
When Cybersecurity Matters for SMBs

  • Writer: mspaaa
  • Jan 17, 2023
  • 5 min read

Updated: Jul 9, 2023

A business mentor of mine would often say, "SMBs always feel they need stronger IT Security until they have to pay for it".


Sure, he was being somewhat facetious, though at the time his message also made some sense. Companies were always selling "a box" or a new software application to improve IT security. And then there was the total cost of ownership (TCO) associated with any new purchase. It wasn't just the initial expense of the product or implementation service, but the maintenance, support, upgrades, training, and the list goes on and on. Most SMBs wouldn't entertain purchasing more than a basic firewall, anti-virus software, and a simple backup solution once they understood the full price.


So when does cybersecurity matter for small and medium-sized businesses? The simple answer - it always has, but more so today. Technology is more complex and more sophisticated. Cyber threats and threat actors are more advanced. Some are also highly organized and well funded.


On a positive note, the technology used to prevent and respond to cybersecurity threats has also become more sophisticated, and the cost of entry is tolerable for most SMBs.


Strongly consider the following practices to improve the cybersecurity hygiene of your small or medium-sized business:


  1. Define your stakeholders - business sponsors, key consultants, and other employees who play an active role in maintaining security and responding when necessary.

  2. Implement security awareness training for all technology users immediately.

  3. Reduce or eliminate server resources when possible and transition to a reputable public cloud provider, such as Microsoft Azure and M365.

  4. Partner with a reputable MSP or consultant that understands how to properly configure cloud resources for an appropriate balance of functionality and security. This is critical. Moving to the public cloud is not foolproof - it still takes qualified professionals to scope, implement, and maintain it, and it always will. This is especially true for scoping and configuring the correct M365 and Azure entitlements necessary to take advantage of a "modern SMB network".

  5. Reduce account and password sprawl. Federate identities and leverage SSO when possible. Use a password manager for accounts that cannot be integrated and avoid reusing the same passwords. Never use the same passwords for personal and business resources.

  6. Implement a strong MDM solution, such as Microsoft Intune. Require all computers and devices to be controlled or partially managed. Intune has terrific flexibility for corporate owned and BYOD devices.

  7. Remove unneeded software from computers. Standardize installed programs and related settings whenever possible. This reduces the attack surface and the amount of general upkeep required (you really don't need 5 Internet browsers installed on your computers...). Vulnerability scanning is now considered a critical and standard component of even SMB network services. Most MSPs will not provide this service by default for a variety of reasons, mainly because they either don't have the technology already deployed and do not want to incur the cost, or they can scan for vulnerabilities but do not have a tool to adequately patch all of the software that will report as vulnerable.

  8. Similar to vulnerability scanning - always apply critical security patches. This doesn't stop at the operating system or the applications installed with the operating system - it's all software installed on all computers.

  9. Remove elevated rights from computer users. Limit administrative privileges to a select few, and only log in with administrative privileges when necessary to make changes to a system.

  10. Understand the basic concepts of recovery point objectives and recovery time objectives (RPO and RTO) when thinking about your data backup and recovery needs. How much data can you afford to lose, and once someone says "start the recovery", how long do you believe is acceptable to wait until you are back up and operational again?

  11. Ensure all data is backed up and stored in a way that it cannot be overwritten during a cyber incident. Ensure backup data is encrypted. This includes cloud locations such as OneDrive, Exchange, Teams, and SharePoint too, as Microsoft does not natively provide backups for these services. Default versioning and "recycle bins" are part of a recovery solution, but are not considered backups. This is often overlooked by many SMBs.

  12. Test your backups. Ensure this is done on a predictable schedule, and file audit evidence of each test.

  13. MFA, MFA, MFA - there are many different flavors. We are big fans of Duo for mixed environments, but much bigger fans of MS Windows Hello for Business for companies running exclusively on Windows 10/11 or higher endpoints. When done correctly, WHFB can be configured in a secure way that disables traditional password use and requires MFU, or "Multi-Factor Unlock". This technology can even use your cell phone as one of the "factors" to unlock your computer. The FIDO2 key option is also incredibly simple to set up and very secure.

  14. Enhance access control with identity-driven signals and decision controls for device and user identities. Azure Conditional Access Policies are a great way to do this.

  15. Encryption everywhere - at rest and in transit. Having the correct M365 licensing and implementation strategy can ensure all devices are configured automatically.

  16. Endpoint firewall - gone are the days when most SMB computers connected to a corporate firewall 100% of the time. Select environments may choose a form of always-on VPN technology for various reasons, though we strongly recommend enabling endpoint firewalls on all computers. Again, a good MDM such as Intune can help manage devices and ensure they are "compliant".

  17. Modern anti-virus with EDR capabilities - Microsoft Defender ATP is a great product that integrates directly with Intune. There are too many modern features to list in this blog entry! Additionally, there are reasonably priced "Security Operations Center" or SOC services that will provide 24x7 monitoring too.

  18. Consider using an endpoint VPN service if you must anonymize traffic or when connecting to company resources from untrusted networks. Although endpoint VPN is becoming less necessary, there are still specific use cases where it is beneficial and specific attack scenarios where it will always be helpful.

  19. Evolve beyond file permissions for data - it's not just about securing where the data "lives", but also where it "travels". By way of example, if John has access to the HR file data on a traditional file server or SharePoint document library, and Lana does not, John can download the data and send a copy to Lana; Lana could then read the data and continue to distribute it to others. Advanced data labeling and classification technology would prevent this from happening, even if John emailed a copy of the data to Lana or copied a file to her computer. With this level of protection, Lana would have the file, but the file would be encrypted and she would not be able to open or review its contents.

The preceding, and more, can be achieved by businesses of all sizes. From 1 employee to a couple hundred, similar licensing and methodologies can be implemented with great success.


Take a look at CISA's Cyber Guidance for Small Business for more information: https://www.cisa.gov/small-business





© 2024 mspaaa.com
