Cybersecurity Threats in SMBs + Best Practices on 5 Principles & Policies

Last week, we began taking a closer look at the Devolutions State of IT Security in SMBs in 2022 Survey report (download the report here).

We highlighted some key cybersecurity trends and issues, such as that 67% of SMBs are more concerned about threats this year vs. last year. We also shared practical and effective recommendations to help SMBs develop a defense strategy that:

• Limits a bad actor’s ability to move freely within the environment.
• Enables visibility and response capabilities.
• Prevents unnecessary exposure.
• Implements a robust and efficient recovery of operations.

Today, we continue this important discussion by highlighting five principles and policies that help SMBs significantly reduce cybersecurity risks, while increasing visibility, governance, and control.

1. Principle of Least Privilege

Principle of Least Privilege (POLP) is when end users only get the access they need to carry out their day-to-day activities.

We recommend that SMBs adopt these best practices for implementing and enforcing POLP:

• Explain the purpose of POLP to all end users, so they understand and accept that this policy is not meant to frustrate them or block their productivity. The goal is to protect the company from a breach that could be very costly.
• Evaluate each role to choose the right access level. Do not assume that historical levels are appropriate. Privileges that a role (or specific end user) may have needed three years ago may not be valid today. When determining access levels, the default should be “least privilege,” and greater access should only be granted as required.
• When temporary privileged access is required, use one-time-use credentials that are granted at the last possible moment, and then revoked immediately after use. This approach, which is known as privilege bracketing, can be implemented for individual users, as well as processes and systems.
• Separate administrator accounts from standard accounts, and separate higher-level system functions from lower-level system functions.
• Establish full visibility to see what end users do, and when they do it.
• Regularly audit end user privileges to ensure that access is appropriate.
• Immediately remove access for end users who leave the organization (click here for additional best practices for dealing with employee departures).
• Have the capacity to automatically revoke privileged access in the event of an emergency.

2. Zero Trust

Zero trust compliments POLP, and is rooted in the understanding that nobody is automatically trusted from the outset. Instead, access management is evaluated based on end user context, behavior and location vs. authentication secrets provided at login. For this reason, some might say that a better label for this policy (and one that is probably more agreeable to non-IT end users!) is “trust, but verify.”

While zero trust has been an important policy for many years, it has become even more crucial and relevant in today’s work-from-home (WFH) reality, which blurs the boundary between the corporate network and cloud usage.

We recommend that SMBs adopt these best practices for implementing and enforcing zero trust:

• Use multi-factor authentication (MFA) in real-time to verify trust when attempting to access new network resources or when context changes.
• Extend identity controls to the endpoint, in order to recognize and validate all devices.
• Organize users by group/role to support device policies.
• Use automatic de-provisioning, and have the capacity to wipe, lock, and un-enroll stolen/lost devices.
• Regularly update end-user rights based on changes to roles/jobs, as well as changes to security policies and compliance requirements.
• Monitor behavior and allow alerts when unusual or suspicious activities are detected.

3. Segregation of Duties

Segregation of duties is based on the fundamental understanding that when two or more people are involved in a sensitive workflow, then there is a lower risk of misuse or manipulation than if a single individual carries out the activity.

We recommend that SMBs adopt these best practices for implementing and enforcing segregation of duties:

• Establish and assign roles in a manner that minimizes risk and prevents conflicts of interest (real or apparent), wrongful acts, fraud, and abuse when assigning one or multiple roles to an employee.
• Align tasks with roles by configuring permissions and access rights to align with task and role segregation, which should be based on the POLP (as discussed above).
• Analyze access levels for escalation to ensure that no single individual could combine multiple accesses to promote himself or herself to a higher (and unauthorized) access level on a system or domain.
• Integrate HR policies to support a comprehensive program. This includes training supervisors and managers to recognize when a subordinate (or any other colleague) has been assigned, or has assumed, tasks involving the use of organizational resources that should be transferred to another, more appropriate role.

4. Defense-in-Depth

Defense-in-depth uses multiple layers of protection to slow hackers down, as they attempt to snake their way to the perimeter, and from there to mission-critical assets.

We recommend that SMBs adopt these best practices for implementing and enforcing defense-in-depth:

• Design control layers as if a breach has already happened (i.e., answering the “what if?” question), and implement defenses to prevent or contain a hacker’s next move.
• Combine security principles and strategies to generate synergies. For example, segregation of duties and POLP contain threats to a subset of the entire business environment, which creates an ideal opportunity to implement control layers between them.
• Implement the four-eyes principle (discussed below) for privileged access using an approval workflow to prevent/detect unauthorized access attempts.
• Implement cybersecurity solutions that function differently and represent dissimilar controls. For example, while an anti-malware network filter, a whitelisting app, and an email attachment scanner are all anti-malware tools, they do different things, and as such can cover a wider area of the attack surface.
• Analyze access levels for escalation to ensure that no single individual could combine multiple accesses to promote himself or herself to a higher (and unauthorized) access level on a system or domain.

It is also extremely important for SMBs to monitor access and usage! Slowing a hacker down with multiple prevention controls is important, but it is not enough if unauthorized access or attempts to elevate are not monitored and detected.

5. Four-Eyes Principle

The four-eyes principle (sometimes referred to as the two-person principle/rule) requires that any activity by an employee that involves material risk must be reviewed and confirmed by a second employee who is independent and competent.

We recommend that SMBs adopt these best practices for implementing and enforcing the four-eyes principle:

• Implement dual authorization workflows to access sensitive information or perform elevated actions (see segregation of duties, above).
• Review audit trails of actions performed on risky systems or data.
• Assign business roles that involve high-risk procedures or access to multiple employees.
• Record actions performed on systems when external users access corporate resources. These recordings should be reviewed to ensure that no suspicious actions were attempted.

Looking Ahead

In our next deep dive into the Devolutions State of IT Security in SMBs in 2022-23 Survey report, we will highlight key elements of a Privileged Access Management (PAM) solution to help SMBs bridge the gap between authentication and authorization.