10 Recommendations for SMBs to Improve Cybersecurity Posture

“There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”  – John Chambers, Former CISO, Cisco

Many businesses, both large and small, are looking for ways to improve their security and mitigate risk exposure while managing long-term costs. As large companies recognize that data breaches often start through third-party vendors and partners, cybersecurity has moved from a “big company” issue to one that affects the entire business ecosystem. This has demanded a new approach for small and mid-sized businesses to address cybersecurity. I recently attended a session hosted by EO Atlanta: Cybersecurity for Small & Medium-Sized Businesses 2018. Speakers included Derek Harp, President, NexDefense, Inc; Justin Daniels, Shareholder, Baker Donelson; and Steve Grimberg, Managing Director and General Counsel, Nardello & Co.

The objectives of the session were to inform business owners about:

• Developing a high-level understanding of cyber-threats and the legal implications
• Understanding  that organizational culture needs to embrace cybersecurity as a business issue
• Assessing the effectiveness of your cybersecurity strategy
• Reducing business risk by conducting an external assessment and implementing some basic protections

The session began with an overview of the cybersecurity landscape and presented key actors who are behind cyber-attacks, such as Nation States, criminals, and insider threats. In addition to sharing lessons learned, the speakers outlined the daunting task of staying secure in a world where threats continue to grow in number, frequency, and sophistication.

“The only thing outpacing growth in security spend, is security losses.”  – Justin Daniels, Shareholder, Baker Donelson

Overview of Cybersecurity Landscape 2018

• 2017 was the biggest year for malware yet, and the threat keeps growing
• Internet of Things (IoT) security is an emerging challenge for businesses that have little control over the devices on their network and their security
• Social engineering attacks are still successful at fooling end-users and remain one of the primary attack vectors
• Ransomware attacks are now a $5 billion a year problem and continue to grow
• Attackers are taking advantage of 2^nd and 3^rd tier vendors to get into big corporations, driving cybersecurity concerns down the supply chain
• The Dark Web is now a place to buy and sell malicious code for hackers

6 Key Takeaways from EO Atlanta’s Cybersecurity for Small & Medium-Sized Businesses

1. Attack software is getting more sophisticated

• Sophisticated attacks used to be rare
• Now there are marketplaces for malicious code that hackers can buy and deploy (Dark Web)
• Less initiated actors can now perpetrate more sophisticated attacks with less effort

2. Attack surfaces are growing

• The attack surface has increased dramatically as mobile devices have eliminated the traditional network perimeter
• The Internet of Things (IoT) has driven up the number of connected devices on the corporate network. Many times, these devices have the default security settings from the vendor, making them easy to hack
• Each of these devices is a potential access point for hackers to get into your network.

3. SMBs need to improve (2^nd and 3^rd Tier Vendors)

• Risk Assessments conducted by external 3^rd parties are becoming routine
• Organizations are required to document formal plans to define how to respond in the event of an incident
• Organizations must define formal policies to ensure a minimum security standard for their business

4. Attacks based on Social Engineering are on the rise

• Phishing
• Spearphising
• Whaling
• Smishing (SMS phishing)
• Water-Holing
• Attackers look for a popular website that everyone goes to
• The attackers set up a similar non-legitimate site
• Users go to this site and get malware
• NOTE: ISPs are working to detect these problems.
• Recommendation: If you get an alert that says a site’s SSL certificate is expired, don’t click on it. Be Suspicious!

5. Employees are the weakest link

• Employees are often careless or simply unaware of cybersecurity concerns and are one of your biggest threats
• Educational campaigns teach users that clicking on links and downloading files without verifying their legitimacy is a bad idea
• Training is an ongoing need, because once training efforts subside compliance goes down
• Some users are ‘unteachable’ and will continue to click on malware no matter what you do
• Cybersecurity is an integral part of each employee’s job responsibility.
• User engagement, awareness and your culture can directly impact the success or failure of your cybersecurity efforts

6. Risk Mitigation: Insurance, Contracts, and Cybersecurity

• Indemnification clauses in commercial contracts can present a number of potential issues with regard to managing the risk of a Cybersecurity breach
• Traditional indemnity and insurance provisions in contracts are inadequate to properly manage Cyber risk
• Companies need to consider how their indemnification agreements interact with their insurance policies
• Engage experienced legal counsel to review and negotiate indemnity and insurance provisions in contracts. This is an important risk management function for companies doing business today.

“Security is not a destination; there is no arriving.”  – Derek Harp, President, NexDefense, Inc

10 Recommendations for SMBs to Improve Cybersecurity Posture

1. Conduct external Cyber Assessments
2. Develop security policies
3. Security awareness training for workers
4. Apply patches and update software
5. Limit the account access (Least Privileges)
6. Use Password Managers, Ad Blockers, and Anti-virus software
7. Secure mobile devices and WiFi networks
8. Segment your networks
9. Complete and protected backups of all your key IT systems and data
10. Develop a business continuity/incident recovery plan

External Cyber Assessments can help you determine which threats you should care most about and give business owners a starting point to improve their security posture. The ultimate goal of an assessment is to identify weaknesses in your security environment so they can be addressed, reducing risk and improving the organization’s security posture.

“No system is 100% secure. But understanding the threats you face will help you improve your security.”  – Derek Harp, President, NexDefense, Inc.

A common pitfall in Cybersecurity is that many businesses approach cybersecurity challenges as purely a technology problem; however, the data contradicts this, revealing that breaches and attacks are typically user-driven. Technology, standards, and defense-in-depth cannot succeed without engaging employees. Cybersecurity training, communications, and awareness is an integral part of each employee’s job responsibility and a foundational element in the success of your cybersecurity program.

The world of cybersecurity is rapidly changing and cybercriminals have more tools than ever to infiltrate organizations. Every day, more businesses discover they have had a significant cybersecurity incident, meaning becoming a victim is inevitable. While you cannot control where or when you have an incident, companies can reduce the overall risk and improve their response time to mitigate the costs associated with the incident.

Learn how Identity and Access Management can help secure your organization in our new book, Reimagining Identity Management: How To Design, Choose And Implement The Right IAM Solution For Your Business.

Follow @Idenhaus on Twitter and subscribe to our Identity Management biweekly or our healthcare IT biweekly newsletter.

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us