For resource-poor businesses, chasing after new cyber-tools can drain security spend without truly addressing security gaps. Lawrence Perret-Hall at CYFOR Secure outlines how organisations can pursue more proactive security measures
The last year has been a particularly concerning one for SME security teams. A record-high 73% of businesses with 500 employees or fewer reported an attack in 2023, and the ongoing cyber-skills shortage is increasingly leaving these organisations without the expertise to overcome the wave of attacks.
Small to medium businesses, armed with limited budgets and little to no dedicated security professionals, are struggling to proactively defend their organisation against surging attacks – and attackers are noticing.
Business leaders need to recognise the threat that these vulnerabilities pose to their organisation. Recently, ransomware groups have been shown to target smaller organisations, which are easier to breach and easier to pressure into paying up. While these businesses could be forgiven for thinking they aren’t lucrative targets, transferring some of that risk through cyber-insurance has never been more important as part of an overarching proactive security strategy.
Do I need insurance?
Too often, cyber-insurance, like many security considerations, becomes a topic of discussion after a cyber-incident. And yet, over one fifth of businesses report that the impact of a cyber-incident in the last year was enough to threaten the viability of the business. Like all insurance, the best time to invest is long before you need it.
And in today’s environment, cyber-insurers are far more than financial safety nets: the industry as a whole should be seen as a crucial driver of improved compliance and security posture for many organisations. For small businesses in particular, insurers and their expert cyber-risk management panels can help them adopt security best practice proactively, which is what secures the lowest prices and the most comprehensive cover.
When building a more proactive security strategy, many organisations - not just small businesses - look for a silver bullet security control or tool that will prevent breaches and demonstrate a stronger posture. But insurers measure an organisation’s risk appetite based on the multiple levels of defence they have in place and whether or not they are prepared for the eventuality of a breach.
When facing an audit from any insurer, it can be hard to know where to start. Here are eight minimum security controls that can ensure a ‘defence in depth’ approach and secure cover.
Essential steps to securing the right cover
1. Add Multi Factor Authentication (MFA)
Multi-factor authentication, in which users must present an additional proof of identity beyond their password before accessing sensitive or privileged applications, materials or devices, is a popular security control for organisations of any size.
MFA is a great first step towards a zero-trust model and can ensure that any malicious actors able to enter a network struggle to access important information or escalate their privileges. This is particularly effective against credential theft attacks and business email compromise (BEC). Business leaders should ensure that MFA is in place for:
a. access to web email
b. privileged user accounts
c. remote access to the network
In the past, implementing MFA was a sure-fire way to demonstrate security maturity to insurers and was considered practically a prerequisite for cover. However, cyber-criminals have since adapted. Tactics such as ‘prompt bombing’ (repeatedly triggering MFA push notifications until the targeted user approves the authorisation request) have become commonplace.
To add further protection, look to use an MFA method that relies upon entering a verification code, rather than simply accepting a prompt.
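Prompt bombing leaves a recognisable trace in authentication logs: a burst of push prompts to one user in a short window, typically a run of denials followed by an approval. The script below is an added example (not code from the article or from CYFOR Secure) of the detection logic a small team could run over its identity provider's MFA events. The log format, the ten-minute window and the four-prompt threshold are assumptions for the example; the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log for this example. The key=value layout is an
# assumption; real IdP logs differ, so parse_line() is the part to adapt.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice method=push result=denied ip=203.0.113.7
2024-03-04T09:12:40Z user=alice method=push result=denied ip=203.0.113.7
2024-03-04T09:13:15Z user=alice method=push result=denied ip=203.0.113.7
2024-03-04T09:13:50Z user=alice method=push result=denied ip=203.0.113.7
2024-03-04T09:14:30Z user=alice method=push result=approved ip=203.0.113.7
2024-03-04T09:20:00Z user=bob method=push result=approved ip=198.51.100.9
2024-03-04T10:05:00Z user=bob method=push result=denied ip=198.51.100.9
2024-03-04T10:45:00Z user=bob method=push result=approved ip=198.51.100.9
2024-03-04T10:46:00Z user=carol method=totp result=approved ip=192.0.2.5
"""

WINDOW = timedelta(minutes=10)   # how long a burst of prompts may span (assumed)
PROMPT_THRESHOLD = 4             # prompts to one user inside WINDOW before alerting (assumed)


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_prompt_bombing(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert per user who received at least `threshold` push prompts
    within `window`. Each alert records the size of the largest burst and whether
    it ended in an approval, which is the outcome an attacker is after and the
    case to treat as a likely account compromise."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("method") == "push":   # code-based factors cannot be bombed this way
            by_user[event["user"]].append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):       # sliding window over this user's prompts
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold and (best is None or len(burst) >= len(best)):
                best = burst                 # keep the latest, largest burst
        if best is not None:
            alerts.append({
                "user": user,
                "prompts_in_window": len(best),
                "denied_before_approval": sum(e["result"] == "denied" for e in best[:-1]),
                "ended_in_approval": best[-1]["result"] == "approved",
                "first_prompt": best[0]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

On the sample data only alice is flagged: five prompts in under three minutes, four denials and then an approval. Bob's three prompts are spread over more than an hour and never fill the window, and carol's code-based login is ignored because it is not a push prompt. An alert whose burst ended in an approval is the one to act on first, with a password reset and session revocation.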
2. Use an Endpoint Protection Platform (EPP)
Modern day security teams have a vast network of endpoints to manage, even in small businesses. Remote working environments have expanded networks, and consequently created a larger attack surface.
As businesses scale, managing endpoint devices such as company or even BYOD laptops is a tough but important challenge. An EPP can help businesses to protect these devices from malicious activity and malware without jeopardising growth or flexible working models.
3. Email filtering solutions
Phishing emails are a common and often lucrative tactic for bad actors. Many of the big ransomware stories we see started with one malicious email, and the age of generative AI makes these campaigns far cheaper and easier to run.
Businesses should have solutions in place to filter out any emails with malicious links or attachments. Not only does this mitigate the risk of malware, but, if selecting a solution that allows teams to automatically detonate and evaluate attachments in a sandbox, it can form a vital basis for ongoing threat intelligence and risk education.
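Two of the checks a filtering solution performs are simple enough to show in full: refusing attachments with executable extensions, and spotting links whose visible text names one site while the underlying href points somewhere else. The scanner below is an added example, not code from the article or any product it mentions; it uses Python's standard email parser on a constructed message, and the blocked-extension list and the quarantine rule are assumptions for the example.

```python
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Attachment extensions this example refuses outright (a constructed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a URL or domain, e.g. "https://portal.example.org"
DISPLAYED_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

# Constructed sample messages for this example (not real mail).
SUSPICIOUS_EMAIL = """\
From: "Accounts" <accounts@example.net>
To: finance@example.org
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please review your account at
<a href="http://198.51.100.23/login">https://portal.example.org</a></p>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

CLEAN_EMAIL = """\
From: alice@example.org
To: bob@example.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at 12:30.
"""


def displayed_host(anchor_text):
    """Host the recipient believes they are visiting, or None for text like 'click here'."""
    plain = re.sub(r"<[^>]+>", "", anchor_text).strip()
    match = DISPLAYED_HOST_RE.match(plain)
    return match.group(1).lower() if match else None


def scan_message(raw):
    """Return a list of (finding, detail) tuples for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            extension = os.path.splitext(filename)[1].lower()   # "invoice.pdf.exe" -> ".exe"
            if extension in BLOCKED_EXTENSIONS:
                findings.append(("blocked_attachment", filename))
        elif part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown = displayed_host(text)
                real = (urlparse(href).hostname or "").lower()
                if shown and real and shown != real:
                    findings.append(("link_mismatch", f"{shown} -> {real}"))
    return findings


def should_quarantine(raw):
    """Assumed policy for the example: any finding is enough to hold the message."""
    return bool(scan_message(raw))
```

The double extension in "invoice.pdf.exe" is caught because only the final suffix is considered, and the link is flagged because the visible text names portal.example.org while the href resolves to a bare IP address. A real filter layers many more checks on top (sender authentication, reputation, sandbox detonation), but these two are the ones an insurer's questionnaire is most likely to ask about directly.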
4. Employee phishing training and testing
Of course, no level of email filtering can eradicate the risk of phishing attacks. Often, social engineering attacks are designed to evade these filters, replacing malicious links with a QR code, embedding them in PDFs, or even directing the victim away from email to a secondary channel, such as WhatsApp. For these reasons, it is imperative that staff are trained to recognise and report suspicious emails.
Social engineering is a vital tool in the cyber-criminal playbook and humans are the weakest link in many organisations. Investing in cyber-security education could be the difference between a successful breach and a failed attempt.
5. Disable administrative rights for general users
Administrative rights are the highest level of permission given to a computer user. They grant the user access to anything within the system or network: essentially “unrestricted access” to the entire system. In certain roles, this access is necessary, but the trade-off is that these highly valuable credentials can cause a lot of damage if stolen and exploited.
It pays to be selective with this level of access: general users only need to access the networks and platforms necessary for their jobs.
6. Patch promptly
According to the Ponemon Institute, 57% of cyber-attack victims report that their breaches could have been prevented by installing an available patch. Regular patching is an essential part of good cyber-hygiene, but it is easy to let slide in a small organisation. It is important to implement and maintain a patching protocol that requires all critical or emergency patches to be applied within two weeks. The faster, the better.
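A two-week rule only helps if someone measures against it. The script below is an added example (not code from the article or from CYFOR Secure) of turning a patch inventory into the list a small team should work from: which critical or emergency patches are past their deadline, which were installed late, and the overall compliance rate to show an insurer. The inventory, its field names and the patch identifiers are constructed for the example; the 14-day deadline and the severities it covers come from the article.

```python
from datetime import date, timedelta

SLA = timedelta(days=14)                      # "within two weeks" from the article
SLA_SEVERITIES = {"critical", "emergency"}    # severities the two-week rule covers

# Constructed patch inventory; the field names and identifiers are assumptions.
PATCHES = [
    {"id": "KB-EXAMPLE-1", "host": "fileserver01", "severity": "critical",
     "released": date(2024, 2, 20), "installed": date(2024, 2, 27)},
    {"id": "KB-EXAMPLE-2", "host": "fileserver01", "severity": "emergency",
     "released": date(2024, 2, 1), "installed": date(2024, 2, 25)},
    {"id": "KB-EXAMPLE-3", "host": "laptop-finance-03", "severity": "critical",
     "released": date(2024, 2, 25), "installed": None},
    {"id": "KB-EXAMPLE-4", "host": "laptop-finance-03", "severity": "critical",
     "released": date(2024, 3, 8), "installed": None},
    {"id": "KB-EXAMPLE-5", "host": "printserver", "severity": "low",
     "released": date(2024, 1, 10), "installed": None},
]


def _as_date(value):
    """Accept either a date or an ISO 8601 string such as '2024-03-15'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def patch_status(patch, today):
    """Classify one patch against the two-week rule."""
    today = _as_date(today)
    if patch["severity"] not in SLA_SEVERITIES:
        return "out_of_scope"
    deadline = patch["released"] + SLA
    if patch["installed"] is None:
        return "overdue" if today > deadline else "pending"
    return "on_time" if patch["installed"] <= deadline else "late"


def sla_report(patches, today):
    """Group patches by status, list overdue ones by days past deadline (worst
    first) and compute the share of in-scope patches that meet the rule."""
    today = _as_date(today)
    counts = {"on_time": 0, "late": 0, "pending": 0, "overdue": 0, "out_of_scope": 0}
    overdue = []
    for patch in patches:
        status = patch_status(patch, today)
        counts[status] += 1
        if status == "overdue":
            days_past = (today - (patch["released"] + SLA)).days
            overdue.append((patch["id"], patch["host"], days_past))
    overdue.sort(key=lambda item: -item[2])
    in_scope = [p for p in patches if p["severity"] in SLA_SEVERITIES]
    compliant = sum(patch_status(p, today) in ("on_time", "pending") for p in in_scope)
    rate = round(compliant / len(in_scope), 2) if in_scope else 1.0
    return {"counts": counts, "overdue": overdue, "compliance_rate": rate}


if __name__ == "__main__":
    print(sla_report(PATCHES, "2024-03-15"))
```

A patch that is still pending counts as compliant until its deadline passes, so the rate does not punish a team for a patch released yesterday; a patch installed after the deadline stays marked late in the history, which is the honest answer when an insurer asks how often the rule was met.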
7. Manage and protect privileged Service Accounts
It is important to understand which accounts have the most privileges and are therefore a valuable target for credential theft attempts. A bad actor with access to one of these accounts can install malware, modify the existing system, and access other user accounts remotely, so they should be a priority for protection. Identity and access management and risk-based authentication solutions can make sure that any suspicious activity is identified and verified fast.
When a user with access to a service account leaves the business, it is vital that protocols are in place to swiftly remove those access privileges and prevent exploitation.
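Steps 5 and 7 are two sides of the same review: who holds privileged group membership, whether each holder is meant to, and whether the person responsible for a service account is still with the business. The audit below is an added example (not code from the article or from CYFOR Secure) of that review run over a constructed account inventory; the group names, the approved-admin allowlist, the 90-day staleness threshold and the inventory fields are all assumptions for the example.

```python
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}   # assumed group names
APPROVED_ADMINS = {"it-admin-jane"}   # constructed allowlist of accounts allowed admin rights
STALE_AFTER = timedelta(days=90)      # assumed: unused privileged accounts older than this get disabled

# Constructed account inventory; the fields are an assumption for this example.
# 'owner_active' records whether the human responsible still works for the business.
ACCOUNTS = [
    {"name": "it-admin-jane", "kind": "user", "groups": {"Domain Admins"},
     "owner": "jane", "owner_active": True, "last_logon": date(2024, 3, 10)},
    {"name": "dave", "kind": "user", "groups": {"Administrators", "Staff"},
     "owner": "dave", "owner_active": True, "last_logon": date(2024, 3, 12)},
    {"name": "svc-backup", "kind": "service", "groups": {"Administrators"},
     "owner": "tom", "owner_active": False, "last_logon": date(2024, 3, 14)},
    {"name": "svc-legacy-sync", "kind": "service", "groups": {"Domain Admins"},
     "owner": "jane", "owner_active": True, "last_logon": date(2023, 10, 1)},
    {"name": "priya", "kind": "user", "groups": {"Staff"},
     "owner": "priya", "owner_active": True, "last_logon": date(2024, 3, 13)},
]


def is_privileged(account):
    """True when the account sits in any group that confers administrative rights."""
    return bool(account["groups"] & PRIVILEGED_GROUPS)


def privileged_inventory(accounts):
    """The list an insurer's questionnaire asks for: every account with admin rights."""
    return sorted(a["name"] for a in accounts if is_privileged(a))


def audit_accounts(accounts, today):
    """Return (account, recommended action) pairs for privileged accounts that break
    the policy: general users holding admin rights, service accounts whose owner
    has left, and privileged accounts nobody has used for STALE_AFTER."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    findings = []
    for account in accounts:
        if not is_privileged(account):
            continue   # general users without admin rights need no action here
        if account["kind"] == "user" and account["name"] not in APPROVED_ADMINS:
            findings.append((account["name"], "general user holds admin rights; remove from group"))
        if account["kind"] == "service" and not account["owner_active"]:
            findings.append((account["name"], "owner has left; rotate credential, reassign or disable"))
        if today - account["last_logon"] > STALE_AFTER:
            findings.append((account["name"], "privileged account unused for over 90 days; disable"))
    return findings


if __name__ == "__main__":
    print(privileged_inventory(ACCOUNTS))
    for name, action in audit_accounts(ACCOUNTS, "2024-03-15"):
        print(f"{name}: {action}")
```

Run against the sample inventory, the audit flags dave (an ordinary user in the local Administrators group), svc-backup (its owner has left, so the credential must be rotated before anyone else inherits it) and svc-legacy-sync (Domain Admins membership that nothing has used since October). The leaver check is the one most often missed: the human account gets disabled on departure while the service account they set up keeps running with their knowledge of its password.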
8. Maintain offline backup
No security posture is infallible, and any business needs to be prepared for the worst. Backups are an essential part of recovering from a cyber-security incident, and for this reason, they are often targeted by ransomware gangs to push businesses to pay.
Having the right strategy for these backups is key. Offline backups, regularly updated and tested, provide businesses with air-gapped recovery options in the worst-case scenario, and reassure insurers that the financial cost of an attack won’t be sky high.
Lawrence Perret-Hall is COO at CYFOR Secure
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543