Managed security services basics [Updated]
We routinely hear about the cyberattacks that bring down the Goliaths of the business world: Facebook, Equifax, and NVIDIA come to mind.
Taking down a major corporation can take months of preparation, only to fail or have only marginal success. Instead of putting all their eggs in one basket, threat actors have started playing the numbers game, hoping to hit a larger number of smaller targets with only a fraction of the effort compared to infiltrating enterprise networks.
As threat actors become increasingly sophisticated and indiscriminate about whom they target, no business can assume it's small enough to fly under the radar.
In the information age, the protection of one's data is essential for the survival and prosperity of any business. So businesses of every size need a solid security plan and framework.
Security is hardly a foreign concept these days. But many may be unaware of the scope of security and the threats they should be concerned about.
Not only do we have more internet-connected devices in our homes and offices than ever before, but many of these devices are mobile and connect to a variety of networks in a variety of locations with a variety of security measures and practices. And as we rely more and more on the internet for work and leisure alike, we can expect the number of threats to grow.
Why should businesses care about security?
Many businesses underinvest in security because they don't see why they would be a target. Or they think they can get by relying only on endpoint protection.
But we now know that all companies of any size have reason for concern. Threat actors, whether individuals or organizations, are tirelessly looking for companies that don't put proper stake into their security.
The threat actors may not be targeting a specific business. They have instead learned that it's better to spread their efforts across more targets: They can hit 100 different smaller companies (or individuals) and get the same benefits they would expect from infiltrating a large corporation. Large corporations are more difficult targets because they have more resources to invest into the latest security practices.
An attack can cost the infiltrated company in a number of ways, including increases in cyber liability insurance premiums.
What security threats should businesses be concerned about?
The list of possible threats is already long and it shows no sign of shrinking in the future.
While we cannot provide a definitive list, below are some security issues that all businesses should consider:
Bad password management
The average user's email address is connected to about 130 unique accounts. While some accounts are able to verify a user with alternative methods, most accounts still require a user password.
That's a lot of accounts. And a lot of passwords.
Many users try to get by with creating simple passwords, such as:
Obviously, these passwords are incredibly easy for hacking programs to guess. Such programs are commonly referred to as password crackers.
Some users may think they're handling their password problems by reusing the same password for multiple accounts. Maybe even every single account. This is a terrible idea, because if a threat actor figures out the password for one account, he doesn't get access to only that account—he now has access to all your accounts.
The first step to fixing your password problem is to start using a password manager.
One benefit of a password manager is that it can generate complex passwords for you. Passwords like "$kFP84Dm615^27j" are virtually impossible to guess. Another solution is to use password phrases like "Big-violet-pumpernickel-9873". While this phrase incorporates common words, its length makes it particularly tough for a machine to crack.
Highly secure passwords are harder to remember than "password" or "123456", so you will likely have a hard time remembering your secure passwords for all 130 of your accounts. That's another benefit of a password manager: It keeps up with the complex passwords for you.
The second step is to make sure you're using multi-factor authentication.
Multi-factor authentication, also referred to as MFA, is a security practice wherein after entering the password for an online account, the user is required to supply additional information to confirm the user's identity.
The additional piece of information may be:
• Biometric (retinal scan or facial recognition).
• SMS-based (6-digit code sent via text).
• A digital code on a USB key.
Each of these methods carries its own advantages and drawbacks, but on the whole, MFA is effective at preventing account takeover.
Proper password management is one of the best ways to improve your security.
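To put numbers on the claims above, here is an added worked example (not the article's own code) that estimates how much guessing each style of password would survive. The guess rate, the size of the common-passwords list and the word-list size are assumed figures; the three passwords are the ones the text uses.

```python
import math
import string

# Assumed attacker model (constructed figures, not from the article):
# offline guessing against a fast, unsalted hash at 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10
# Assumed sizes of a "most common passwords" list and a diceware-style word list.
COMMON_LIST_SIZE = 10_000
WORDLIST_SIZE = 7_776

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def random_password_bits(password: str) -> float:
    """Entropy if every character was drawn uniformly from the classes it uses."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if password else 0.0


def passphrase_bits(phrase: str, sep: str = "-") -> float:
    """Entropy if the attacker knows the word list and the word/number pattern.

    Each word is one pick from WORDLIST_SIZE; an all-digit token is one pick
    among 10**len(token). Capitalisation is ignored, which is pessimistic."""
    bits = 0.0
    for token in phrase.split(sep):
        bits += len(token) * math.log2(10) if token.isdigit() else math.log2(WORDLIST_SIZE)
    return bits


def common_password_bits() -> float:
    """Entropy of a password that appears on the common-passwords list."""
    return math.log2(COMMON_LIST_SIZE)


def years_to_exhaust(bits: float) -> float:
    """Worst case for the attacker: trying every candidate in the space."""
    return 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600)


if __name__ == "__main__":
    cases = [
        ("'123456' (on the common list)", common_password_bits()),
        ("'123456' (brute force, digits)", random_password_bits("123456")),
        ("'$kFP84Dm615^27j' (brute force)", random_password_bits("$kFP84Dm615^27j")),
        ("'Big-violet-pumpernickel-9873' (word list)", passphrase_bits("Big-violet-pumpernickel-9873")),
        ("'Big-violet-pumpernickel-9873' (brute force)", random_password_bits("Big-violet-pumpernickel-9873")),
    ]
    for label, bits in cases:
        print(f"{label:46} {bits:6.1f} bits  {years_to_exhaust(bits):10.3g} years")
```

The two estimates for the passphrase show why the attacker's model matters: against character-by-character brute force its length is decisive, while an attacker who guesses whole words from a known list faces a much smaller, though still large, space.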
Not training employees to spot phishing emails
If a company uses email to communicate (and we all do), it is essential to train employees how to spot and avoid phishing emails. Email is too crucial—both as a business tool and as a potential security liability—to be ignored.
The average data breach will cost a business over $4 million. This means that each time an employee is considering whether to engage with a suspicious email, there's roughly $4 million on the line. So it makes sense to help employees spot the red flags of a malicious email by investing in end user security training.
There are plenty of training platforms you can use to send simulated phishing emails to your staff. Consistent training over time has proven to be effective in lowering a company's risk of a successful phishing attack.
No data backup or disaster recovery plan in place
An essential yet often overlooked component of a security system is a robust and reliable data backup and disaster recovery plan. Security isn't simply about stopping threats from gaining entry to your network. It's also about getting back up and running after a successful attack or a disaster. The quicker one can recover, the better. After all, time is money.
Reliable data backup and disaster recovery systems could literally mean the difference between business-as-usual and bankruptcy. Equally important is the need to test these systems on a regular basis. Backing up files is pointless if those files become corrupted, or cannot be recalled because of an error. Data backups are a crucial component of disaster recovery. But data recovery entails more than just restoring from backup.
Businesses should talk to a reputable IT support provider and get an automated backup and disaster recovery system in place. Once that system is in place, ask the IT provider for regular reports to ensure those backups are successful and usable in the event they are needed.
Relying on outdated hardware and software
Enterprise-grade hardware and software are not cheap, by any measure. Companies that have invested significant capital into routers, switches, network firewalls and access points, as well as operating systems and industry-specific programs, want to get as much use as possible for every dollar spent. The hardware and software may be usable for much longer than intended or recommended.
But these products may also pose major security risks if they're no longer receiving updates from their manufacturer or developer. When this happens, that product is said to have reached its "end of life" (EOL).
While the hardware or software company may have shifted its focus to ensuring the security of newer products, threat actors out in the wild are still looking for vulnerabilities in the old hardware. This means that a router or operating system which has reached its end of life steadily becomes more vulnerable with each passing day.
The best way to avoid this is simply to plan ahead—investing in excellent network documentation can help with these scenarios. Sit down with your IT support team once a year and create an inventory of your products. Take any upcoming "end of life" dates into account when building the IT budget for the coming year.
No automated patching
Applying software patches as they become available is an essential security practice. These updates are usually issued to fix a security vulnerability the vendor has found in its own software; the patch is the vendor's offer to close it.
Unfortunately, the average user does not install security updates whenever the notifications pop up on their devices. Instead, these messages are often perceived as annoying disruptions in an otherwise productive day. So the update remains uninstalled and the software in question remains vulnerable to a known security flaw.
One solution is to set up your network to patch and update workstations automatically when users are away from their machines. This means each machine on the network is always working with the latest security features, employing an update process that doesn't disrupt anyone's work day.
Old user accounts still active
Also referred to as "ghost users", these are accounts which are still active despite the fact that the person no longer works at the company. This is somewhat like breaking up with someone but neglecting to take back their key to your apartment. It is essential for a company to know precisely who can access the company IT network at any given moment. If a person is no longer there, their user account should be turned off immediately.
These old accounts floating around pose two specific security risks.
For one, a disgruntled employee who finds out they can access their company network can do real damage in the time it takes to make a pot of coffee.
Making matters worse is the fact that hackers love to use ghost accounts as they probe a company's IT network for vulnerabilities. Since they are still technically valid logins, any activity they generate won't set off any automated alarms. Assuming they can compromise one of the logins they find, hackers use ghost accounts to operate without alerting anyone to their presence.
Employees with too much access
How many people in your company have access to every file and every system? How many people could, even inadvertently, break something that grinds your business to a halt? Remember, not everyone who works at the bank gets keys to the vault.
Smaller companies, and startups in particular, are often forced to deal with this security risk. When companies are in startup mode, everyone on the team is playing multiple roles. In such a scenario, a single individual requires broader access to systems on the network to fulfill their various functions.
However, as a business grows, roles become more specialized. Specialized roles require access to specific systems and data. At this stage, companies should consider granting network access according to the principle of least privilege, which states that each user shall only have access to the systems required to do their jobs.
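The two preceding sections describe checks that can be run against a directory export and an HR roster. As an added example (not the article's own code, with constructed sample data), this Python access review flags ghost accounts (enabled logins whose owner is no longer on the roster, plus logins idle long enough to deserve a look) and accounts whose access spans every system, the opposite of least privilege.

```python
from datetime import date

# Constructed sample data standing in for a directory export and an HR roster.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": date(2023, 5, 30),
     "systems": {"email", "crm", "fileshare", "finance", "admin-console"}},
    {"user": "bjones", "enabled": True, "last_login": date(2023, 5, 29),
     "systems": {"email", "crm"}},
    {"user": "cwu", "enabled": True, "last_login": date(2023, 1, 14),
     "systems": {"email", "fileshare"}},        # left the company, never disabled
    {"user": "dlee", "enabled": False, "last_login": date(2022, 11, 2),
     "systems": {"email"}},                     # left, correctly disabled
    {"user": "svc-backup", "enabled": True, "last_login": date(2023, 5, 31),
     "systems": {"email", "crm", "fileshare", "finance", "admin-console"}},
]
ACTIVE_STAFF = {"asmith", "bjones", "svc-backup"}   # who HR says is current
ALL_SYSTEMS = {"email", "crm", "fileshare", "finance", "admin-console"}
TODAY = date(2023, 6, 1)


def find_ghost_accounts(accounts, active_staff):
    """Enabled logins whose owner is no longer on the HR roster."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] not in active_staff)


def find_stale_accounts(accounts, today, max_idle_days=90):
    """Enabled logins unused for too long: catches ghosts the roster missed."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (today - a["last_login"]).days > max_idle_days)


def find_overprivileged(accounts, all_systems, min_fraction=1.0):
    """Enabled logins that can reach at least min_fraction of all systems."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"]
                  and len(a["systems"] & all_systems) / len(all_systems) >= min_fraction)


if __name__ == "__main__":
    print("Ghost accounts (disable now):", find_ghost_accounts(ACCOUNTS, ACTIVE_STAFF))
    print("Stale accounts (investigate):", find_stale_accounts(ACCOUNTS, TODAY))
    print("Access to every system (review against least privilege):",
          find_overprivileged(ACCOUNTS, ALL_SYSTEMS))
```

Lowering `min_fraction` widens the least-privilege review to accounts that reach most, rather than all, systems; service accounts such as `svc-backup` are flagged like any other login so that their scope is reviewed deliberately rather than assumed.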
Good security requires multiple layers of protection
No one thing is going to make any business immune to security risks, so businesses should ensure that they have all the necessary layers to prevent and protect from threats.
As previously stated, businesses most often fall victim to attacks that are not directly targeted at them. Let's borrow from a common saying: The threat actors most often throw a bunch of stuff at the wall and see what sticks. While you cannot eliminate the possibility of a successful attack, by covering the basics, you do give these attacks less chance of sticking.
While covering security basics may sound simple, it's far from easy, if only because of the number of devices (and therefore the number of possible exploitable surfaces) a single business may need to account for. Security risks can arise from technology both old and new. Printers and Internet of Things (IoT) devices both need to be properly secured. Of course, we can't forget about the cloud, as more and more businesses move their data and systems to solutions like Microsoft Azure.
This "simple solution" can become a full-time job in and of itself. But pairing with the right certified MSP or MSSP can provide your business with enterprise solutions that allow for peace of mind in your day-to-day operations.