It will come as a surprise to very few reading this article that small- and medium-sized businesses (SMBs) are prone to and concerned about cyber attacks. Any business using internet-connected assets—and you’d be hard-pressed to find an organization today that isn’t—is a prospective target of cyber criminals. Every business maintains some repository of attractive data, or systems that connect to those that do. This makes every business vulnerable. SMBs are a juicy target for adversaries because it can be assumed that these organizations have fewer resources to secure assets and data than their big kahuna counterparts (which may be the ultimate mark). They are therefore less troublesome to compromise (though the bar for more-resourced companies seems to be set somewhat low, too) yet provide the access that criminals want (see: Target, Home Depot, Boston Medical Center, or CVSPhoto as poignant examples).
Well I was born in a small town
To understand the scope of the problem, Ponemon Institute, sponsored by Keeper Security, conducted the 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) survey and published its results in September. Approximately 600 business and technology professionals from companies with fewer than 1,000 employees were surveyed about the state of cybersecurity at their organizations. The results (though a bit sad) are predictable: More SMBs experienced a cyber attack or breach in FY2017 than they did in FY2016, and they feel ill-equipped to deal with the scope of the problem.
Source: Ponemon 2017 State of Cybersecurity in Small and Medium-Sized Businesses (SMB)
Though the number of SMBs experiencing compromises isn’t shocking, what is somewhat bewildering is these organizations’ approaches to managing certain aspects of security. Up from last year, 54% of respondents said that “negligent employees are the root cause of data breaches.” Correspondingly, phishing was the primary attack mechanism for 48% of companies. Yet only 43% of respondents said the company bothers to maintain password policies, and of those companies that do implement password policies, 68% said the policies are not strictly enforced.
OK, so, “negligent” employees/contractors are the prevailing problem in allowing breaches, yet fewer than half of companies think they need to put a policy in place—including the requirement for helpful techniques like two-factor authentication—that can help mitigate the problem. Even if you’re thinking, “A policy is one thing; security operations is another,” 59% of respondents said they do not have visibility into employees’ password practices “such as the use of unique or strong passwords and sharing passwords with others,” and almost half of those surveyed said they can’t monitor employee behavior. This line of thinking is curious because it puts the onus for cybersecurity on non-security professionals: Users are the problem, but we have not taken measures to disallow risky actions.
And I live in a small town
If a major business risk has been identified (and the high numbers of breaches and attacks reported by SMBs would indicate that it has), wouldn’t it logically follow that IT and security, in collaboration with the business, would act to shore up policies and controls? Yet the data from this survey indicates that it’s business leaders (including those in IT/security) who are negligent in setting those policies, and IT/security teams who are failing to implement technical controls to measure and manage vulnerabilities and risks.
Survey data are only useful if the results are used to improve upon processes and procedures—to do something about the problems identified. In security’s case, talking about “the state of the state” isn’t hardening our organizations against adversaries’ actions. Instead of just reading this (or any) survey and thinking, “Huh, that’s interesting,” we should read these reports as a call to action. In this case, it’s clear that SMBs need to take another look at how the executive team is addressing the problems of phishing and access controls. This can start with outlining a strict password (or general acceptable use) policy and enforcing it, something all organizations should be able to do, regardless of size. The next step is implementing tools that provide visibility into what’s happening on the network. When it comes to insisting on strong passwords, prohibiting the use of default passwords, and not allowing reuse of passwords across systems, SMBs don’t necessarily have to buy expensive tools to accomplish this. Windows, for instance, has many of these capabilities (and others) built in—organizations need only look.
Source: Windows admin console screenshot
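As an added illustration of the point above (example code written for this article, not something from the Ponemon report or from Windows itself), the script below audits an Active Directory domain’s default password policy against a baseline, lists accounts that can sidestep the policy, and only changes the policy when explicitly asked. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on a domain-joined host and that the account running it may read, and for remediation modify, the domain policy. The baseline numbers are assumptions chosen for illustration, not figures from the survey.

```powershell
# Added example, not from the article: audit the default domain password policy
# with built-in Windows tooling. Requires the ActiveDirectory module (RSAT) and
# a domain-joined account with rights to read (and, for -Apply, change) the policy.
Import-Module ActiveDirectory

# Baseline values are assumptions for illustration; adjust to your own policy.
$Baseline = @{
    MinPasswordLength           = 14     # minimum characters
    PasswordHistoryCount        = 24     # remembered passwords, blocks reuse
    ComplexityEnabled           = $true  # require mixed character classes
    LockoutThreshold            = 10     # failed attempts before lockout (0 = never)
    ReversibleEncryptionEnabled = $false # never store recoverable passwords
}

# Compare the live policy with the baseline and return one row per setting.
function Test-DomainPasswordPolicy {
    param([hashtable]$Expected = $Baseline)
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Expected.Keys) {
        $actual = $policy.$name
        $ok = switch ($name) {
            'MinPasswordLength'    { $actual -ge $Expected[$name] }
            'PasswordHistoryCount' { $actual -ge $Expected[$name] }
            'LockoutThreshold'     { ($actual -gt 0) -and ($actual -le $Expected[$name]) }
            default                { $actual -eq $Expected[$name] }
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = $ok
        }
    }
}

# Accounts flagged "password not required" or "never expires" bypass the policy
# regardless of how strict it is; these are the default-password cases to review.
function Get-PolicyExemptAccounts {
    Get-ADUser -Filter { (PasswordNotRequired -eq $true) -or (PasswordNeverExpires -eq $true) } `
        -Properties PasswordNotRequired, PasswordNeverExpires, Enabled |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires
}

# Remediation is opt-in so that running the script is a read-only audit by default.
function Set-DomainPasswordBaseline {
    param([switch]$Apply)
    $domain = (Get-ADDomain).DNSRoot
    if (-not $Apply) {
        Write-Host "Dry run for $domain; re-run with -Apply to enforce the baseline."
        return
    }
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -MinPasswordLength $Baseline.MinPasswordLength `
        -PasswordHistoryCount $Baseline.PasswordHistoryCount `
        -ComplexityEnabled $Baseline.ComplexityEnabled `
        -LockoutThreshold $Baseline.LockoutThreshold `
        -ReversibleEncryptionEnabled $Baseline.ReversibleEncryptionEnabled
}

# Usage: audit first, then decide whether to enforce.
Test-DomainPasswordPolicy | Format-Table -AutoSize
Get-PolicyExemptAccounts  | Format-Table -AutoSize
Set-DomainPasswordBaseline          # dry run
# Set-DomainPasswordBaseline -Apply # enforce after review
```

The split between the audit functions and the opt-in `-Apply` switch is deliberate: the survey’s complaint is lack of visibility, so the first run should produce a report an executive can read before anything is changed. On a standalone (non-domain) machine, the equivalent local settings can be viewed with `net accounts` and set through the Local Security Policy console, which is the kind of built-in capability the paragraph above refers to.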
Probably die in a small town
“We consistently see SMBs, and even mid and large enterprises,” says Adrian Sanabria of Savage Security, “overlooking things they can do to make their environment significantly more secure. Things that require little more than checking a few boxes or taking 30 minutes to enable an additional feature.”
If you’re working at an SMB with limited resources to run security, choose wisely. Lamenting lack of resources won’t get you far in preventing and detecting incidents. Digging a little deeper, committing to the hard work, and leveraging the right technologies—especially if they’re already within your toolset—will.
Adrian will be leading a full-day workshop on how to defend your enterprise using only Windows tools during InfoSec World 2018 in Orlando, Florida, March 19-21, 2018.