This article is part of a series exploring the cybercrime threat facing small and mid-size organizations (SMBs), and how such organizations can mitigate their risk of compromise. In Part 3, we cover the products and solutions needed to secure small business environments.
Having covered the need for information security policies, we now come to what most people associate with cybersecurity: products. Notice I said “products” and not “product” – there is no magical, “fix-all” widget on the market right now (and likely never will be). Cyberattacks come from a wide range of sources, through a wide range of entry points, using nuanced and often highly sophisticated methods; therefore, you should deploy a set of cybersecurity solutions that is equally diverse and sophisticated.
So, what products do you need in your network? In a $100+ billion cybersecurity industry, there is seemingly a “solution” for anything and everything; however, we are going to cover the essentials here. The following are the products and solutions we believe every organization should properly deploy in its IT network:
Patch management
What it does – Ensures your device operating systems and locally installed applications are updated with the latest versions, bug fixes, and security patches against known vulnerabilities. The software vendors your business uses create and release such patches on various schedules; many then push notifications prompting you to update.
Much of this can be done without a separate product (in theory), but it becomes increasingly difficult as companies grow and deploy more software platforms. If you don’t want to manually manage each update/patch for each device and app, you’ll want to acquire central patch management services. This is usually facilitated by an IT team using remote monitoring and management (RMM) tools.
Why you need it – Because working with the latest versions of supported software not only keeps production running smoothly, it also reduces the software’s exposure to compromise. Listed as the #4 recommendation in the Verizon 2018 Data Breach Investigations Report, prompt patching is key to reducing the risk of cyberattack.
Food-for-thought – Many don’t realize there is a never-ending cat-and-mouse game between software companies and cybercriminals. A software company releases a version, a cybercriminal finds and exploits a vulnerability, the software company fixes the vulnerability and releases an update – wash, rinse, repeat. Follow the basics: patch your software!
Encryption
What it does – This software uses cryptography to prevent unauthorized access to your data. There are solutions for file-level and disk-level encryption, and for data at rest and in transit, with most requiring a “key” to decrypt the data.
Why you need it – One of the most effective ways to reduce your risk of exploitation in the event of a cyberattack is to render the affected data (essentially) useless to the attacker. It is much easier to encrypt the data than to prevent the dozens of ways to expose or steal it. The U.S. Small Business Administration, the Verizon 2018 Data Breach Investigations Report, and the National Cyber Security Alliance all list encryption of sensitive data among their top recommendations for cybersecurity (see the NCSA technology checklist).
Food-for-thought – Not all company data needs to be encrypted (or should be) – identify sensitive data and make that your priority.
Endpoint protection
What it does – Known to many as “antivirus”, endpoint protection platforms are much more robust. Many combine antivirus, anti-spyware, a personal firewall, application control, and other host intrusion prevention capabilities into a single, cohesive solution. In many respects it is the core product for protecting an end user. Endpoint solutions monitor, alert, and remediate against macro, application, file-based, and other attack types.
Why you need it – Each device connected to your network is a potential entry point for security risks – you must secure at the device level. Relying on employee discretion, a spam filter, or a firewall alone is a single-point-of-failure approach – it will fail you. Deploying endpoint protection is #1 on the previously mentioned U.S. Small Business Administration’s Top Ten Cybersecurity Tips.
Food-for-thought – Perhaps more than other cybersecurity products, there is extreme variance in the endpoint security software market. Many are not worth their salt (including that freemium stuff you may be using), so make sure you use discretion and pick a reputable business platform. Endpoint protection is a foundational cybersecurity tool needed to combat the attacks we covered in Part 1 (macro malware, ransomware).
Firewall
What it does – At a basic level, a firewall is “a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules”. In practice, though, “firewall” can refer to anything from a router with some URL filtering to an enterprise-class Unified Threat Management (UTM) appliance with VPN, firewall, intrusion prevention, and content filtering capability. This product should be the “firewall” between your network (LAN) and everything outside it.
Why you need it – Without a firewall, there is no way for an organization to control who or what goes in and out of its network. A good firewall solution can facilitate routing of traffic, content filtering (increased productivity and reduced risk), VPN (secure remote access), and blocking of malicious entry into the network. There is no such thing as a safe network without a good firewall at its core (and yes, it is high on the SBA Cybersecurity Tips list).
Food-for-thought – Changes in technology architecture and rapid evolution in cybercrime techniques have led many to believe that traditional firewalls are increasingly deficient in their ability to prevent attacks. With so many entry points out there, businesses are turning to next-generation firewalls and UTMs to cover more of their bases. Moreover, firewalls are not set-it-and-forget-it products – you need to proactively monitor and update both the firewall and the network policies.
Email filtering
What it does – Email filtering often refers specifically to spam filtering, or the automated filtering and interception of incoming/outgoing mail based on policies and “blacklisted” email addresses and domains. This service can be sourced through third-party solutions, though many business-grade email platforms provide filtering natively.
Why you need it – 92% of malware attacks come through email. Email filtering blocks a lot of small threats at the most popular entry-point and saves a lot of “inbox headache” as well.
Food-for-thought – Many small organizations still deploy POP- and IMAP-based email service. If you are one of these organizations, the best thing you can do for your digital safety is move to Office 365 or G Suite. These platforms are the industry leaders, providing quality email filtering and reliability. If you are still using an on-premises email host, make sure you are using a reputable, dedicated service.
Physical security
What it does – Physical security is used here as an umbrella term for measures and tools to deter and prevent unauthorized physical access to IT and data assets. This includes door locks, alarm systems, secure network rooms, and lockable cabinets and desk drawers.
Why you need it – The latest-and-greatest in cyber tech will be “all for naught” if someone steals your hard drives (which were sitting in an unlocked closet) from the office. Theft and larceny are still threats to small businesses and must be accounted for in your cybersecurity program. Many government and regulatory authorities recommend or require physical security measures (e.g. PCI DSS Requirement 9).
Food-for-thought – A good start would be to make sure your server and network core are in a secure room with limited access. Another fundamental step would be the establishment and enforcement of a clean desk policy (to be part of your information security policy). Next-level steps might be alarm systems and measures to lock computers up while away.
Data backup
What it does – Ensures data is securely copied and stored on a separate device or location from where the primary data resides. This product category is very diverse, including (but not limited to):
- Internal-redundant drives
- Direct-attached storage
- Network-attached storage
- Storage arrays
- Cloud-data backup
- Off-site, mirrored servers
Why you need it – In the end, there are no guarantees in cybersecurity; therefore, you need data backups. While not technically a cybersecurity product, any good cybersecurity program includes data backup as a last resort. An easy example of this principle is ransomware attacks. Should your organization get hit by the latest variant of ransomware, you simply restore the image backup from that morning (rather than bemoan permanent damage).
Food-for-thought – When it comes to data backups selected to contend with cyberattacks, location is key. A direct-attached external drive is great for failed updates and hardware failures, but not for ransomware: many ransomware attacks can find and encrypt mapped drives, rendering your backup useless. Offsite (e.g. cloud) options will be needed for such scenarios.
Next-level tools: password tools
Once your business covers its bases, you might evaluate tools to augment passwords. Single-factor authentication is far too easy to subvert (and we all know employees are known to use weak passwords… which they never change). Moreover, user credentials are the target of many popular cyberattack methods, like social engineering, phishing, and keylogging. Here are two ways your business can attack this problem:
Multi-factor authentication – Number six on Verizon’s top recommendations (2018 Data Breach Investigations Report), and a technology you’ve likely already used on the consumer side. Major tech companies like Facebook, Google, Twitter, and Yahoo! have been pushing such features to their users in light of highly publicized breaches.
This transformation is happening on the business side too, from the business application side, to the network admin side, to third-party solutions. Only 28% of people use 2FA, but this number will grow as passwords continue to fail as a security measure.
Password managers – Another (or additional) way to strengthen authentication is to deploy password manager tools. Wouldn’t it be nice if you could just remember one tough password and let a tool create and remember a thousand others? That is exactly what password managers do.
Some are better than others, but the reputable platforms are a great way to turn a security weakness into a strength. The trick with password managers and 2FA is proper deployment and company administration.
The right tools for the job, paired with the right management
If you want to reduce the risk of cyberattack in your network(s), you need to take a strategic, multi-faceted approach in your cybersecurity program. The seven product categories listed here are each pillars of a larger defense program necessary to combat today’s cybercriminals, and unfortunately, none of them are “set-it and forget-it”. Each product your network deploys will need ongoing management, support, and maintenance to ensure peak performance and security.
Also, remember that each security product vendor will claim to provide “advanced” or “next-gen” technology. This simply isn’t true across the board, and you will have to sift through the options to find the right solution for your needs. Let’s just say that “you get what you pay for” applies to the cybersecurity industry. Lastly, while the products covered in this article are key to any small business cybersecurity program, there is one asset which is more valuable (and more dangerous) than any of them: your employees. Strengthening that resource/weakness is what we will cover in Part 4.