Blogs
Eight Ways to Bolster Your Cybersecurity Resources Without Blowing Your Budget
By Karen Lambrechts, LanSweeper
November 9, 2023
As IT security breaches continue to grow more frequent, there isn't a CISO around who doesn't wish they had a bigger budget to spend on IT security. The tools that help a security team do its job more efficiently are out there. However, getting them approved in the budget is not guaranteed and takes time. Here are some ways you can improve your IT security without spending a fortune.
1. Recruit More Staff
Yes, we know there is a global skills shortage at the moment but bear with us.
Hiring senior IT security specialists for your team is expensive. However, there is a benefit to hiring less experienced staff. Cybersecurity is a team sport, after all, and there are plenty of roles on a security team that don't require years of experience. Mixing in some junior staff to support the day-to-day tasks will ease some of the pressure on the rest of your team.
On top of that, it gives you a pool of fresh talent you can train to fit the needs of your team. More people means more room for everyone to focus on their dedicated tasks. A full cybersecurity team, where every role is filled will make operations run more smoothly. And it never hurts to have an extra pair of eyes around when it comes to looking out for security risks.
2. Upskill Your Team
For an IT security team to be effective, it needs to be equipped with the right skills. Your team may well work more efficiently if time is set aside once a month for training. A solid progression plan for your cybersecurity staff will help you determine which skills and knowledge your team needs.
The IT landscape is always changing, so cybersecurity learning is a constant and ever-evolving need. Luckily, everyone seems to understand that, and cybersecurity education programs are everywhere. It's up to you to choose the education resources that are worth investing in.
As well as training in core areas of IT security, you should look at developing your team's soft skills. By this we mean how to work under pressure, think on their feet, and resolve problems quickly. Your team needs to know how to respond in emergency situations, maintain a professional demeanor, and stay calm when a security breach or disaster strikes. With at least one or two members of staff possessing those skills, your team will feel much more capable in a crisis.
3. Incentivize and Monitor the Performance of Your Cybersecurity Resources
A free way of bolstering your IT security resources is to make sure that the team you have is working as efficiently as possible. A skilled and hard-working team won't cut it if its efforts are being wasted in the wrong places. The right KPIs and a robust performance management program will help keep your team focused and motivated.
Regular meetings, effective deadlines, clear objectives, and thorough evaluations with each member all serve to keep your team on track. One of the most important things you can do is incentivize staff members who are doing a great job. This will not only boost morale and encourage others to follow their lead, but it'll also give your team greater motivation to maintain a top-notch performance.
4. Invest in Smart Systems and Software
The more you know about the dangers your business is facing, the better equipped you'll be to defend against them. The right software will help you to monitor and protect everything from individual computers to mobile devices, to the entire network infrastructure.
You can't protect what you don't know you have. Today, there are tools available that will give you a complete overview of your IT estate by eliminating blind spots and creating a complete and comprehensive inventory of your IT assets. On top of that they can also help you find vulnerabilities, apply patches and upgrades, and comply with industry-leading cybersecurity frameworks.
5. Can You Outsource Some IT Services?
If you don't have the cybersecurity budget for additional staff or software, why not outsource some of your security responsibility? IT outsourcing companies such as MSPs and MSSPs can bring great value by taking some of the workload off your own IT security team and helping you conquer your IT challenges. By outsourcing some of your team's day-to-day responsibilities to a trusted third party, you can save time and focus on core business activities. You remain accountable for the outcome, though: define the provider's scope, reporting and access up front, and review that access with the same rigor you apply to your own staff.
6. Evaluate Your Cybersecurity Suppliers
With all this talk of expanding and optimizing your team, and looking for tools and outsourcing opportunities it can be easy to overlook the importance of managing the suppliers you already have. There may be some opportunities there where you can reduce your cybersecurity spending.
By doing a full cybersecurity review, you can weigh each service you have against the cost and maybe look for a cheaper or more worthwhile alternative. Ask your team what value they are getting from your current suppliers, and compare them to other options. Alternatively, ask your existing supplier what more they could offer. You may end up with a better service, boosting your overall IT security.
7. Get the Whole Workforce to Follow Cybersecurity Best Practices
Truly, IT security is a company-wide responsibility. The better informed your workforce is about cybersecurity, the easier the job will be for your IT security team. Training your entire workforce may seem like a big investment. However, knowing that the average cost of a data breach in 2022 was $4.35 million (IBM's Cost of a Data Breach report), it would probably be worth it.
Make IT security an important part of employee onboarding and introduce regular training sessions for staff members. Focus on the essentials: strong, unique passwords, recognizing phishing emails and suspicious links, keeping software updated, and multi-factor authentication. Involve the whole workforce in keeping your company safe. This should help minimize damage and disruption to your business and make everyone more accountable for IT security.
8. Give Your Team More Time to Do What Matters
It's important to focus your IT security team's time and effort on the tasks that really matter. Find the tasks that take up the most time and automate these processes. This will give your team more time to spend on more important things. The expense of cybersecurity automation may be more than you think you can fit into the budget. However, once you compare the cost of automated cybersecurity tasks with that of the labor required to do everything manually, it should be a no-brainer.
Transforming MSPs and MSSPs into Cyber Resilience SafeHouses: A Game-Changing Opportunity
By Alan Gin, Cofounder and CEO, ZeroDown Software
November 2, 2023
Introduction
In today's digital age, the cybersecurity landscape is evolving at an unprecedented pace. Small and medium-sized businesses (SMBs) are increasingly becoming prime targets for cyberattacks, and the need for operational resilience is more critical than ever. This blog post aims to shed light on a groundbreaking opportunity for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) to reshape their business models, drive industry innovation, and contribute significantly to the cyber resilience of SMBs. We'll explore the SafeHouse Initiative.ORG and its potential to empower MSPs and MSSPs to educate and safeguard 54 million SMBs through the implementation of NIST Controls, ultimately bolstering the importance of cyber insurance.
The SafeHouse Initiative.ORG: A Beacon of Cyber Resilience
The SafeHouse Initiative.ORG is a visionary platform committed to enhancing the operational resilience of SMBs during cybersecurity breaches. This initiative recognizes that SMBs often lack the resources and expertise to fend off sophisticated cyber threats. That's where MSPs and MSSPs come in.
MSPs and MSSPs: Natural SafeHouses
MSPs and MSSPs are perfectly positioned to become SafeHouses within this initiative. They already possess the technical expertise, infrastructure, and experience needed to deliver robust cybersecurity solutions. Here's why they should consider embracing this transformative role:
1. Expertise in NIST Controls: MSPs and MSSPs are well-versed in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Leveraging NIST Controls, they can help SMBs fortify their cybersecurity postures, ensuring compliance with industry standards.
2. Educational Powerhouses: These service providers have the capacity to educate SMBs about the importance of operational resilience and the role of NIST Controls in achieving it. By becoming SafeHouses, they can deliver much-needed cyber awareness and training.
3. Proactive Cyber Defense: MSPs and MSSPs can offer tailored NIST Control-based solutions that actively protect SMBs from cyber threats. This proactive approach helps prevent breaches and minimizes potential damage.
Why NIST Controls Matter
The implementation of NIST Controls is central to the success of the SafeHouse Initiative.ORG and the broader goal of enhancing SMB cyber resilience. Here's why NIST Controls are essential:
1. Standardization: NIST Controls provide a standardized framework for cybersecurity, ensuring that best practices are followed consistently across organizations.
2. Risk Mitigation: Implementing NIST Controls helps identify vulnerabilities and mitigate risks, reducing the likelihood of successful cyberattacks.
3. Compliance and Cyber Insurance: Many cyber insurance providers look favorably upon organizations that adhere to NIST Controls. This can lead to more affordable and comprehensive coverage for SMBs, incentivizing compliance.
Support from the Insurance Industry
The involvement of the insurance industry is a critical piece of the puzzle. Insurers play a pivotal role in encouraging businesses to adopt robust cybersecurity practices. They can:
1. Offer Incentives: Insurance providers can offer premium discounts and incentives to SMBs that implement NIST Controls through MSPs and MSSPs.
2. Risk Assessment: Work closely with MSPs and MSSPs to assess the cyber risk landscape, helping them tailor NIST Control-based solutions that align with insurance requirements.
3. Collaboration: Foster collaboration between insurers and MSPs/MSSPs to develop cybersecurity insurance policies that reflect the evolving threat landscape.
Conclusion: A Win-Win-Win Scenario
In conclusion, the SafeHouse Initiative.ORG presents an extraordinary opportunity for MSPs and MSSPs to evolve their business models, contribute to the cyber resilience of 54 million SMBs, and strengthen the importance of cyber insurance. By embracing their roles as SafeHouses and leveraging NIST Controls, these service providers can create a win-win-win scenario: safer SMBs, more robust cybersecurity industry standards, and a thriving business landscape in the face of ever-evolving cyber threats.
It's time for MSPs and MSSPs to step up, champion the cause of cyber resilience, and become the guardians of the digital realm for SMBs across the nation.
What is Cyber Asset Attack Surface Management (CAASM) and What Are the Keys to Success?
By Lucia Dochita, LanSweeper
October 26, 2023
A recent study conducted by Trend Micro discovered that 43% of global organizations say the cyber asset attack surface is "spiraling out of control." This statement sounds like a quote from a dystopian novel about the end of the world. The reality is, if enterprises don't find a way to properly manage the cyber asset attack surface, disaster is indeed inevitable.
Here's why: Cybercrime Magazine reports that cybercrime has increased by 600% since the onset of the pandemic. By 2025, it will cost companies worldwide about $10.5 trillion every year. This isn't news to most organizations, and that's why they're investing heavily in cybersecurity solutions. In fact, the market is exploding: growing at a CAGR of 13.4%, it stands to reach $376.32 billion by 2029. In the first half of 2022 alone, companies invested $12.5 billion of venture capital into securing their IT estates.
Unfortunately, all of this money will be wasted if companies fail to do one thing: know what hardware and software assets they need to protect in the first place.
In this blog post, we'll answer some important questions about cybersecurity in 2022 and beyond, including:
· What is the Cyber Asset Attack Surface?
· What is Cyber Asset Attack Surface Management (CAASM)?
What is the Attack Surface - and Why Is It Growing?
The cyber asset attack surface encompasses all points of entry that can serve as attack vectors for unauthorized users to gain access to a system for the purpose of stealing information or launching a cyber attack. And it's growing - fast. In the wake of the pandemic and trends like remote working, digitization, mobility and cloud computing, the attack surface has expanded exponentially, and organizations grapple with keeping track of the broad mix of physical and virtual assets, operational technology (OT) and Internet of Things (IoT) devices that now comprise the IT estate.
Shadow IT adds to the problem: unsanctioned assets consume up to 40% of IT spending, according to CIO Magazine. This means there are many software and hardware assets IT knows nothing about. What's more, with the majority of organizations offering or planning to offer a hybrid work model, it's more common than ever for employees to sign on to the corporate network using personal, often unprotected devices. As a result, 70% of organizations don't know what assets they have, which makes those assets impossible to protect.
What Is CAASM?
CAASM stands for Cyber Asset Attack Surface Management, and it's just what it sounds like - the process of understanding, protecting and managing the growing attack surface.
CAASM technology solutions help IT teams detect and identify any and all software, hardware and cloud assets connected to the network, and uncover vulnerabilities in those assets that could open the door for a cyber attack. CAASM solutions are able to discover what assets have outdated or unpatched software, encryption issues or weak credentials, misconfigurations or other problems that increase cybersecurity risk. They provide visibility across the entire IT estate, giving IT teams better IT governance and control, and the information they need to manage the attack surface, or act quickly to stop the bleeding should an attack occur.
But to work properly, CAASM solutions need access to complete and accurate technology asset data. This data must also be readily accessible so that IT security professionals can isolate assets that pose a threat and take rapid corrective action.
What to look for in tools to assist with CAASM?
The first step to assessing the attack surface is knowing what technology assets you have to protect. You'll want to select tools that use agentless deep-scanning engines and credential-free device recognition (CDR) technology to automatically and continuously discover and recognize all IT assets across your infrastructure (servers, laptops, desktops, virtual machines, operating systems, software, OT and IoT assets) and build a comprehensive inventory with detailed asset data, without having to install an agent on every device before you can get started. Leading tools work without agents and can do an initial scan without credentials, making them fast and easy to implement. Note the limits of that first pass: a credential-free scan identifies and classifies devices from what is visible on the network, while inventorying installed software, patch levels and configuration generally requires credentialed access or an agent.
However, with networks becoming increasingly mobile and complicated, certain assets become harder to reach. Think, for example, of laptops out on the road, devices at remote locations or machines in protected zones (DMZs). You'll want to investigate solutions that can also reach and keep track of devices an agentless approach can't, giving you the best of both worlds.
Another important capability is aggregating the technology asset data gathered from other sources (EDR consoles, cloud provider inventories, directory services, CMDBs) into an always-accurate single source of truth that informs all business and IT scenarios and enables strategic decision-making. Importantly, IT security professionals can use this system of record to analyze the attack surface, pinpoint vulnerabilities and security gaps, and strengthen the organization's security posture to prevent cyber attacks.
Finally, you'll want tools that extract data directly from the device ("bare metal") rather than only from secondary systems. Some solutions ingest data from a variety of sources before assembling an inventory, and those sources may be outdated. Collecting from the device itself delivers data with higher accuracy and reliability, which makes it possible to analyze the attack surface with confidence, pinpoint and eliminate vulnerabilities and security gaps, and strengthen your organization's security posture.
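What aggregation into a single source of truth buys you is coverage analysis: once records from different tools are matched up as the same physical asset, the gaps between the tools become visible. The following is an added example (not code from the original post or from any vendor product) that reconciles three constructed exports, a network scan, an EDR console and a cloud inventory, by MAC, hostname and IP, and then flags assets that one source sees but another does not. The field names and sample records are assumptions about what such exports might contain.

```python
"""Reconcile asset records from several discovery sources into one inventory
and report coverage gaps. Added illustration; the three exports below are
constructed and their field names are assumptions, not any product's format."""

# Constructed sample exports. Real sources disagree on field names, case and
# formatting, and each one sees only part of the estate.
NETWORK_SCAN = [
    {"hostname": "WEB-01.corp.example", "ip": "10.0.1.10", "mac": "00:1A:2B:3C:4D:5E", "os": "Ubuntu 22.04"},
    {"hostname": "db-01", "ip": "10.0.1.20", "mac": "00:1a:2b:3c:4d:5f", "os": "Windows Server 2019"},
    {"hostname": None, "ip": "10.0.9.7", "mac": "AA:BB:CC:DD:EE:01", "os": "unknown"},
]
EDR_EXPORT = [
    {"device_name": "web-01", "mac_address": "00-1A-2B-3C-4D-5E", "agent_version": "7.2"},
    {"device_name": "LAPTOP-ALICE", "mac_address": "11-22-33-44-55-66", "agent_version": "7.2"},
]
CLOUD_INVENTORY = [
    {"name": "web-01", "instance_id": "i-0abc", "private_ip": "10.0.1.10", "public_ip": "203.0.113.5"},
    {"name": "batch-03", "instance_id": "i-0def", "private_ip": "10.0.2.30", "public_ip": "203.0.113.9"},
]


def norm_mac(mac):
    """Canonical MAC: lower-case, colon-separated."""
    return mac.replace("-", ":").lower() if mac else None


def norm_host(name):
    """Canonical short hostname: lower-case, domain suffix dropped."""
    return name.split(".")[0].lower() if name else None


def record_keys(source, rec):
    """Identity keys a record can be matched on, strongest first."""
    if source == "scan":
        keys = [("mac", norm_mac(rec["mac"])), ("host", norm_host(rec["hostname"])), ("ip", rec["ip"])]
    elif source == "edr":
        keys = [("mac", norm_mac(rec["mac_address"])), ("host", norm_host(rec["device_name"]))]
    else:  # cloud
        keys = [("host", norm_host(rec["name"])), ("ip", rec["private_ip"])]
    return [k for k in keys if k[1]] or [("rec", id(rec))]   # never match on a missing value


def reconcile(sources):
    """Merge records that share any identity key (transitively) into one asset.

    `sources` maps a source name to its list of records. Returns a list of
    assets, each with the set of sources that saw it and the union of its keys.
    """
    parent = {}   # union-find over identity keys

    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    tagged = []
    for src, records in sources.items():
        for rec in records:
            keys = record_keys(src, rec)
            for k in keys[1:]:
                parent[find(k)] = find(keys[0])   # all keys of one record are one asset
            tagged.append((src, rec, keys[0]))

    assets = {}
    for src, rec, k in tagged:
        a = assets.setdefault(find(k), {"sources": set(), "keys": set(), "records": []})
        a["sources"].add(src)
        a["keys"].update(record_keys(src, rec))
        a["records"].append(rec)
    return list(assets.values())


def coverage_gaps(assets):
    """Flag assets whose mix of sources indicates a control gap."""
    findings = []
    for a in assets:
        name = (next((v for t, v in a["keys"] if t == "host"), None)
                or next((v for t, v in a["keys"] if t == "ip"), "?"))
        srcs = a["sources"]
        exposed = any(r.get("public_ip") for r in a["records"])
        if "edr" not in srcs and exposed:
            findings.append((name, "HIGH", "internet-exposed with no endpoint agent"))
        elif "edr" not in srcs:
            findings.append((name, "MEDIUM", "no endpoint agent"))
        if "scan" not in srcs and "cloud" not in srcs:
            findings.append((name, "LOW", "known to EDR only; not reached by the network scan"))
        if srcs == {"scan"} and not any(r.get("hostname") for r in a["records"]):
            findings.append((name, "MEDIUM", "unidentified device on the network"))
    return sorted(findings)


if __name__ == "__main__":
    inv = reconcile({"scan": NETWORK_SCAN, "edr": EDR_EXPORT, "cloud": CLOUD_INVENTORY})
    print(f"{len(inv)} unique assets from 7 records")
    for name, sev, why in coverage_gaps(inv):
        print(f"{sev:6} {name:14} {why}")
```

The matching is deliberately transitive: the cloud record for web-01 carries no MAC, but it shares a hostname and IP with the scan record, which in turn shares a MAC with the EDR record, so all three collapse into one asset. The internet-exposed instance with no agent surfaces as the highest-priority gap, which is the kind of finding a flat list of records from any single tool cannot produce.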
Strengthening Cybersecurity Resilience: How the SafeHouse Initiative Can Empower Insurance Companies and SMBs
By Alan Gin, Cofounder and CEO, ZeroDown Software
October 19, 2023
Introduction
In an era defined by digital transformation, the insurance industry has found itself at the forefront of protecting businesses from the ever-evolving threats of cyberattacks. Approximately 54 million Small and Medium-sized Businesses (SMBs), which account for a significant portion of the economy, are increasingly susceptible to cyber risks. In light of this, the SafeHouse Initiative (SafeHouse Initiative.ORG) emerges as a powerful resource that can help insurance companies educate and support SMBs in enhancing their operational resilience during cyber security breaches. In this blog post, we will explore how insurance companies can leverage the SafeHouse Initiative to promote NIST Controls adoption among SMBs and explain why implementing these controls is crucial for obtaining cyber insurance.
Understanding the Cyber Threat Landscape
The digital age has brought countless benefits, but it has also given rise to new and sophisticated cyber threats. SMBs, often considered easy targets, are particularly vulnerable due to their limited resources and expertise in cybersecurity. Cybercriminals are quick to exploit weaknesses, which can lead to data breaches, financial losses, and reputational damage. This reality underscores the importance of both prevention and preparedness in the realm of cybersecurity.
SafeHouse Initiative.ORG: A Beacon of Cyber Resilience
The SafeHouse Initiative is a non-profit organization dedicated to improving cyber resilience across industries. Their mission aligns closely with the insurance sector's interests, as they offer valuable resources and guidance that can empower SMBs to safeguard their operations effectively. Here's how insurance companies can harness the SafeHouse Initiative to foster cyber resilience among their clients:
1. Education and Awareness: Insurance companies can partner with SafeHouse Initiative.ORG to provide SMBs with educational materials and training programs focused on cyber risk awareness, NIST Controls, and operational resilience. This proactive approach can help SMBs better understand the importance of cybersecurity.
2. Risk Assessment Tools: SafeHouse Initiative offers assessment tools that SMBs can use to evaluate their current cyber risk posture. Insurance companies can encourage their clients to utilize these tools to identify vulnerabilities and prioritize necessary security measures.
3. NIST Controls Adoption: The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a comprehensive set of guidelines for enhancing cybersecurity. The framework itself is organized around outcomes; the concrete controls that achieve them are catalogued in NIST SP 800-53 (and, for smaller organizations, the scaled-down set in NIST SP 800-171 and NIST IR 7621). SafeHouse Initiative can assist SMBs in implementing these controls systematically, reducing their exposure to cyber risks.
Why Implementing NIST Controls Matters for Cyber Insurance
1. Risk Mitigation: Insurance companies can make it clear to SMB clients that implementing NIST Controls is a proactive step toward mitigating cyber risks. By reducing vulnerabilities, businesses can minimize the likelihood of cyber incidents.
2. Lower Premiums: Businesses that demonstrate strong cybersecurity practices, including NIST Controls implementation, are often rewarded with lower cyber insurance premiums. This financial incentive encourages SMBs to invest in cybersecurity.
3. Coverage Assurance: When SMBs adhere to NIST Controls and other best practices, they are more likely to meet the underwriting criteria of insurers. This can lead to smoother and more comprehensive cyber insurance coverage.
4. Faster Recovery: In the unfortunate event of a cyber incident, SMBs with NIST Controls in place are better equipped to respond swiftly and effectively. This can minimize downtime and financial losses, making the recovery process more manageable.
Conclusion
In an era of persistent cyber threats, insurance companies play a vital role in helping SMBs protect themselves against potential risks. The SafeHouse Initiative.ORG stands as a valuable partner in this mission, offering resources and expertise to educate SMBs about cyber resilience and NIST Controls. By promoting these practices, insurance companies not only enhance their clients' cyber readiness but also strengthen the foundation for a robust cyber insurance market. In the face of evolving cyber threats, proactive measures and partnerships with organizations like SafeHouse Initiative.ORG are essential steps toward a more secure digital future for businesses of all sizes.
The Crucial Role of Multimodal Communication Channels in Cyber Outages
By David Lewis, Nteraction
October 12, 2023
Introduction
In today's digital age, organizations and individuals rely heavily on technology for communication, data storage, and business operations. However, this increased dependence on technology comes with a significant risk: cyber outages. These outages can disrupt operations, compromise data security, and damage an organization's reputation. To mitigate the impact of cyber outages, it is essential to have a holistic approach to cyber continuity and event mitigation along with a multimodal outside communication channel to inform, instruct, and educate your stakeholders and constituents. In this blog post, we will explore the importance of having an outside communication channel when responding to cyber outages and provide insights into how organizations can establish and maintain effective multimodal communication strategies.
Understanding Cyber Outages
A cyber outage refers to a disruption in an organization's digital infrastructure caused by various factors, such as cyberattacks, hardware failures, software glitches from upgrades, bugs, or other errors, or even natural disasters. These outages can have far-reaching consequences for your business, including:
· Disruption of Operations: Cyber outages can bring an organization's operations to a standstill, affecting productivity and causing financial losses. 40% of small businesses experienced eight or more hours of downtime due to a cyber breach, costing, on average, $1.56 million in losses.1
· Data Loss or Theft: Cyberattacks can result in data breaches, leading to the loss or theft of sensitive information, including customer data and intellectual property. The Australian health insurer Medibank had the medical data of nearly 10 million policyholders stolen, and it is now on the dark web.2
· Reputation Damage: One of the "long tail" impacts of a cyber attack is damage to your company's reputation. Public perception of an organization can be tarnished if it fails to respond effectively to a cyber outage, eroding trust among customers, partners, and stakeholders. Publicly traded companies that have had a cyber breach (especially those that have had critical data stolen) suffered an average decline of 7.5% in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion.3
· Legal and Regulatory Consequences: Another "long tail" impact of a cyber outage is the legal and regulatory fallout and the resulting fines. Data breaches and cyber outages can lead to legal and regulatory penalties, further escalating the financial impact. Cyber intrusions, further enabled by weak security, cover-ups or avoidable mistakes (e.g. human error), have cost companies a total of nearly $4.4 billion in fines and penalties in 2023.4
Given the potential consequences, it is imperative for organizations to have robust strategies for dealing with cyber outages, and a critical component of these strategies is establishing effective Communication Plans that include outside communication channels.
The Importance of Multimodal Communication
Multimodal communication involves using multiple channels and methods to convey information. Relying solely on one communication channel in a cyber outage is risky. Here's why a cyber incident communication plan that includes multimodal communication is so crucial:
· Redundancy: A single communication channel can be vulnerable to the same cyber threats that caused the outage. There are multiple examples where cyber attackers targeted communication equipment to gather sensitive information, including conversations, or simply to shut the service down completely. In particular, an attacker who controls your identity provider or mail servers can read or suppress incident communications sent through them, so at least one channel must be hosted and authenticated outside the affected environment. By having multiple channels, organizations reduce the risk of losing all communication capabilities during an outage.
· Resilience: Different communication channels may have varying degrees of resilience. Some may be more resistant to cyberattacks or physical damage than others. This diversity enhances an organization's ability to maintain communication during an outage.
· Accessibility: Not all stakeholders prefer the same communication methods. Having a variety of channels ensures that information reaches a broader audience, accommodating diverse preferences and needs.
Establishing a Multimodal Outside Communication Channel
Creating an effective multimodal outside communication channel for cyber outages requires careful planning and consideration. Here are the steps to get started:
· Identify Key Stakeholders: Begin by identifying the stakeholders who need to be informed during a cyber outage. This may include employees, customers, partners, agents, regulatory authorities, the press and the general public. Categorize these stakeholders by the type and severity of incident for which each group should be contacted.
· Select Communication Channels: Choose a variety of communication channels that are suitable for reaching different stakeholder groups. These should include email, text messaging (SMS/MMS), social media, instant messaging (WhatsApp, Telegram, Microsoft Teams and others), website announcements, phone hotlines, and even physical mail.
· Implement Redundancy: Within each selected channel, implement redundancy where possible. For instance, use more than one email provider, send SMS through more than one carrier or gateway, and host the status website on infrastructure that is separate from the production environment and geographically dispersed, so that the channel survives the failure or compromise of the systems it reports on.
· Establish Protocols: Develop clear communication protocols and procedures for each channel. Specify who is responsible for sending updates, how frequently updates should be provided, and the type of information to include.
· Train Personnel: Ensure that employees responsible for communication during an outage are trained in the use of all selected channels and are aware of their roles and responsibilities.
· Test the System: Regularly test the multimodal communication system to ensure it functions as intended. Simulate cyber outage scenarios and evaluate the effectiveness of your communication strategies.
The Role of Automation
In today's fast-paced digital environment, automation plays a critical role in responding to cyber outages. Automated systems can quickly detect an outage, trigger predefined communication protocols, and disseminate information to stakeholders. Here are some ways automation can enhance multimodal communication during cyber outages:
· Monitoring and Detection: Automated monitoring tools can detect cyber outages in real-time and automatically initiate the remediation as well as the communication process.
· Message Templates: Predefined message templates can be used to ensure that accurate and consistent information and instructions are disseminated across all communication channels.
· Alert Escalation: Automation can facilitate the escalation of alerts. For example, if an initial communication attempt fails, the system can automatically try alternative channels.
· Data Backup and Recovery: Automated backup and recovery systems can help safeguard critical data and minimize downtime during an outage.
· Incident Response: Automation can be integrated into incident response plans to streamline communication and decision-making processes.
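The stakeholder categorization and channel selection above, and the automated escalation described under Alert Escalation, fit together as one data structure plus one loop. The following is an added example (not code from the original post or from Nteraction) that encodes an assumed severity-to-stakeholder plan, an ordered channel list per group, pre-approved templates, and an escalation routine that tries each group's channels in turn and reports which groups nobody could reach. The channels are simulated callables; the outage scenario in the dry run (corporate email down, chat dropping the first message) is constructed.

```python
"""Severity-driven notification plan with channel escalation. Added
illustration, not code from the original post or from Nteraction; the groups,
channels, templates and the simulated outage are constructed. Each channel is
a callable returning True when the message was accepted; a real deployment
would wrap an email, SMS, hotline or status-page API in those callables."""

# Which stakeholder groups must hear from us at each severity (assumed taxonomy).
PLAN = {
    "minor":    ["it_staff"],
    "major":    ["it_staff", "employees", "customers"],
    "critical": ["it_staff", "employees", "customers", "regulators", "press"],
}

# Per group, channels in order of preference. Later entries are the fallbacks
# tried automatically when earlier ones fail, so every group has at least one
# channel that does not depend on the corporate mail or chat platform.
CHANNELS = {
    "it_staff":   ["chat", "sms", "voice"],
    "employees":  ["email", "sms", "status_page"],
    "customers":  ["status_page", "email", "social"],
    "regulators": ["email", "postal"],
    "press":      ["social", "status_page"],
}

# Pre-approved wording per severity so every channel carries the same message.
TEMPLATES = {
    "minor":    "We are investigating degraded service on {systems}.",
    "major":    "We are responding to a security incident affecting {systems}. Next update in {interval}.",
    "critical": "A major incident is affecting {systems}. Operations are disrupted; next update in {interval}.",
}


def notify(severity, systems, senders, interval="60 minutes", max_attempts=2):
    """Deliver the severity-appropriate message to every required group.

    `senders` maps channel name -> callable(group, message) -> bool.
    For each group the channels are tried in order, each up to `max_attempts`
    times, stopping at the first success. Returns a per-group report with the
    channel that succeeded (None if all failed) and every attempt made.
    """
    message = TEMPLATES[severity].format(systems=systems, interval=interval)
    report = {}
    for group in PLAN[severity]:
        attempts, delivered_via = [], None
        for channel in CHANNELS[group]:
            for _ in range(max_attempts):
                ok = bool(senders[channel](group, message))
                attempts.append((channel, ok))
                if ok:
                    delivered_via = channel
                    break
            if delivered_via:
                break
        report[group] = {"delivered_via": delivered_via, "attempts": attempts, "message": message}
    return report


def unreached(report):
    """Groups that no channel could reach: these need a human escalation."""
    return [g for g, r in report.items() if r["delivered_via"] is None]


def make_simulated_senders(down=(), flaky=()):
    """Constructed channel stubs for a dry run: `down` channels always fail
    (e.g. mail servers inside the compromised environment), `flaky` channels
    fail on their first call and succeed afterwards."""
    calls = {}

    def sender_for(channel):
        def send(group, message):
            calls[channel] = calls.get(channel, 0) + 1
            if channel in down:
                return False
            return not (channel in flaky and calls[channel] == 1)
        return send

    names = {c for lst in CHANNELS.values() for c in lst}
    return {c: sender_for(c) for c in names}, calls


if __name__ == "__main__":
    # Dry run: corporate email is unavailable and chat drops the first message.
    senders, _ = make_simulated_senders(down={"email"}, flaky={"chat"})
    report = notify("major", "the customer portal", senders)
    for group, r in report.items():
        path = " -> ".join(f"{c}:{'ok' if ok else 'fail'}" for c, ok in r["attempts"])
        print(f"{group:10} via {r['delivered_via']}: {path}")
    print("needs manual escalation:", unreached(report) or "none")
```

The report is the artifact to keep: it records every attempt, which is what a post-incident review (and a regulator) will ask for, and the list returned by `unreached` is the trigger for the manual step that automation cannot replace. Running the same routine with every channel of one group marked down is the test described under Test the System; it should produce exactly that group as unreached rather than a silent success.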
Case Studies: Multimodal Communication in Action
To illustrate the effectiveness of multimodal communication channels during cyber outages, let's explore two real-world case studies:
Case Study 1: Equifax Data Breach (2017)
In one of the most significant data breaches in history, Equifax, a credit reporting agency, suffered a cyberattack that exposed sensitive information of over 147 million people. Equifax faced severe backlash for its initial response, which was criticized for being slow and ineffective.
Lesson Learned: Equifax's case underscores the importance of having a well-established communication plan and multimodal outside communication channel. A more proactive, complete and efficient response could have mitigated the damage to its reputation.
Case Study 2: Colonial Pipeline Ransomware Attack (2021)
The Colonial Pipeline ransomware attack disrupted fuel supply along the East Coast of the United States. Colonial Pipeline utilized a multimodal communication approach to keep stakeholders informed, including the public, during the outage.
Lesson Learned: Colonial Pipeline's response demonstrated the value of transparency and timely communication. Its multimodal approach helped mitigate panic, to some degree, and kept the public informed about the situation. Even so, the outcome showed that the approach needed further tuning, enhancement and training.
Conclusion: Embracing Multimodal Communication
In an age where cyber outages are a constant threat, organizations must prioritize the development and maintenance of effective multimodal outside communication channels. These channels serve as a lifeline during crises, ensuring that stakeholders receive timely and accurate information, thus reducing the negative impact of cyber outages.
In summary:
Cyber outages can have severe consequences for organizations, making proactive communication essential.
Multimodal communication channels offer redundancy, resilience, and accessibility.
Establishing these channels involves identifying stakeholders, selecting communication methods, implementing redundancy, setting protocols, training personnel, and testing the system.
Automation plays a crucial role in detecting outages, disseminating information, and streamlining incident response.
Real-world case studies highlight the significance of effective communication during cyber outages.
By embracing multimodal communication and automation, organizations can better navigate the challenges posed by cyber outages and protect their operations, reputation, and stakeholders. As technology continues to evolve, so too must our strategies for communicating during crises.
Sources
1 The 15 biggest data breaches of the 21st century, by Michael Hill and Dan Swinhoe, CSO Online, Nov 08, 2022
2 Medical data hacked from 10m Australians begins to appear on dark web, by Ben Doherty, The Guardian, Nov 11, 2022
3 The Devastating Business Impacts of a Cyber Breach, by Keman Huang, Xiaoqing Wang, William Wei, and Stuart Madnick, Harvard Business Review, May 04, 2023
4 The biggest data breach fines, penalties, and settlements so far, by Michael Hill, CSO Online, Sep 18, 2023
The Crucial Role of Multimodal Communication Channels in Cyber Outages
By David Lewis, Nteraction
October 12, 2023
Introduction
In today’s digital age, organizations and individuals rely heavily on technology for communication, data storage, and business operations. However, this increased dependence on technology comes with a significant risk - cyber outages. These outages can disrupt operations, compromise data security, and damage an organization's reputation. To mitigate the impact of cyber outages, it is essential to have a wholistic approach to cyber continuity and event mitigation along with a multimodal outside communication channel to inform, instruct, and educate your stakeholders and constituents. In this blog post, we will explore the importance of having an outside communication channel in responding to cyber outages and provide insights into how organizations can establish and maintain effective multimodal communication strategies.
Understanding Cyber Outages
A cyber outage refers to a disruption in an organization's digital infrastructure caused by various factors, such as cyberattacks, hardware failures, software glitches from upgrades, bugs, or other errors, or even natural disasters. These outages can have far-reaching consequences for your business, including:
· Disruption of Operations: Cyber outages can bring an organization's operations to a standstill, affecting productivity and causing financial losses. 40% of small businesses experienced eight or more hours of downtime due to a cyber breach, costing, on average, $1.56 million in losses.[1]
· Data Loss or Theft: Cyberattacks can result in data breaches, leading to the loss or theft of sensitive information, including customer data and intellectual property. Medibank, an Australian health insurer, had the medical data of nearly 10M insured customers stolen, and that data is now on the dark web.[2]
· Reputation Damage: One of the “long tail” impacts of a cyberattack is damage to your company’s reputation. Public perception of an organization can be tarnished if it fails to respond effectively to a cyber outage, eroding trust among customers, partners, and stakeholders. Publicly traded companies that have had a cyber breach (especially those that have had critical data stolen) suffered an average decline of 7.5% in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion.[3]
· Legal and Regulatory Consequences: Another “long tail” impact of a cyber outage is the legal and regulatory issues and resulting fines. Data breaches and cyber outages can lead to legal and regulatory penalties, further escalating the financial impact. Cyber intrusions, further enabled by weak security, cover-ups or avoidable mistakes (i.e. human error), have cost companies a total of nearly $4.4 billion in fines and penalties in 2023.[4]
Given the potential consequences, it is imperative for organizations to have robust strategies for dealing with cyber outages, and a critical component of these strategies is establishing effective Communication Plans that include outside communication channels.
The Importance of Multimodal Communication
Multimodal communication involves using multiple channels and methods to convey information. Relying solely on one communication channel in a cyber outage is risky. Here's why a cyber incident communication plan that includes multimodal communication is so crucial:
· Redundancy: A single communication channel can be vulnerable to the same cyber threats that caused the outage. There are multiple examples where cyber attackers targeted communication equipment to gather sensitive information including conversations or to simply shut down the service completely. By having multiple channels, organizations reduce the risk of losing all communication capabilities during an outage.
· Resilience: Different communication channels may have varying degrees of resilience. Some may be more resistant to cyberattacks or physical damage than others. This diversity enhances an organization's ability to maintain communication during an outage.
· Accessibility: Not all stakeholders prefer the same communication methods. Having a variety of channels ensures that information reaches a broader audience, accommodating diverse preferences and needs.
Establishing a Multimodal Outside Communication Channel
Creating an effective multimodal outside communication channel for cyber outages requires careful planning and consideration. Here are the steps to get started:
· Identify Key Stakeholders: Begin by identifying the stakeholders who need to be informed during a cyber outage. This may include employees, customers, partners, agents, regulatory authorities, the press and the general public. Categorize these stakeholders according to the type and severity of cyber occurrence for which each should be contacted.
· Select Communication Channels: Choose a variety of communication channels that are suitable for reaching different stakeholder groups. These should include email, text messaging (SMS/MMS), social media, instant messaging (WhatsApp, Telegram, Microsoft Teams, and others), website announcements, phone hotlines, and even physical mail.
· Implement Redundancy: Within each selected channel, implement redundancy where possible. For instance, use multiple email servers, ensure mobile networks have backup power, and employ geographically dispersed data centers for website hosting.
· Establish Protocols: Develop clear communication protocols and procedures for each channel. Specify who is responsible for sending updates, how frequently updates should be provided, and the type of information to include.
· Train Personnel: Ensure that employees responsible for communication during an outage are trained in the use of all selected channels and are aware of their roles and responsibilities.
· Test the System: Regularly test the multimodal communication system to ensure it functions as intended. Simulate cyber outage scenarios and evaluate the effectiveness of your communication strategies.
The Role of Automation
In today's fast-paced digital environment, automation plays a critical role in responding to cyber outages. Automated systems can quickly detect an outage, trigger predefined communication protocols, and disseminate information to stakeholders. Here are some ways automation can enhance multimodal communication during cyber outages:
· Monitoring and Detection: Automated monitoring tools can detect cyber outages in real-time and automatically initiate the remediation as well as the communication process.
· Message Templates: Predefined message templates can be used to ensure that accurate and consistent information and instructions are disseminated across all communication channels.
· Alert Escalation: Automation can facilitate the escalation of alerts. For example, if an initial communication attempt fails, the system can automatically try alternative channels.
· Data Backup and Recovery: Automated backup and recovery systems can help safeguard critical data and minimize downtime during an outage.
· Incident Response: Automation can be integrated into incident response plans to streamline communication and decision-making processes.
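The stakeholder tiering, channel selection, templates and alert escalation described above, modelled as a small dispatcher. This is an added example, not code from the original post: the groups, channels, severity tiers and the simulated mail-server failure are all constructed sample data.

```python
"""Added example (not from the original post): a dispatcher that contacts stakeholder
groups tiered by incident severity, renders one template for every channel, and
escalates to the next preferred channel when delivery fails."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SEVERITY_ORDER = ["low", "medium", "high"]   # hypothetical severity tiers


@dataclass
class Group:
    name: str
    min_severity: str       # contact this group at this severity or above
    channels: List[str]     # preference order; first entry is the primary channel


@dataclass
class Channel:
    name: str
    send: Callable[[str, str], bool]   # send(group_name, message) -> delivered?


# Predefined templates so every channel carries the same wording.
TEMPLATES = {
    "initial": "[{severity}] {org}: we are investigating a disruption affecting "
               "{service}. Next update in {interval} minutes.",
    "update": "[{severity}] {org}: {service} incident update: {status}. "
              "Next update in {interval} minutes.",
}


def render(kind: str, **fields) -> str:
    return TEMPLATES[kind].format(**fields)


def groups_for(groups: List[Group], severity: str) -> List[Group]:
    """Stakeholders whose threshold is at or below the incident's severity."""
    rank = SEVERITY_ORDER.index(severity)
    return [g for g in groups if SEVERITY_ORDER.index(g.min_severity) <= rank]


def dispatch(groups: List[Group], channels: List[Channel],
             severity: str, message: str) -> Dict[str, dict]:
    """Send to each in-scope group, escalating down its channel list on failure.
    Returns a per-group delivery record usable for post-exercise review."""
    by_name = {c.name: c for c in channels}
    record: Dict[str, dict] = {}
    for g in groups_for(groups, severity):
        attempts = []
        delivered: Optional[str] = None
        for ch_name in g.channels:
            ok = by_name[ch_name].send(g.name, message)
            attempts.append((ch_name, ok))
            if ok:                      # stop escalating once one channel works
                delivered = ch_name
                break
        record[g.name] = {"delivered_via": delivered, "attempts": attempts}
    return record


def unreachable(record: Dict[str, dict]) -> List[str]:
    """Groups for which every channel failed: the gap a communication test should surface."""
    return sorted(name for name, r in record.items() if r["delivered_via"] is None)


# Constructed sample plan. The corporate mail server is assumed to be inside the
# outage, so the email channel always fails; the other channels succeed.
SAMPLE_GROUPS = [
    Group("employees", "low", ["email", "sms", "status_page"]),
    Group("customers", "medium", ["status_page", "email"]),
    Group("regulators", "high", ["email", "phone"]),
    Group("press", "high", ["email"]),          # single channel: no redundancy
]
SAMPLE_CHANNELS = [
    Channel("email", lambda group, msg: False),
    Channel("sms", lambda group, msg: True),
    Channel("status_page", lambda group, msg: True),
    Channel("phone", lambda group, msg: True),
]

if __name__ == "__main__":
    msg = render("initial", severity="high", org="ExampleCo",
                 service="customer portal", interval=30)
    rec = dispatch(SAMPLE_GROUPS, SAMPLE_CHANNELS, "high", msg)
    for name, r in rec.items():
        print(name, r)
    print("unreachable:", unreachable(rec))
```

Running it shows the press group as unreachable, which is exactly the kind of single-channel dependency a regular communication test is meant to expose.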
Case Studies: Multimodal Communication in Action
To illustrate the effectiveness of multimodal communication channels during cyber outages, let's explore two real-world case studies:
Case Study 1: Equifax Data Breach (2017)
In one of the most significant data breaches in history, Equifax, a credit reporting agency, suffered a cyberattack that exposed sensitive information of over 147 million people. Equifax faced severe backlash for its initial response, which was criticized for being slow and ineffective.
Lesson Learned: Equifax's case underscores the importance of having a well-established communication plan and multimodal outside communication channel. A more proactive, complete and efficient response could have mitigated the damage to its reputation.
Case Study 2: Colonial Pipeline Ransomware Attack (2021)
The Colonial Pipeline ransomware attack disrupted fuel supply along the East Coast of the United States. Colonial Pipeline utilized a multimodal communication approach to keep stakeholders informed, including the public, during the outage.
Lesson Learned: Colonial Pipeline's response demonstrated the value of transparency and timely communication. Their multimodal approach helped mitigate panic (to some degree) and informed the public about the situation. Even though Colonial Pipeline used a multimodal communication approach, the result demonstrated the need for further tuning, enhancement and training.
Conclusion: Embracing Multimodal Communication
In an age where cyber outages are a constant threat, organizations must prioritize the development and maintenance of effective multimodal outside communication channels. These channels serve as a lifeline during crises, ensuring that stakeholders receive timely and accurate information, thus reducing the negative impact of cyber outages.
In summary:
· Cyber outages can have severe consequences for organizations, making proactive communication essential.
· Multimodal communication channels offer redundancy, resilience, and accessibility.
· Establishing these channels involves identifying stakeholders, selecting communication methods, implementing redundancy, setting protocols, training personnel, and testing the system.
· Automation plays a crucial role in detecting outages, disseminating information, and streamlining incident response.
· Real-world case studies highlight the significance of effective communication during cyber outages.
By embracing multimodal communication and automation, organizations can better navigate the challenges posed by cyber outages and protect their operations, reputation, and stakeholders. As technology continues to evolve, so too must our strategies for communicating during crises.
Sources
[1] The 15 biggest data breaches of the 21st century, by Michael Hill and Dan Swinhoe, CSO Online, Nov 08, 2022
[2] Medical data hacked from 10m Australians begins to appear on dark web, by Ben Doherty, The Guardian, Nov 11, 2022
[3] The Devastating Business Impacts of a Cyber Breach, by Keman Huang, Xiaoqing Wang, William Wei, and Stuart Madnick, Harvard Business Review, May 04, 2023
[4] The biggest data breach fines, penalties, and settlements so far, by Michael Hill, CSO Online, Sep 18, 2023
Achieving Operational Resilience: NIST Controls for Small and Medium-Sized Businesses in the Face of Cybersecurity Breaches
By Alan Gin, Cofounder and CEO, ZeroDown Software
October 5, 2023
Introduction
In an increasingly digital world, small and medium-sized businesses (SMBs) are prime targets for cyberattacks. These breaches can disrupt operations, damage reputations, and drain financial resources. To navigate these challenges and ensure operational resilience, SMBs must adopt a proactive approach to cybersecurity. One invaluable resource for achieving this resilience is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. In this article, we'll explore how SMBs can utilize NIST Controls to bolster their cybersecurity measures and maintain operational resilience in the face of cyber threats.
1. Understanding Operational Resilience
Operational resilience refers to an organization's ability to maintain essential functions during and after a cybersecurity breach. It's not just about preventing attacks but also about minimizing their impact when they occur. Operational resilience encompasses cybersecurity, business continuity, and disaster recovery efforts. For SMBs, which may have limited resources, achieving operational resilience can be particularly challenging.
2. The NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides a structured approach to cybersecurity that is adaptable for organizations of all sizes. Its foundation lies in five core functions: Identify, Protect, Detect, Respond, and Recover (IPDRR). SMBs can utilize these functions and associated controls to bolster their operational resilience.
3. Identify: Know Your Assets and Risks
The first step in building operational resilience is to identify and understand your organization's assets and the associated risks. For SMBs, this often means starting with limited resources but scaling up gradually.
- Asset Inventory: Document all hardware, software, data, and personnel involved in your operations.
- Risk Assessment: Identify potential cybersecurity threats and vulnerabilities specific to your organization.
- NIST Controls: NIST Special Publication 800-53 provides a comprehensive list of controls for asset management and risk assessment.
4. Protect: Safeguard Your Assets
Once you've identified your assets and risks, it's time to protect them from cyber threats. SMBs can adopt cost-effective security measures to ensure protection.
- Access Control: Limit access to sensitive data and systems to authorized personnel.
- Data Encryption: Encrypt sensitive data both at rest and in transit.
- Employee Training: Educate your staff about cybersecurity best practices.
- NIST Controls: NIST SP 800-171 offers controls for access control and encryption.
5. Detect: Identify Threats Early
Detecting threats in their early stages is crucial for minimizing damage. SMBs can implement monitoring and detection mechanisms to achieve this.
- Continuous Monitoring: Implement tools and processes for continuous monitoring of network traffic and system activities.
- Anomaly Detection: Utilize intrusion detection systems to identify unusual behavior.
- Incident Reporting: Encourage employees to report any suspicious activities promptly.
- NIST Controls: NIST SP 800-137 provides guidelines for continuous monitoring, while NIST SP 800-94 covers intrusion detection.
6. Respond: Act Swiftly and Effectively
When a cyber incident occurs, it's essential to respond swiftly and effectively. SMBs can create an incident response plan to streamline their response efforts.
- Incident Response Team: Establish a team responsible for managing incidents.
- Communication Plan: Define how you will communicate internally and externally during an incident.
- Containment and Eradication: Quickly isolate affected systems and eliminate the threat.
- NIST Controls: NIST SP 800-61 outlines incident handling procedures.
7. Recover: Bounce Back Stronger
Recovering from a cybersecurity breach is about more than just restoring systems. It's about learning from the incident and improving your organization's resilience.
- Backup and Restore: Regularly back up critical data and systems.
- Business Continuity: Develop a business continuity plan to ensure essential functions continue during and after an incident.
- Post-Incident Analysis: Analyze the incident to identify weaknesses and areas for improvement.
- NIST Controls: NIST SP 800-34 covers contingency planning, while NIST SP 800-53 Revision 5 offers controls for system recovery.
8. Building a Culture of Cybersecurity
Achieving operational resilience goes beyond implementing controls; it involves creating a culture of cybersecurity within your organization.
- Employee Training: Continuously educate your staff on the latest threats and best practices.
- Security Awareness: Foster a culture where employees understand their role in cybersecurity.
- Regular Testing: Conduct tabletop exercises and penetration testing to evaluate your organization's readiness.
- NIST Controls: NIST SP 800-50 provides guidelines for establishing a security awareness program.
9. Compliance and Reporting
SMBs should be aware of compliance requirements specific to their industry and region. NIST controls can help in meeting these requirements.
- Documentation: Maintain records of your cybersecurity efforts for compliance reporting.
- Third-Party Assessment: Consider third-party assessments to validate your cybersecurity measures.
- Regulatory Alignment: Align your cybersecurity program with industry-specific regulations.
- NIST Controls: NIST SP 800-53 Revision 5 can guide you in aligning with various compliance frameworks.
10. Conclusion
In today's cyber-threat landscape, achieving operational resilience is not an option but a necessity for SMBs. Utilizing the NIST Cybersecurity Framework and its controls provides a structured and adaptable approach to bolstering cybersecurity measures and ensuring operational resilience. By identifying assets and risks, protecting against threats, detecting incidents early, responding effectively, and recovering with resilience, SMBs can navigate the complex world of cybersecurity and emerge stronger in the face of adversity. Building a culture of cybersecurity and staying compliant with industry regulations will further fortify their defenses and protect their future.
Modern Operational Resilience (MOR) is an ongoing journey, and SMBs must continually adapt and improve their cybersecurity practices to stay ahead of evolving threats. Embracing the NIST Controls is a proactive step towards securing your business in an increasingly interconnected and digital world.
An SMB’s Guide to Cybersecurity Monitoring, Detection and Response
By Aaron Branson, Netsurion
October 3, 2023
There’s no debating that safeguarding your business's digital assets and data from cyber threats is just a cost of doing business. Cybersecurity monitoring, detection, and response solutions are like the digital equivalent of a home security system. They provide continuous protection, early threat detection, and rapid response to potential breaches. However, the marketplace for these cybersecurity solutions is overrun with complex terminology, redundant categorization, and over-hyped “must have” technology. This short guide will help you break through this confusion and feel confident in making the right choice for your business.
Why must small businesses invest in cybersecurity monitoring, detection, and response?
Many small and medium-sized businesses (SMBs) underinvest in cybersecurity and are left at high risk by the increasingly indiscriminate nature of cyberattacks.
Software Supply Chain Risk: With the explosion of Software-as-a-Service (SaaS) subscriptions and cloud infrastructure, SMBs are deeply connected to the software supply chain. It’s a mischaracterization to think “I’m too small to be targeted,” because you don’t have to be targeted at all to be attacked. The well-known SaaS subscriptions (e.g. Salesforce, Quicken, Microsoft 365), remote monitoring tools (e.g. GoTo, ConnectWise) and cloud infrastructure (e.g. Azure, AWS) may be the target, with their customers greatly impacted.
Cybercrime-as-a-Service: Just as the SaaS model has brought powerful functionality down-market to businesses of any size, it has brought powerful malware down-market to hackers of any skill level. A hacker no longer needs to be an extremely talented software programmer to create malware or ransomware. They can simply buy the toolkit on the dark web and deploy it. This makes it possible, even practical, for a local low-skilled criminal to target local businesses.
In fact, according to Coveware, 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.
Why is acquiring cybersecurity monitoring, detection, and response complicated?
Driven by the seriousness of cyber threats, the market is awash in vendors to choose from. In addition, because cyber threats have evolved so quickly, cybersecurity technologies and techniques are ever changing as well. The result has been comparable to the Tower of Babel. With a massive number of vendors in the market, each fighting to stand out, companies and industry analysts have coined many terms and categories to make sense of them all. However, without any standardization or consolidation, these cybersecurity monitoring, detection, and response solutions go by many names. It’s important that you are aware of them so that you can translate the techno-babel and identify what really matters when choosing a solution. You’ll come across the following terms in your hunt for the right solution:
SIEM (Security Information & Event Management): This software ingests, correlates, and normalizes all sorts of network data and system logs ultimately to alert you to any suspicious activity. Without expert implementation and ongoing tuning, these systems are notoriously noisy and thus historically only practical for enterprise businesses with the wherewithal to run them.
EDR (Endpoint Detection & Response): This software is installed on laptops, workstations, and servers (aka endpoints) to monitor these systems at a more granular level (e.g. processes, executables). It not only alerts but also takes preventative measures to block malicious activity.
XDR (Extended Detection & Response): With the explosion of available security tools, this software has recently come onto the scene to reduce the need for some tooling and provide a single pane of glass for others. There is still a wide range of capabilities between vendors in this category, but the expectation is that an XDR solution should complete your IT estate coverage by accounting for networks, endpoints, cloud infrastructure, SaaS applications, and other security tools.
In all these cases above, we’re speaking about products – technology only. Similarly, there are services you can purchase to avoid running the technology yourself.
Managed SIEM: As described above, SIEM platforms require expert skill and bandwidth to be effective. A Managed SIEM service promises to provide that skill and bandwidth. In some cases, the provider may also be the owner of the SIEM platform. In other cases, they may license the platform from another vendor.
Managed SOC (Security Operations Center): The team that provides 24x7 monitoring, detection and response services is known as a SOC. Therefore, Managed SOC, to put it in simple terms, is a subscription-based service in which you may acquire a fractional SOC service sized to meet your needs. However, what is left unstated is which technology this service is using (a SIEM, EDR, or XDR) and whose it is (yours, theirs, or another vendor's).
MDR (Managed Detection & Response): This category initially rose from the need for managed EDR services. However, today, what scope of detection and response is provided can vary. There isn’t truly much difference in definition between MDR and Managed SOC. It’s debatable, but one may suggest that MDR is more narrowly focused on threat detection and response while Managed SOC is more broad to include more security and compliance support.
Managed XDR: As you may have suspected at this point, this service grew out of a need to couple XDR technology and SOC expertise as a more encompassing cybersecurity monitoring, detection, and response solution. A buyer should beware that “extended” detection is a relative term and one should inspect the coverage of each XDR option to ensure they support your assets and data that make up your IT estate. Some XDR vendors are considered Native XDR in that they offer extended coverage of all security tools and telemetry owned by that vendor. Some XDR vendors are Open XDR in that they are not in the business of creating any other tools than the XDR platform and thus their mission is to openly integrate with as many third-party vendors as is useful.
Where do you go from here?
Armed with this back story, so as not to be thrown by the many solution categories you’ll come across, here is a more controlled approach to finding the right solution.
To help simplify things, compare cybersecurity monitoring, detection, and response to home security monitoring. Think of the components – technology and service – of a provider such as ADT.
1. Assess Your Needs
Just as ADT customizes home security solutions to fit your specific needs, it's vital to assess your organization's unique security requirements. Consider factors like the size of your business, the industry you operate in, your budget, and your existing security infrastructure.
2. Choose Your Monitoring Level
ADT offers various monitoring levels, from basic to advanced. Similarly, cybersecurity monitoring levels include which systems will be monitored (servers, endpoints, cloud, network), when they will be monitored (24x7x365 or not), and how they will be monitored (logs only, anomalous behavior too, proactive threat hunting). Determine which level aligns with your threat detection and response needs.
3. Installation and Integration
Just as ADT integrates with your existing home security infrastructure, cybersecurity monitoring solutions should seamlessly integrate into your current IT environment. Ensure compatibility with your existing tools and systems for smooth implementation.
4. Round-the-Clock Monitoring
ADT's 24/7 monitoring service is analogous to continuous, real-time cybersecurity monitoring. Look for a solution that offers 24/7 threat detection and response capabilities, providing peace of mind that your organization is always protected.
5. Threat Detection
ADT's motion sensors and alarms detect intruders, while cybersecurity monitoring solutions use continuously changing threat intel feeds, advanced algorithms, and AI to detect anomalous activities, potential threats, and vulnerabilities within your digital environment.
6. Alerting Mechanisms
ADT alerts homeowners and emergency services when a security breach occurs. Likewise, cybersecurity solutions should provide rapid alerts to your security team when a potential threat is detected, allowing for immediate action.
7. Incident Response
Just as ADT dispatches security personnel when needed, cybersecurity solutions should have an incident response plan in place. Evaluate their response time, incident handling procedures, documentation, and the expertise of their security analysts.
8. Data Protection
Ensure that cybersecurity solutions prioritize data protection and compliance with industry regulations. Your data is valuable, and it should be safeguarded accordingly.
9. Scalability
Consider your organization's future growth. Just as ADT can be scaled up to accommodate larger properties, choose a cybersecurity solution that can grow with your business without compromising its security posture.
10. Cost Considerations
ADT offers various pricing packages, and cybersecurity solutions vary in cost. Understand the pricing structure, including any hidden fees, to ensure that the solution aligns with your budget.
11. Customer Support
ADT provides customer support for any issues or questions. Similarly, cybersecurity solutions should offer robust customer support, including a dedicated support team and clear communication channels.
12. Reviews and Recommendations
Just as you might ask for recommendations before choosing ADT over another provider, seek referrals and read reviews from other organizations that have used the cybersecurity solution you're considering. This can provide valuable insights into the solution's effectiveness.
Selecting a cybersecurity monitoring, detection, and response solution for your organization is as important as choosing a home security system. It’s a decision you need to make in an informed way, one that ensures the safety and security of your digital assets and operations. It can seem complicated on the surface, but ultimately it isn’t much different from choosing a security provider for your home or office building.
Threat Intel vs. Adversary-Generated Threat Intel: What’s the Difference?
By Marti Buckley, Head of Marketing, Counter Craft Security
September 26, 2023
Threat intelligence used to be the domain of a few cybersecurity analysts who spent their time tracking global bad actors and piecing together knowledge of their tactics, techniques, and procedures (TTPs). Today, any organization can subscribe to threat intelligence services and feeds, using the data to predict and identify threats targeting their business. The numerous threat intel products on the market all promise to reduce risk, prevent loss, and increase efficiency—yet attacks continue to rise and security teams just are not getting the results they were promised and expected.
Generic Doesn’t Cut It — Close the Expectation Gap with Adversary-Generated Threat Intel
The Gartner report, Use Adversary-Generated Threat Intelligence to Improve Threat Detection and Response, attributes this expectation gap to the fact that most threat intelligence offerings are based on “generic” threat intel[1]. This includes intel about general attack vectors, indicators of compromise (IOCs), and TTPs. Generic threat data is gathered globally, interpreted widely, and applied broadly to a wide range of organizations and environments. Having some threat intelligence is better than having none, but for most organizations, it isn’t specific enough to make important security decisions. Worse, it leaves vital questions unanswered, like:
Are my existing controls effective against nation-state-level attackers? Have we prioritized defenses correctly for our most critical assets?
Should we defer planned projects or take budget from another area to strengthen our defense or response capabilities?
And, gravest of all, is there already someone targeting us or operating covertly in our environment?
“Most threat intelligence offerings are based on “generic” threat intel, but this is not enough for organizations to make important security decisions”
For these reasons, Gartner analyzed the value of gathering adversary-generated threat intel. Adversary-generated threat intel is a type of threat intelligence delivered directly to you by the attackers themselves as they target assets and operate in your environment. While they test tools and attempt to move through your network, every action is seen, documented, and analyzed. Adversary-generated threat intel is uniquely useful because it:
is unique to your attack surface.
can be delivered in real time.
provides you with operational intelligence, such as IOCs and malicious IP addresses, as well as attacker TTPs—enabling you to detect and respond to adversary threats faster.
Cyber Deception Delivers Adversary-Generated Threat Intelligence
How can you gather this revolutionary type of threat intelligence, and do so safely?
Deception technology enables you to detect threat actors before they attack or in the midst of an attack. Cyber deception is the deliberate deployment of highly credible—but fake—digital assets. Digital “breadcrumbs” lead adversaries to these fake assets, which they begin to interact with as they test their tools against your defenses. Unbeknownst to them, every move and every decision is captured in deception environments that allow you to observe and collect this adversary-generated threat intelligence.
“Adversary-generated threat intelligence can be fed directly into your existing tech stack.”
Cyber deception, when done correctly, confuses and misdirects attackers. They don’t know they’re operating in an instrumented environment, even if they test assets for credibility to ensure that they aren’t in a sandbox or emulated environment. As the actor interacts with deceptive assets, their activities generate real-time intel. That intel can be fed into Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and other tools to improve detection capabilities and enable a rapid, targeted response.
Deception-based solutions can deliver the adversary-generated threat intel described by Gartner. Organizations of all sizes and levels of security maturity can benefit from deception’s fast, accurate detection and prevention capabilities, automation, high-fidelity alerts, and a lack of false positives.
If SIEM, EDR, or XDR solutions are in place, a deception-based solution is even more effective at providing adversary-generated threat intelligence, offering a cost-effective way to deploy campaigns that map attackers before they get into the network. Deception lets these teams fuse prevention with detection in a single, in-depth solution.
It’s not just cutting-edge systems that can generate this type of threat intel. Solutions can be deployed in operational environments (SCADA, OT, IoT) where traditional security tools are not viable options. Automated deception campaigns can help teams map adversary behavior and objectives to gather data on multiple threat types for making decisions that reduce costs and risks.
Faster Detection of Real Threats: Here’s What Happened at One Financial Institution
World-renowned financial institutions, government bodies, pharma, retail, industrial, and law-enforcement agencies are defending their organizations with adversary-generated threat intelligence. One financial institution used a deception-based solution and the resulting intel to detect lateral movement in a SWIFT network.
Using the deception-based solution, the financial institution was able to detect and respond to an adversary quickly, before any other internal system detected it. Current IT controls, EDR, and intrusion detection systems (IDS) can’t detect an adversary already moving laterally in the network. Within two weeks of deployment, the deception-based solution alerted teams to a red team and unauthorized users accessing a SWIFT portal five times within an hour. This SWIFT portal was a decoy, which allowed the security team to gain adversary-generated threat intel specific to the bank’s actual environment: TTPs, intentions, and motivations. With this valuable data, they were able to respond quickly. The data enabled them to review policies, harden security in their SWIFT environment, and provide strategic communications to bank executives and board members.
Adversary-generated evidence is the best intel available. Deception enables you to detect and respond to adversary threats faster with highly specific, actionable intelligence. You can begin using deception immediately to reduce the risk of a damaging intrusion.
If you’d like to learn more about deception-based solutions and best practices, reach out to the SafeHouse Initiative organization.
Strengthening Cybersecurity Resilience: A Guide for SMBs with the SafeHouse Initiative
By Alan Gin, Cofounder and CEO, ZeroDown Software
September 22, 2023
Introduction
In today's digital age, the threat of cyberattacks is an ever-present concern for businesses of all sizes. Small and medium-sized businesses (SMBs), in particular, are increasingly becoming targets due to their many vulnerabilities. To help SMBs enhance their cybersecurity defenses and mitigate risks, the SafeHouse Initiative.ORG offers a valuable resource that focuses on educating businesses about operational resilience during cyber security breaches. In this blog post, we'll explore how SMBs can leverage the SafeHouse Initiative and the importance of implementing NIST Controls for cybersecurity and cyber insurance.
The SafeHouse Initiative.ORG: A Beacon of Cybersecurity Knowledge
The SafeHouse Initiative.ORG is a nonprofit organization dedicated to promoting cybersecurity awareness and education, especially among SMBs. It provides a wealth of resources and guidance to help businesses strengthen their cybersecurity posture. One of the key aspects of their initiative is to educate businesses on operational resilience during cyber security breaches, utilizing the NIST (National Institute of Standards and Technology) Cybersecurity Framework.
Understanding NIST Controls
The NIST Cybersecurity Framework is a comprehensive set of guidelines that businesses can follow to manage and reduce cybersecurity risks. It consists of a series of controls, which are specific measures and safeguards designed to protect against cyber threats. Implementing NIST Controls involves a structured approach to:
1. Identify: Recognize and understand cybersecurity risks, assets, and vulnerabilities within your organization.
2. Protect: Put in place safeguards to mitigate risks, such as access controls, encryption, and security training for employees.
3. Detect: Implement mechanisms to identify and respond to cybersecurity incidents promptly.
4. Respond: Develop an incident response plan to contain, mitigate, and recover from cybersecurity breaches effectively.
5. Recover: Ensure business continuity and facilitate recovery after a cybersecurity incident.
Why Implementing NIST Controls Matters
For SMBs, implementing NIST Controls is crucial for several reasons:
1. Risk Mitigation: NIST Controls provide a structured approach to identifying and mitigating cybersecurity risks, helping businesses reduce the likelihood and impact of security breaches.
2. Compliance: Many industries and regulations require businesses to adhere to specific cybersecurity standards. Implementing NIST Controls can help SMBs meet these compliance requirements.
3. Cyber Insurance: Cyber insurance is becoming increasingly important as businesses seek protection against financial losses due to cyberattacks. Insurance companies often assess a business's cybersecurity posture before providing coverage. Implementing NIST Controls demonstrates a commitment to security, potentially leading to lower insurance premiums and better coverage terms.
The Role of the Insurance Industry
The insurance industry plays a significant role in promoting cybersecurity best practices. Here's how the industry supports SMBs in implementing NIST Controls:
1. Risk Assessment: Insurers often conduct cybersecurity risk assessments for policyholders. These assessments can identify vulnerabilities and areas where NIST Controls can be applied.
2. Incentives: Insurers may offer incentives, such as reduced premiums or coverage enhancements, to businesses that demonstrate robust cybersecurity practices, including NIST Controls implementation.
3. Cybersecurity Education: Insurance providers can offer resources and guidance to help SMBs understand and implement NIST Controls effectively.
Conclusion
In an era of increasing cyber threats, SMBs must take cybersecurity seriously to protect their operations and financial well-being. The SafeHouse Initiative.ORG provides a valuable resource for SMBs looking to enhance their operational resilience during cyber security breaches, with a focus on NIST Controls. By implementing these controls, businesses not only reduce their cybersecurity risks but also position themselves favorably for cyber insurance coverage. The insurance industry, in turn, supports these efforts by encouraging and incentivizing sound cybersecurity practices. As SMBs continue to embrace these strategies, they will not only protect themselves but also contribute to a more secure digital ecosystem for all.
Zero Trust is a concept that has gained popularity due to the ongoing evolution of the cyber-threat landscape. These attacks are now persistent, they're sophisticated, and, in many cases, because of the blurring of the perimeter, difficult to detect or distinguish an “insider” versus an “outsider”. Remote access has become a must, and this has made for complex IT environments.
Traditionally, it was assumed that there was a well-defined network perimeter. Either you were inside the company, inside the firewall if you like, or you were on the outside. And once you're in, you have free access to all the resources inside the network. And this was appropriate for a simpler time where remote access was not so common and necessary. But since then, zero-trust architecture has come into vogue.
Now, you should authenticate and authorize every interaction. So regardless of whether it's a user or a device, there is really no concept of an “inside” or an “outside”. If that user or that device wants to access a network resource, authentication and authorization are a must.
Cyber-attacks can originate from inside or outside. Today, you can’t necessarily tell what's inside or what's outside.
The Differences Between Traditional Architecture and Zero-Trust Architecture
The traditional architecture is static and based on the existence of a perimeter. The zero-trust architecture (ZTA) is dynamic, changes over time, and is not dependent on any perimeter.
In the traditional model, once you're identified, you've got implicit trust inside the perimeter. In ZTA, even if you're in, it doesn't matter. Anytime you try to access something, we must confirm your user identity and authenticate you.
In the traditional model, you authenticate once when you're connecting to the network. With ZTA, you authenticate every time you access any network resource or device.
In the traditional model, once you're in, you're in and so internal traffic is unencrypted. Whereas in zero-trust architecture, I don't care if you're in or you're out. There is no “in” and there is no “out”. If it's a network session, it is encrypted end-to-end.
How Does Zero-Trust Architecture Work?
Well, the way it works is that you define a security policy, and a trust algorithm applies that policy to ultimately grant or deny access to a resource by a user or a device.
In addition to the algorithm, you need an identity credential system where you have identified “who's who in the zoo” and what can they do. You need security analytics. This means you're collecting logs; you're looking at user and entity behavior analytics (UEBA), and you're considering threat intelligence. Of course, you have endpoints and so endpoint security as well. And then as I mentioned, all traffic inside is in fact encrypted.
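The trust algorithm described in the two paragraphs above, and the contrast with the perimeter model from the "Differences" section, as an added illustration that is not part of the original post or any vendor's product: a small policy decision point that evaluates every request on identity, MFA, device posture, session encryption, authorization and a UEBA risk score, and deliberately ignores network location. All field names, the risk threshold and the sample requests are constructed for the example.

```python
"""Toy zero-trust policy decision point (added example; not any product's code)."""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    subject: str
    authenticated: bool        # identity credential verified for THIS request
    mfa_satisfied: bool        # second factor presented for this request
    device_compliant: bool     # endpoint security posture check passed
    session_encrypted: bool    # end-to-end encrypted session (e.g. mTLS)
    network_location: str      # "corp-lan", "vpn", "internet": never a source of trust
    resource: str
    ueba_risk: float           # 0.0 (normal) .. 1.0 (highly anomalous), from analytics


@dataclass
class Policy:
    allowed_subjects: dict = field(default_factory=dict)  # resource -> set of subjects
    sensitive_resources: set = field(default_factory=set)
    max_risk: float = 0.7      # constructed threshold; tune from your own baselines


@dataclass
class Decision:
    allow: bool
    reasons: list              # empty when allowed, else why access was denied


def perimeter_model(req: AccessRequest) -> Decision:
    """Legacy model: implicit trust for anything already 'inside'."""
    if req.network_location == "corp-lan":
        return Decision(True, [])
    return Decision(False, ["outside the perimeter"])


def trust_algorithm(req: AccessRequest, policy: Policy) -> Decision:
    """Zero-trust model: every interaction is re-evaluated; location is ignored."""
    reasons = []
    # 1. Identity credential must be verified for this interaction, not a past one.
    if not req.authenticated:
        reasons.append("identity not authenticated")
    # 2. All traffic is encrypted; there is no trusted 'inside' network.
    if not req.session_encrypted:
        reasons.append("session not encrypted end-to-end")
    # 3. Endpoint security: a non-compliant device is denied even with valid credentials.
    if not req.device_compliant:
        reasons.append("device failed posture check")
    # 4. Authorization: 'who's who in the zoo' and what they may touch.
    if req.subject not in policy.allowed_subjects.get(req.resource, set()):
        reasons.append(f"{req.subject} not authorized for {req.resource}")
    # 5. Sensitive resources additionally require MFA.
    if req.resource in policy.sensitive_resources and not req.mfa_satisfied:
        reasons.append("MFA required for sensitive resource")
    # 6. Security analytics: anomalous behaviour overrides an otherwise valid request.
    if req.ueba_risk > policy.max_risk:
        reasons.append(f"UEBA risk {req.ueba_risk:.2f} exceeds {policy.max_risk}")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample policy and requests.
SAMPLE_POLICY = Policy(
    allowed_subjects={"payroll-db": {"alice"}, "wiki": {"alice", "bob"}},
    sensitive_resources={"payroll-db"},
)

# An unauthenticated device on the LAN: the perimeter model waves it through.
LAN_UNAUTHENTICATED = AccessRequest("bob", False, False, False, False,
                                    "corp-lan", "payroll-db", 0.1)
# A fully verified user on the open Internet: zero trust allows, the perimeter denies.
REMOTE_VERIFIED = AccessRequest("alice", True, True, True, True,
                                "internet", "payroll-db", 0.2)
# Same user, same device, but analytics flag the session as anomalous.
REMOTE_ANOMALOUS = AccessRequest("alice", True, True, True, True,
                                 "internet", "payroll-db", 0.9)


if __name__ == "__main__":
    for name, req in [("lan", LAN_UNAUTHENTICATED), ("remote", REMOTE_VERIFIED),
                      ("anomalous", REMOTE_ANOMALOUS)]:
        print(name, "perimeter:", perimeter_model(req).allow,
              "zero-trust:", trust_algorithm(req, SAMPLE_POLICY))
```

The `reasons` list is what you would write to the log feeding your SIEM or UEBA pipeline: a denial with "device failed posture check" from a known user is a different signal from a denial for an unknown subject, and the continuous monitoring benefit described below depends on recording both.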
How Does Zero-Trust Benefit My Business?
What's the upside of a zero-trust architecture coupled with the aforementioned security monitoring? Well, for one thing, you will limit the blast radius. You know that an attack is inevitable, right? Assume breach is the paradigm, so when it occurs you will confine the security incident to the smallest possible blast radius. And this is very important because perfect protection is simply not practical.
The second benefit is improved situational awareness. Even if no blast has occurred, you know, because of the continuous monitoring that goes on, what's normal, what's occurring, and what's happening inside your network. And this is very important for identifying what's out of the ordinary or seen for the first time.
And thirdly, your data confidentiality is improved, as it is less likely that your data is going to end up on the dark web. Hopefully, this sheds a little more light on the basics of Zero-Trust Architecture and why it's important to your business.
One of the most overlooked components of a complete and effective Cyber Incident Response Plan is the Communication Plan. How and when you communicate with your employees, customers, partners and suppliers can be the difference between your business operations being down for months or not down at all. The Communication Plan is crucial for effectively managing and responding to cybersecurity incidents of all types while minimizing their impact on an organization's reputation, operations, and stakeholders. The plan outlines the steps to be taken when a cyber incident occurs and ensures consistent, clear, and timely communication with all the key stakeholders. Here are 18 key requirements for a comprehensive Cyber Incident Communication Plan:
1. Define Clear Objectives and Goals
Define the purpose of the Communication Plan as part of the Incident Response Plan. Outline the primary objectives. These can include items like minimizing damage, informing stakeholders and setting expectations, instructing stakeholders on what to do and what not to do, instructing stakeholders on how to continue business operations during this period, and maintaining transparency. Be sure to include how to get more answers or help.
2. Designated Business Continuity Communication Team
Identify a team responsible for managing communication during a cyber event. This team should consist of representatives from across your organization and include IT, Legal, Public Relations, senior management, and other relevant departments. This team should be empowered to be responsible to manage and execute the Communication Plan in the event of a cyber incident. This team should be the individuals that ultimately trigger communication, using appropriate tools, with all stakeholders.
3. Define Roles and Responsibilities
Clearly define the roles and responsibilities of each team member involved in communication. This helps ensure a coordinated response, efficient decision-making, and eliminates duplication and redundancy. The roles and responsibilities of each team member will likely vary based on their departmental expertise, skill set, and area of focus during the crisis.
4. Incident Categorization and Notification Levels
Classify cyber incidents based on type, severity and impact. Establish notification levels that trigger specific communication actions defined in the Plan. This helps determine when to escalate communication to higher-level management and stakeholders, and defines the type (method and content) of communication to take place. For example, a ransomware cyber incident may require that all employees be notified immediately through digital mechanisms like SMS/MMS text, WhatsApp, or even personal email. Their instructions may include details of what systems they should connect to and those they should not, and who to contact for help. This can limit the spread of the ransomware infection and its impact, and can help keep a business operational while it works to combat and eliminate the ransomware. Compare that to a System Down situation due to an upgrade that went awry or caused a subsequent related issue. Here you may want to simply send out a company email notification with instructions and updates on the expected ETA for correction. Both are valid cyber incident situations but need completely different responses.
5. Identify all Stakeholders and their Contact Information before a Cyber Incident
Identify the various stakeholders, both internal (employees, executives, departments) and external (customers, partners, suppliers, regulators), who need to be informed during an incident before the incident occurs. It is absolutely critical that all of your stakeholders are loaded into your contact tools including their work and personal email, mobile phone number(s), WhatsApp numbers, etc. before a cyber incident. All too often, people are left scrambling to call individual stakeholders, or looking for their contact details after an incident occurs. Every minute that goes by where a stakeholder hasn’t been made aware of the cyber incident costs your company money and can promote the spread of a malware virus or expand the reach of a ransomware infection.
6. Contact Lists and Communication Channels
In addition to pre-loading all contact information for all stakeholders be sure to identify the primary and alternate methods of communication. As mentioned above, this includes phone numbers (mobile and landline), email addresses (work and personal), and alternative methods and alternative individuals. This could also include websites, social media and other forms of notification and communication.
7. Personalized Message Development
Prepare templates with key message points for various scenarios, ensuring accuracy and clarity. Include all types of content, including documents, videos, graphics, images and text, in order to communicate clear and complete instructions. Provide appropriate links to “safehouse vaults” in order to continue to conduct business, with explicit instructions on how to connect using approved hardware and methods. Develop messages that address the incident's impact, actions being taken, and preventive measures, and that set expectations of what to expect next.
Messages may be a series of communications that provide deeper-level instructions, status updates, etc. This enables a company to continue to reassure employees, customers and other stakeholders that you are working on the situation and haven’t forgotten about them. The series can also be concluded with a communication that indicates an “all clear” and that normal business operations can resume.
8. Legal and Regulatory Compliance
It is essential that all communication aligns with legal and regulatory requirements. Consulting with legal experts ahead of time to avoid inadvertently disclosing sensitive information, and ensuring compliance with regulations while not creating overreaction by outside organizations (i.e. media), is essential. Be sure to walk through each type of cyber event and the communication messages with legal in order to ensure compliance.
9. Communication Timelines
Establish and define specific timeframes for initial alerts, updates, and resolution notifications. Timely communication helps manage expectations, allay fears and maintain transparency with your stakeholders. Depending on the type of cyber event, this can be critical to effectively managing the crisis, versus having chaos and confusion.
10. Internal Communication Strategy
Perhaps the most important communication in your Plan is to identify how you will communicate within your organization. While with a “system down or unavailable” situation this may be minor, a full-blown malware or ransomware attack makes this a critical step. Informing employees about what to do and, critically, what not to do during a cyber attack can keep your business operational. Ensuring the alignment of departments, and providing them with guidance on their roles during the incident, ensures that you continue smooth, albeit disturbed, operations until you can return to normal operations.
11. External Communication Strategy
Detail how you will communicate with all appropriate external stakeholders. This could include customers, partners, agents, brokers, or suppliers. It will also include media. Providing appropriate communication on what you’re doing to address the issue, when to expect correction or further communications, and how to continue to do business with you will address their concerns and convey accurate, timely information. Managing media inquiries or notifications at the right time can allay concerns and show that the issue is under control and being handled professionally.
12. Media Relations Plan
If appropriate, having a Media Relations Plan as part of your Communications Plan is important. Be sure to prepare strategies for dealing with the media. Designate a spokesperson and provide them with media training to ensure consistent, controlled, and appropriate messaging. Deliver appropriate content to the media to convey that the situation is under control and is being addressed while showing that business operations are continuing.
13. Social Media Management
Define guidelines for managing social media channels during the incident. Determine who on the Cyber Response Team will be responsible for monitoring social media, responding to comments, providing updates, and addressing misinformation.
14. Post-Incident Communication
In addition to providing updates, delivering the Post-Incident Communication is critical to returning to normal operations. Once the incident is resolved, notify and instruct all stakeholders on the resolution and what they should now do to resume normal operations. In addition, follow-on communications can take place, including sharing lessons learned, actions taken to prevent future incidents, and any necessary updates.
15. Escalation Procedures and Help
Define clear escalation paths for incidents that require higher-level management or executive involvement in the Communication Plan. This ensures timely decision-making and communication. In addition, include in your communications to your stakeholders, clear contact information for individual escalation and where to go for help.
16. Simulation and Testing
A key and critical element of your Communication Plan and your entire Cyber Incident Response Plan is regular simulation and testing. Exercising each cyber event scenario and testing the Communication Plan is critical to ensuring its effectiveness, identifying and correcting shortcomings and ensuring team readiness.
17. Ensure Continuous Improvement
As part of your Cyber Incident Response Plan, after each cyber incident, conduct a thorough review of the response process including the communication plan and processes. Identify areas for improvement and update the plan accordingly.
18. Training and Awareness
A crucial element of your Cyber Incident Response Plan and Communication Plan is to train employees and relevant stakeholders on their roles and responsibilities during a cyber event. Ensuring your internal and even potentially external stakeholders know what to do and what to expect in a cyber event helps create a culture of cybersecurity awareness to minimize the risk of incidents, and their impact.
Each company’s Communication Plan should be tailored to its specific needs, industry, and risk profile. Regularly updating the plan and performing tabletop exercises to simulate and test it will help your organization effectively respond to and recover from cyber events and minimize their impact on your business operations, while maintaining trust and transparency.
How to Align Your Cybersecurity Posture and Cyber Risk Tolerance
By Aaron Branson, Netsurion
August 16, 2023
Your business’s IT network is constantly connected to the Internet, includes countless SaaS applications and API connections, and is accessed by employees and vendors located anywhere in the world. As a result, your business is always exposed to cyber-risk, some of which is avoidable, but some of which is unavoidable. Your cyber-risk tolerance (the types and amount of risk an organization is, on a broad level, willing to accept in its pursuit of value) governs your cybersecurity spend and correspondingly your cybersecurity posture. In simpler times, deploying a firewall to guard the network and installing signature-based anti-virus at the endpoints was considered appropriate to get a medium level of cybersecurity. The evolution of the threatscape makes such a posture antiquated and consequently exposes the organization to very high levels of cyber-risk.
Avoidable risks are those you can address by implementing standard cybersecurity practices (i.e. patch management, multi-factor authentication, strong password policies, least privilege access, security awareness training, and more). The big question to ask yourself and your organization is: “What is acceptable exposure to unavoidable risk (our cyber-risk tolerance), and how do we best align to it (our cybersecurity posture)?”
What Are These Unavoidable Cyber Risks?
They basically fall into these three camps:
Infrastructure risks: The average organization runs more than 450 different software applications and gives 182 partners and vendors some type of access to its IT environment on a weekly basis according to Privileged Access Threat Report | BeyondTrust. These risks are unavoidable in a world where tool standardization and connectivity are necessary for doing business.
Industry-centric risks: It is not possible to avoid the risks that are inherent to operating in your industry. For instance, electronic health records (EHR) are an attractive target for threat actors due to the high values they fetch on the black market. No healthcare organization can completely eliminate these risks. What is your industry’s inherent risk?
Human-centric risks: People make mistakes. The possible existence of insider threats (both malicious and unintentional) cannot be eliminated.
Mitigating these risks essentially requires:
Coverage: A means by which you can identify and enumerate these risks – network, endpoint, and application activity as well as user behavior.
Monitoring: Both the technology to ingest telemetry and the expertise to configure the system for continuous reliability and effectiveness, and to conduct threat hunting.
Detection: Leverage machine learning and threat intelligence to correlate seemingly innocuous events and identify real cyber threats.
Response: With actionable intelligence on priority threats, employ automated incident response to triage a breach and contain an attack while security experts complete full remediation and forensic investigation.
What’s the Best Way To Improve Your Cybersecurity Posture?
Managed Detection & Response (MDR) services are enjoying high rates of acceptance with organizations that accept that such services are a must for modern threat defense.
Not to be confused with simply Managed Endpoint Detection & Response software, MDR services can have a wider scope of coverage.
The global MDR market size is expected to grow from an estimated value of USD 2.6 billion in 2022 to USD 5.6 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0% from 2022 to 2027. Some of the factors that are driving the market growth include addressing the shortage of skilled cybersecurity professionals and budget constraints, government regulations, and strict regulatory compliance.
What benefits do MDR services provide in terms of risk reduction? In a nutshell, this service reduces unavoidable cyber-risk.
Is There a Scalable MDR Approach for Your Business’s Needs Today and Tomorrow?
Your organization is not static. It’s always changing – and hopefully growing. As organizations grow, typically their cyber-risk tolerance shrinks. How do you invest in a proper MDR solution to solve for today’s risk tolerance while avoiding a future rip-and-replace to meet a more stringent risk tolerance in the future?
There are two axes on which your MDR solution should flex with your organization’s cyber-risk tolerance to deliver an aligned cybersecurity posture.
Breadth of coverage: Use a risk-based approach to prioritize your assets and start with the highest-risk assets among your network, endpoints, servers, SaaS, cloud infrastructure, etc. Your MDR solution should be able to scale up and scale down in terms of how many and which assets are covered.
Depth of protection: Take a defense-in-depth approach to prioritize the basics and most impactful security controls such as 24x7 security monitoring, a cadence of cybersecurity alert reviews from monthly to weekly to daily, a vulnerability management program, proactive threat hunting, etc. Your MDR solution should integrate with or offer many of these and allow you to enable/disable them as necessary.
What Other Characteristics of MDR Can Impact Cyber Risk Tolerance and Cybersecurity Posture Alignment?
There are three primary characteristics to dive into when selecting an MDR solution:
Will it cover my specific IT assets? Is it Extended Detection & Response (XDR)? XDR (Extended Detection & Response) is an evolution of threat detection and incident response (TDIR) that successfully breaks down the traditional data and environment silos of legacy SecOps platforms to deliver wider attack surface visibility, deeper threat detection – and ultimately, faster incident response. XDR does not necessarily mean other security controls are rendered obsolete. Rather, XDR platforms must ingest, normalize, and correlate telemetry from all sources such as SIEM, EDR, and UEBA to reduce noise, identify true Indicators of Compromise (IoCs), trigger appropriate automated response, and deliver actionable alerts.
Will it scale with my business? Is it Open? Open XDR is a class of XDR that is vendor-agnostic in terms of its protection scope. Open XDR, sometimes called Hybrid XDR, is designed to integrate with other security technologies to avoid ripping and replacing them – thus they are “open” to ingest anything and everything the platform can. The key, however, is to inspect the quantity and quality of data source integrations the Open XDR platform provides.
Am I getting a tool or outcomes? Is it Managed? Managed XDR delivers this platform as-a-service combined with our 24×7 SOC (Security Operations Center) to not only provide platform hosting and tuning, but also a jointly defined SecOps Runbook, an IR Playbook, around-the-clock security monitoring, proactive threat hunting, and guided remediation support.
Protecting Against Advanced AI-Driven Password Theft: Comprehensive Measures and Cybersecurity Insights
By Sarah Illig, Marketing Director, TechGuard Security
August 15, 2023
In our rapidly evolving digital landscape, the marvels of technological advancements are often shadowed by emerging threats. One such concern is AI-driven password theft, a method that ingeniously uses artificial intelligence to decode passwords by analyzing the subtle sounds of keystrokes. This technique's sophistication means that even if you're typing away on a secure keyboard or surrounded by ambient noise, you're not necessarily safe.
A study from Cornell University has unveiled the startling efficacy of this technique, with an accuracy rate nearing 95%. This suggests that if someone with malicious intent is close enough to hear you type, there's a significant chance they could use AI to decipher your password. https://arxiv.org/abs/2308.01074
Understanding the AI Mechanism
The foundation of this method lies in the intricate process of data collection. Every keystroke produces a unique sound. To the human ear, these sounds might blend together, but to a finely calibrated AI, they're distinctly different. By gathering extensive data on these sounds, researchers can capture the subtle nuances of each key press and the rhythm of individual typing patterns. This data is then transformed into waveforms, revealing the intensity and progression of sound waves. The AI's prowess doesn't just rest on recognizing these sounds; it delves deeper, focusing on the force and timing of each keystroke. Through rigorous training using deep learning and neural networks, the AI sharpens its ability to match specific sound patterns with the corresponding keys. Once this model is honed, it's deployed in real-world scenarios. Devices equipped with microphones, when placed near someone typing, can capture these sounds, allowing the AI to attempt to reconstruct the typed content. However, while impressive, this method isn't foolproof. External factors like ambient noises or the type of keyboard can influence the AI's accuracy.
By understanding the mechanics behind AI-driven threats and implementing protective cybersecurity measures, you can navigate the digital world with greater confidence and security.
Key Cybersecurity Measures:
Leverage a Robust Password Manager: These tools assist in generating and storing strong, unique passwords, making it challenging for attackers to deduce them, even with AI tools.
Enable Two-Factor Authentication: This additional layer of security requires more than just a password, adding an extra hurdle for potential intruders.
Diversify Your Typing Locations: Typing in noisy environments can mask the sound of your keystrokes.
Stay Vigilant: Always be conscious of your surroundings, especially in public settings.
Regularly Update Passwords: Periodically changing your passwords ensures limited potential damage if one gets compromised.
By integrating these cybersecurity measures into your routine, you can effectively counter the risks posed by advanced AI-driven password theft.
Why Today No Business is "Too Small to be Hacked"
By A.N. Ananth, Cybersecurity Strategist, Netsurion
August 15, 2023
Today we're going to take on a fallacy that is popular among small and medium businesses, that they're simply too small to be hacked. Why is this wrong, and how can you address this fallacy on a budget?
“I’m too small to be interesting to attackers”
The argument goes: I've got nothing of interest to attackers, little old me. Why would anyone care? The answer is that if you are in North America, you've got stuff that's of interest, and you always have high-speed Internet, and so that's very interesting indeed. The other argument is that security is already solved by my vendor, Microsoft, Cisco. I paid money to them; they've taken care of it. I've got news for you: that is simply not true.
A third argument is, look, I mean, the users are the weakest link, but my users are pretty smart. They don't click on foolish e-mail that says some prince in Africa is going to give them $50,000. They know not to do stupid things. Well, the bad news is that you staying away from danger doesn't mean the danger stays away from you, especially when all of your assets are plugged into always-on high-speed Internet. And you know what you're using? Things like Office 365 or Dropbox or Google Docs or even just e-mail. And who doesn't have e-mail these days? Guess what? You are a target. It's because of how the cybercrime economy works.
Cybercrime Economy
It's based on attacking small and weak targets. You've seen the National Geographic Channel, right? What does the predator chase? They don't chase the big old elephant. They chase, in fact, the slowest gazelle at the back of the herd, and you see it come down. That's just the way it works.
Big companies have the ability to mount serious defenses, and while it would be nice to get one of them down, it's unlikely to happen. The wolves and the cheetahs are chasing after that slowest gazelle. They know that a small company hit by ransomware, for instance, is probably not going to hire a data recovery specialist, and is probably not going to file lawsuits, which big companies might.
Instead, they will feel intense pressure to get back to business because survival depends on it. Every day that goes by that you can't run your network becomes a question mark over whether you will survive this episode at all. Therefore, you're much more likely to pay a ransom or do what the attacker wants you to do. We used to see this in the movies. It's the mafia protection racket, right? The way the racket went was the guy would show up at the mom-and-pop shop and say “nice business you have here, it would be a shame if it burned down,” and extort them for protection money. This works the same way.
So, what’s an SMB to do?
Well, first, before you spend another penny, why don't you optimize a small IT team and maximize what you've already paid for and have? For instance, if you've purchased Windows 10 or Windows 11, guess what? Microsoft has built in a bunch of security tools. They're free. They just need to be enabled, or they may be enabled already. Make sure you use them. If you're using Office 365, for example, you can enable multifactor authentication.
Yes, it's a nuisance: every time you need to log in, you also have to look at your phone and put in a 6-digit code. Maybe, but that's very important to improve your security. If you're using Office 365, you also happen to have Azure Active Directory free of charge. Are you still depending on that old, rickety Active Directory machine that you have back at the office? Why? Why not take advantage of what Microsoft has already given you? It's much more hardened and kept up to date, at no extra cost to you. If you've paid for firewalls and network devices, all those vendors provide guidelines on how to harden them. Please do follow those. But you know what? In 2023 you cannot stop here, simply because all the bad guys know that this is par for the course, and so you need to think about just a few additional things. For example, vulnerability assessment is a good way to identify whether patches are missing so that you can apply them. All the bad guys are looking for weaknesses, so if you look for those weaknesses yourself, that would be a good thing.
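As an added illustration of that first step (this is not code from the original post), here is a PowerShell audit that reports which of the built-in Windows protections are actually switched on; it covers only the local machine, not the Office 365 side, and assumes Windows 10/11 with the Defender, NetSecurity and BitLocker modules that ship with it, run from an elevated session.

```powershell
# Added example: audit the built-in Windows protections the text says to enable.
# Assumes Windows 10/11 with the Defender, NetSecurity and BitLocker modules
# (run from an elevated PowerShell session).
function Get-BuiltInProtectionReport {
    $findings = @()

    # Microsoft Defender Antivirus: engine, real-time protection and signature age
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings += 'Defender Antivirus is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt 7)    { $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old" }

    # Potentially unwanted application blocking (0 = off, 1 = block, 2 = audit)
    $pref = Get-MpPreference
    if ($pref.PUAProtection -ne 1) { $findings += 'PUA protection is not set to block' }

    # Windows Firewall: every profile (Domain, Private, Public) should be enabled
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
        $findings += "Firewall profile '$($_.Name)' is disabled"
    }

    # BitLocker: the OS volume should be protected; this query needs admin rights
    try {
        Get-BitLockerVolume -ErrorAction Stop |
            Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -ne 'On' } |
            ForEach-Object { $findings += "BitLocker is not protecting $($_.MountPoint)" }
    } catch {
        $findings += 'Could not query BitLocker (module missing or session not elevated)'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Checked  = Get-Date
        Findings = $findings
        Healthy  = ($findings.Count -eq 0)
    }
}

# Print one line per gap so the report can be pasted into a ticket
$report = Get-BuiltInProtectionReport
if ($report.Healthy) { 'All checked built-in protections are enabled.' }
else { $report.Findings | ForEach-Object { "FIX: $_" } }
```

Run it on each workstation (or push it through your existing management tooling) to get a quick list of protections you already own but are not yet using.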
Adopt an assume-breach paradigm. That means you know that despite all the defenses you laid down, at some point there is going to be a successful attack. Are you performing detection? Do you have some mechanism for response? Are you able to perform mitigation? All of these are expected outcomes of a Managed Detection & Response (MDR) service, and this would put you in the middle of that pack of gazelles. You don't want to be toward the end, because those are the ones that get picked off.
