
Can SMBs effectively ‘DIY’ their cyber-security efforts?

Troels Rasmussen at N-able weighs up the pros and cons of outsourcing cyber-security for smaller businesses


The idea of a Managed Service Provider (MSP) has existed for decades as a way for organisations to outsource their IT and security departments. But in today’s market, tighter budgets, more rigorous security and compliance requirements, and company growth can result in a company considering taking IT, and particularly security, back in-house.


Outsourcing offers the advantage of offloading the heavy lifting to a third party, but it also means doing it their way. Any special considerations need to be negotiated and potentially paid for.


Greater control over security is possible for a small-to-medium-sized business (SMB), but it needs to consider the steps required to gain that control, and whether a combined or ‘co-managed’ approach might be the way forward. It’s easy to be overwhelmed by the number of threats out there, especially when large hacks are widely covered in the press—for example, the recent attacks on the UK retail sector. But instead of getting caught up in the hype, SMBs should zero in on the essential protections that address the threats actually facing them.


What threats should be a top priority?

Novel threats, like the risks posed by quantum computing in the wrong hands or deepfakes impersonating bosses, tend to occupy brain space. But getting the basics right is what truly fortifies defences, even if it’s slightly less glamorous. The tactics of the most active threat groups are testament to this:


Threat #1: Play

The Play threat group is one of the most active groups of the last year, targeting businesses around the world and across sectors. Their most common tactics involve targeting unpatched, exposed devices.


Their lateral movement and persistence techniques are among the most commonly used, relying primarily on commercial off-the-shelf tools and built-in Windows applications (an approach known as Living Off the Land, or LOTL). This keeps their profile low inside a network, because traditional antivirus is less likely to flag legitimate tools being used for malicious ends.


Threat #2: Qilin

The number of Qilin victims has surged in the last six months following the shutdown and fracturing of other Ransomware-as-a-Service (RaaS) groups. Qilin works in collaboration with Initial Access Brokers, affiliates who gain access to victims’ networks and then hand them off. This brings greater diversity to their campaigns, but the primary techniques observed have been phishing campaigns, exploiting vulnerable network devices, and using stolen credentials to log in to exposed VPN and RDP servers.


Threat #3: Tycoon 2FA

As a Phishing-as-a-Service (PhaaS) provider, Tycoon 2FA allows threat actors to conduct business email compromise (BEC) attacks easily and at an affordable price. Attackers share fake DocuSign requests or OneDrive links that direct unsuspecting victims to a fake sign-in page hosted by Tycoon, which harvests the logins entered.


This overview of groups and their tactics shows that ransomware, BEC, social engineering, and exposed devices pose the biggest threats, despite being commonly known and understood – as opposed to deepfakes and other sophisticated techniques. And these common tactics aren’t going away. N-able email filters measured that the proportion of messages identified as phishing rose from 1.49% in January to 2.34% in June, an increase of more than 50% in six months.


Mastering the basics

These techniques persist because basic protections are often missing, misconfigured, or poorly enforced. The good news for SMBs is that defending against these attacks doesn’t require heavy investment or highly sophisticated tools, but rather a disciplined focus on fundamentals. A lot of what’s needed might be called ‘securing the front door’, including:


Implementing phishing-resistant MFA

MFA should be the first security step a business takes, but not all methods are equally secure. For example, SMS-based MFA is common but easily intercepted. Instead, CISA recommends FIDO/WebAuthn authentication or passkeys.
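To show why this recommendation defeats the Tycoon 2FA-style fake sign-in page described above, here is an added example (not from the article or from N-able) that simulates the checks a WebAuthn relying party performs before accepting a sign-in. The names bank.example, both origins, and the HMAC stand-in for the authenticator’s signature are constructed assumptions; the point is that the browser, not the page, records the origin, so an assertion produced on a look-alike site is rejected even if a proxy relays the genuine challenge.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the registered authenticator's key. Real WebAuthn
# signs with an asymmetric key pair; HMAC-SHA256 is used here only so the
# example runs on the standard library (an assumption, not the real scheme).
AUTHENTICATOR_KEY = secrets.token_bytes(32)
RP_ID = "bank.example"               # constructed relying party ID
RP_ORIGIN = "https://bank.example"   # the only origin the RP will accept


def browser_get_assertion(page_origin, challenge, key):
    """Simulate the browser and authenticator on a page served from page_origin."""
    # The browser, not the page's script, records the origin it is really showing.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    # Credentials are scoped to the current host, so the rpIdHash that gets
    # signed is derived from that host, not from whatever the page asks for.
    host = page_origin.split("://", 1)[1]
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def relying_party_verify(assertion, challenge, key):
    """The checks the real site performs before accepting the assertion."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False  # assertion was produced on another site
    if not hmac.compare_digest(bytes.fromhex(cd["challenge"]), challenge):
        return False  # stale or replayed challenge
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # signed for a different relying party ID
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def sign_in_from(page_origin):
    """One sign-in attempt with the user's browser on page_origin."""
    challenge = secrets.token_bytes(32)  # issued by the real site
    # A proxy kit can relay the challenge and forward the response unchanged,
    # but the origin and rpIdHash inside the response still name the fake site.
    assertion = browser_get_assertion(page_origin, challenge, AUTHENTICATOR_KEY)
    return relying_party_verify(assertion, challenge, AUTHENTICATOR_KEY)
```

Contrast this with an SMS code or TOTP, which carries no notion of where it was typed and so verifies just as well when relayed from a fake page.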


Backing up data to a secure offline storage solution

It’s recommended that you align to established strategies such as the 3-2-1 backup rule and immutable backups. Under the 3-2-1 rule you keep three copies of the data, so recovery is not delayed if one backup is compromised; on two different media, so a single physical failure does not take out every copy; and with one copy stored offsite, usually in cloud-based storage, to ensure the data stays available. Immutable backups are copies that cannot be altered or deleted and are isolated from production systems, which gives them a robust level of protection against ransomware.


Creating disaster recovery and incident response plans (and practising them)

Having a playbook that clearly outlines the processes and the relevant stakeholders is vital in the event of an incident. It sets out the immediate actions needed not only to stop cyber-criminals moving through the network, but also to meet the applicable regulatory and legal requirements.


Aligning to a framework

One way of ensuring you have the basics down is aligning to a global cyber-security framework, which spells out exactly what needs to be put in place. There may also be sector-specific needs, depending on the industry a company works in, or region-specific compliance needs, so it’s important to research which frameworks align best with your business. This will also help if cyber-insurance is a priority.


For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is comprehensive and widely adopted. It covers the whole breadth of a potential attack, providing guidelines for identifying, protecting, detecting, responding to, and recovering from cyber-security incidents. Aligning to this helps organisations ensure they are covering the basics: adopting a flexible and scalable approach to cyber-security, ensuring they have the right risk management protocols in place (and making sure they can prove it) and improving communication with stakeholders—for example, the board, who will want a simple answer to whether procedures and incident response plans are in place.


In terms of region-specific frameworks, UK Cyber Essentials is relevant for organisations operating in the United Kingdom. It provides a framework for defending against common cyber-threats and offers a certification that demonstrates basic cyber-readiness. Certification isn’t everything, but it is an excellent first step in bringing credibility and trust to your organisation’s cyber-strategy, and it helps meet compliance and regulatory criteria.


A holistic approach

Threat groups are specifically targeting SMBs with tried and tested methods, and defences must be watertight to counter this. Focusing on the basics and aligning to a framework that suits your industry and your region’s regulatory requirements ensures the foundations are covered before you start thinking about more advanced threats.


Troels Rasmussen is GM of Security Products at N-able


Main image courtesy of iStockPhoto.com and Erikona
