Jason Steer at Recorded Future describes how small and medium-sized businesses can increase their cyber-security by using risk intelligence even when budgets are severely limited
Small and medium-sized businesses (SMBs) are often left behind when it comes to protection. Without the budget or in-house skills, they may make sub-par decisions about cyber-security strategy.
Yet strong defences, along with proactive detection and response capabilities, are just as important for these organisations as they are for large enterprises. In fact, they may be even more so, given that SMBs are a national powerhouse of job creation and wealth.
Fortunately, there are simple things they can do today for little or no cost to help reduce cyber risk and support a more intelligence-driven approach to security.
Small business: an economic powerhouse
At the start of 2020 there were almost six million small businesses in the UK. If that sounds like a lot it’s because it is. In fact, they account for over 99% of the total number of businesses in the country, 61% of total employment (16.8 million workers) and over half of turnover (£2.3 trillion).
These aren’t trifling figures. The success and prosperity of our small businesses matter a great deal to the health of the UK economy and society as a whole.
These businesses arguably rely more than their larger counterparts on cloud and digital services. That’s been especially true during the pandemic, as technology helped organisations of all sizes support home working and reach locked-down customers.
But the same platforms put them at risk of remote attack. Gaps in employee awareness, and poor password and vulnerability management were ruthlessly exploited by threat actors to deliver ransomware, coin mining malware, banking Trojans, and more.
According to official government figures from March 2021, a quarter (25%) of charities and 65% of mid-sized firms suffered at least one security breach over the preceding year.
Following the intelligence
While smaller organisations are heavily reliant on IT, they unfortunately don’t have the resources to spend on securing these systems. Often there’s not even budget for a dedicated IT role, let alone a security expert.
Outsourced services sometimes take up the slack, while volunteers from elsewhere in the business do the rest. This can have several negative knock-on effects. Take staff awareness training, a key capability to keep workers informed and alert to the latest phishing scams. According to government figures, just 11% of micro-businesses, 25% of small companies and 38% of mid-sized organisations ran such programmes last year.
Another challenge is that a lack of in-house expertise can often make cyber-security strategy too narrow and inflexible. SMBs may focus their efforts around compliance requirements, or else tailor defences to specific headline threats. But given the volatility of the threat landscape today, it makes more sense to have an intelligence-led approach.
What does this entail? First, SMBs need to know what their most important IT and data assets are. It could be anything from a CEO’s laptop to a customer database. They need to know where these assets reside, who can access them and what software is running on them, if relevant.
Then they need to understand which risks could have the most serious impact at any particular time, and draw up a plan to mitigate these. Critical risks could be anything from software vulnerabilities and breached passwords to emerging malware and new attack campaigns. Intelligence from third-party providers can help with all of this, providing visibility both internally and outside the organisation.
At the moment, the intelligence would suggest ransomware and Business Email Compromise (BEC) are the biggest risks. As a recent supply chain attack on a US software firm shows, ransomware can come from anywhere, even via your managed service providers (MSPs).
Mitigating risks like these will require improved staff training to spot phishing and BEC attempts. Processes will be needed to double-check for fake payment requests and to ensure the prompt patching of key systems. The use of multi-factor authentication on Remote Desktop Protocol (RDP) ports and other internet-exposed services is also essential.
For SMBs, a serious cyber-attack causing major data loss or service/system outage could lead to an existential business crisis. That makes intelligence- and risk-based security increasingly important.
The good news is that, although there are expensive enterprise-grade platforms on the market, effective intelligence doesn’t need to cost the earth.
There are plenty of vendors out there that offer high quality research into cyber-attack campaigns, as well as daily email digests of emerging risks and threats. Some even deliver intelligence direct to your computer screen via browser extensions.
But smaller businesses should also consider using free open source intelligence tools to look for software vulnerabilities—even something as basic as Microsoft’s Patch Tuesday posts. They should also look at services like HaveIBeenPwned to search for exposed employee passwords, or VirusTotal to hunt for new malware. Even Twitter can be a useful tool to unearth insights into cyber-crime activity, if you follow the right people.
Above all, never forget that cyber-criminals also use open source intelligence, especially to support phishing and social engineering campaigns against your staff. Remind employees that over-sharing online can land the entire organisation in trouble.
Good intelligence-led cyber-security is all about staying proactive and adaptive as risks inevitably evolve over time. In many ways it’s like old-school spying. If you can find a piece of intelligence that helps to patch a vulnerability quicker or reset an employee password sooner, it will give you an advantage over your adversary. It’s not quite Bond versus Blofeld, but the stakes for SMBs couldn’t be higher.
Jason Steer is a Principal Security Strategist at Recorded Future, where he’s responsible for employee education and awareness and monitoring key technology partners. Recorded Future is a major provider of intelligence for enterprise security. www.recordedfuture.com