From the 2017 Ponemon Institute Study, more than 61% of SMEs have been breached in the last 12 months versus 55% in 2016. Even though many SMEs are well aware that compromises are more of an issue of when than if, they are finding it difficult to get effective security measures in place.
Common challenges faced by SMEs
The Verizon Data Breach Investigation Report highlights the common cyber security challenges for SMEs.
• Lack of resources: SMEs don’t want to invest in something that might necessitate updating the whole infrastructure, updating storage or updating the operating system.
• Lack of expertise: IT is becoming more and more complex. Organisations today need to use security solutions that extend to remote locations and cover roaming and mobile users.
• Lack of information and training: Most SMEs don’t have a large IT team.
• Lack of time: Smaller businesses are understandably focusing on being operational from day to day, so they can serve customers to keep the business going and pay the staff working.
Because of this, most SMEs focus on establishing “best-effort” protection – AV, endpoint protection, email scanning, etc. – and hope the solutions will do what they claim, all in an effort to minimise the threat potential. There’s nothing wrong with this.
These are obvious protection and prevention steps you should take, but it’s not enough to just put the barriers up. Attackers today are aware of the solutions in use and work tirelessly to find ways to avoid detection – from evasive malware, to the use of employee credentials as part of an attack.
But likewise, spending all your (limited) time trying to monitor every last bit of the network, looking for anything that seems out of place, is a failing proposition. A small IT team can’t watch over the myriad potential attack vectors by which attackers enter, compromise your systems, and move laterally within the network.
So how does an SME build an approach that safeguards their organisation?
Here are 3 SME-friendly criteria that achieve maximum impact for minimum effort:
1. Automated controls that take action before damage is done
All SMEs battle against a lack of time and resources. They are therefore far better off running and monitoring solutions that offer automated controls in addition to threat identification and real-time response.
In short, should something fall outside a set of established restrictions, your solution should automatically take action before the damage is done – not only when IT intervenes.
2. Easy adoption
If security overwhelms and stifles productivity, users can’t do their job and the solution is already dead on arrival. Security should be behind the scenes, protecting the users and the environment until the moment the user is truly conflicting with security protocol.
3. Limited administration
Most small and medium-sized businesses do not have a sizeable IT team. Security solutions with ‘stickiness’ tend to be simple to implement and intuitive to manage.
With this in mind, where should an SME place their efforts?
There are a number of ways an SME can start watching for compromise, but in the end one foundational truth helps to narrow your focus on where to start – an attacker is powerless to do anything in your organisation unless they are able to compromise a set of internal credentials.
Simply put: no logon, no access.
In fact, 81% of hacking-related breaches leveraged either stolen or weak passwords, making logons the one common activity across nearly all attack patterns. By assuming the logon to be a key indicator of compromise, you can identify a breach before key actions, such as lateral movement and data access, take place.
An indicator of compromise includes the following logon abnormalities:
• Endpoint Used – The CEO never logs on from a machine in Accounts Payable, right?
• When Used – A user with a 9-to-5 job function logging in on a Saturday at 3am? Yeah, that’s suspicious.
• Frequency – A user who normally logs on once in the morning and logs off in the evening, but suddenly starts logging on and off in short bursts, could indicate a problem.
• Concurrency – Most users log on to a single endpoint. Seeing such a user suddenly logged on to multiple endpoints simultaneously is an obvious red flag.
What’s more, when logon monitoring is tied to automated responses (using third-party solutions) that take actions such as logging off users and applying account usage restrictions, logons become one of the true preceding indicators that can outright stop an attack and protect company data.
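The four logon abnormalities listed above, plus the automated-response idea in the paragraph that follows them, can be expressed as a small rule set run over logon and logoff records. The following is an added example written for this page, not code from the original article or from any product it describes. The per-user baselines (approved endpoints, working hours, a logons-per-hour threshold), the account names, the hostnames and the event records are all constructed for illustration; a real deployment would learn baselines from historical logon data and read events from the directory or SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baselines (hypothetical values). A production system
# would derive these from weeks of observed logon history.
BASELINES = {
    "ceo":   {"hosts": {"WS-EXEC-01"}, "hours": (8, 18), "workdays_only": True, "max_logons_per_hour": 2},
    "clerk": {"hosts": {"WS-AP-07"},   "hours": (9, 17), "workdays_only": True, "max_logons_per_hour": 2},
}

# Constructed logon/logoff records: (timestamp, user, host, action).
# 2017-09-11 is a Monday, 2017-09-16 a Saturday.
EVENTS = [
    ("2017-09-11 08:55", "ceo",   "WS-EXEC-01", "logon"),
    ("2017-09-11 09:02", "clerk", "WS-AP-07",   "logon"),
    ("2017-09-11 17:30", "clerk", "WS-AP-07",   "logoff"),
    ("2017-09-11 18:10", "ceo",   "WS-EXEC-01", "logoff"),
    ("2017-09-12 10:15", "ceo",   "WS-AP-07",   "logon"),   # CEO account on an Accounts Payable machine
    ("2017-09-12 10:20", "ceo",   "WS-EXEC-01", "logon"),   # same account now active on two endpoints
    ("2017-09-12 11:00", "ceo",   "WS-AP-07",   "logoff"),
    ("2017-09-12 12:00", "ceo",   "WS-EXEC-01", "logoff"),
    ("2017-09-16 03:00", "clerk", "WS-AP-07",   "logon"),   # Saturday, 3am
    ("2017-09-16 03:05", "clerk", "WS-AP-07",   "logoff"),
    ("2017-09-18 09:00", "clerk", "WS-AP-07",   "logon"),   # short bursts of logon/logoff
    ("2017-09-18 09:03", "clerk", "WS-AP-07",   "logoff"),
    ("2017-09-18 09:06", "clerk", "WS-AP-07",   "logon"),
    ("2017-09-18 09:09", "clerk", "WS-AP-07",   "logoff"),
    ("2017-09-18 09:12", "clerk", "WS-AP-07",   "logon"),
]

# Response an automated control would take for each anomaly type (constructed mapping).
RESPONSES = {
    "endpoint":    "log off session; restrict account to approved endpoints",
    "time":        "log off session; restrict account to working hours",
    "frequency":   "log off session; lock account pending review",
    "concurrency": "log off the additional session; limit account to one concurrent logon",
}


def detect_anomalies(events, baselines):
    """Return a list of (timestamp, user, kind, detail) for each abnormal logon."""
    alerts = []
    active = defaultdict(set)          # user -> hosts with an open session
    recent_logons = defaultdict(list)  # user -> timestamps of logons in the trailing hour

    for ts_str, user, host, action in sorted(events):  # fixed timestamp format sorts lexically
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        base = baselines[user]

        if action == "logoff":
            active[user].discard(host)
            continue

        # Endpoint used: is this host on the account's approved list?
        if host not in base["hosts"]:
            alerts.append((ts_str, user, "endpoint", f"logon from unexpected host {host}"))

        # When used: outside working hours, or at the weekend for a workdays-only role.
        start, end = base["hours"]
        off_hours = not (start <= ts.hour < end)
        weekend = base["workdays_only"] and ts.weekday() >= 5
        if off_hours or weekend:
            alerts.append((ts_str, user, "time", f"logon at {ts_str} outside expected hours"))

        # Frequency: too many logons in a trailing one-hour window.
        window = [t for t in recent_logons[user] if ts - t <= timedelta(hours=1)]
        window.append(ts)
        recent_logons[user] = window
        if len(window) > base["max_logons_per_hour"]:
            alerts.append((ts_str, user, "frequency", f"{len(window)} logons within one hour"))

        # Concurrency: a session is already open on a different endpoint.
        other_hosts = active[user] - {host}
        if other_hosts:
            alerts.append((ts_str, user, "concurrency", f"already active on {sorted(other_hosts)}"))

        active[user].add(host)

    return alerts


def plan_response(alerts):
    """Map alerts to the automated action per account, as a dict user -> sorted action list."""
    actions = defaultdict(set)
    for _ts, user, kind, _detail in alerts:
        actions[user].add(RESPONSES[kind])
    return {user: sorted(acts) for user, acts in actions.items()}


if __name__ == "__main__":
    found = detect_anomalies(EVENTS, BASELINES)
    for alert in found:
        print(alert)
    for user, acts in plan_response(found).items():
        print(user, "->", "; ".join(acts))
```

Running the block reports one alert per constructed scenario (unexpected endpoint and concurrent sessions for the CEO account; a Saturday 3am logon and a burst of logons for the clerk account) and the action that would be taken for each account. The thresholds are deliberately tight so the sample data triggers; in practice they need tuning per role, and the concurrency rule needs logoff events to be reliable, which is why tracking sessions from both logon and logoff records matters.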
SMEs today are under attack from malware, ransomware, external threats and data breaches but with the right strategy they can start to improve their security stance.
Learn more about how logon security helps protect the SME from attack