Third in a series on security for SMBs:
- Link to Part 1 here.
- Link to Part 2 here.
We talk a lot about defense in depth, but that term has grown overly broad, muddying the waters. Let’s simplify the concept and how SMBs can apply it:
In a defense-in-depth strategy, the layers of security mutually support and reinforce one another.
While some vendors see it as adding feature sets to a single technology -- endpoint or firewall features, for example -- we see it as something far greater: the art of layering multiple technology types or services while reducing operator burden.
In practice, this means regular training combined with simulated phishing and other simulated attacks that cover the ways attackers try to breach an organization through its users.
On top of that we layer endpoint security, web security and DNS protection (including handling DNS over HTTPS, which bypasses conventional resolver-based filtering unless it is managed), alongside backup and recovery. The layers are mutually supportive and form a feedback loop: a shared threat intelligence platform passes what one component sees to the others in real time, helping the organization stay resilient against different types of attacks.
By combining the latest detection, protection, prevention and response technology with consistent attack training and engaging content, IT security departments can tackle the people, process and technology combinations needed to successfully mitigate attacks.
A business that relies on a single layer of security leaves multiple attack vectors open to exploitation and lengthens the time it takes to detect a threat on its network. Together, those two gaps make the business far easier for an attacker to compromise.
Defense in depth amid the pandemic
The COVID-19 pandemic has had a massive impact on how companies implement defense in depth, and many are asking how it will change best practices for defense in depth in the future.
Even before the pandemic took hold in early 2020, many businesses had adopted part-time and full-time remote work. With that shift, companies began to confront the security challenges of a dissolving network perimeter.
The user has become, arguably, the single-most-important threat and asset to an organization.
Attackers exploit fear, uncertainty and doubt to manipulate individuals into clicking a malicious link. In response, we have seen a rapid and growing trend of businesses taking user education seriously and building a security culture focused on sustained behavioral change, not just compliance.
Combining training with real-world testing, that is, simulated phishing attacks, has been shown to pay major dividends when it comes to staying safe, and can result in up to 90% less malware on networks than businesses relying on an endpoint protection product alone.
Organizations that have adapted well to the work-from-anywhere phenomenon track the latest risks and threats faced by the company, and actively provide tips to staff about cybersecurity trends and best practices. Business leaders that embrace the importance of security awareness training incorporate reminders and updates about cybersecurity into ‘all hands’ meetings and other important company updates to underscore the importance and purpose of investing in cyber resilience.
Key actions successful businesses can take include:
- Reviewing backup and recovery plans and re-testing their robustness to account for changes in people and locations
- Conducting a ‘privilege audit’ of permissions, checking all existing accounts, processes and programs to ensure that each has only the permissions needed to do its job
- Locking down Remote Desktop Protocol (RDP): not exposing it directly to the internet, requiring Network Level Authentication and TLS so sessions are encrypted, and protecting logins with 2FA/MFA (multi-factor authentication)
- Reinforcing a strong password policy and making multi-factor authentication mandatory wherever possible, especially for administrative accounts, to reduce the risk of a privileged-account breach
- Reviewing and amending the patch management program so the business’ software is updated, patched and secure no matter where the device is
- Enabling users as a line of defense. For example, a simple but effective change is to ask employees to change their home router password from the factory default and to keep the router’s firmware updated and patched
- Educating end users about phishing and spam, and running regular security awareness and phishing simulations
- Ensuring employees know when and how to report a suspicious message or activity
- Reviewing the layers of security: the person, the device, the network connection and the cloud application each form a layer of risk
- Installing reputable cyber-security software that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages
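Two of the items above, the privilege audit and the RDP lockdown, can be checked on a Windows endpoint without any vendor product. The script below is an added example written for this page; it is not code from the article or from Webroot/OpenText. It assumes Windows 10 / Server 2016 or later (for the NetSecurity and LocalAccounts modules that ship with them), an elevated session, and a list of accounts you expect to hold local administrator rights (the `$ExpectedAdmins` default is a placeholder). It is read-only: it reports, it does not change anything.

```powershell
# Added example: read-only audit of RDP lockdown and local-admin membership on one
# Windows endpoint. Not part of the original article. Requires an elevated session.

function Test-RdpAndAdminPosture {
    [CmdletBinding()]
    param(
        # Assumption: the accounts you expect in the local Administrators group.
        # Anything else is flagged for the privilege audit.
        [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is RDP enabled at all? fDenyTSConnections = 1 means remote desktop is off.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    if ($rdpEnabled) {
        $rdpTcp = Get-ItemProperty `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

        # 2. Network Level Authentication (UserAuthentication = 1) makes the client
        #    authenticate before a session is created, shrinking pre-auth attack surface.
        if ($rdpTcp.UserAuthentication -ne 1) {
            $findings.Add('RDP is enabled without Network Level Authentication')
        }

        # 3. SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
        if ($rdpTcp.SecurityLayer -ne 2) {
            $findings.Add("RDP SecurityLayer is $($rdpTcp.SecurityLayer); 2 (TLS) expected")
        }

        # 4. Which remote addresses may reach the inbound RDP firewall rules?
        #    'Any' on a laptop that roams onto home Wi-Fi means the port is open to that LAN.
        $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
                                     -Enabled True -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $addr = $rule | Get-NetFirewallAddressFilter
            if ($addr.RemoteAddress -contains 'Any') {
                $findings.Add("Firewall rule '$($rule.DisplayName)' allows RDP from any address")
            }
        }
    }

    # 5. Privilege audit: every member of the local Administrators group, with the
    #    COMPUTER\ or DOMAIN\ prefix stripped so it can be compared to the expected list.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $_.Name.Split('\')[-1]
    }
    foreach ($name in ($admins | Where-Object { $ExpectedAdmins -notcontains $_ })) {
        $findings.Add("Unexpected member of local Administrators: $name")
    }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        LocalAdmins  = @($admins)
        Findings     = @($findings)
        Pass         = ($findings.Count -eq 0)
    }
}

# Usage: run locally, or push the function to many machines with Invoke-Command
# and collect the objects centrally.
Test-RdpAndAdminPosture | Format-List
```

Two caveats. The script cannot see whether MFA is enforced for RDP, because that normally lives at a VPN or remote desktop gateway rather than on the endpoint; that item still needs to be checked where the gateway is configured. And a clean `Pass` only means the endpoint matches this checklist on the day it was run, so the check belongs in a scheduled job, not a one-off.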
By George Anderson, Director, Product Marketing, OpenText SMB&C
George has spent the past 20 years in the IT Security industry in roles for Computacenter (Europe’s leading systems integrator), global product marketing lead for Clearswift (a data loss prevention, email and web security vendor) and for the past 9 years with Webroot where he is currently responsible for product marketing for their business security division – Endpoint and DNS Protection and Webroot Security Awareness Training.