It's a harsh reality for most small and mid-sized businesses: you simply don't have the resources to stop a well-funded, highly targeted attacker.
But that's not to say that cybersecurity is a meaningless or unachievable goal. The most effective and most accessible defense for an organization like yours is the strategy, preparation, and protection you put in place before a security incident happens.
Prevention, Detection, and Recovery
Even the best antivirus program or edge security appliance can be defeated; chasing the latest and greatest cybersecurity tool won't make you 100% protected. Instead, strike a balance between prevention, detection, and recovery.
What the average organization needs most in its security strategy is this:
- basic (but strong) protection against common attacks, and
- the ability to detect and recover from the attacks that aren't stopped
No-Nonsense Security Improvements for the Average Business
Improving the security and stability of your IT operations doesn't necessarily mean getting new hardware and software. Many impactful changes are operational or strategic, and may even involve technologies or tools you already have in place.
- Transfer risk: ensure you have adequate cyber insurance coverage.
Most cybersecurity experts believe it is a matter of "when", not "if", you'll experience a cybersecurity incident. The direct and indirect costs of a security breach can rapidly accumulate to hundreds of thousands or even millions of dollars. A proper risk management strategy therefore includes transferring some of that financial risk through a qualified and reputable cyber insurance policy. Speak to a broker whose agents specialize in cyber policies, and read the exclusions: many policies require controls such as MFA and offline backups to be in place before they will pay out.
- Establish complete data backups, including an offline or immutable copy.
The best response to a ransomware incident is to restore data from backups, so it's no surprise that finding and destroying your backups is a textbook ransomware technique. You must have a copy that is untouchable by a threat actor: either fully offline, or stored in a service that offers immutability, where the data is locked against modification or deletion for a set retention period. Test a restore periodically; a backup you have never restored from is an assumption, not a recovery plan.
- Know what you have, so that you know what you're trying to protect.
Clear audits and documentation of your IT environment are vital to a comprehensive security strategy. If you cannot easily answer questions about the exact tools and technologies used in your environment, securing that environment adequately will be hard. You don't need to overcomplicate this or aim for a perfect IT inventory, but make sure key business leaders can find the information quickly in the event of a security incident. Questions like "Do we have any SolarWinds products installed on our network?" or "Do we have any Citrix NetScalers?" should be simple and quick to answer when it matters. At minimum, keep a current list of hosts, installed software with versions, who owns each system, and what is reachable from the internet.
- Get notified about critical vulnerabilities, and have a strategy to patch them.
If you work with an IT service provider, they should have a defined way to communicate zero-day and critical vulnerabilities to you and your team. Whether your IT support is in-house or external, make sure there is a plan for who communicates critical vulnerability bulletins, when, and how quickly security patches are deployed.
If you're doing this on your own, our experts recommend CISA's Cybersecurity Advisories and Vulnerability Bulletins, along with its Known Exploited Vulnerabilities (KEV) catalog, as a good starting place. Our team monitors countless technology vendor and public security bulletins to ensure our clients are made aware of vulnerabilities that affect them as quickly as possible. Then we identify and deploy a fix to close the gap as soon as it can safely be done.
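The two items above (know what you have, and get notified when something you have is vulnerable) only pay off when they are connected. Below is an added example, not code from the original post or from Five Nines, that joins a KEV-style catalog to a software inventory and ranks what needs patching first. The catalog sample and inventory rows are constructed for illustration: the sample copies the field names of CISA's Known Exploited Vulnerabilities JSON feed, but the vendors, products and CVE IDs are placeholders, not real vulnerabilities.

```python
"""Match a CISA KEV-style catalog against a software inventory.

Added example, not code from the original post. KEV_SAMPLE and INVENTORY are
constructed for illustration; the sample copies the field names of CISA's
Known Exploited Vulnerabilities JSON feed, but the entries, vendors and
CVE IDs are placeholders, not real vulnerabilities.
"""
import json
from datetime import date

# Constructed catalog with the same keys as the real KEV feed.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Gateway Appliance",
         "vulnerabilityName": "ExampleVendor Gateway Appliance Authentication Bypass",
         "dateAdded": "2024-03-01", "shortDescription": "placeholder",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2024-03-08", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Monitoring Server",
         "vulnerabilityName": "ExampleVendor Monitoring Server Remote Code Execution",
         "dateAdded": "2024-03-15", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-04-05", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp",
         "product": "Print Server",
         "vulnerabilityName": "OtherCorp Print Server Privilege Escalation",
         "dateAdded": "2024-03-01", "shortDescription": "placeholder",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory: the minimum you need to answer "do we run X?".
INVENTORY = [
    {"host": "gw-01", "vendor": "ExampleVendor", "product": "Gateway Appliance", "owner": "IT"},
    {"host": "mon-01", "vendor": "examplevendor", "product": "Monitoring Server 4.2", "owner": "Ops"},
    {"host": "file-01", "vendor": "SomeoneElse", "product": "File Server", "owner": "IT"},
]


def _norm(text):
    """Lower-case and collapse whitespace so vendor/product names compare loosely."""
    return " ".join(text.lower().split())


def match_kev(kev_json, inventory, today, added_since=None):
    """Return inventory assets affected by catalog entries, most urgent first.

    added_since: if given, only entries added to the catalog after that date
    are considered, which is how a daily poll becomes a notification.
    """
    catalog = json.loads(kev_json)
    hits = []
    for vuln in catalog["vulnerabilities"]:
        added = date.fromisoformat(vuln["dateAdded"])
        if added_since is not None and added <= added_since:
            continue
        vendor, product = _norm(vuln["vendorProject"]), _norm(vuln["product"])
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if _norm(asset["vendor"]) == vendor and product in _norm(asset["product"]):
                hits.append({
                    "cve": vuln["cveID"],
                    "host": asset["host"],
                    "owner": asset["owner"],
                    "due": due,
                    "days_left": (due - today).days,
                    "ransomware": vuln["knownRansomwareCampaignUse"] == "Known",
                    "action": vuln["requiredAction"],
                })
    # Entries tied to ransomware campaigns first, then by soonest due date.
    hits.sort(key=lambda h: (not h["ransomware"], h["days_left"]))
    return hits


if __name__ == "__main__":
    for hit in match_kev(KEV_SAMPLE, INVENTORY, today=date(2024, 3, 5)):
        flag = "RANSOMWARE" if hit["ransomware"] else ""
        print(f'{hit["cve"]} {hit["host"]} ({hit["owner"]}) due in {hit["days_left"]}d {flag}')
```

Run it daily with `added_since` set to the previous run's date and the output is your vulnerability bulletin: every entry names a host, an owner, a deadline, and whether the bug is already being used by ransomware crews. The loose vendor/product matching is deliberate; inventories are rarely spelled the way a catalog spells them, so a false positive you can dismiss in a minute is cheaper than a missed appliance.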
- Invest in a 24/7 monitored and managed EDR solution (i.e. MDR).
Endpoint Detection & Response (EDR) technology without trained staff watching it will miss threat actors doing "obvious" things, because nobody is reading the alerts. Most small businesses don't have the staff to do this internally, so outsource it to a Managed Detection and Response (MDR) provider. This is your number one way to detect hackers and evict them before they do more harm.
- Use MFA (multi-factor authentication) to protect everything a remote attacker can reach from the internet.
Humans have bad password hygiene; we use (or worse, reuse) guessable passwords on important accounts. Threat actors regularly take credentials leaked from one site and try them against other common online services (credential stuffing), or try a handful of common passwords against every account in an organization (password spraying). Anything externally facing, like cloud services (Microsoft 365 especially), VPNs, and other remote access technologies, must be protected with multi-factor authentication. Where a service supports it, prefer phishing-resistant methods such as FIDO2 security keys over push prompts, which users can be tricked into approving.
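Password spraying has a recognizable shape in sign-in logs: one source IP, one or two passwords, many different usernames, each failing once, and then the same IP coming back later for a second round. The detector below is an added example, not code from the original post or from Five Nines, and is the kind of check an MDR analyst runs over your identity provider's sign-in export. The log lines are constructed, and the comma-separated line format (timestamp, user, source IP, result) is an assumption chosen for the example, not the export format of any particular product.

```python
"""Flag password-spraying from a sign-in log.

Added example, not code from the original post. SAMPLE_LOG is constructed;
the line format (timestamp,user,source_ip,result) is an assumption chosen
for the example, not the export format of any particular identity provider.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user ip success")

# Constructed sign-ins. 203.0.113.7 tries one password against six accounts,
# returns 30 minutes later with a second password and gets into frank's
# account. 198.51.100.20 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-05T08:00:01Z,alice@example.com,203.0.113.7,FAILURE
2024-03-05T08:00:04Z,bob@example.com,203.0.113.7,FAILURE
2024-03-05T08:00:07Z,carol@example.com,203.0.113.7,FAILURE
2024-03-05T08:00:10Z,dave@example.com,203.0.113.7,FAILURE
2024-03-05T08:00:13Z,erin@example.com,203.0.113.7,FAILURE
2024-03-05T08:00:16Z,frank@example.com,203.0.113.7,FAILURE
2024-03-05T08:30:01Z,alice@example.com,203.0.113.7,FAILURE
2024-03-05T08:30:04Z,bob@example.com,203.0.113.7,FAILURE
2024-03-05T08:30:07Z,carol@example.com,203.0.113.7,FAILURE
2024-03-05T08:30:10Z,dave@example.com,203.0.113.7,FAILURE
2024-03-05T08:30:13Z,erin@example.com,203.0.113.7,FAILURE
2024-03-05T08:30:16Z,frank@example.com,203.0.113.7,SUCCESS
2024-03-05T09:15:00Z,alice@example.com,198.51.100.20,FAILURE
2024-03-05T09:15:40Z,alice@example.com,198.51.100.20,FAILURE
2024-03-05T09:16:00Z,alice@example.com,198.51.100.20,SUCCESS
"""


def parse_signins(text):
    """Parse the constructed CSV format into time-ordered Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user.lower(), ip, result == "SUCCESS"))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source IP whose failures hit at least min_users
    distinct accounts inside any window-long span.

    A spray is few passwords against many users, so the signal is breadth of
    users per IP, not failures per user (that would be a brute force, and a
    per-account lockout already handles it).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.success]
        start, first, last, targeted = 0, None, None, set()
        for end, ev in enumerate(fails):
            while ev.ts - fails[start].ts > window:  # slide the window forward
                start += 1
            users = {f.user for f in fails[start:end + 1]}
            if len(users) >= min_users:
                first = first or fails[start].ts
                last = ev.ts
                targeted |= users
        if first is None:
            continue
        # Any success from the same IP after the spray began is the real emergency.
        successes = sorted({e.user for e in evs if e.success and e.ts >= first})
        alerts.append({"ip": ip, "users_targeted": len(targeted),
                       "first": first, "last": last, "successes": successes})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_signins(SAMPLE_LOG)):
        print(f'{alert["ip"]}: {alert["users_targeted"]} accounts targeted '
              f'{alert["first"]:%H:%M}-{alert["last"]:%H:%M}, '
              f'successful logins: {alert["successes"] or "none"}')
```

Tune `window` and `min_users` to your tenant's size; a five-person company will never see five distinct users from one IP legitimately, while a shared office NAT at a larger firm might. With MFA enforced on the account, the `SUCCESS` line for frank would have stopped at the second factor, which is the point of the item above: detection tells you the spray happened, MFA is what keeps it from mattering.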
- Migrate all on-premises Exchange email services to Microsoft 365... yesterday.
Running on-premises Exchange has become indefensible, both in the sense that it is practically impossible for a small IT team to keep it adequately secured, and in that it is a choice that no longer holds up among IT experts. Microsoft monitors and defends Microsoft 365 with money, technology, and people at a scale far beyond what you can muster internally. In fact, Microsoft can patch the hosted service before a vulnerability is publicly disclosed, a head start your own server will never get.
Consider the same perspective for other on-premises apps as well. Moving them to a well-run hosted service can transfer risk, improve performance, and reduce costs.
- Conduct comprehensive security awareness training (SAT) regularly.
In any business, employees are the first line of defense, but human error is also the #1 security risk. Teach your team to recognize phishing, business email compromise (BEC), and other common social engineering techniques that open the door to larger attacks, and make it easy for them to report a suspicious message without fear of blame.
- Provide employees with a password manager, and ensure they use it.
Gone are the days of having to change a "good" password countless times because it was phished or stolen. The easiest way to prevent password reuse and limit the damage from a single credential compromise is a vault of strong passwords, unique to each account. Using this kind of tool is an adjustment, both personally and across a business, but the benefits are large, and a good password manager provides a convenience you'll never want to give up.
- Migrate from on-premises data storage to trusted cloud data services.
IT risk is not just hackers; it's also the loss of devices or digital data, and access to that data is a key factor in business continuity.
Cloud services often have built-in protections to sync, track, and restore business data, and high availability is baked in with no additional configuration or expense. Ransomware also mostly targets endpoints and on-premises file servers rather than cloud services themselves; when encrypted files do sync up to a cloud service, version history and rollback usually let you recover without a full restore, so the attempt to lock or delete business data loses. Backups are still necessary, but these protections reduce how often you'll need to fall back on a full backup recovery after an incident.
But what about...?
You’ll notice the above checklist didn't mention things like “have a firewall” or “deploy antivirus / endpoint protection software.” Why is that?
These are givens. If your business is still working on the security basics, like edge security or virus prevention, Five Nines can help.
When you have the security and IT basics in place, this checklist can serve as your next steps to better security. We hope you identified some opportunities for improvement, things you may not have been doing yet, or things you may not have been doing as well as you could. If you need any assistance getting started on or improving your business security, reach out to us today!
Written by Blaine Kahle, Director of Technology