How to Protect a Small Business from Hackers


The Spartan warrior is known for a no-nonsense approach to life: luxury is a waste. A small business (SMB) should take the same Spartan approach to protect itself from attackers.

The cybersecurity industry is bloated with tools and complicated strategies, costing loads of excess money and demanding more time than an SMB owner has to spare.

An understanding of the value of your business’s data, combined with some essential cyber security controls, can lead to real protections against hackers. Nothing is hacker-proof, but good enough security applied in the right places makes your business far less of a target.

This mini-guide explains how to determine the amount of cybersecurity that brings you the most bang for your buck. This guide also illuminates essential concepts such as calculating the value of your data, understanding your real risks, and selecting security measures to protect your company’s valuable data against those risks.

Most cybersecurity tools are expensive luxury items sold as essential. When you’re done reading this article you will know how and where to spend limited time and money to implement the most battle-tested, and prudent cybersecurity.

Calculate the Value of the Business’s Data

This component of a secure business is not security, per se. But before a cent gets spent on any cyber security measures, understand two things:

  1. The value of the business’s data
  2. The risks to the data (in this case, cyber security risks)

The value of the data is not easy to calculate. Assigning a precise value, down to multiple places past the decimal point, is not the goal, especially if the value has never been calculated before. Knowing something about the value of the data is better than knowing nothing.

For a first-time valuation of the data, answer these questions:

  • If all the data disappeared, how much revenue could the business generate?
  • If everything but the data disappeared, what price could the data sell for?
  • How much would it cost to replace all of the data? (Measured in dollars or man-hours converted to dollars)
  • If the data is stolen, is there a liability cost? (This answer would go on the red side of the ledger, but it’s still a value of sorts)

The answers to these questions don’t need to agree with each other. Instead, they provide a potential range for the value of the data. Having a clear(er) view of what the data is worth puts constraints on what is worth spending to protect it.

No one wants to spend $50,000 protecting a vehicle only to discover it’s worth less than $10,000. Also, imagine the nausea of insuring an inherited comic book for $1,000 and later, after it’s destroyed in a flood, learning the inherited Whiz Comics #2 is worth somewhere in the ballpark of $280,000.

How much is this worth protecting?

The market value of the comic book helps the owner determine how much to spend on protective measures against “attacks” like dust, light, air, and water. The same holds true for critical business data.

Understand the Risks to the Business’s Data

Don’t leave the security of the business’s data up to fate. Getting “hacked” may happen to every business on a long enough timeline of existence, but it doesn’t have to destroy the company, or come close.

A business on the internet is like an organism exposed to the dangers of its environment: predators, food shortages, diseases, etc. The organism will get hurt and sick, but neither is an automatic death sentence, thanks to healing capabilities and an immune system. Over time, nature has given organisms some capability of mitigating those issues, a natural form of risk mitigation.

The moment a business “plugs into” the internet in any way, it’s exposed to all sorts of predators and diseases with the potential for catastrophic impact (read: going out of business).

There are risks that pose a common threat, but not every risk poses the same threat to all businesses; therefore risk analysis is an undertaking worth investing time in. Risk analysis generates risk statements that double as inputs for further decision analysis.

System R has a 30% risk of hack in the next six months resulting in $DDDD in losses. It will cost $DDD to reduce the risk to 10%.  Is it worth spending the money?

The above statement is an oversimplification of how risk analysis gets to the “do we spend the money” question, but taking time to understand the variety of risks facing the business, its IT infrastructure, processes, and data will allow for informed financial decisions.

“Risk Z could cripple or kill the company, therefore spending an appropriate amount of money to resolve it is important.”

“Risk Y might hurt, like accidentally cutting a finger when chopping carrots, but it’s not worth spending money to fix. Instead use the money on better marketing, employee bonuses, or research and development.”
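The risk statement above can be turned into a repeatable spend/skip decision. The following is an added example (not from the original article) that uses the value range produced by the valuation questions rather than a single number; the probabilities, dollar figures, and control names are constructed for illustration.

```python
# Added example (not from the article): turning a risk statement like the one
# above into a spend/skip decision. All numbers below are constructed.
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    cost: float      # one-time cost of the control, in dollars (assumed)
    p_after: float   # probability of the loss event once the control is in place


def expected_loss(p: float, impact: float) -> float:
    """Expected loss for the period the probability refers to (six months above)."""
    return p * impact


def max_justified_spend(p_before: float, p_after: float, impact: float) -> float:
    """Break-even budget: the expected loss the control removes.

    Spending more than this buys less risk reduction than it costs.
    """
    return expected_loss(p_before, impact) - expected_loss(p_after, impact)


def decide(p_before: float, control: Control, impact_low: float, impact_high: float) -> str:
    """Decide using the *range* of data value from the valuation step, not one number.

    'spend'   - worth it even if the data is only worth the low estimate
    'skip'    - not worth it even if the data is worth the high estimate
    'depends' - the answer flips inside the range; refine the valuation first
    """
    if not 0 <= control.p_after <= p_before <= 1:
        raise ValueError("probabilities must satisfy 0 <= p_after <= p_before <= 1")
    low = max_justified_spend(p_before, control.p_after, impact_low)
    high = max_justified_spend(p_before, control.p_after, impact_high)
    if control.cost <= low:
        return "spend"
    if control.cost > high:
        return "skip"
    return "depends"


# Constructed scenario: 30% chance of compromise in six months, data valued at
# $40k-$120k by the valuation questions, three candidate controls.
P_BEFORE = 0.30
IMPACT_LOW, IMPACT_HIGH = 40_000, 120_000
CANDIDATES = [
    Control("MFA + password manager", cost=7_500, p_after=0.10),
    Control("Managed EDR, year one", cost=30_000, p_after=0.10),
    Control("Secure email gateway", cost=15_000, p_after=0.10),
]


def decisions() -> dict:
    """Verdict per candidate control for the constructed scenario."""
    return {c.name: decide(P_BEFORE, c, IMPACT_LOW, IMPACT_HIGH) for c in CANDIDATES}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name}: {verdict}")
```

The useful output is the break-even number: with a 30% to 10% reduction on data worth $40,000, anything costing more than $8,000 for that single control needs a better valuation before the money goes out the door.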

Doing further research into risk analysis can’t hurt, but the key to good analysis is good observation, in the form of measurements. And herein lies the rub of risk analysis: gathering the right kind and number of measurements of value for good analysis.

A whole profession has grown up around this kind of diagnostic measurement. Much as in the medical field, there are cyber security experts who can come in and measure, analyze, diagnose, and prescribe “treatment options” for the cyber threats facing the business.

A step-by-step guide for measuring and analyzing risk is outside the scope of this article; however, the remaining components of this article are prescriptions for the most common threats businesses face today.

Before tackling more specific risks and implementing controls to reduce those risks, handle the components described in the remainder of this article.

Asset Management

Asset management in the simplest terms is “knowing what you own and where what you own is located”. Applied to information technology, knowing what you own and where it is located is one of the cornerstones of any approach to security. Remove the cornerstone and all the other security technology becomes meaningless, the same way a battle strategy becomes meaningless when the commander realizes they don’t have enough beans, bullets, or band-aids to support the troops, and didn’t even know how many troops they had to carry out the mission.

There is no security without asset management

As a general rule, the size of the business determines the complexity of the asset management task(s). A small business with only a few digital assets can get away with using something simple, like an Excel spreadsheet. However, the moment updating and managing the spreadsheet becomes a chore, and manual entry errors start creating problems nobody catches (and this happens sooner than one might think), the business will need to spend a few bucks on an asset management tool.

And don’t skip this in a rush to get to the more glamorous parts of security. Not understanding the business’s “asset landscape” will prevent the business from spending the smart money on the other security controls aimed at protecting its operations and data.

Assets worth identifying and tracking in the asset management “database”:

  • Employee-issued devices: laptops, computers, phones, tablets, etc.
  • IT infrastructure: Wi-Fi access points, servers, switches, routers, printers, etc.
  • IoT devices: thermostats, card readers, security devices, or anything else that gets an IP address
  • Internet-facing “interfaces”: websites, web applications, VPN servers, APIs, etc.
  • Business-critical data and databases: PII, payment card (PCI) data, medical records, proprietary data essential to the business, etc.
  • Vendors holding any important data

This “database” requires a regular refresh to remain relevant as a cornerstone of cyber security and decision making.
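The “regular refresh” is easier to keep up with when it is a check rather than a chore. The following added example (not from the original article) reconciles a spreadsheet-style inventory against what a ping sweep or DHCP lease dump actually sees on the network, and flags rows nobody has verified in 90 days. The inventory rows, observed hosts, and dates are all constructed.

```python
# Added example (not from the article): keeping the asset "database" honest.
# Reconcile the inventory against what is actually seen on the network and flag
# entries nobody has verified recently. Inventory and sweep results are constructed.
import csv
import io
from datetime import date

INVENTORY_CSV = """asset_id,type,hostname,ip,owner,last_verified
A-001,laptop,acct-lt-01,10.0.1.20,alice,2024-05-02
A-002,server,files-01,10.0.1.5,it,2024-01-15
A-003,iot,thermostat-lobby,10.0.1.77,facilities,2023-11-30
A-004,printer,print-02,10.0.1.30,it,2024-05-10
"""

# Constructed result of a ping sweep / DHCP lease dump: ip -> hostname as observed.
OBSERVED = {
    "10.0.1.5": "files-01",
    "10.0.1.20": "acct-lt-01",
    "10.0.1.77": "thermostat-lobby",
    "10.0.1.99": "unknown-android",
}


def load_inventory(text: str) -> list[dict]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_verified"] = date.fromisoformat(row["last_verified"])
    return rows


def unknown_hosts(inventory, observed) -> list[str]:
    """IPs on the network that no inventory row claims: unmanaged devices or intruders."""
    known = {row["ip"] for row in inventory}
    return sorted(ip for ip in observed if ip not in known)


def missing_assets(inventory, observed) -> list[str]:
    """Inventoried assets not seen: retired, lost, or just powered off; someone should check."""
    return [row["asset_id"] for row in inventory if row["ip"] not in observed]


def stale_assets(inventory, today: date, max_age_days: int = 90) -> list[str]:
    """Rows nobody has confirmed within max_age_days; the refresh the text calls for."""
    return [row["asset_id"] for row in inventory
            if (today - row["last_verified"]).days > max_age_days]


def reconcile(text=INVENTORY_CSV, observed=OBSERVED, today=date(2024, 5, 15)) -> dict:
    inv = load_inventory(text)
    return {
        "unknown": unknown_hosts(inv, observed),
        "missing": missing_assets(inv, observed),
        "stale": stale_assets(inv, today),
    }


if __name__ == "__main__":
    for key, ids in reconcile().items():
        print(f"{key}: {ids}")
```

Each list is a to-do item: an unknown host is either something to add to the inventory or something to pull off the network, a missing asset is a laptop to locate, and a stale row is a phone call to its owner.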

Data Backups

Once the data has been located, valued, and tracked, it’s time to back it up, or at least back up the data that’s worth backing up. And the business should know the difference between data that is, and is not, worth backing up.

A backup in this context is more than a copy of the data or the Windows restore functionality. It is a well-thought-out process and technology that makes copies of essential data, in a separate location, for later restore after an event leaves the original data unable to meet business needs.

Ever experience the frustration of losing forty minutes of writing because CTRL+S is not second nature? Imagine the frustration from thousands of dollars (or more) and dozens of manhours because there was no solid backup plan.

Often this means a minimum of one copy of the data, updated on a continuous basis, and stored in a different geographic location.

This should also include regular testing of the backups, that is, practice restores to make sure the backups work.

An untested backup is a broken backup.

There are three types of backups:

  1. Full: The entire data file or system.
  2. Differential: Only the new/altered information since the last full backup.
  3. Incremental: Only the new/altered information since the last backup, regardless of type.

Each type has pros and cons weighing factors such as cost, speed, fidelity, recovery time, and types of data. An easy “solution” is to just select one type and do that for everything set for backup. But you’ve done the calculations and risk considerations on your data, so now you can decide which options are best for which data files (or systems).
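The trade-off between differential and incremental is easiest to see on a concrete history. The following added example (not from the original article) runs all three backup types over a constructed four-day file set, restores the result both ways, and verifies each restore against the live data by hash, which is the “practice restore” the text calls for. File names and contents are made up.

```python
# Added example (not from the article): the three backup types over a constructed
# four-day history, restored both ways and verified by hash. A restore that is
# never compared against the source is the "untested backup" the text warns about.
import hashlib


def digest(state: dict) -> str:
    """Content hash of a whole file set (path -> bytes); equal hashes mean equal data."""
    h = hashlib.sha256()
    for path in sorted(state):
        h.update(path.encode() + b"\0" + state[path] + b"\0")
    return h.hexdigest()


def _delta(state: dict, baseline: dict) -> dict:
    """What changed relative to baseline, including deletions (tombstones)."""
    return {
        "changed": {p: c for p, c in state.items() if baseline.get(p) != c},
        "deleted": {p for p in baseline if p not in state},
    }


def full_backup(state):
    return {"kind": "full", "changed": dict(state), "deleted": set()}


def differential_backup(state, last_full):
    """Everything since the last FULL backup; grows each day, restore needs two pieces."""
    return {"kind": "differential", **_delta(state, last_full["changed"])}


def incremental_backup(state, chain):
    """Everything since the last backup of ANY kind; small, but restore needs the whole chain."""
    return {"kind": "incremental", **_delta(state, restore(chain))}


def restore(chain: list) -> dict:
    """Replay a full backup plus its dependants in order."""
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("a restore chain must start with a full backup")
    state = {}
    for b in chain:
        state.update(b["changed"])
        for p in b["deleted"]:
            state.pop(p, None)
    return state


# Constructed history: ledger edited daily, client DB updated, a file deleted, a file added.
DAY0 = {"ledger.xlsx": b"v1", "clients.db": b"c1", "notes.txt": b"n1"}
DAY1 = {**DAY0, "ledger.xlsx": b"v2"}
DAY2 = {"ledger.xlsx": b"v3", "clients.db": b"c2"}          # notes.txt deleted
DAY3 = {**DAY2, "invoice.pdf": b"i1"}


def run() -> dict:
    full = full_backup(DAY0)
    diffs = [differential_backup(d, full) for d in (DAY1, DAY2, DAY3)]
    incs = [full]
    for d in (DAY1, DAY2, DAY3):
        incs.append(incremental_backup(d, incs))
    return {
        "diff_restore_ok": digest(restore([full, diffs[-1]])) == digest(DAY3),
        "inc_restore_ok": digest(restore(incs)) == digest(DAY3),
        "diff_day3_files": len(diffs[-1]["changed"]),   # carries all changes since the full
        "inc_day3_files": len(incs[-1]["changed"]),     # carries only that day's change
    }


if __name__ == "__main__":
    print(run())
```

Day 3’s differential carries three files and restores from two pieces; day 3’s incremental carries one file but restores only if every earlier incremental is intact. That is the recovery-time versus storage trade-off in the list above, and the hash comparison is the part most SMBs skip.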

Phishing Countermeasures

For the last decade, Verizon has partnered with the United States Secret Service to produce the Data Breach Investigations Report (VDBIR). The VDBIR’s analysis over the years (most recently the 2021 VDBIR) shows an important trend: year over year, phishing is the number one means by which hackers achieve unauthorized access or some other unauthorized action, such as wire fraud or further phishing from a compromised email account.

Of course, ask a small business owner what the primary way hackers get in and “Phishing” is the response. However, many of these same small businesses will not have proper phishing countermeasures in place.

A guiding principle of cyber security is defense-in-depth: a layered approach to implementing security controls around critical components and data. The layers of defense against phishing are designed to diminish the variety of methods phishing emails use to gain access.

  • SPF, DKIM, DMARC: These mechanisms protect the company’s domain and email, making it more difficult for scammers to earn confidence and spoof your company’s email.
  • Secure Email Gateway: There is a wide variety of capable products here, but the gateway should scan emails for spam, malware, malicious links, and other email attacks occurring now.
  • Phishing Simulation Training: Reading a PowerPoint slide is one thing, but getting trained with realistic-looking phishing emails is quite another. Good training can reduce click-through rates from the typical pre-training 25% to a sustained post-training 5%. Of course, no amount of high-quality training can strip away l’appel du vide (the call to the void).
  • Block Uncategorized Websites: Sometimes emails still get through and users click links or open attachments. Often, but not always, a malicious connection is then made to an uncategorized website.
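SPF, DKIM, and DMARC only protect the domain if the records are configured strictly, and a surprising number of domains publish a record that is present but toothless. The following added example (not from the original article) audits the three TXT records for the weak settings a practitioner looks for first, with a “set it up once” configuration beside a hardened one. The records are constructed strings (in practice you pull them with dig or nslookup), the domain names are reserved example names, and the DKIM public key is a placeholder, not a real key.

```python
# Added example (not from the article): auditing the SPF/DKIM/DMARC TXT records a
# domain publishes. Records are constructed strings; in practice you would pull
# them with dig/nslookup. The DKIM public key below is a placeholder, not a real key.
from typing import Optional


def _tags(record: str) -> dict:
    """Parse 'k=v; k=v' DKIM/DMARC syntax into a dict (keys lower-cased)."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_spf(record: Optional[str]) -> list:
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record; receivers cannot tell forged mail from yours"]
    last = record.split()[-1].lower()
    if last in ("all", "+all"):
        return ["SPF: ends in +all, which authorises every sender on the internet"]
    if last == "?all":
        return ["SPF: ends in ?all (neutral), so it adds no protection"]
    if last == "~all":
        return ["SPF: ends in ~all (softfail); move to -all once DMARC reports look clean"]
    if last != "-all":
        return ["SPF: does not end in an 'all' mechanism; unlisted senders are not rejected"]
    return []


def check_dkim(record: Optional[str]) -> list:
    if not record:
        return ["DKIM: no selector record published; signatures cannot be verified"]
    tags = _tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["DKIM: unexpected version tag"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag, which means the key is revoked"]
    return []


def check_dmarc(record: Optional[str]) -> list:
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["DMARC: no record; SPF/DKIM failures carry no instruction to receivers"]
    tags = _tags(record)
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so you never see who is spoofing you")
    if tags.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={tags['pct']} leaves part of the spoofed mail unfiltered")
    return issues


def audit(records: dict) -> list:
    """records maps 'spf'/'dkim'/'dmarc' -> TXT value (None if absent). Returns findings."""
    return (check_spf(records.get("spf"))
            + check_dkim(records.get("dkim"))
            + check_dmarc(records.get("dmarc")))


# Constructed: a typical "we set it up once" domain beside a hardened one.
WEAK = {"spf": "v=spf1 include:_spf.mailhost.example +all",
        "dkim": None,
        "dmarc": "v=DMARC1; p=none"}
STRONG = {"spf": "v=spf1 include:_spf.mailhost.example -all",
          "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEYNOTREAL",
          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit(recs) or ["no findings"])
```

The order of fixes matters: publish DKIM and a DMARC record with an rua= address first, watch the reports until legitimate senders are all covered, then tighten SPF to -all and DMARC to p=reject.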

Multi-Factor Authentication

The second most common method for gaining unauthorized access to business email and company networks is the stolen credential, at about 20% of all breaches. Stolen credentials are sold like credit card numbers in dark web marketplaces.

The credentials get stolen through some breach elsewhere on the internet where an employee has used a company email and reused a password that is similar or the same as the one for logging into the company email, VPN, etc.

A hacker then purchases thousands to millions of username and password combinations and throws those combinations at interfaces all over the internet (known as a credential stuffing attack). If the domain the usernames and passwords were pulled from is known, the hacker can run the same kind of attack against a specific company’s email or other login interfaces.

One possible countermeasure is harsher password policies, but this will only create new problems of ease-of-use and management, and all without actually solving the problem. Password reuse is a problem, and the more complex the password requirements the more of a problem it becomes.

Even with password managers (which are highly recommended), passwords still tend to get reused, because people still feel a compulsion to create the passwords instead of using the password manager’s password generation tool.

A better solution than silly password complexity is multi-factor authentication (MFA): additional means of identifying oneself when authenticating to a system.

The types of additional authentication methods are:

  • Hard Token: A key fob with a rotating number
  • Soft Token: An app on a phone (normally) with a rotating number
  • Push Notification: Authorization request sent to an app on a phone
  • SMS: One-time code sent to a phone
  • Biometric: Fingerprint or facial recognition, typically on phone.

Of the above list, hackers bypass SMS with the greatest ease. Nothing is “hack-proof”, but prefer hard tokens, soft tokens, and push notifications wherever feasible and manageable (and train users to deny push prompts they did not initiate, since attackers will keep sending them until someone taps approve).

The world is at least a decade past the first calls of “passwords must die”, yet we are still taxed with these millstones around our necks. If we must live with them, then take a decent layered approach to protecting against stolen credentials and other password attacks: multi-factor authentication combined with a password manager.

Patch and Vulnerability Management

This is a holdover from a bygone era of cyber security, the era of firewalls, antivirus, and intrusion detection systems. Those technologies reached their zenith years ago and have since been surpassed by others, like the ones in this article; patching, however, remains essential.

Patch and vulnerability management (PVM) ensures all the right files are on the systems. Those right files are the code base for all the services that perform tasks and interact with other services, either on the same system or remote system(s).

Bugs get discovered in those files that hackers (or researchers) figure out how to exploit. Vendors release updated files (patches). Customers at the enterprise level download, test, and push the patches as needed.

Additionally, there are numerous vulnerability scanners. They range in price and capability, but all of them at least produce a list of the vulnerabilities present on the SMB’s systems.

For small business, PVM can look and feel a lot different depending on the size and complexity of the infrastructure.

Having only a couple of assets to care about really only requires a written process that’s followed on a regular basis:

  • Create a list of the relevant IT assets (you have an asset inventory now) – website, laptops, etc.
  • Check for security updates with a specified frequency (weekly)
  • Map assets and updates to the vulnerability scan output
  • Prioritize, at minimum, the Critical and High findings (see What Vulnerabilities Should I Worry About? for more info)
  • Apply the fixes – either patches or some other mitigating steps if no patches are available
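The “map assets to scan output” and “prioritize” steps are where the asset inventory pays off: the same Critical finding matters more on an internet-facing web server than on a printer. The following added example (not from the original article) joins a scanner export with the inventory’s exposure data and orders the work. The scan rows and exposure flags are constructed, and the finding ids are placeholders, not real CVE identifiers.

```python
# Added example (not from the article): the "map scan output to assets and prioritise"
# steps as a script. Scanner rows and asset exposure are constructed; finding ids are
# placeholders, not real CVE identifiers.
import csv
import io

SCAN_CSV = """host,finding,severity,cvss,fix_available
www-01,finding-1,High,8.1,yes
files-01,finding-2,Critical,9.8,yes
acct-lt-01,finding-3,Medium,5.3,yes
www-01,finding-4,Critical,9.1,no
print-02,finding-5,Low,3.1,yes
"""

# From the asset inventory: which hosts face the internet and which hold critical data.
ASSETS = {
    "www-01": {"internet_facing": True, "critical_data": False},
    "files-01": {"internet_facing": False, "critical_data": True},
    "acct-lt-01": {"internet_facing": False, "critical_data": False},
    "print-02": {"internet_facing": False, "critical_data": False},
}

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def score(row: dict) -> float:
    """Severity first, then exposure and data sensitivity, CVSS as the tie-breaker."""
    asset = ASSETS.get(row["host"], {})
    return (SEVERITY_RANK.get(row["severity"], 0) * 10
            + (5 if asset.get("internet_facing") else 0)
            + (3 if asset.get("critical_data") else 0)
            + float(row["cvss"]))


def prioritise(scan_csv: str = SCAN_CSV, minimum: str = "High") -> dict:
    """Ordered worklist of at-least-`minimum` findings; the rest are deferred.

    Findings without a vendor fix get the action 'mitigate' (isolate, disable,
    firewall) instead of 'patch', per the last step of the process above.
    """
    rows = list(csv.DictReader(io.StringIO(scan_csv)))
    threshold = SEVERITY_RANK[minimum]
    work = [r for r in rows if SEVERITY_RANK.get(r["severity"], 0) >= threshold]
    deferred = [r["finding"] for r in rows if SEVERITY_RANK.get(r["severity"], 0) < threshold]
    work.sort(key=score, reverse=True)
    return {
        "worklist": [(r["host"], r["finding"],
                      "patch" if r["fix_available"] == "yes" else "mitigate") for r in work],
        "deferred": deferred,
    }


if __name__ == "__main__":
    result = prioritise()
    for host, finding, action in result["worklist"]:
        print(f"{action:8s} {host:12s} {finding}")
    print("deferred:", result["deferred"])
```

An unpatchable Critical on the internet-facing host lands at the top with a “mitigate” action rather than disappearing because there is nothing to download; that is the case a spreadsheet process most often drops.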

An SMB with a handful of assets to manage can get away with doing this in an Excel spreadsheet. However, at some point the business grows and cycling through this process becomes untenable. When that happens, there is a wide variety of PVM products to help.

Endpoint Detection and Response (EDR)

EDR is the new antivirus. It does everything antivirus does, but more, better, further, and faster… and better. EDR as a tool and capability, when installed, configured, and managed properly, provides defenses against all sorts of attacks antivirus could never dream of.

For a tiny SMB, antivirus is better than nothing, but it misses too many modern attack techniques, so move to an EDR as soon as possible.

Major Features:

  • Core antivirus capabilities
  • Installed on every endpoint and monitored and managed from a central location.
  • Collects and correlates telemetry from every system where it is installed
  • Can detect more complex and sophisticated attacks
  • Can take action with a strong set of features to deny, disrupt, contain, and eradicate the threat
  • Firewall-like capabilities at each endpoint
  • Sandboxing
  • Ability to “remove” (isolate) problem systems from the network, limiting the spread of an attack
  • Watches for data exfiltration

EDR may just count sheep when it sleeps.

The reality is that when it’s time to get EDR, meaning all the previous components are “complete”, it may also be time to get an MSSP.
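What “detect more complex attacks” means in practice is behavioural rules over process telemetry, which a file-scanning antivirus never sees. The following added example (not from the original article) runs two such rules over constructed, simplified process-creation events: an Office application spawning a script host, and PowerShell launched with an encoded command, which the rule decodes. The events, hostnames, and command lines are made up; the encoded payload is built at run time from a harmless command so it is real base64 rather than a fake string.

```python
# Added example (not from the article): the kind of behavioural rule an EDR runs
# over process-creation telemetry, which a signature-based antivirus has no view of.
# Events are constructed and simplified (host, user, parent image, image, command line).
import base64
import re
from typing import Optional

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Harmless encoded payload built at import time so the sample is real base64/UTF-16LE.
ENCODED = base64.b64encode("Write-Output test".encode("utf-16le")).decode()

EVENTS = [
    {"host": "acct-lt-01", "user": "alice", "parent": "explorer.exe",
     "image": "winword.exe", "cmdline": 'winword.exe "Q2 invoice.docx"'},
    {"host": "acct-lt-01", "user": "alice", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "files-01", "user": "it", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File nightly-backup.ps1"},
    {"host": "acct-lt-02", "user": "bob", "parent": "excel.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c certutil -decode payload.b64 update.exe"},
]


def rule_office_spawns_shell(ev: dict) -> bool:
    """A document should not be launching a script interpreter; macros/phishing do."""
    return ev["parent"].lower() in OFFICE and ev["image"].lower() in SCRIPT_HOSTS


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_encoded_powershell(ev: dict) -> bool:
    return (ev["image"].lower() == "powershell.exe"
            and decode_encoded_command(ev["cmdline"]) is not None)


RULES = {
    "office_spawns_shell": rule_office_spawns_shell,
    "encoded_powershell": rule_encoded_powershell,
}


def detect(events: list) -> dict:
    """Map event index -> list of rule names that fired for it."""
    hits = {}
    for i, ev in enumerate(events):
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for i, fired in detect(EVENTS).items():
        ev = EVENTS[i]
        print(f"{ev['host']} {ev['user']}: {ev['parent']} -> {ev['image']} {fired}")
```

The backup script on files-01 is PowerShell too and does not fire, which is the point: the rule keys on the parent/child relationship and the encoding trick, not on the binary’s name.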

Application Whitelisting

With application whitelisting, nothing runs without “permission”. No employee- or attacker-installed programs. Nothing. This means the child process of a nefarious script an attacker managed to get onto a system through phishing goes nowhere. Ransomware, 0days, trojans, and other malicious programs are dead on arrival.

Sense the power? This may be the John Wick of security tools.

With the power to protect also comes the power to disrupt. What happens if an important program gets removed from the allow list? All work could come screeching to a halt. Every time an employee needs to use an app not on the whitelist, a support ticket has to be opened and worked. This takes time and adds to the frustration of security.

With frustration comes circumvention. The security that is circumvented is not security.

This should not deter a business from using whitelisting applications, it just means careful, tried and true best practices are employed.

Hysolate has a good list of AW best practices:

  • Create an application inventory
  • Classify Essential and Non-Essential Business Applications
  • Integrate Whitelisting and Patch Management
  • Allow Selective Admin Access to Admin Tools

Another approach (that I would like to credit if I can remember where I heard it) is to use application blacklisting to start, and then welcome security violators to the application whitelisting program.

“Click on a phishing email?” Welcome to application whitelisting.

“Download and install a program without authorization?” Welcome to application whitelisting.
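That escalation approach is simple enough to express as policy. The following added example (not from the original article) starts every user on a blocklist, moves a user to a strict allowlist on their first violation, and keys both lists on file hashes rather than paths, so renaming a downloaded dropper to update.exe changes nothing. The hashes are of constructed byte strings, and the paths and usernames are illustrative; a real deployment would use the operating system’s own enforcement (AppLocker, WDAC, or similar) with this as the policy logic.

```python
# Added example (not from the article): an execution-control policy that starts
# everyone on a blocklist and moves a user to a strict allowlist after their first
# violation, the escalation approach described above. Hashes are of constructed
# byte strings; paths are illustrative.
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash-based, not path-based: renaming a dropper to "update.exe" does not change its hash.
KNOWN_BAD = {sha256(b"constructed dropper sample")}
APPROVED = {sha256(b"constructed winword binary"), sha256(b"constructed chrome binary")}


class ExecutionPolicy:
    def __init__(self):
        self.mode = {}        # user -> "blocklist" (default) or "allowlist"
        self.violations = []  # (user, path) for the support/awareness conversation

    def decide(self, user: str, path: str, file_hash: str) -> str:
        mode = self.mode.get(user, "blocklist")
        if mode == "blocklist":
            if file_hash in KNOWN_BAD:
                self.violations.append((user, path))
                self.mode[user] = "allowlist"   # "welcome to application whitelisting"
                return "block"
            return "allow"
        # allowlist mode: nothing runs unless explicitly approved
        return "allow" if file_hash in APPROVED else "block"


# Constructed sequence of executions.
EXECUTIONS = [
    ("bob", r"C:\Users\bob\Downloads\update.exe", sha256(b"constructed dropper sample")),
    ("bob", r"C:\Users\bob\tools\putty.exe", sha256(b"constructed unknown tool")),
    ("alice", r"C:\Users\alice\tools\putty.exe", sha256(b"constructed unknown tool")),
    ("bob", r"C:\Program Files\Office\winword.exe", sha256(b"constructed winword binary")),
]


def run(executions=EXECUTIONS) -> tuple:
    """Return (decision per execution, final mode per escalated user)."""
    policy = ExecutionPolicy()
    decisions = [policy.decide(user, path, h) for user, path, h in executions]
    return decisions, policy.mode


if __name__ == "__main__":
    decisions, mode = run()
    for (user, path, _), verdict in zip(EXECUTIONS, decisions):
        print(f"{verdict:5s} {user:6s} {path}")
    print("escalated:", mode)
```

The same unknown tool is allowed for alice and blocked for bob after his violation, which is the carrot-and-stick the text describes: the friction of whitelisting lands on the people who have shown they need it.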

Good Enough Security

Back in 2003, in an article entitled Good-Enough Security: Toward a Pragmatic Business-Driven Discipline, Ravi Sandhu discusses what he calls the three golden principles of security:

Good is good enough.

Good enough always beats perfect.

The really hard part is determining what is good enough.

The security components and controls discussed in this article are an ever-escalating bare minimum: as the business grows, its technology inevitably expands with it, and as growth and complexity increase (they go hand in hand) the cyber security controls will need to keep pace to meet the data protection needs.

Consider this phased approach to achieving good enough security:

Phase     Security                                   Estimated Time
Phase 1   Data Valuation, Data Risk Analysis         1 – 2 weeks
Phase 2   Backups, Phishing Countermeasures, MFA     1 – 3 weeks
Phase 3   PVM w/ Excel (or similar)                  1 week
Phase 4a  Consider an MSSP (optional)                3 – 4 weeks
Phase 4b  PVM, EDR, and App Whitelisting             2 – 4 months

Complete phases 1 through 3 as quickly as possible and to as large a scope and extent as feasible. Then investigate getting a managed security service provider (MSSP) that also does IT management to handle phase 4b and pick up the phase 2 responsibilities.

It’s hard to put a rigid timeline on something like this because there are other factors at play: budget, the obvious big one, along with skill, available time, etc. But the results of phase 1 should show, to some degree, the value of the security and the merits of spending certain amounts of money on it.

One final point of note: when the business has gone through all 4 phases (with or without an MSSP), it’s time to look into a security assessment such as a penetration test. These are not free (and there are alternatives to pentesting), but it’s part of making sure all the implemented security is doing what it’s supposed to.
