No security experts on staff? You can still have a robust cybersecurity program
Over the last 12 months, you certainly have heard about an increasingly complex and sophisticated barrage of cyber threats. However, if your business has a limited number of IT staff and resources, you may be questioning whether having comprehensive data protection is even possible. As we have seen, cyber-attacks are not only impacting larger enterprise organizations. They affect companies of all sizes, many of which can’t afford to build and manage a Security Operations Center (SOC) with technology and skilled security staff needed to detect and contain these attacks 24 hours a day.
It may feel daunting as a smaller organization, cybercriminals might have an inherent advantage. However, many small to midsize organizations are still relying solely on basic protection like anti-virus and firewalls. Just having these baseline protections is simply not enough, and you do not have the luxury of just ignoring the situation.
There are rays of hope for organizations without security teams to begin deploying comprehensive cybersecurity and make significant improvements in their posture.
A great place to begin is by completing a thorough cybersecurity assessment. These assessments come in lots of flavors. What you are aiming for is an inventory of what assets and data are being protected, what weaknesses may exist in your current environment, and what your baseline cybersecurity "grade" is so that you can track improvement after future re-assessments. Today, many organizations assess their cybersecurity posture against a reputable framework such as NIST, which may include hundreds of controls to review and map against. Organizations often will conduct these assessments by way of using consultants, questionnaire-based software tools or simply excel.
Beyond a cybersecurity controls review, technical testing is an important part of a cybersecurity assessment as well, and it will further assist in identifying weaknesses in systems that attackers may utilize to be successful in their attacks. Organizations should be assessing their networks, devices, and web application for vulnerabilities. The deployment and use of vulnerability scanning tools can assist in identifying IT resources that have vulnerabilities that may need to be remediated before an adversary utilizes them in an attack. Most scanners will produce detailed reports ranking the vulnerabilities (Ex. Critical, Medium, low) and providing remediation steps and tips.
A secondary level of technical testing may include the assistance of ethical hackers who can perform penetration testing of your systems. These experts utilize an array of technology tools and manual techniques to attempt to compromise internal and external systems and provide detailed reports of their findings, risk ratings, and recommendations.
One hidden advantage to conducting a thorough assessment upfront (and on an ongoing basis) is that it gives you a way to open conversations with other internal business stakeholders. These conversations often include non-IT leadership and may involve reviewing what weaknesses, vulnerabilities, and gaps you presently have in your cybersecurity protections along with identifying what needs to be rectified- a critical first step to developing cybersecurity budgets.
Your layered assessment should not only review your technical defenses and controls but also review how your organization establishes security expectations through the deployment of policies. Policies and procedures are important tools in your cybersecurity program. For example, your Technology and Data Use Policy set the tone for how users are expected to interact with computers, systems, and applications. This should include employees and contractors you may partner with, which will help protect you from supply chain risks.
Cybersecurity is not a project performed one time but rather as an ongoing program. Therefore, this assessment process should be continuous and done at a regular frequency. For example, perhaps you may choose to perform penetration testing on your systems annually and review vulnerability scan reports monthly to check your posture continually.
Beyond the Cybersecurity Audit
With your assessment results providing a benchmark for improvement, you will take the next steps to protect the organization from the varieties of malicious activities that cybercriminals use; for the newest threats, you will need a comprehensive layered approach.
For example, many initial cyberattacks use email as the attack vector. According to the Verizon Data Breach Investigations Report, 94 percent of malware was delivered to victims by email, whether using spear phishing’s more specifically targeted methods. In these impersonation attacks, attackers act as an internal business leader, customer, vendor, or broader approach to sending curiously written emails with enticing malicious links and files duping users into interacting with them.
Given the high percentage of email attacks, it stands to reason that any sensible data security program will include providing continuous regular employee training on how to recognize and avoid phishing attacks.
The second area of focus should be on employee credentials that access your computers and networks. Verizon found that 37 percent of the over 150,000 attacks they had investigated involved stolen or improperly used credentials. It’s been seen that during many of the breaches today, criminals are targeting to steal usernames and passwords. Once obtained, they can be used in successful attacks, especially since password recycling (using the same password on multiple applications) is common. In addition, numerous organizations are still not protecting their systems with multi-factor authentication. Preventing account takeover is essential.
Organizations must continue to deploy password management solutions that can be deployed to system users and proactively utilizing solutions that search for compromised credentials being dumped, traded, sold, and shared between criminals.
A third area to consider is that cybercriminals are continually trying to defeat current protection technology deployed on target systems. Recent incidents are revealing that attackers are first testing and then successfully enabling their attack methods directly against some of the top endpoint detection systems by designing them to avoid their detection and/or disabling them during the attack.
Suppose there is only a single layer of endpoint protection in place, and an attacker can defeat the blocking and tackle at that level. In that case, it leaves an organization requiring additional monitoring and detection systems to alert of Indicators of Compromise beyond traditional endpoint protection which is often not seen in smaller organizations.
The Role of the SOC
The backbone of most large enterprise organization’s security is the Security Operations Center (SOC). This operation conducts ongoing testing, scanning, monitoring, and response using advanced technology along with the human element provided by cybersecurity experts. The SOC takes an organization’s cybersecurity beyond traditional blocking and tackling solutions such as anti-virus and firewalls to include continuous assessments, threat hunting, and response.
Unfortunately, most small to midsize organizations will likely not be able to build a Security Operations Center (SOC) given the lack of skilled internal resources and budget. The cost of a small SOC with tools, maintenance, and cybersecurity experts will cost $1,000,000+ per year, well out of reach for smaller organizations. In response to these constraints, smaller organizations are moving to outsource this function to Managed Detection and Response (MDR) providers who can provide these services to their organization for a fraction of the cost of building it themselves, often with enhanced services including containment, incident response, and remediation.
Cybersecurity IS Within Reach
With some effort and investment, any organization can implement robust cybersecurity with the right tools. Tools to automate threat and vulnerability detection, build a comprehensive set of policies to foster secure behaviors, set up a regular training program of employee security awareness and utilize a SOC to hunt, detect, and remediate incidents as they occur. As shared, it is not necessarily easy to do it on your own. Many best-of-breed tools can be expensive and when deployed as numerous single-point solutions, it can be exhausting to manage.
Attacks are increasing in rate, target all sizes of organizations, and include a vast number of attackers with an unlimited amount of time to figure out new attack methods. To that point, protecting data across your entire organization does not mean you need to build your own SOC or hire an internal team of security experts to manage it 24/7. Instead, find solutions that combine multiple tools and expertise to provide complete visibility and control of your entire cybersecurity landscape. With this in place, you will have what you need to assess and build a program to continuously improve cyber-hygiene, automate vulnerability and threat detection, foster a robust internal cybersecurity culture, and contain threats before they cause further damage.
Rob Simopoulos is the Co-Founder of Defendify, the all-in-one cybersecurity platform that makes cybersecurity possible for organizations without security teams. In his 20+ years in the security industry, he has received awards and recognition from many trusted industry experts and publications. You can reach Rob at [email protected]