In the Devolutions’ State of IT Security in SMBs in 2022-23 survey [report now available!], we asked executives and decision-makers in SMBs worldwide to describe their overall perspective on IT security, covering subjects such as: what they have experienced in the last year, what concerns them the most today, and what they are doing to protect themselves.
Here is a summary of what we learned:
- 67% of SMBs are more concerned about cybersecurity threats this year vs. last year, while 28% have the same level of concern, and 5% are less concerned.
- The top 3 cybersecurity threats that SMBs are most worried about are: ransomware, phishing, and malware.
- In the past year, 18% of SMBs experienced more than 5 cyberattacks, while 42% experienced 1-5 cyberattacks, and 40% did not experience any cyberattacks.
- The 3 most common measures that SMBs rely on to protect themselves from external hackers are: implementing the principle of least privilege, regularly auditing account privilege, and implementing segregation of duties.
- The 3 most common measures that SMBs rely on to protect themselves from insider threats are: implementing the principle of least privilege, continuously monitoring all privileged accounts, and implementing segregation of duties.
In the report, we provide commentary on the likely reasons for various tactics and trends — some of which are positive, while others are negative.
In the remainder of this article, we focus on what SMBs can do to protect themselves against cybersecurity threats rather than take a wait-and-see approach, or assume that they are “too small to be attacked.” This assumption may be comforting, but it is false. Hackers are increasingly targeting SMBs (read this article to discover the top reasons why).
Recommendations for SMBs
The first thing to acknowledge is that preventing all possible cyberattacks is ideal — but unrealistic. There are too many threat types (including an endless stream of variants). On top of this, the size of the attack surface is vast, and getting bigger all the time, especially with the rise of remote/hybrid work.
The good news, however, is that the impact of ransomware and other cyberthreats can be significantly reduced through effective preparation. Specifically, we advise SMBs to develop a defense strategy that achieves the following core objectives:
- Limits a bad actor’s ability to move freely within the environment.
- Enables visibility and response capabilities.
- Prevents unnecessary exposure.
- Implements a robust and efficient recovery of operations.
Limiting a bad actor’s ability to move freely within the environment.
Once initial access is obtained, hackers will seek high-value credentials (if they do not already have them) to gain administrative access in the environment. This attempt at vertical privilege escalation typically requires moving from system to system. Strong account hygiene, along with suitable privileged access control and governance, makes it harder for hackers to remain undetected. Key action items that SMBs should adopt include:
- Fully deploy a privileged access management (PAM) solution that is comprehensive yet easy to use and manage.
- Implement dual authorization — also known as the “four eyes principle” — in which any activity by an employee that involves material risk must be reviewed and confirmed by a second employee who is independent and competent.
- Establish relevant approval workflows, in which individuals must approve data or tasks at specific points in a process.
- Implement the Local Administrator Password Solution (LAPS), which manages the local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an access control list (ACL), so that only eligible users can read a password or request a reset.
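Because the ACL is what keeps LAPS passwords away from everyone but eligible users, that ACL deserves a periodic audit. The following PowerShell is an added example, not code from the Devolutions post or from Microsoft; it uses the legacy LAPS module (AdmPwd.PS) and assumes a placeholder OU and placeholder group names.

```powershell
# Added example: audit which principals can read LAPS-managed local admin
# passwords under an OU, and flag any holder that is not on the expected list.
# Requires the legacy LAPS PowerShell module (AdmPwd.PS) and AD read access.
Import-Module AdmPwd.PS

# Assumption: replace with the distinguished name of the OU that holds your workstations.
$ou = "OU=Workstations,DC=example,DC=local"

# Assumption: the only principals that should hold the right to read LAPS passwords.
# NT AUTHORITY\SYSTEM always appears in the output and is expected.
$expected = @(
    "NT AUTHORITY\SYSTEM",
    "EXAMPLE\Domain Admins",
    "EXAMPLE\LAPS-Password-Readers"
)

# Find-AdmPwdExtendedRights walks the OU and its child OUs and reports every
# principal holding the extended right that allows reading ms-Mcs-AdmPwd.
$rights = Find-AdmPwdExtendedRights -Identity $ou

$findings = @()
foreach ($entry in $rights) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($expected -notcontains $holder) {
            $findings += [pscustomobject]@{
                OU     = $entry.ObjectDN
                Holder = $holder
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "LAPS read rights on $ou match the expected principal list."
} else {
    Write-Warning "Principals with LAPS password read rights that are NOT on the expected list:"
    $findings | Format-Table -AutoSize
}
```

Unexpected holders usually come from broad delegations ("Full control" on an OU grants all extended rights, including password reads), so the fix is to trim that delegation and grant only the intended group read access with Set-AdmPwdReadPasswordPermission. Organizations that have moved to Windows LAPS have equivalent cmdlets (Find-LapsADExtendedRights and Set-LapsADReadPasswordPermission) in the built-in LAPS module.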
Enabling visibility and response capabilities.
Endpoint detection and response (EDR) solutions are essential for detecting and preventing known and unknown malware. Other measures that SMBs should adopt include:
- Behavioral analysis, which uses machine learning, artificial intelligence, big data, and analytics to identify malicious behavior by spotting deviations from normal, everyday activity.
- Containment capability, in which access to information, files, systems, and networks is controlled at defined access points, so that a compromised account or host can be cut off from the rest of the environment.
- Centralized monitoring, in which cybersecurity processes are managed across the organization using a single, centralized set of tools, procedures, and systems. This approach eliminates silos between cybersecurity departments and uses a centralized network to put everything under one umbrella.
- Outsourcing some or all IT security tasks to a Managed Service Provider (MSP).
Preventing unnecessary exposure.
Reducing the size of the attack surface is critical for blocking initial access, privilege elevation, and lateral movement (connecting to other systems) within the environment. Systems that are not required for business operations, or that are not patched in a timely manner, expose vulnerabilities. Systems that are unnecessary, or that cannot be patched, should be managed in such a way (decommissioned, isolated, or otherwise compensated for) that hackers do not have the opportunity to exploit them.
Implementing a robust and efficient recovery of operations.
A robust backup and recovery plan should be put in place to facilitate rapid recovery from highly disruptive ransomware. We recommend that SMBs adopt the following best practices:
- Increase backup frequency! Due to ransomware, only backing up data once a night is no longer sufficient. All data sets should be protected multiple times per day.
- Align backup strategy to service-level demands. For example, if the service level is 15 minutes, then backups should be performed at least every 15 minutes.
- Adhere to the “3-2-1 backup rule.” This involves keeping three complete copies of data: two of which are local but on two different types of media (or two different local on-premises backup storage systems), and one copy stored off site.
- Exercise caution when moving data to the cloud. Scrutinize a vendor’s claim of offering disaster recovery as a service (DRaaS). While there are significant advantages of DRaaS, it is not a magic wand. SMBs need to remember that “push button” disaster recovery does not necessarily mean “instant” recovery.
- Automate disaster recovery runbooks. This involves pre-setting the recovery order and executing the appropriate recovery process with a single click. This approach can be highly beneficial for SMBs with multi-tier applications using interdependent servers, as it helps ensure recovery where and when it is most needed.
- Don’t use backup for data retention. Remember that most recoveries come from the most recent backup, and not from a backup that is several months — or possibly years — old.
- Protect endpoints and SaaS applications. Laptops, desktops, smartphones, and tablets can contain unique and valuable data that is never stored on data center storage unless it is specifically and deliberately backed up.
In our next deep dive into the Devolutions State of IT Security in SMBs in 2022-23, we will highlight best practices to help SMBs implement five core principles and policies (some of which are mentioned above) that significantly reduce cybersecurity risks: the principle of least privilege, zero trust, segregation of duties, defense-in-depth, and the four-eyes principle.