From Colonial Pipeline to SolarWinds, Facebook, Instagram, LinkedIn, and T-Mobile (to name just a few), digital security breaches and ransomware attacks made big news in 2021. While these widely publicized incidents at large multinational companies made the headlines, an often-underreported story is the impact cybercrime has on small to medium-sized businesses (SMBs) and the role that managed service providers (MSPs) can play in protecting and guiding this increasingly vulnerable segment.
In its most recent Internet Crime Complaint Center (IC3) report, the FBI reported an increase of almost 300% in reported attacks in 2020. We often hear about the big-business breaches in the news, but small and medium-sized businesses are not out of the woods: of all ransomware attacks reported in 2020, more than 55% targeted SMBs with fewer than 100 employees.
Improving your organization’s security posture to prevent, prepare for, or minimize the effect of a security breach requires a layered approach with a particular focus on five essential areas: automation, expertise and the Human Firewall; remote connectivity; cyber insurance; an incident response plan; and business continuity.
Let’s look at each of these security posture elements individually and explore how they work together to build a more secure environment for your business.
Automation, Expertise, and the Human Firewall
Bad actors are relentless and leverage AI and automation to constantly search for a door into your environment. To combat these complex and creative attempts on your business, you need to match their sophistication. The security industry is producing contextually aware tools that protect against and detect malicious behavior at multiple layers within an environment in order to stay steps ahead of cybercriminal networks. It is important that you continually evaluate these platforms, then implement and proactively manage them to protect your business effectively. The challenge for small and medium-sized businesses is that these platforms are priced for large enterprises and require highly trained security professionals to maintain them. This is where managed service providers (MSPs) can help: they have teams dedicated to evaluating and maintaining best-of-breed platforms and can spread the cost across multiple customers. This model democratizes enterprise-class tools and expertise for organizations of every size and helps defend your business against today’s complex threat landscape.
An MSP takes a layered approach to tooling, protecting from the end-user device through to the data at the systems level, including protecting your data in case of a successful breach. Most often, the right combination of well-honed technologies, security expertise, and processes enables the MSP to address issues and breach attempts before they become disruptive for your employees or your business.
An important element of an effective defense strategy is your employees. After all, people are the lifeblood of every business. Bad actors know that too and target them to gain access to your network; more than 90% of successful data breaches start with a spear-phishing attack that lands on an ill-prepared employee. That makes for a terrible day for that employee and for the business. It is critical to prepare employees to be the first line of defense. An MSP should provide end-user education in the form of consistent training and reinforcement, helping people within the organization stay sensitive to threats and not take the bait. This keeps employees vigilant against cybercriminals both at work and at home. It is an essential piece of an effective cybersecurity protection strategy and a meaningful way to care for your employees.
Before training, it is common for at least 60% of employees to fail a phishing test. Once initial training is complete, it is not unusual for that failure rate to drop to nearly zero. However, after five to six months, if the training is not reinforced, the failure rate starts to climb back to 10% or more. This is why training needs to be consistent. It does not have to be extensive, but it should serve as a regular reminder that vigilance matters.
There is a lot of flexibility in both the format and the delivery of this type of training. The curriculum can be delivered through pre-produced video modules designed to guide employees through the material and prepare them for their critical role in the company’s cybersecurity defenses.
The key to an effective training strategy is to build Familiarity, Curiosity and Trust. That includes helping the users understand:
This type of training serves a number of purposes. The first is the training itself and the value of having an aware and vigilant workforce. It should be designed to make employees aware of the less widely recognized social engineering tactics, such as baiting, pretexting, smishing, and tailgating, and not just email phishing.
The second purpose is auditing. A platform for continuous testing gives the company the ability to monitor users’ ability to spot suspicious emails. Whether for new hires or existing employees, this type of automated testing lets companies identify gaps or problem areas that can be addressed proactively with additional training.
Industry best practice is for this training to be continuous and regular; once a year is not enough. Remember, the bad actors are relentless. The Cybersecurity and Infrastructure Security Agency (CISA) has reported that in 60% of the attacks it profiled, initial access came via a phishing link or a phishing attachment. If you can solve that one problem, you have prevented a large share of the security breaches that occur.
Training and testing can identify the next steps in strengthening your defenses. SMBs should work with their MSPs to implement other security platforms and tools, and meet at least quarterly to reinforce security protocols. This leads to a roadmap that identifies high-priority issues. Those issues, effectively and rigorously addressed, will keep the Human Firewall strong.
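As an added illustration of the auditing use of continuous phishing testing described above (this is not code from the original article or from Envision IT), the following Python script processes a constructed export from a hypothetical simulation platform. The column layout is an assumption, as is the 150-day reinforcement window, which roughly matches the five-to-six-month point at which failure rates were observed to climb again.

```python
"""Phishing-simulation audit: per-campaign failure rate and overdue reinforcement.

Added example, not code from the original article or from Envision IT. The
CSV layout (user, department, sent date, clicked flag, date of last training)
is an assumed export format for a hypothetical simulation platform.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample data: three campaigns, four users.
SAMPLE_CSV = """user,department,sent,clicked,last_training
alice,finance,2021-01-12,0,2020-12-01
alice,finance,2021-04-20,0,2020-12-01
alice,finance,2021-07-15,1,2020-12-01
bob,sales,2021-01-12,1,2020-12-01
bob,sales,2021-04-20,0,2021-01-20
bob,sales,2021-07-15,0,2021-01-20
carol,ops,2021-07-15,0,2021-06-30
dave,sales,2021-07-15,1,2020-11-15
"""

# Assumed reinforcement window, roughly five months: the article observes that
# failure rates start climbing again five to six months after training.
REINFORCEMENT_DAYS = 150


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def parse_results(text):
    """Parse the simulation export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": r["user"],
            "department": r["department"],
            "sent": _day(r["sent"]),
            "clicked": r["clicked"] == "1",
            "last_training": _day(r["last_training"]),
        })
    return rows


def failure_rate(rows, key):
    """Fraction of recipients who clicked, grouped by `key` ('sent' or 'department').
    Keys are returned as strings so campaign dates read as ISO text."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for r in rows:
        sent[r[key]] += 1
        clicked[r[key]] += int(r["clicked"])
    return {str(k): clicked[k] / sent[k] for k in sent}


def overdue_for_reinforcement(rows, as_of):
    """Users who need a reminder module as of the ISO date `as_of`: last training
    older than the window, or a click in the most recent campaign they received."""
    today = _day(as_of)
    latest = {}
    for r in rows:
        if r["user"] not in latest or r["sent"] > latest[r["user"]]["sent"]:
            latest[r["user"]] = r
    flagged = {}
    for user, r in latest.items():
        reasons = []
        if (today - r["last_training"]).days > REINFORCEMENT_DAYS:
            reasons.append("training older than %d days" % REINFORCEMENT_DAYS)
        if r["clicked"]:
            reasons.append("clicked in latest simulation")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    results = parse_results(SAMPLE_CSV)
    for campaign, rate in sorted(failure_rate(results, "sent").items()):
        print("campaign %s: %.0f%% clicked" % (campaign, 100 * rate))
    for dept, rate in sorted(failure_rate(results, "department").items()):
        print("department %-8s %.0f%% clicked" % (dept, 100 * rate))
    for user, reasons in sorted(overdue_for_reinforcement(results, "2021-08-01").items()):
        print("reinforce %s: %s" % (user, "; ".join(reasons)))
```

The per-campaign view is the trend line the article describes (the failure rate falling after training and rising again later); the per-department view is where the "gaps or problem areas" show up; and the overdue list is the input to the next round of reminder modules. Flagging on elapsed time as well as on clicks matters because a user who has not yet clicked may simply not have been tested recently.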
Remote Connectivity
With the nature of work evolving (in-office, remote, hybrid, fractional, outsourced, and so on), many companies now recognize that the way they manage and secure their networks must evolve as well. A recent Gartner study found that 74% of businesses will offer permanent work-from-home arrangements to their employees post-pandemic. This is forcing companies to re-evaluate their work-from-home strategies to optimize security without compromising user experience.
As mentioned previously, bad actors are relentless. They also can be both patient and opportunistic.
They will be patient if they decide the environment is safe for them to do a little exploring. Once a bad actor gains access to a company’s network, they can sometimes “hang out” for four to six months before they decide to act. They use that time for reconnaissance: mapping the network, counting servers, workstations, printers, and so on, essentially building an asset list. From that they prioritize high-value targets and decide when to strike.
They can also be opportunistic. They think of it as an ROI exercise: what is the best way to extract the most value at the least cost? The trend is that it takes them less time to get in and execute an attack. As MSPs become more sophisticated threat hunters, bad actors are executing quickly, before they lose access.
Remote work has added tremendous complexity to the job of maintaining network security. The old thinking was to secure the office, the data center, and all internet-edge appliances; essentially, secure the castle and all the assets inside it. Now the assets are dispersed, and every remote endpoint is an internet edge outside the castle.
Without the appropriate tools and expertise, many companies have lost the ability to manage those endpoints in any meaningful way, or even to deploy software to them to try to solve the problem.
In addition, remote devices sit outside the corporate firewall. The initial quick fix was to deploy VPNs, which proved problematic for a number of reasons, not least that a VPN typically gives a connected device broad access to the internal network, and the VPN appliance itself becomes an exposed target. Over the last year the approach has shifted to “ditch the VPN” in favor of more selective ways of providing that level of protection to a dispersed workforce. Solutions such as Citrix are one way of addressing this.
There are a number of “new normal” rules to follow when planning your organization’s remote connectivity and security; the simple one to remember is “the castle and moat are not sufficient.”
Going forward, organizations must explore solutions that:
Cyber Insurance
Is your organization financially able to withstand a cyber-attack? What if you had to shut down for a week or a month? What kind of financial impact would that have on your company? These are important questions to ask yourself as you weigh investing in cyber-security insurance.
First a few data points from recent studies:
There are many reasons to invest in cyber insurance if you have not already. First, it can assist in the timely remediation of cyberattacks and incidents and help cover the resulting financial losses. Second, and perhaps most importantly, it will be increasingly difficult to operate your business without it, as more of the contracts your business enters into will require that you have it, and some may even dictate a minimum set of controls that must be in place.
Cyber insurance is a specialty insurance intended to protect businesses from information technology risks related to technology infrastructure, data privacy, and data governance liabilities. It is often excluded from a general liability policy.
It covers losses due to:
Other benefits include:
There are limitations however and they may include:
Like technology itself, the future of cyber insurance is ever evolving and there are many factors to consider when you are planning your investment:
It is vitally important, as part of your detailed incident response and business continuity plans, to engage with your carrier when you have:
To acquire a cyber security insurance policy, first determine the right policy for your business. This should be a cooperative effort between legal, risk management, IT, and your insurance specialists. Many cyber security MSPs can provide guidance to help you navigate this process. In addition, MSPs can help you review and implement security controls in line with CIS, NIST, ISO 27001, and PCI DSS recommendations and/or requirements.
Incident Response Plan
Just how prepared is your organization to respond to a cyber-attack? Does everyone agree that you need a coordinated and robust plan? Are your current plans compliant with your existing cyber-security insurance policies? If not, here are some findings from recent studies gauging preparedness:
If your company were on the receiving end of a cyber-attack, to borrow a phrase from Ghostbusters, “Who You Gonna Call?” What if you had no phones, no computers, no email, no org charts, no contact lists, no help desk, no authentication, no Zoom, no wireless, and no internet? What would you do?
There is no time like the present to build out the answers to those and many other questions through a robust, detailed, and relevant incident response plan. But where to start? Your cyber security MSP is a good place to start understanding the components of a robust plan.
The National Institute of Standards and Technology (NIST) has produced a detailed Computer Security Incident Handling Guide (Special Publication 800-61) which outlines the key elements of an effective incident response plan, including a number of scenarios to consider when drafting a plan appropriate for your company, your industry, and the sensitivity of the data you are entrusted with.
The key elements of any plan are:
As you work with your team to build your response plan, you should remember to include:
Finally, it is critical to plan table-top exercises to test the validity of your plan. Often, when an organization is attacked, things it assumed to be true turn out not to be.
For example, suppose you try to log in to your hypervisor management console, and its logins depend on Active Directory. What if Active Directory was hit by the ransomware? You cannot log in to start restoring servers. There may be workarounds, but they cause delay, and time is of the essence. The practical check is to keep a local, non-AD break-glass account on the hypervisor and backup consoles, with its credentials stored offline and its use alerted on, and to confirm during the exercise that someone can actually find and use it. If you have played these and other scenarios out in table-top exercises, you will know in advance what you need to do.
It is important to run the exercise once or twice to understand what roadblocks you might encounter and to build the responses into the incident response plan. You discover the obstacles and build the solutions into the plan before you need them.
Proactive MSPs can facilitate these exercises, which are typically an “all hands on deck” affair, with every critical business unit and key personnel involved in building out and testing the plan.
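The Active Directory trap above is a dependency problem, and a table-top exercise is essentially a walk through a dependency map. The Python below is an added example (not code from the original article or from Envision IT) that encodes a small constructed environment as such a map, asks which single components would block server restores, and then shows how adding break-glass local accounts changes the answer. The component names and the map itself are assumptions; a real map comes from your own asset inventory.

```python
"""Recovery-path dependency check for a tabletop exercise.

Added example, not code from the original article or from Envision IT. The
dependency map is a constructed small environment; build a real one from your
own asset inventory.
"""

# capability -> everything it needs in order to be usable. Components with no
# dependencies work on their own once the hardware is up.
DEPENDENCIES = {
    "hypervisor_hosts": [],
    "active_directory": ["hypervisor_hosts"],                           # DCs are VMs
    "hypervisor_console_sso": ["hypervisor_hosts", "active_directory"],  # logon via AD
    "hypervisor_console_local": ["hypervisor_hosts"],                    # break-glass account
    "backup_console_sso": ["active_directory"],                          # backup admins use AD
    "backup_console_local": [],                                          # break-glass account
    "email": ["active_directory"],
    "restore_servers": ["hypervisor_console_sso", "backup_console_sso"],
}

# Which SSO-dependent step each break-glass account can stand in for.
BREAKGLASS = {
    "hypervisor_console_sso": "hypervisor_console_local",
    "backup_console_sso": "backup_console_local",
}


def usable(capability, down, deps=DEPENDENCIES, _stack=()):
    """True if `capability` still works when every component in `down` is lost."""
    if capability in down or capability in _stack:   # lost, or part of a cycle
        return False
    return all(usable(d, down, deps, _stack + (capability,))
               for d in deps.get(capability, []))


def blocked_by(target, down, deps=DEPENDENCIES, _seen=None):
    """Dependencies of `target`, direct or transitive, that are currently unusable."""
    seen = set() if _seen is None else _seen
    out = set()
    for d in deps.get(target, []):
        if d in seen:
            continue
        seen.add(d)
        if not usable(d, down, deps):
            out.add(d)
            out |= blocked_by(d, down, deps, seen)
    return out


def single_points_of_failure(target, deps=DEPENDENCIES):
    """Components whose loss, on its own, makes `target` unusable."""
    return sorted(c for c in deps if c != target and not usable(target, {c}, deps))


def with_breakglass(deps, swaps):
    """Copy of `deps` with SSO-dependent steps replaced by their break-glass alternatives."""
    return {cap: [swaps.get(d, d) for d in needs] for cap, needs in deps.items()}


if __name__ == "__main__":
    down = {"active_directory"}
    print("AD ransomed; restore_servers usable:", usable("restore_servers", down))
    print("  blocked by:", sorted(blocked_by("restore_servers", down)))
    print("single points of failure for restore_servers:",
          single_points_of_failure("restore_servers"))
    hardened = with_breakglass(DEPENDENCIES, BREAKGLASS)
    print("with break-glass accounts, usable:", usable("restore_servers", down, hardened))
    print("remaining single points of failure:",
          single_points_of_failure("restore_servers", hardened))
```

With the SSO logins in the recovery path, Active Directory is a single point of failure for restores; swapping in the local accounts removes it. Note what remains on the hardened list: the hypervisor hosts and the local accounts themselves. That is the argument for offline or immutable backups and for keeping the break-glass credentials somewhere that does not depend on the environment being restored.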
Business Continuity
Planning for, protecting against, and responding to cyber-attacks of any kind is not typically thought of as the “sexy part” of IT. What is sexy is a business’s ability to keep operating, generating revenue, and thriving after an attack.
That’s what this discussion is all about – helping small to medium sized businesses guard against and/or recover from malicious activity from bad actors. A disciplined commitment to business continuity solutions is a necessary “fact of life” today and into the future.
Here are some other “facts of life” to consider when evaluating your organization’s security posture:
As you might imagine, we are not just talking about backups when we say business continuity. Of course, protecting your backups is important, but we’re also talking about making sure your organization has a plan in place to:
Recently, Beau Smithback, Chief Stakeholder Strategist and Bill Crahen, Chief Stakeholder Architect of Envision IT were asked what’s in their crystal ball when it comes to cyber security, business continuity, and what organizations should be thinking about into the future. Here’s a bit of that conversation:
Beau Smithback
“I think the thing that we've been talking about a lot lately is compliance. It really is being hyper-diligent about understanding what your assets are on the network, understanding how they've been hardened, who has access to them. Mapping all that out and implementing zero trust.
Compliance is going to be driven by cyber security companies and cyber security insurance companies. Being ahead of that, not only improves companies’ postures, but it really gives them a good framework to say here's where to start and here's what the biggest risks are. I think there are a lot of companies who are in the small and medium sized business range that really don't understand how important compliance is. And as a result, they are reluctant to say, ‘Okay, let's go and sign up for services to do that.’ But I think that's changing.
Cybersecurity insurance companies are going to absolutely demand compliance and minimum security standards and that’s important because having a policy is material to so many contracts today. The C-suite is going to be pushing organizations to move really quickly on the challenges because some of these compliance exercises might take a year to accomplish. For example, if you are reacting in the last month of a policy renewal, it may be tough to make it. But again, that’s why it’s so important to focus on it diligently.”
Bill Crahen
“I would say the good news is that these are things that we have been talking about. I'd say a lot of companies get it; they know it is important. Some were budgeting for it. I think the cyber insurance mandates are forcing companies to make sure they have all the necessary controls and processes in place.
Beginning last year, we were seeing cyber insurance companies mandating multifactor authentication on email and external access. But now this past year, we've seen requirements for multifactor internally, and those can be big-ticket items when it comes to budget.”
Beau Smithback
“The price of cyber insurance can't be forgotten. That’s increased dramatically over the last two years. I work pretty closely with a company who said their broker told them to see if they can renew it a little bit early. Because if they wait two or three months, it's going to go from an 80% increase to probably a 100% increase. That's how quickly the premiums are increasing. That’s chewing up a big chunk of the budget.”
Bill Crahen
“For me, I would say it is compliance. We’ve had a lot of conversations with customers, and they already had to deal with this, depending on their industry, but a lot of them haven't or haven't thought about it.
We can help those customers figure out what frameworks make sense for them. The good news is, if you pick the right ones, or you don't pick the right ones, it's not wasted energy because they do map to each other. But getting started is so important, because this work can take up to a year to get through. It’s important to start now because we're seeing certain sectors, like government, that will have new compliance issues. So, if you deal with the government, you need to comply with these new frameworks. So, start early.”
Don't go IT Alone
Just like the big Fortune 500 companies that make the news, small to medium-sized organizations that use technology to run their business are entrusted with customer data. Unfortunately, they rarely have the resources to guard effectively against bad actors, who see this sector of the American economy as a soft target.
Many SMBs, for a variety of reasons including a scarcity of the resources needed to harden their networks, may be lax in implementing the necessary controls and processes.
This struggle to balance risk and business continuity is coming to a head as many operating agreements now include standard requirements for digital security controls. Additionally, cyber security insurance policies are mandating these controls as a condition of liability coverage.
With 100% engaged Envisioners and 97.7% awesome customer satisfaction, Envision IT is one of the best of the best MSPs delivering support and expertise in these critical areas. Specifically, we democratize enterprise-class protection by extending sophisticated and professional managed toolsets, train the ever-important Human Firewall, help companies navigate the changing complexity of Remote Connectivity, provide experienced guidance through evolving Cyber Insurance Mandates, and build robust Incident Response and Business Continuity Plans.
At Envision we maintain the health of your technology environment, strengthen your security posture, and help our clients address the ransomware crisis from “readiness to response.” Many clients credit us for peace of mind. We offer Tabletop Exercises at no charge where we walk through a possible cybersecurity scenario that enables you to identify if your organization’s current response plan has any missing links and helps prepare you to implement necessary changes.
Regardless of how businesses engage us as their technology partner, they experience our expertise and trust our care.
To learn more about us and how we can help your organization improve your security posture, visit us at www.envisionitllc.com or give us a call at 608.824.2060.
Glossary of Terms
The cyber security industry is well known for its affection for acronyms. Next time you’re at a cyber security conference... what, you don’t go to those? Well, next time you’re waiting for a meeting to start, try out these acronyms on your colleagues!
AC | Access Control |
AES | Advanced Encryption Standard |
AM | Asset Management |
AO | Authorizing Official |
AO | Assessment Objective |
APT | Advanced Persistent Threat |
AT | Awareness and Training |
AU | Audit and Accountability |
AUP | Acceptable Use Policy |
C3PAO | CMMC 3rd Party Assessment Organization |
CA | Certification and Accreditation |
CA | Security Assessment and Authorization |
CCA | CMMC Certified Assessor |
CCP | CMMC Certified Professional |
CIS | Center for Internet Security |
CISA | Cybersecurity and Infrastructure Security Agency |
CMMC | Cybersecurity Maturity Model Certification |
CMMC-AB | Cybersecurity Maturity Model Certification Accreditation Body |
CMVP | Cryptographic Module Validation Program |
CSIRT | Computer Security Incident Response Team |
CSF | Cybersecurity Framework |
CTI | Controlled Technical Information |
CUI | Controlled Unclassified Information |
DC | Domain Controller |
ECA | External Certificate Authority |
HIPAA | Health Insurance Portability and Accountability Act |
HITECH | Health Information Technology for Economic and Clinical Health (Act) |
IOC | Indicators of Compromise |
IP | Internet Protocol |
IP | Intellectual Property |
IPS | Intrusion Prevention System |
IR | Incident Response |
IRP | Incident Response Plan |
IT | Information Technology |
LMS | Learning Management System |
MFA | Multifactor Authentication |
MSP | Managed Service Provider |
MSSP | Managed Security Service Provider |
MTD | Maximum Tolerable Downtime |
NAC | Network Access Control |
NIST | National Institute of Standards and Technology |
NTA | Network Traffic Analysis |
POA&M | Plan of Action and Milestones |
RM | Risk Management |
RMF | Risk Management Framework |
RP | Registered Practitioner |
RPO | Registered Provider Organization (CMMC) |
SAR | Security Assessment Report |
SIEM | Security Information and Event Management |
SSP | System Security Plan |
TCP | Transmission Control Protocol |
VPN | Virtual Private Network |
WAP | Wireless Access Point |
WEP | Wired Equivalent Privacy |
WPA | Wi-Fi Protected Access |
WPS | Wi-Fi Protected Setup |
8040 Excelsior Drive #402, Madison WI | 608.824.2060 | info@envisionitllc.com