You’ve probably never heard of an “access broker” but these people are in a career that is rising in popularity – that is, in the cyber-criminal ecosystem. The prime objective of an access broker is to break into a computing device and then sell that entry to another cyber-criminal. That cyber-criminal, in turn, will take the intrusion to the next step, downloading malware or moving about to collect intelligence for a targeted attack or entry to a connected system.
We might not be able to see the cyber enemies that threaten businesses every day. But we don’t have to see our attackers to understand the importance of robust cybersecurity and the reason why so many organizations have upped their security game with managed cybersecurity services.
The access brokers that we introduced you to aren’t the only bad actors that you need to be worried about when you’re trying to keep your IT systems and data safe. While cyber-criminals are using tried and true tactics like phishing, business email compromise, and denial-of-service (DDOS) attacks to break through cyber defenses they’ve also been evolving their techniques with Artificial Intelligence (AI).
Cyber defenders have evolved their tactics too. They’re using AI to detect and respond to intruders so that even if an attacker gains access to a device, they’re shut down before they can do any damage.
AI isn’t the only thing that’s changed in the cyber-crime landscape, chances are good that your company has changed the way you work. You no longer have all your employees working inside your network perimeter. Not only do you have remote workers, but you also probably have a lot more devices connected to your network.
Your connections to vendors and customers can also intertwine, increasing the digital territory that can be at risk if an intruder were to compromise your IT systems.
Clearly, what you did for security ten or even five years ago isn’t enough to keep you safe today. You need a modern strategy, and you need a comprehensive security team. That’s where managed cybersecurity services come in.
While the idea of bringing in outsourced security expertise sounds good, you might not be ready to start talking to vendors until you have a better idea of your current security posture. Maybe you should have a third-party perform a scan to find out if your defenses can be penetrated.
There are different types of scans and tests that will assess how easy or difficult it is to gain entry into your IT systems. Unless you already have a robust security strategy, a penetration (pen) test isn’t the best first step in evaluating your cyber defenses. A pen test is overkill if you have blatant gaps in security.
A vulnerability scan may not be your best first step either. A vulnerability scan looks for weaknesses that can be exploited by cyber-criminals. These weaknesses can be things like having incorrect DNS settings or misconfigured security devices. A vulnerability scan will also report that your software is not up to date but you really don’t need a scan to tell you that.
The best way to start to evaluate the security of your IT systems is to simply ask questions. The STOP-KEEP-START exercise provides questions that will reveal gaps even if you don’t have a technical background.
As you’re getting started with improving your security strategy, it’s a good idea to assess what you’re doing now. The STOP-KEEP-START exercise is a good way to get a lay of the land regarding what you’re doing with security. In this exercise you determine what practices, attitudes, or behaviors you need to stop; what you should keep doing; and then what you need to start doing.
We’ll go through each section with some examples to get you started. Use these lists as a starting point and ask your IT manager or IT support company to contribute their ideas too.
Cybersecurity is all about managing the risk of cyber-attack so the first thing that you may need to stop doing has to do with changing your attitude about risk. There is no organization too small or insignificant to be a target for cyber criminals. Yet only 5% of small business owners think that cyber-crime is the biggest risk to their business.
If your attitude about cyber risk needs to change, the attitudes of your employees probably need to change too. See if you can connect any of the following behaviors with prevailing attitudes about cybersecurity.
1. Are we enforcing our security policies?
Do your security policies live in your employee handbook and never see the light of day after employees are onboarded? Pull out your handbook and see what you have already decided to do that you’re not enforcing.
2. Are we disregarding data access permissions?
Controlling access to data starts by allowing people to touch only the data that they need to do their jobs. If this is not audited on a regular basis, then you could be giving people more access than they really need. It’s common for an employee’s permissions to increase as they add on duties. When it’s time for someone new to take over the role, permissions are copied and the new person inadvertently gets instant access to files they don’t need.
3. Are we complacent about identity management?
The usernames and passwords that your people use to access your IT systems are like the drawbridge to a castle. The moat doesn’t stop anyone when the bridge is down and if your employees have weak passwords and don’t use multi-factor authentication (MFA) then that can allow bad guys to get past your other security layers.
4. Are we thinking about our network with a set perimeter?
If you have remote workers, you’re automatically a multi-location business. Your network perimeter extends out to everything that’s connected to it and your security needs to include layers that protect your data and IT systems at the device level.
5. Is our IT team overconfident?
Your small IT team may have extensive technology expertise, but they still may not know what they need to know about cybersecurity. Cybersecurity is complex and changing all the time. Admitting that you need to outsource cybersecurity services doesn’t discount their ability. It’s just a reality that everyone needs to face before improvements can be made.
Now that you have an idea about where your security strategy is falling short, let’s find some things that you’re already doing that you should continue. The following are cybersecurity basics that you should continue to utilize.
1. Have we been upgrading our hardware on a regular basis?
Modern software, including security tools, runs best on modern hardware. Newer hardware also has more built-in security features that older models don’t have. For example, a new firewall may also have Endpoint Detection and Response (EDR) capability.
2. Is our software up to date?
Out-of-support software is a security vulnerability because there are always holes that can be exploited. When you use supported software, on the other hand, you can get patches from the developer that closes holes as they are discovered.
3. Do we require regular cybersecurity awareness training?
If you’re providing cybersecurity awareness training for employees, then you are equipping your people to be a strong line of defense. The best training is ongoing and includes simulations that present employees with scenarios that mimic what a real attack could look like.
4. Is remote access to our network always secure?
You probably know that public wi-fi isn’t safe to use but any network outside of your own (including employees’ home networks) may pose risks. Continue to provide people with a secure way to get to their programs and files whether it’s with VPN or desktop virtualization through the Azure cloud.
5. Are we maintaining good data backup practices?
A backup of your data is NOT insurance against ransomware but it’s a must-have component of your incident response plan. A good backup is one that gives you recovery parameters you can live with and is tested to make sure that backups are actually useable.
If you’re looking for specific software tools that you can start using to improve security, there are probably some advanced applications that you don’t have that would help. However, pulling a bunch of tools off the shelf doesn’t necessarily mean you have an effective strategy.
When you work with an outsourced cybersecurity services provider, they will vet various tools and weave them together into a solution that does what it needs to do. Beyond creating a tech stack, there are things you can start right now to improve security. Following are a few examples.
1. Audit and enforce data permissions
Follow the Principle of Least Privilege when it comes to giving people access to data. Figure out what permissions are needed per role, then enforce them. When onboarding new employees be careful about copying and pasting permissions from another employee in case permissions have morphed from the original.
2. Provide cybersecurity awareness training
The value that you receive from providing employees with cybersecurity awareness training exceeds its cost. Your people can negate your best technical security efforts if they inadvertently open the door to a cyber-criminal. Equip people to recognize and respond to potential intruders and you can make them a strong front line of defense.
3. Protect access to online accounts
If you’re not already using multi-factor authentication (MFA), start. Consider adding a layer of security with device level protection like Microsoft’s Intune solution. When implementing these or any security application that requires a change in behavior, utilize good change management to make it easier for people to adopt new practices.
4. Provide employees with company-owned equipment
It’s easier to protect the computers, tablets, and smartphones that your employees are using if they are company owned. When employees use their own devices for work they may feel like you’re over-stepping boundaries when you put your security on their phone. Additionally, you can’t control everything they do on the device which may create vulnerabilities.
5. Create and document an incident response plan
Security experts describe the day that you have a cyber-attack as a “cold, dark day.” If and when that happens to you, it’s not going to be fun. Being prepared for an intruder scenario makes the event less stressful because people know what to do and you may be able to minimize the damage because people can act fast.
The STOP-KEEP-START items that you just learned about are intended to open your eyes to attitudes and common practices that can help you enhance security, but they don’t constitute a complete strategy on their own. Cybersecurity strategy is made up of technical and nontechnical layers that work together to protect your data, IT systems and people from cyber predators. There are common elements that are applicable across the board, but your operations and your appetite and tolerance for risk also play into the mix.
Is your IT team thinking about all these things? Maybe another thing you need to add to the START list is to bring in cybersecurity services from a company that is experienced in creating and implementing security.
The reason why you need to augment your IT team with cybersecurity services is because there’s just too much to know and do to get security right. As cybersecurity has evolved it has become more complex and sophisticated. You need someone who has their eyes on the security landscape all the time, not just when it fits into their schedule or when a crisis happens. Better yet, you need a team.
The leader of your cybersecurity team should be an executive level strategist called a vCISO (virtual Chief Information Security Officer. When you outsource cybersecurity services you should expect to be provided with someone in this role who will guide you in the creation of an appropriate cybersecurity strategy.
A vCISO can also act as your liaison when you need to communicate about security to customers or vendors and assist you when you’re applying for cyber insurance.
Depending on the cybersecurity company you work with, the vCISO may have some oversight on security operations, but their job is focused on activities such as:
If your vCISO is leading a team, who’s on the team? The titles might differ from provider to provider but a comprehensive cybersecurity team includes professionals who are knowledgeable about the different aspects of security.
Technicians or engineers monitor and manage the toolset that is in place to defend the network and endpoints and detect potential intruders. These professionals respond to alerts and determine appropriate actions. Managers oversee the work of the technicians and assure that best practices and standards are maintained.
Automation engineers have a key role to play in cybersecurity. They create automations to speed up processes and decrease the time it takes to respond to alerts.
You may also find compliance and security analysts inside a cybersecurity department. These professionals are involved with identifying risk and interpreting regulations into security controls.
No matter the role, a big part of a cybersecurity professional’s work is keeping up with trends and new technology so they need to have space to learn built into their work day.
When you’re vetting different cybersecurity services providers, you’ll find that some companies offer cybersecurity as a stand-alone service while others offer cybersecurity only in conjunction with managed IT services. What you don’t want is a company that is merely offering you a set of software tools. As mentioned previously, you need a strategy.
One way to identify whether a cybersecurity services company can create an effective strategy is to see if they have any third-party certifications. For example, the SOC 2 Type 2 certification indicates that the company has had its security practices and processes evaluated for effectiveness over time.
Secondly, do they have a team to cover all the roles and responsibilities that we mentioned previously? Along with having a team, you can ask if they maintain a 24/7 security operations center. This is important for ensuring fast response to alerts.
Thirdly, ask how the company will support your needs for non-technical security. Will they assist with the creation of security policies? Can they offer cybersecurity awareness training? If a provider ignores the human side of cybersecurity, it’s a red flag.
The relationship that you develop with whoever you decide to work with should be a partnership. You should be able to get a feel for what that is going to look like through your discussions about the role that you play as well as what they will provide.
It’s uncomfortable to think that your organization might become the victim of a cyber-crime but using the internet comes with risks. Ignoring cyber threats or thinking that your organization is too small to be a target or that you don’t have anything that cyber-criminals want is not a sustainable mindset in the long run.
Sooner or later, you will have a cyber intruder, but your security strategy can mean the difference between the shut down of one device versus having your whole operation down for days, weeks or even months.
Here at XPERTECHS, we protect companies from cyber threats with managed security services. We partner with clients to create cybersecurity strategies that identify and assess risks; protect their assets; and detect and respond to intrusions if they occur.
Our approach to cybersecurity is based on the National Institute of Standards and Technology (NIST) framework and our practices and processes are SOC 2 Type 2 certified.
Ready to up your cybersecurity game? Submit the form to schedule a consultation.
Contact us to schedule a meeting