Small Businesses: How to Improve Your Security on a Budget
An unfortunate truth is that threat actors don’t discriminate when choosing victims. Great—inclusive criminals. As long as there’s an opportunity for financial gain, it doesn’t matter how big or small an organization is. Therefore, 61% of small businesses reported at least one cyberattack during the previous year, according to Verizon’s Data Breach Report. This makes the enduring misconception that SMBs are immune from the worst attacks troubling. That may have been closer to the truth in years past, but we’re in a different world now.
Threat actors have near unlimited time and resources to not only get inside your system, but to sift through your files, determine your revenue, and demand a ransom to match. The most successful attacks are often researched and tailored to exploit the victim once they’ve gained access into their systems.
If this doesn’t seem like a fair fight, you’re right. Threat actors don’t care about the human element of your business or the consequences of going offline for days at a time — in fact, that’s better for their leverage. But with the right security measures, you don’t need to rely on chance to protect your organization from potential disaster. You can reduce the damage even the most innovative criminals can bring (and we’ll help!)
Protect Your Email
Business Email Compromise (BEC) is one of the most common forms of social engineering attack. The objective of a BEC is for a threat actor to gain access to a user’s email account and attempt to dupe others into transferring funds into an attacker-controlled bank account. Cybercriminals can also access sensitive information once inside, which is why protecting email at your business should be a priority.
#1: Stay ahead of threat actors.
The best way to prevent social engineering attacks from succeeding at your organization is through awareness and education. What an employee doesn’t know will hurt them —and your business. Security awareness training and phishing simulations teach staff common signs to watch for so they don’t fall victim to sly social engineering attempts.
On a budget: AWS, Wizer and Curricula are all free-to-use options.
Security splurge: KnowBe4 is an industry-leading (paid) option.
#2: Have a defensive line.
Enforce multi-factor authentication for all accounts. Even with the best training, we are all human — and we’re all busy! — so it’s not unimaginable that someone may still fall for a convincing phishing attempt. The next line of defense is blocking threat actors from making it inside. Requiring users to provide two or more credentials in order to gain access will create an additional obstacle for threat actors attempting to break into your system.
On a budget: Microsoft Authenticator and Google Authenticator are free-to-use.
Security splurge: DUO Mobile. Why spend? It offers a wide breadth of coverage, various advanced security tools, and effective integration.
#3: Technology is your friend.
The use of email security tools are on the rise. We saw a 158% increase of their use in 2021, but that’s still only 16.8% of users across all industries. Considering the preventive power of these tools, more widespread use is definitely encouraged. They can scan attachments and URLs to spot obvious spam messages, but also highlight when a potential phishing link is bringing you to a bad site.
On a budget: Standard Microsoft and Google filtering. These stop basic spam, but can be slightly tailored to your needs.
Security splurge: An investment in their advanced licenses. Consider this as you grow your business to unlock more security features from Microsoft and Google.
#4: Verification, always.
Enforce Out of Band Authentication (OOBA) to verify payment change details. To avoid a typical BEC scenario — maybe a customer has been requested to update their payment details for an invoice payment — but the request was made by a threat actor using your email credentials. This can be avoided in a pretty straightforward way. Set expectations with your clients in advance to ensure that a phone call is made if there are any changes to payment processes.
Protect Your Credentials
Our digital lives exist entirely behind usernames and passwords. Being smart about how we protect our accounts matters. Sadly, this means you can’t keep using the password you came up with five years ago for every single website you access. We know you probably know that already, but we mean it. Update your passwords!
#1: It’s in the vault.
Password management vaults are your friend. You don’t need to memorize a bunch of different password combinations or hope for the best as you repeat the same login for every account. Instead, they’ll store your passwords so you only have to remember one as they repopulate options for you.
On a budget: LastPass, KeePass, Dashlane
Security splurge: 1Password is available on all devices, supports multi-factor authentication, and has easy-to-use organizational tools.
#2: Cybersecurity golden rule.
We said it with email, but we’ll reiterate. Enforce MFA on all applications that support it. Plus, an added suggestion to help manage your credentials: incorporate SingleSign On (SSO).
Protect Your Endpoints
#1: Important abbreviations — Next-Generation Antivirus (NGAV) & Endpoint Detection Response (EDR).
Next-Generation Antivirus and Endpoint Detection Response are a worthwhile investment to protect your endpoints against new variants of malware. They pinpoint anomalous activity and suspicious behavior within your system based on AI and Advanced Machine Learning. While Windows Defender is a free Antivirus option, it only detects low-hanging fruit which leaves you vulnerable against more advanced attacks. We recommend investments in either SentinelOne or CrowdStrike Falcon to be installed on all laptops, desktops and servers.
Protect Your Remote Access
#1: Ditch accessible Remote Desktop Protocol (RDP).
Having externally accessible Windows Remote Desktop is a major red flag. Attackers love to see this — you don’t want to please the threat actors — because it allows them easy access to your systems through brute-force or stolen credentials.
#2: Explore new security options.
You wouldn’t be alone in dumping RDP. Over the course of a year, we’ve seen the overall presence of open RDP ports drop by 50%. Organizations are moving towards more secure options, especially as remote work seems to be here for the long haul. Focus on VPN solutions or shift to Zero Trust Network Access, which takes the concept of VPNs and bundles it into an easier to set up and manage option.
Protect Your Backups
A robust backup strategy is one of your strongest assets in the event of a breach. You’ll find yourself in a much better position if they are up-to-date, secure, and layered when a threat actor is dangling a decryption key over your head.
#1: Create a moat for on-site backups.
Your on-site backups are your heavy-lifting defense against attackers. That’s why we recommend you isolate these as much as possible because they will get your systems up and running the fastest. You don’t want them to get deleted (so immutable backups are a good idea).
#2: Don’t put all your eggs in one basket.
Leverage off-site backups, too! Cloud software makes this easy with seamless integration and an easy setup. Tape backups are another option, which gives you a physical copy of your data that can be stored a legitimate distance from the source. However, this will introduce a slower recovery process.
TL;DR: Good Security Is Complex, but Achievable (Even on a Budget)
Take it one step at a time and focus on the key areas we mentioned: your email, credentials, endpoints, remote access, and backups. Everything highlighted above will help mitigate your risk and reduce the blast radius if you encounter cybercriminals looking to exploit your organization.
For more information, you can watch our discussion on best practices for SMBs here. If you’re looking to make progress in your cyber hygiene — but aren’t sure how to start — you can also consult with security experts through our vCISO services.
What’s the difference between your most overprepared travel buddy and a cybersecurity pro?
The following interview was originally published as part of Corvus’s quarterly Cyber Risk Aggregation report, known as the Nutcracker Report. We deliver these insights on trends in the aggregation of cyber risk to a select group of reinsurers, reinsurance brokers, and program managers. If you’d like to receive the report in the future, please send your inquiry to email@example.com.