Laurence Cadieux
October is Cybersecurity Awareness Month. Launched in 2004, this is an internationally recognized event to help the general public learn about cybersecurity: what to do, and what not to do (and a few “wow — don’t even THINK about ever doing that!”).
These days, the importance of cybersecurity awareness and education cannot be underestimated. As we recently highlighted in our Shocking Cybercrime Statistics: 2023 Edition, the situation is alarming. For example, the number of malware attacks has reached 5.5 billion per year, 71% of businesses say they have fallen victim to ransomware attacks, and the global cost of cybercrime is predicted to reach a staggering $8 trillion annually by the end of this year.
A Refresher for You — an Eye-Opener for Them
To mark Cybersecurity Awareness Month at Devolutions, we have asked our security teams to put together a list of seven essential cybersecurity tips that they believe every SMB should follow.
If you are an IT pro who could write a book (or probably several) on good cybersecurity habits and practices, then we encourage you to use this article as a refresher. Even seasoned experts can benefit from revisiting the basics now and then!
In addition, we invite you to share this article with your colleagues, clients, and others in your network who may not be aware of some key issues and best practices. These tips could be the eye-opener they need to stay out of harm’s way.
Tip #1: Be Proactive & Assume You Are Being Targeted
Instead of believing that they’re “too small to be targeted,” SMBs should assume they are being hunted and should proactively strengthen their cybersecurity profile. Doing so is FAR cheaper, faster, and easier than trying to clean things up in the aftermath of an attack.
Keep in mind that hackers are increasingly targeting SMBs, whose security measures are far too often weak. In the last year, 60% of SMBs experienced at least one cyberattack — with 18% experiencing six or more — and the financial toll of a cyberattack on an SMB now ranges from $120,000 to $1.24 million per incident. Even more chilling is that 60% of SMBs shut down within six months of being hacked.
Tip #2: Implement 5 Policies to Reduce Risk & Increase Control
SMBs should adopt five core policies to minimize their cybersecurity risks, while at the same time increase oversight and control. These include:
- The principle of least privilege (POLP): end users get only the access level required to carry out their day-to-day tasks; no less, and no more. End users who temporarily require elevated privileges should submit a request that is approved or rejected by the SysAdmin.
- Zero trust architecture, which is based on the principle that nobody should be automatically trusted. Instead, end users (along with machines and apps) must be authenticated through technologies such as MFA, IAM, encryption, analytics, etc.
- Segregation of duties, which prevents a single individual from being responsible for carrying out conflicting duties.
- Defense-in-depth, which uses multiple layers of protection to slow hackers down, as they attempt to snake their way to the perimeter, and from there to mission-critical assets.
- The four-eyes principle, which requires that any activity by an end user involving material risk must be reviewed and confirmed by a second employee who is both independent and competent.
Tip #3: Use PAM to Bridge the Authentication-Authorization Gap
SMBs need to fully deploy a privileged access management (PAM) solution that bridges the gap between authentication and authorization. Principally, PAM is composed of two parts:
- Identity management, which is concerned with WHO an end user is.
- Access management, which is concerned with WHAT an end user is authorized to do.
Also, the phrase “fully deploy” is important. While 98% of SMBs are managing privileged accounts to some extent, only 12% have a fully deployed PAM solution in place — which means that 88% are more vulnerable (and in many cases much more so) than they believe.
Tip #4: Put a Robust and Practical Plan in Place – and Follow It!
SMBs need to build and follow a comprehensive plan that, at a minimum, should have three core elements:
- Define and document objectives: Many SMBs focus on end user competence and compliance — which is important — yet they neglect to verify that objectives are understood or even known in the first place!
- Define roles and responsibilities: Ensure that key internal stakeholders understand cybersecurity requirements across the business, and map them to a RACI chart (Responsible, Accountable, Consulted, Informed).
- Communicate downstream and monitor upstream: Cybersecurity policies must be available for all stakeholders, and updates should be communicated in a timely matter. Establishing bi-directional communication channels is critical, as is making continuous adjustments and improvements as necessary.
Tip #5: Make End Users Part of the Solution
SMBs should provide end users with cybersecurity awareness training that focuses on fundamental issues, risks, and threats. Just some of the key topics that should be part of the training include: access control, identity theft, social engineering (e.g., phishing, business email compromise), incident reporting, password management, physical security, remote working risks, and more.
In addition, it is extremely important for SMBs to identify and eliminate “Shadow IT.” This refers to the use of hardware, software, and/or cloud services without the knowledge and approval of the IT team. Gartner predicts that by 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility — up from 41% in 2022.
Tip #6: Augment Skills & Capacity with an MSP
SMBs that lack in-house IT security and cloud security expertise — either because they cannot find the people they need, or they can find them but not afford to enlist them — should partner with a Managed Service Provider (MSP) to close the skills and capacity gap.
What should you look for in an MSP? Here are some key factors to keep in mind:
Choose an MSP that has the proven capacity to serve your specific needs.
Discover how long it typically takes an MSP to respond to a problem, how fast they resolve issues, and what to expect if you need on-site support. All of these commitments and standards should be locked into the Service Level Agreement.
Bad actors — and for that matter, misbehaving IT software and systems — do not take vacations, and neither should your MSP. They should monitor your infrastructure 24/7/365, and have multiple tools and policies that support business continuity and disaster recovery.
An MSP should certainly provide you with informed advice — but ultimately, any decisions that you make regarding vendors, tools, and technologies must be 100% yours.
An MSP should be capable of clearly and effectively communicating with both IT and non-IT audiences.
Tip #7: Swap Your VPN for a Just-in-Time Gateway
Despite their widespread popularity and important advantages, virtual private networks (VPNs) trigger multiple issues:
- They are notoriously difficult and time-consuming to deploy, which is especially problematic for SMBs that do not have large IT teams.
- VPN clients tunnel traffic through the private network, which can significantly degrade network performance.
- When granting temporary access, SysAdmins must spend time updating and keeping track of VPN and firewall rules.
The solution to these drawbacks? Replace your VPN with a just-in-time gateway that:
- Deploys quickly and easily.
- Improves network performance by restricting tunneling to RDP connections, so there is no negative impact on other network traffic.
- Replaces static VPN and firewall rules with dynamic access rules, which eliminates the need for SysAdmins to update VPN and firewall rules for temporary access.
To learn more about the advantages of swapping a VPN for a just-in-time gateway, click here.
From the Desk of Devolutions CISO Martin Lemay:
We are in the era of the digital Wild West, where threats are abundant. All organizations — but especially SMBs that are increasingly targeted — absolutely must develop a defense capability to protect their interests, and all their stakeholders, from often predictable cyberattack opportunities. Whether this capability is developed internally or outsourced, expertise in cybersecurity is crucial to maintain balance.
The Final Word
Although October is Cybersecurity Awareness Month, understanding the risks and threats — and knowing how to identify, control, and reduce them — must be a year-round, ongoing effort.
Obviously, these seven tips are not meant to provide organizations with a comprehensive, detailed blueprint. But they should be part of the foundation for action and awareness. As we all know, the more lucrative identity and data theft becomes, the worse things are going to get. Given the potential costs and consequences, a strong, reliable, and compliant cybersecurity profile is no longer optional: it is essential!
Patrick Pilotte
