Securing small businesses is a different type of challenge to securing larger organisation. Whilst the question of budget inevitably comes up in both large and small organisations, small businesses ultimate lack both time and resources. Budgeting for security tooling is always a tough ask because security tools are often seen as a zero return on investment. A drain on CapEx/OpEx that could be used elsewhere.
“We don’t have the budget for tools, let alone security tools”
The thing is, even with little or no budget, SMBs can still reduce the threat surface by doing four simple things. Will this make them 100% secure? Absolutely not? Is this a holistic approach to information security? Not at all. But these common-sense steps will go a long way to securing an SMB from ‘most’ external cyber threats. By doing these things SMBs can spend more time on building their business without worrying as much that ransomware attack is going to send them back to square one! So what are these four quick-ish wins?
Securing small businesses: CIS backed virtual desktop
One of the intelligence communities top recommendations is implementing security patches quickly and maintaining a hardened baseline security configuration for desktops and servers. If you don’t have the experience or knowledge this is often outside the expertise of in-house technical experts and if you have outsourced your IT, it’s likely secure configuration is not provided by default. There is however a way to make the process easier. It’s quite possible some (or all) or your server infrastructure is virtualised (either in your own DC or in the cloud) but have you considered virtualising your desktop? Virtualising your desktop machines means that all your data stays in your data centre and doesn’t live on physical computers which can be lost or stolen. In some cases, you can get rid of physical computers and instead have low-cost thin client machines which are cheap to buy and run. A thin client has a longer life too and will not degrade in spec like a laptop because you can keep upping the spec of the virtual desktop independently of the thin client – essentially the thin client just provides a video representation of the virtual desktop. Data will never fall victim to a local hard drive failure because no data is stored locally. Patching is also a breeze and can be centrally rolled out with minimum impact to the users – no more rebuilding every single desktop every time you want to make changes, do it once and push it out to everyone at the next reboot.
“No more rebuilding every single desktop”
The additional benefit of going virtual is the ease at which Centre for Internet Security hardening templates can be set up once and deployed across your entire virtual desktop fleet. These hardening templates lock down the desktop environment and reduce the attack surface available to a hacker. CIS hardening templates are not just for servers but are also available for desktop Windows, Linux and Mac OS. They also have hardening guidelines for both iOS and Android devices too. These configurations are also auditable from a number of vulnerability scanning and configuration benchmarking tools such as Nessus or Nexpose – as well as the CIS-CAT tool.
Notwithstanding the obvious security benefits, going down the CIS virtual desktop route is not only going to save you money in the long run in terms of hardware costs, but it will also make maintaining your desktop environment considerably easier AND cheaper. A user reports a potential ransomware infection on their desktop – you now have the power to kill the desktop centrally to stop an outbreak with the click of a button. A zero-day infection on a users desktop – no worries, one fresh CIS hardened desktop image served up in a jiffy!
Securing small business: Getting Basic Authentication Right
People seem to dish out privileged access like sweets in SMBs. In SMBs it’s common for people to double hat and so lines concerning segregation of duty and least privilege can often get blurred. It doesn’t have to be this way. The first step – no one needs Local Admin on their day-to-day accounts. Just don’t do it. For IT folks, again, their day-to-day accounts must not have admin privileges. Have two accounts for those that need privileged access. Privileged accounts should then only be used when performing an administrative task within an approved change window (so their use can be more effectively audited). Remember the fewer privileges an account has, the less damage can be done should that account become compromised.
These days Multi-Factor Authentication is pretty cheap to implement. Consider implementing MFA for all users from the outset but at a minimum for accounts with admin privileges. If users are used to that being the de facto position, they will soon get used to the idea – some will moan but those gripes can be overcome! A person’s smartphone can now be leveraged as the one-time password generator and as most people have their phone on them all the time it shouldn’t be hard to make the cultural change with the appropriate senior management backing!
It may also be worth considering where else you use authentication. Does your business connect to other organisations using Application Program Interfaces (API)? If so, make sure you keep the authentication details secure.
Securing small businesses: Use Office 365 Secure Score
Many SMBs use Office 365 (O365) as their productivity suite and email gateway. What organisations often miss is there are a wealth of security and data protection tools built into Office365 which if configured properly can significantly reduce an organisation’s threat surface. Getting started with Office 365 security tools is pretty simple. Start by getting your Secure Score and then take each recommendation on its merits for the needs of your business.
To directly quote Microsoft “You are given points for configuring recommended security features, performing security-related tasks (such as viewing reports), or addressing the improvement action with a third-party application or software. Some actions are scored for partial completion, like enabling multi-factor authentication (MFA) for your users. Security should always be balanced with usability, and not every recommendation will work for your environment.“
If you’re using Office 365 and you haven’t taken advantage of Office 365 Secure Score. I would recommend running the report ASAP. Securing small businesses with tools you already have – that’s just a no-brainer!
Securing small businesses: DNS-based Web Filtering
Are you using the DNS servers you ISP have provided? Chances are you are? If you are then you are missing out on a pretty quick win when it comes to malware prevention. At the very least moving to Google’s DNS service is likely to reduce your exposure to malicious sites for nothing, nada, zip! Granted this won’t give you web filtering but it will reduce your exposure to malware for nothing.
If you also need web filtering you can use services such as WebTitan or Cisco Umbrella which provides DNS web filtering at relatively low cost. The benefits of DNS web filtering over a traditional proxy approach speak for themselves in terms of a more secure setup and the removal of numerous options for user circumvention (e.g. need to turn off proxy to access the internet outside corporate network). Whatever content restrictions SMBs impose on their staff I would always recommend blocking sites that have been newly created in the last 30 days or have not yet been classified by the service provider. At a minimum, it’s a good idea to place a warning screen to give the user one last chance to change their mind if they are unsure about the trustworthiness of a link they have just clicked in that well-crafted phishing email…
Not breaking the bank
Securing small businesses can be challenging but there are things you can do. These recommendations aren’t particularly groundbreaking but they are often overlooked by SMBs who simply don’t know about such information security good practice. As mentioned at the beginning of the article, they are a starting point to minimise the SMBs threat surface but there are still other things to be considered as part of wider cybersecurity strategy…we haven’t even mentioned detection or cyber incident response and restoration…
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy, which in addition to offering training, consultancy and advisory services, provides vCISO and Data Protection as a Service. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cybersecurity consultancy which, amongst other things, helps secure small business by implementing technical security improvements such as those described in this article. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso