Improving Your Organization's Security Posture

Envision IT Pressroom | December 1, 2021

From Colonial Pipeline to SolarWinds, Facebook, Instagram, LinkedIn, and T-Mobile (just to name a few), digital security breaches and ransomware attacks have made big news in 2021. While these widely publicized incidents at large multinational companies have made the headlines, an often-underreported story is the impact cybercrime has on small to medium sized businesses (SMBs) and the role that managed service providers (MSPs) can play in protecting and guiding this increasingly vulnerable segment.

In its most recent Internet Crime Complaint Center (IC3) report, the FBI reported an increase of almost 300% in reported attacks in 2020. We often hear about the big business breaches in the news, but small and medium sized businesses are not out of the woods. In fact, of all ransomware attacks reported in 2020, more than 55% targeted SMBs with fewer than 100 employees.

Improving your organization’s security posture to prevent, prepare for, or minimize the effect of a security breach requires a layered approach with a particular focus on five essential areas:

  • Automation, Expertise, and the Human Firewall – Multiple sophisticated layers of protection against today’s cyber threats and preparing your employees to serve as the first line of defense.
  • Remote Connectivity – Reevaluating WFH strategies to optimize security without compromising user experience.
  • Cyber Insurance – A necessary cost of doing business that can assist in the timely remediation of cyberattacks and incidents.
  • Incident Response Plan – A critical component to recovery readiness that requires collaboration between all critical business units.
  • Business Continuity – Organizations with Business Continuity Disaster Recovery solutions in place are less likely to experience significant downtime from ransomware.

Let’s look at each of these security posture elements individually and explore how they work together to build a more secure environment for your business. 

Automation, Expertise, and the Human Firewall
Bad actors are relentless and leverage AI and automation to constantly search for a door into your environment. To combat these complex and creative attempts on your business, you need to match their sophistication to defend against the barrage of attacks. The security industry is producing contextually aware tools that protect and detect malicious behavior at multiple layers within an environment, with the goal of staying steps ahead of the cybercriminal networks. It’s important that you continually evaluate platforms and then implement and proactively manage them to effectively protect your business. The challenge for small and medium-sized businesses is that these platforms are priced for large enterprises and require highly trained security professionals to maintain them. This is where Managed Service Providers (MSPs) can help. They have teams dedicated to evaluating and maintaining the best-of-the-best platforms and can apply economies of scale across multiple customers. This model helps democratize enterprise-class tools and expertise to organizations of all sizes and defend your business against today’s complex threat landscape.

An MSP will take a layered approach to toolsets protecting from the end-user device through to the data at the systems level including protecting your data in case of a successful breach. Most often the right combination of honed technologies, security expertise, and processes enable the MSP to address issues and breach attempts before they become disruptive for your employees or your business.

An important element of an effective defense strategy is your employees. After all, people are the livelihood of every business. The bad actors know that too and target them for access to your network. More than 90% of successful data breaches start with spear phishing attacks that reach an ill-prepared employee. That makes for a terrible day for that employee and for the business. It’s critical to prepare employees to be that first line of defense. An MSP should provide end-user education in the form of consistent training and reinforcement, helping people within organizations stay sensitive to threats and not take the bait. This helps employees be vigilant against cybercriminals both at work and at home. It’s an essential piece of an effective cybersecurity threat protection strategy and a meaningful way to care for your employees.

Prior to training it is common for a minimum of 60% of employees to fail a phishing test. Once the initial training is complete, it is not unusual for that failure rate to drop to nearly zero. However, after five to six months – if the training is not consistent – that failure rate starts to go up to 10% or more. This points out the need for the training to be consistent.  It doesn't have to be extensive but should serve as reminders that vigilance is important.

There is a lot of flexibility in both the format and delivery of this type of training. The curriculum can be delivered through pre-produced video modules that are designed to guide the employee through the learning and prepare them for their critical role in the company’s cybersecurity defenses.

The key to an effective training strategy is to build Familiarity, Curiosity and Trust. That includes helping the users understand: 

  • They are the first line of defense
  • What to look for in email
  • How to review sender address
  • How to look for unexpected content (attachments)
  • How to recognize unusual requests
  • How to look for grammar & spelling mistakes
  • How to report suspect messages
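
The checklist above can also be applied mechanically at the mail gateway or by the help desk when a user reports a message. The script below is an added example (not Envision IT's tooling, and not part of the original article) that turns four of those checks into code: a display name that claims one address while the real address uses another domain, a lookalike of the organization's own domain, a Reply-To that diverges from the From address, risky attachment types, and pressured language. `CORPORATE_DOMAIN` and both sample messages are constructed for the demonstration.

```python
"""Heuristic phishing triage over a raw RFC 5322 message.

Added example for the "what to look for" checklist; it is not Envision IT's
tooling. CORPORATE_DOMAIN and the two sample messages below are constructed
for the demonstration.
"""
import os
import re
from email import message_from_string, policy

CORPORATE_DOMAIN = "example.com"   # assumption: the organization's own mail domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "gift card", "verify your account")

# Constructed sample: spoofed display name, lookalike domain (examp1e.com),
# divergent Reply-To, a double-extension executable, and urgency language.
SAMPLE_PHISH = """\
From: "pat.chen@example.com" <pat.chen@examp1e.com>
Reply-To: finance-desk@mail-relay.net
To: accounts@example.com
Subject: URGENT: wire transfer needed before 5pm
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice immediately.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

# Constructed sample: an ordinary internal message with nothing to flag.
SAMPLE_BENIGN = """\
From: Jane Roe <jane.roe@example.com>
To: accounts@example.com
Subject: Q3 expense report
Content-Type: text/plain

Attached is the Q3 summary for review when you have a moment.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw: str) -> list:
    """Return human-readable indicators found in one raw message (empty if clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_domain = sender.domain.lower() if sender else ""
    display = sender.display_name if sender else ""

    # 1. Display name carries an address whose domain differs from the real one.
    m = re.search(r"@([\w.-]+)", display)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name claims {m.group(1)} but address domain is {from_domain}")

    # 2. Lookalike of our own domain: one or two edits away, but not identical.
    if from_domain and 0 < edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain} vs {CORPORATE_DOMAIN}")

    # 3. Replies are routed somewhere other than the apparent sender.
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Unexpected or dangerous attachment types.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")

    # 5. Unusual, pressured requests in the subject or body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = ((msg["Subject"] or "") + " " + (body_part.get_content() if body_part else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_indicators(sample) or "no indicators")
```

None of these checks is proof on its own; a real gateway would combine them with SPF/DKIM/DMARC results and sender reputation. The point of the example is that every item the training asks an employee to notice can also be checked before the message lands in the inbox.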

This type of training serves a number of purposes. The first is the training itself and the value of having an aware and vigilant workforce. The training should also make your employees aware of less widely recognized social engineering tactics such as baiting, pretexting, smishing, and tailgating, to name a few.

The second purpose is auditing. This platform of continuous testing provides the company the ability to monitor users’ ability to spot suspicious emails. Whether it’s for new hires or existing employees, this type of automated training allows companies to identify gaps or problem areas that can be addressed proactively with additional training.

Industry best practices indicate that this level of training should be continuous and regular. Once a year is not enough. Remember, the bad actors are relentless. The Cybersecurity and Infrastructure Security Agency (CISA) has reported that in 60% of the attacks it profiled, initial access was via a phishing link or a phishing attachment. If you can solve that one problem, you've solved a large share of the security breaches that occur.

Training and testing can identify next steps in strengthening your defenses. SMBs should work with their MSPs to implement other security platforms and tools and meet at least quarterly to reinforce security protocols. This leads to the development of a roadmap that identifies high-priority issues. Those issues, effectively and rigorously addressed, will keep the Human Firewall strong.

Remote Connectivity
With the nature of work evolving (in-office, remote, hybrid, fractionalized, out-sourced, etc.) many companies now know that the need to manage and secure their networks must evolve as well. A recent Gartner study found that 74% of businesses will offer permanent work-at-home arrangements and environments to their employees post-pandemic. This evolution is forcing companies to evaluate their work from home strategies to optimize security without compromising user experience.

As mentioned previously, bad actors are relentless. They also can be both patient and opportunistic.

They’ll be patient if they determine the environment is safe for them to do a little exploring. Once a bad actor gains access to a company’s network, they can sometimes “hang out” for four to six months before they decide to do something. They’re taking advantage of that time to do reconnaissance: mapping out the network, figuring out how many servers, workstations, printers, and so on are present, and basically building an asset list. Then they can start prioritizing, determining high-value targets, and deciding when to strike.

They can also be opportunistic. They think of it as an ROI exercise. What is the best way to extract the most value at the least cost? The trend is that it's taking less time for them to go in and execute an attack. As MSPs become more sophisticated threat hunters, the bad actors are executing quickly before they lose access.

Remote work has added tremendous complexity to the job of maintaining network security. The old thinking was to secure the office, the data center, and all internet edge appliances. Essentially secure the castle and all the assets inside. Now, all the assets are dispersed. The internet edge is now outside the castle.

Without the appropriate tools and expertise, many companies have lost their ability to manage those endpoints in a meaningful way, or even deploy software to them to try to solve the problem.

In addition, many remote employees now sit behind no corporate firewall at all. Initially the quick fix was the deployment of VPNs. That proved to be problematic for a number of reasons. In the last year, the approach has been refined to “ditch the VPN” and find more secure ways of providing that level of protection to a dispersed workforce. Solutions such as Citrix provide significant support in addressing this issue.

There are a number of “new normal” rules that should be followed when planning your organization’s remote connectivity and security plan, however, the simple rule to remember is “The Castle and Moat are Not Sufficient.”

Going forward, organizations must explore solutions that:

  • Secure the user, device & application (not the castle)
    • Provide protection inside and outside the walls
    • Protect both corporate and employee-owned (BYOD) devices
    • Incorporate SaaS, cloud, and on-premises applications
  • Replace security appliances with cloud security services
    • Single identity for all authenticated services
    • Same security regardless of where the user is
  • Require multifactor authentication
    • A user must provide two or more pieces of evidence to verify their identity.
  • Utilize Zero Trust enterprise security architecture
    • Zero Trust is designed to move the focus of perimeter-based defenses to securing every user and asset. Zero trust continually confirms identity instead of implicitly trusting every user within the network perimeter.

Cyber Insurance
Is your organization financially able to withstand a cyber-attack? What if you had to shut down for a week or a month? What kind of financial impact would that have on your company? These are important questions to ask yourself as you weigh investing in cyber-security insurance.

First a few data points from recent studies:

  • While the large multinational companies affected by ransomware garner all the coverage, the threat was not among the top three cyber threats identified by small businesses. Business owners may be underestimating the threat of ransomware, however, MSPs are not. 85% of MSPs consider ransomware one of the biggest threats to their SMB clients.
  • 30% of small businesses consider phishing attacks to be their biggest cyber threat.
  • 83% of small and medium-sized businesses may not be financially prepared to recover from a cyber-attack.
  • Despite these sobering numbers, 91% of small businesses haven’t purchased cyber liability insurance.

There are many reasons to invest in cyber insurance if you haven’t already. First, it can assist in the timely remediation of cyberattacks and incidents and help cover the financial losses that result from these events. Second, and perhaps most importantly, it will be increasingly difficult to operate your business in the future without it as more contracts that your business enters into will require that you have it and some may even dictate a minimum set of controls to be in place.

Cyber insurance is a specialty insurance intended to protect businesses from Information Technology risks related to technology infrastructure, data privacy, and data governance liabilities. It is often excluded from a general liability policy.

It covers losses due to:

  • Data Destruction /Ransomware
  • Extortion
  • Data Theft / Loss
  • Hacking
  • Denial of Service Attacks

Other benefits include:

  • Specialized Legal Representation
  • Incident response and forensic analysis (The Cyber Insurance provider should be at the top of your contact list as referenced in your Incident Response Plan)
  • Public Relations Expertise
  • Negotiation and Payment of Ransom

There are limitations however and they may include:

  • Ransomware payments (dollar amount)
  • Potential future lost profits
  • Loss of value due to theft of Intellectual Property
  • Betterment (The cost to improve technology systems or security upgrades)
  • Regulatory Fines (e.g., PCI DSS – Payment Card Industry Data Security Standard)
  • Security Standards Exclusions

Like technology itself, the future of cyber insurance is ever evolving and there are many factors to consider when you are planning your investment:

  • Insurance companies are starting to mandate security controls. You can expect this list of mandates to grow.
  • As with all insurance, with increased payouts of benefits, you should expect premium costs to increase.
  • Likewise, cyber insurance companies will expand their list of exclusions
  • The various policies available today will converge and begin to standardize.

It is vitally important, as part of your detailed incident response and business continuity plans, to engage with your carrier when you have:

  • Verified a ransomware attack
  • Discovered a data breach / loss
  • Experienced a meaningful interruption of business
  • Discovered Indicators of Compromise (IOCs) found on your network

To acquire your cyber security insurance policy, it is best to first determine the right policy for your business. This process should be a cooperative effort between legal, risk management, IT, and your insurance specialists. Many cyber security MSPs can provide guidance to help you navigate this process. In addition, MSPs can help you review and implement security controls in line with CIS, NIST, ISO 27001, and PCI DSS recommendations and/or requirements.

Incident Response Plan
Just how prepared is your organization to respond to a cyber-attack? Does everyone agree that you need to have a coordinated and robust plan? Are your current plans compliant with your existing cyber-security insurance policies? Here are some interesting findings from recent studies gauging preparedness:

  • Only 14% of small businesses view their cyber-attack and risk mitigation capabilities as highly effective.
  • More than 40% of SMBs do not have any cybersecurity plan in place.
  • One in five small companies does not use endpoint security, and more than 50% of SMBs do not have in-house IT security experts.

If your company was on the receiving end of a cyber-attack, to borrow a phrase from Ghostbusters, “Who You Gonna Call?” What if you had no phones, no computers, no email, no org charts, no contacts, no help desk, no authentication, no Zoom, no wireless, no internet? What would you do?

There’s no time like the present to build out the answers to those and many other questions through a robust, detailed, and relevant incident response plan. But where to start? Your Cyber Security MSP is a great place to start understanding the components of a robust plan.

The National Institute of Standards and Technology (NIST) has produced a detailed Computer Security Incident Handling Guide (Special Publication 800-61) which outlines the key elements of an effective incident response plan, including a number of scenarios to consider when drafting a plan appropriate for your company, your industry, and the sensitivity of the data you are entrusted with.

The key elements of any plan are:

  • Mission (Why)
  • Strategies and goals (What)
  • Senior management approval (Who)
  • Organizational approach to incident response (What)
  • How the incident response team will communicate with the rest of the organization and with other organizations (When)
  • Metrics for measuring the incident response capability and its effectiveness (What)
  • Roadmap for maturing the incident response capability (What)
  • How the program fits into the overall organization (Why)

As you work with your team to build your response plan, you should remember to include:

  • Contacts for key people
  • Insurance contacts
  • List of planned recovery resources (spares, cloud, BYOD, Backups)
  • What order to recover systems (ERP, Payroll, Email, etc)
  • Plan to maintain forensics for analysis

Finally, it’s critical to plan table-top exercises to test the validity of your plan. Oftentimes, when organizations are attacked, things they assumed to be true turn out not to be.

For example, assume you try to log into your hypervisor management console, which is dependent on Active Directory. What if Active Directory was hit by ransomware? You can't log in to start restoring servers. There may be workarounds, but they could also cause a delay and time is of the essence. If you had these and other scenarios played out via table-top exercises, you could anticipate what you would need to do.

It is important to experience the exercise once or twice to understand what roadblocks you might encounter and build them into the incident response plan. You can discover the obstacles and build the solutions into the plan before you need to use them.
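
The hypervisor-and-Active-Directory trap above is a dependency cycle: the console needs AD to log in, and the domain controllers are VMs that need the console to be powered on. Cycles like that are easy to miss on a whiteboard but trivial to find if the recovery order from the incident response plan is written down as data. The following is an added example (not Envision IT's tooling, and not part of the original article): a constructed system inventory in which each system lists what must be running before it can be restored, a cycle finder, and a restore-order calculation that treats an agreed break-glass path (here a local, non-AD account on the hypervisor console) as a removed dependency. System names and the `BREAK_GLASS` entry are assumptions for the demonstration.

```python
"""Restore order from a recovery dependency map, with cycle detection.

Added example for the "what order to recover systems" item and the
hypervisor / Active Directory scenario; not Envision IT's tooling. The
inventory and the break-glass entry are constructed for the demonstration.
"""
import heapq
from collections import defaultdict

# Constructed inventory: system -> systems that must be up before it can be restored.
# The cycle: the console authenticates against AD, and the AD domain
# controllers are VMs that can only be powered on from the console.
INVENTORY = {
    "hypervisor-hosts": [],                                     # physical, power on first
    "hypervisor-console": ["hypervisor-hosts", "active-directory"],
    "active-directory": ["hypervisor-console"],
    "dns": ["active-directory"],
    "sql": ["hypervisor-console", "active-directory"],
    "erp": ["sql", "dns"],
    "payroll": ["erp"],
    "email": ["dns", "active-directory"],
}

# Assumed outcome of a tabletop exercise: a local emergency admin on the
# console (credentials in the offline vault) bypasses its dependency on AD.
BREAK_GLASS = {"hypervisor-console": ["active-directory"]}


def find_cycles(deps):
    """Depth-first search; returns each dependency cycle as a list of names."""
    white, gray, black = 0, 1, 2
    color = defaultdict(int)
    stack, cycles = [], []

    def visit(node):
        color[node] = gray
        stack.append(node)
        for dep in deps.get(node, []):
            if color[dep] == gray:                      # back edge: a cycle
                cycles.append(stack[stack.index(dep):] + [dep])
            elif color[dep] == white:
                visit(dep)
        stack.pop()
        color[node] = black

    for name in sorted(deps):
        if color[name] == white:
            visit(name)
    return cycles


def restore_order(deps, break_glass):
    """Kahn's algorithm with break-glass bypasses removed from the graph.

    Returns (order, unresolved): order lists systems dependencies-first with
    alphabetical tie-breaking; unresolved holds systems still stuck behind a
    cycle, which is a hole in the plan to close before an incident.
    """
    for system, needs in deps.items():
        unknown = [d for d in needs if d not in deps]
        if unknown:
            raise ValueError(f"{system} depends on unlisted systems: {unknown}")

    effective = {s: [d for d in ds if d not in break_glass.get(s, [])]
                 for s, ds in deps.items()}
    indegree = {s: len(ds) for s, ds in effective.items()}
    dependents = defaultdict(list)
    for s, ds in effective.items():
        for d in ds:
            dependents[d].append(s)

    ready = [s for s, n in indegree.items() if n == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        current = heapq.heappop(ready)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, nxt)
    unresolved = sorted(s for s, n in indegree.items() if n > 0)
    return order, unresolved


if __name__ == "__main__":
    print("cycles:", find_cycles(INVENTORY))
    print("without break-glass:", restore_order(INVENTORY, {}))
    print("with break-glass:   ", restore_order(INVENTORY, BREAK_GLASS))
```

Run without the break-glass entry, the only restorable system is the physical hypervisor hosts and everything else is reported as unresolved, which is exactly the deadlock the tabletop exercise is meant to surface. With the entry, the order comes out hosts, console, AD, and then everything that depends on them. The same map doubles as the "list of planned recovery resources" once each entry is annotated with where its backups and spares live.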

Proactive MSPs can facilitate these exercises which are typically an “all hands-on deck” affair with every critical business unit and personnel involved to build out and test the plan.

Business Continuity
Planning for, protecting against and responding to cyber-attacks of any kind is not typically thought of as the “sexy part” of IT. What is sexy is a business’ ability to continue operating, generating revenue, and thriving after an attack.

That’s what this discussion is all about – helping small to medium sized businesses guard against and/or recover from malicious activity from bad actors. A disciplined commitment to business continuity solutions is a necessary “fact of life” today and into the future.

Here are some other “facts of life” to consider when evaluating your organization’s security posture:

  • More than 40% of all data breaches involve small and medium-sized businesses
  • Just over 60% of all SMBs have reported at least one cyber-attack during the previous year
  • 40% of the small businesses that faced a severe cyber-attack experienced at least eight hours of downtime.
  • 91% of organizations with Business Continuity Backup Recovery solutions in place are less likely to experience significant downtime from ransomware. The cost of downtime is nearly 50x greater than the ransom requested in many cases.

As you might imagine, we’re not just talking about backups when we say business continuity. Of course, protecting your backups is important, but we’re also talking about making sure your organization has a plan in place to:

  • Protect your backups
    • Separate network and authentication
  • Ensure local and cloud copies
  • Protect on-premises, SaaS and cloud data
  • Identify resources for restore or spin-up
  • Activate your plan for business recovery

Recently, Beau Smithback, Chief Stakeholder Strategist and Bill Crahen, Chief Stakeholder Architect of Envision IT were asked what’s in their crystal ball when it comes to cyber security, business continuity, and what organizations should be thinking about into the future. Here’s a bit of that conversation:

Beau Smithback
“I think the thing that we've been talking about a lot lately is compliance. It really is being hyper-diligent about understanding what your assets are on the network, understanding how they've been hardened, who has access to them. Mapping all that out and implementing zero trust.

Compliance is going to be driven by cyber security companies and cyber security insurance companies. Being ahead of that, not only improves companies’ postures, but it really gives them a good framework to say here's where to start and here's what the biggest risks are. I think there are a lot of companies who are in the small and medium sized business range that really don't understand how important compliance is. And as a result, they are reluctant to say, ‘Okay, let's go and sign up for services to do that.’ But I think that's changing.

Cybersecurity insurance companies are going to absolutely demand compliance and minimum security standards, and that’s important because having a policy is material to so many contracts today. The C-suite is going to be pushing organizations to move really quickly on the challenges because some of these compliance exercises might take a year to accomplish. For example, if you are reacting in the last month of a policy renewal, it may be tough to make it. But again, that’s why it’s so important to focus on it diligently.”

Bill Crahen
“I would say the good news is that these are things that we have been talking about. I'd say a lot of companies get it; they know it is important. Some were budgeting for it. I think the cyber insurance mandates are forcing companies to make sure they have all the necessary controls and processes in place.

Beginning last year, we were seeing cyber insurance companies mandating multifactor authentication on email and external access. But now this past year, we've seen requirements for multifactor internally, and those can be big-ticket items when it comes to budget.”

Beau Smithback
“The price of cyber insurance can't be forgotten. That’s increased dramatically over the last two years. I work pretty closely with a company who said their broker told them to see if they can renew it a little bit early. Because if they wait two or three months, it's going to go from an 80% increase to probably a 100% increase. That's how quickly the premiums are increasing. That’s chewing up a big chunk of the budget.” 

Bill Crahen
“For me, I would say it is compliance. We’ve had a lot of conversations with customers, and they already had to deal with this, depending on their industry, but a lot of them haven't or haven't thought about it.

We can help those customers figure out what frameworks make sense for them. The good news is, whether you pick the right ones or you don't pick the right ones, it's not wasted energy because they do map to each other. But getting started is so important, because this work can take up to a year to get through. It’s important to start now because we're seeing certain sectors, like government, that will have new compliance issues. So, if you deal with the government, you need to comply with these new frameworks. So, start early.”

Don't go IT Alone
Just like the big Fortune 500 companies that make the news, small to medium-sized organizations that leverage technology to help run their business are entrusted to handle customer data. Unfortunately, they rarely have the resources to effectively guard against the malicious activities of bad actors, who see this sector of the American economy as a soft target.

Many SMBs, for a variety of reasons including a scarcity of resources necessary to harden their networks, may be lax in their implementation of necessary controls and processes.

This struggle to balance risk and business continuity is coming to a head as many operating agreements are now including standard requirements for digital security controls. Additionally, cyber security insurance policies are mandating these controls in order to provide the necessary liability coverage.

With 100% engaged Envisioners and 97.7% awesome customer satisfaction, Envision IT is one of the best of the best MSPs delivering support and expertise in these critical areas. Specifically, we democratize enterprise-class protection by extending sophisticated and professional managed toolsets, train the ever-important Human Firewall, help companies navigate the changing complexity of Remote Connectivity, provide experienced guidance through evolving Cyber Insurance Mandates, and build robust Incident Response and Business Continuity Plans.

At Envision we maintain the health of your technology environment, strengthen your security posture, and help our clients address the ransomware crisis from “readiness to response.” Many clients credit us for peace of mind. We offer Tabletop Exercises at no charge where we walk through a possible cybersecurity scenario that enables you to identify if your organization’s current response plan has any missing links and helps prepare you to implement necessary changes.

Regardless of how businesses engage us as their technology partner, they experience our expertise and trust our care.

To learn more about us and how we can help your organization improve your security posture, visit us at www.envisionitllc.com or give us a call at 608.824.2060.

Glossary of Terms
The Cyber Security Industry is well-known for their affection for acronyms. Next time you’re at a cyber security conference...what you don’t go to those? Well, next time you’re waiting for a meeting to start, try out these acronyms on your colleagues!

AC Access Control
AES Advanced Encryption Standard
AM Asset Management
AO Authorizing Official
AO Assessment Objective
APT Advanced Persistent Threat
AT Awareness and Training
AU Audit and Accountability
AUP Acceptable Use Policy
C3PAO CMMC 3rd Party Assessment Organization
CA Certification and Accreditation
CA Security Assessment
CCA CMMC Certified Assessor
CCP CMMC Certified Professional
CIS Center for Internet Security
CISA Cybersecurity and Infrastructure Security Agency
CMMC Cybersecurity Maturity Model Certification
CMMC-AB Cybersecurity Maturity Model Certification Accreditation Body
CMVP Cryptographic Module Validation Program
CSIRT Computer Security Incident Response Team
CSF Cybersecurity Framework
CTI Controlled Technical Information
CUI Controlled Unclassified Information
DC Domain Controller
ECA External Certificate Authority
HIPAA Health Insurance Portability and Accountability Act
HITECH Health Information Technology for Economic and Clinical Health (Act)
IOC Indicators of Compromise
IP Internet Protocol
IP Intellectual Property
IPS Intrusion Prevention System
IR Incident Response
IRP Incident Response Plan
IT Information Technology
LMS Learning Management System
MFA Multifactor Authentication
MSP Managed Service Provider
MSSP Managed Security Service Provider
MTD Maximum Tolerable Downtime
NAC Network Access Control
NIST National Institute of Standards and Technology
NTA Network Traffic Analysis
POA&M Plan of Action and Milestones
RM Risk Management
RMF Risk Management Framework
RP Registered Practitioner
RPO Registered Practitioner Organization (CMMC)
SAR Security Assessment Report
SIEM Security Information and Event Management
SSP System Security Plan
TCP Transmission Control Protocol
VPN Virtual Private Network
WAP Wireless Access Point
WEP Wired Equivalent Privacy
WPA Wi-Fi Protected Access
WPS Wi-Fi Protected Setup
Tags: Business Continuity, Data, Malware, Mobility, Ransomware, Remote Work, Security, Technology