurity, many SMBs appear almost oblivious to the risks. The first rule in fixing a problem is that you have to be aware of the problems you have. We, InfusionPoints, review the security posture of many organizations every year. More often than not, an organization’s first question is why “we” would be a target.
In fact, SMBs -- not big-name corporations -- actually make the best targets. Attackers have found that as large enterprises have increased their fortification and defenses, SMBs are now the most vulnerable and, therefore, the most attractive targets. All the attackers have to do is push a little on targeted resources, wait for them to fail, and then they're in.
SMBs need to draw up a plan that improves their Security Posture while transforming the Security Culture in their enterprise. SMBs need to follow the lead of larger organizations by adopting a more holistic, centralized strategy for improving their security posture. I know it is a different story for SMBs that have a hard time thinking in terms of long-term planning, partly because of their business culture, which always leads to “why us, now?”
I truly understand that budgetary and resource constraints are real for SMBs, as is the need to maximize every dollar spent. SMBs just can't afford to be as comprehensive in their security approaches. Typically, the first activity we recommend is to perform a Security Quick Look Assessment (QLA) to review your attack surface, security policies, security architecture, and internal and external security controls. The QLA is designed to find the gaps or blind spots in your security posture and build a plan to improve your Security Culture and Posture.
For the most part, we typically find the following foundational security controls needing to be implemented or improved:
SMBs need to implement a Security Awareness Program to train their users to be the first line of defense with real-world training. An excellent program would include phishing and social engineering, improvement of the SMB security culture, improvement of key vendor management relationships, improvement of security policies, and building a cloud strategy.
External security controls - There needs to be more than a firewall at the perimeter of their enterprise and virus protection on the endpoints. Most need to:
- Improve management and monitoring capabilities of their firewall and edge network. Hire an external Managed Security Service Provider (MSSP) because the SMB, in most cases, does not have the skills or resources to properly manage or monitor these security devices.
- Develop a better understanding of what data traffic traverses their enterprise, and of how it is processed and stored.
- Perform an external vulnerability assessment.
- Lastly, when you are ready, perform an external penetration test.
Internal security controls – SMBs need to build a defense-in-depth approach to securing their ecosystem:
- Improve internal network security by segmenting the network into business security zones, monitoring and correlating log and event data by hiring an MSSP, and implementing a network access control solution that allows only SMB-owned systems into the ecosystem. Manage and control the wireless network as well.
- Implement a secure configuration management program that itemizes the SMB inventory, ensures patches are applied in a timely manner, and establishes a set of standard platform/OS configurations that include endpoint protection by deploying firewalls, antivirus, and anti-malware solutions.
- Implement an access control system by strengthening password management to include password strength, password rotation, and two-factor authentication when required.
- Improve cyber resilience by developing, building, and testing plans for disaster recovery, incident management, backup, and restoration for the entire SMB ecosystem.
- Perform an internal vulnerability assessment.
- Lastly, when you are ready, perform an internal penetration test.
I know this is more than a mouthful and it can look overwhelming; however, it is truly not as hard as it looks if you plan properly. Tackle the activities in bite-size, manageable tasks, choose items that you can accomplish by yourself, bring in experts who can help build plans, and implement at the same time. The key is to transform your security culture by increasing your security awareness, tightening your security controls, and improving your visibility into the health of your ecosystem before a security breach or disaster occurs in your environment. Plan for what can go wrong, because it will.
We have developed a Small and Medium Business (SMB) and Telecommunication NIST CyberSecurity Framework (CSF) profile that we leverage for our QLA. The QLA takes into consideration the relevant compliance requirements to assess your current cybersecurity posture, rapidly build a profile that fits your organization, and identify gaps to build a cybersecurity program that can protect and defend your customers', partners’, and employees’ data. In addition, our VNSOC360 Managed Security Services provides an all-in-one service designed and priced to ensure that SMBs can effectively defend themselves against today’s advanced threats. For more information, contact us for a free Security Operations readiness review.