
Security for SMBs: Insights for essential controls



There are important steps that small and medium-sized businesses can take to limit security risk. Unfortunately, many choose not to implement them and fall victim to ransomware attacks or worse.

Take the simple example of passwords. Verizon Communications Inc. reports that 80% of data breaches are linked to compromised login credentials, and research from the Ponemon Institute has found that only 55% of respondents in a survey said their companies have a policy on passwords.

“The main thing is you need to know where your risk is, where are holes in your risk management plan,” said Bob Carver, principal cybersecurity threat intelligence and analytics at Verizon. “It might be the passwords; it might be user education. It’s finding out where you have holes in protection of your network and your endpoints and your data.”

Carver spoke with Shelly Kramer, managing director and principal analyst at theCUBE Research, and research analyst Jo Peterson in the latest episode of the SecurityANGLE podcast series. The conversation covered a range of topics, including the evolution of cybersecurity roles, the importance of cybersecurity education, the risks faced by small to medium businesses and essential measures SMBs can take to enhance their cyber protection.

Security controls offer path for small businesses to follow

The Center for Internet Security has published 18 CIS Critical Security Controls that serve as a roadmap for SMBs to follow in working to mitigate risk, develop cybersecurity policies and train teams to embrace a security-focused culture. The 18 controls cover a wide range of best practices, from updating systems regularly and using privacy blockers to having a current, tested recovery process in the event of a breach.

“I do suggest a lot of small and medium-sized businesses look at the CIS 18 controls,” Carver said. “People can look over that and have an understanding of what needs to be done. I ran into one [incident] where somebody had their home security system, which was made in China, and they had the software and they put it on their phone and … a company laptop. All of a sudden there was bi-directional traffic to and from China. If there’s no controls, no policies to be able to limit that sort of thing, it can get out of control real quick.”

Controls over what can be downloaded onto company-owned devices or systems can make a difference, Carver added.

“People load all sorts of junk on company PCs all the time,” he said. “Even some of these coupon clipper things have all sorts of nasty stuff behind them. I don’t think you can always just let people download and install whatever they need to.”

DNS tools and browser extensions offer protection

Even for certain websites that employees must access to do their work, controls can be an important part of cyber protection. Carver uses tools such as uBlock Origin, a free and open-source browser extension for content filtering, and the tracking blocker Privacy Badger to guard against dangerous malware.

“There’s a lot of malware that goes over advertising and the tracking that goes on right now,” Carver said. “Small businesses could enable certain types of DNS services that do have blocking. You can choose malware domains to be blocked, botnet domains to be blocked, phishing domains to be blocked, tracking domains to be blocked.”

In addition to download controls, there are steps to take with key hardware as well. Threat actors can employ an evasion technique known as memory-only malware, which injects malicious code into a process running on hardware such as a router. Because there is no defined file to find, this can be harder to detect, but there is a simple solution, according to Carver.

“Just reboot your router once a week if you have a simple router,” he said. “Some of them can be auto-programmed to auto-reboot at two, three or four in the morning. You don’t even have to think about that.”

Commonly used web browsers can be “hardened” by tweaking various security settings. There are also emerging “hardened browsers” that come pre-loaded with strict security controls; a few of these are Tor, Mullvad, LibreWolf and Brave.

“They started trying to do this 10 years ago, and it’s starting to happen again,” Carver said. “I haven’t found one that just knocked my socks off yet. But I think there will be a time that hardened browsers and possibly even ‘paid-for’ browsers might be a thing.”
