Revenge of the 5th: 5 big cybersecurity mistakes SMBs make

Using Revenge of the Sith as inspiration, this article highlights five key cybersecurity mistakes SMBs make—and offers practical tips to fix them and boost cyber resilience.

Steven Lafortune

Hello! I'm Steven Lafortune—Devolutions' communication maestro by day, riff-slaying guitarist by night, and the ultimate hockey play-by-play guy in between. When I'm not rescuing Hyrule in The Legend of Zelda or watching the extended Lord of the Rings trilogy for the 235,476th time, you’ll probably find me rocking out at a show. Quick-witted, always up for a laugh, and full of fresh ideas, I bring the same energy to my work as I do to the stage!

Alas, another May the 4th has passed, and the celebration of all things Star Wars is over. Or…is it?

Here at Devolutions, we love Star Wars so much that we wanted to extend the party a little longer. We also wanted to shine a spotlight on a movie that has been heavily maligned and criticized over the years but is now enjoying something of a renaissance — with some fans now seeing it as among the best (and certainly the darkest and saddest) entries in the entire franchise. Yes, we’re talking about Star Wars: Episode III – Revenge of the Sith.

And that’s when an idea dawned, like the twin suns of Tatooine: what if we scoured the movie for examples of cybersecurity mistakes that small and medium-sized businesses (SMBs) often make — and then shared how to fix them? The concept was duly approved by the Devolutions Jedi Council (a.k.a. our geeky communications group).

So please get comfortable, pour yourself some Yoda Soda (yes, this really is a thing!), and join us as we glean cybersecurity warnings and insights courtesy of Anakin Skywalker, Supreme Chancellor Palpatine, Obi-Wan, and the rest of the ROTS gang.

Not managing access to privileged accounts

Revenge of the Sith is loaded with little details, and even the most ardent fan can be forgiven for overlooking something that seemed inconsequential but was actually pivotal. For example, take the epic scene when Obi-Wan battled General Grievous on Utapau. Obi-Wan was able to use the Force to retrieve the General’s fallen blaster, which he then used to destroy him. It was riveting and entertaining.

However, what if the General’s blaster had been protected by some kind of authentication mechanism designed to safeguard weapons assigned to officers — weapons that aren’t supposed to work for anyone who can just grab them off the ground? In that case, instead of pew-pewing his way to victory, Obi-Wan might have been screaming in Galactic Basic Standard, Twi'leki, Amani, Old Alderaanian, and Shyriiwook.

In the same sense, SMBs need to identify, protect, and monitor their privileged accounts. Unlike standard user accounts, privileged accounts have elevated permissions and provide access to critical data, systems, and resources within an organization. Examples include (but aren’t limited to) domain administrator accounts, local administrator accounts, emergency access accounts, system accounts, and domain service accounts.

Only specific, authorized individuals — such as SysAdmins (and perhaps Jedi Knights) — should have access to privileged accounts. But the reality is quite different. In fact, 55% of organizations don’t know how many privileged accounts they have or where they are located. What’s more, over 50% of privileged accounts never expire or get deprovisioned — and 74% of data breaches start with privileged credential abuse.
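To make "identify and monitor" concrete, here is a small audit sketch, added as an illustration and not taken from Devolutions or any of its products. It reads an account inventory and flags privileged accounts that never expire, have no owner, or sit unused. The CSV columns, account names, and 90-day threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data): one row per account, as might
# be exported from a directory or asset system. Column names are assumptions.
SAMPLE_INVENTORY = """\
account,type,owner,expires,last_used
da-alice,domain_admin,alice,2025-12-31,2025-05-01
svc-backup,domain_service,,never,2025-04-28
admin-old,local_admin,bob,never,2023-11-02
breakglass,emergency_access,it-lead,2025-09-30,2024-01-15
jsmith,standard,jsmith,never,2025-05-02
"""

# The privileged account categories named in the article.
PRIVILEGED_TYPES = {"domain_admin", "local_admin", "emergency_access",
                    "system", "domain_service"}

def audit(inventory_csv, today, stale_days=90):
    """Return {account: [findings]} for privileged accounts only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["type"] not in PRIVILEGED_TYPES:
            continue  # standard user accounts are out of scope here
        issues = []
        if not row["owner"]:
            issues.append("no owner")
        if row["expires"] == "never":
            issues.append("never expires")
        elif date.fromisoformat(row["expires"]) < today:
            issues.append("expired but still present")
        idle = (today - date.fromisoformat(row["last_used"])).days
        # Emergency accounts are expected to sit idle, so skip staleness there.
        if idle > stale_days and row["type"] != "emergency_access":
            issues.append(f"unused for {idle} days")
        if issues:
            findings[row["account"]] = issues
    return findings

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_INVENTORY, date(2025, 5, 5)).items():
        print(f"{account}: {', '.join(issues)}")
```
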

The good news? SMBs can turn this weakness into a strength with a solid Privileged Access Management (PAM) solution. For example, Devolutions PAM is an affordable cybersecurity powerhouse that controls and monitors privileged access to critical systems and data. It helps SMBs safeguard their “keys to the kingdom” and keep bad actors (the hacker kind, not the Hollywood kind) on the outside. Learn more about Devolutions PAM by checking out this FAQ.

Believing that password managers are standalone security solutions

In Revenge of the Sith, instead of embracing the Force, Anakin Skywalker turned to the Dark Side and became Darth Vader. It was a vivid and chilling reminder that things — and people — aren’t always what they seem, or what we want them to be.

The same kind of confusion exists in the password management marketplace. Unpacking this is a bit tricky (but don’t worry, it’s not nearly as complex as the lightsaber swaps between Palpatine and Anakin during the Mustafar duel).

Generally, using a good password manager is more secure than not using one — because it means end users aren’t (hopefully) storing passwords in spreadsheets, sticky notes, or other ways that keep cybersecurity pros up at night.

However, despite the label, password managers are not standalone security solutions. Rather, they are business continuity tools that enable users to share vaults containing information such as credentials, credit card numbers, remote connection info, and more.

What’s great about this is that if a user leaves the organization, the colleagues they leave behind don’t have to dig through emails or documents to find passwords — they just log into the centralized password manager, and everything is there.

What’s not great is that there’s nothing inherently secure about password managers. All a departing user has to do is copy/paste sensitive information into another file. Yes, in theory, this vulnerability would be eliminated if an organization changed all passwords whenever someone left — but that’s highly impractical. And having passwords automatically reset after each use doesn’t affect third-party apps or websites.

Thankfully, SMBs can overcome this problem by augmenting their password manager with a solution that also enables Privileged Session Management (PSM) or Privileged Access Management (PAM). This combination offers comprehensive security features such as:

  • Secure credential injection
  • Account discovery
  • Automated password rotation
  • Alerts and notifications
  • Checkout request approval process

To learn more about the differences between password managers and PSM/PAM solutions, read this great article by Gabriel, our Sales Ops Manager.

Not using multi-factor authentication (MFA)

When it comes to wardrobe, one-liners, and wickedly cool heavy metal music, the Galactic Empire deserves a 10/10. But when it comes to basic cybersecurity practices, they deserve to be hit with a torrent of Force lightning — because their practices are extraordinarily, and at times comically, bad. Basically, the Empire’s networks are open to anyone who feels like plugging in. Heck, the Sith Lord’s password is probably “123456.”

Similarly, despite constant headlines about cyberattacks, many SMBs still don’t use one of the simplest and smartest ways to reduce risk: MFA.

MFA adds an extra layer of security that requires users to verify their identity by providing their login credentials plus another factor, which could be:

  • Something they know (e.g., a password, a PIN, or the answer to a secret question)
  • Something they have (e.g., a smartphone or hardware token)
  • Something they are (e.g., fingerprint, voice recognition, or retina scan)

MFA isn’t 100% bulletproof (but it’s still stronger than whatever clonetrooper armor is made from — what is that, Styrofoam?). Still, it’s a very smart move. For Devolutions’ solutions, MFA is set at the data source level, except in Devolutions Server where it’s set at the user level. Visit this section of the Knowledge Base to learn more and find configuration steps.

Thinking they are too small to get hacked

In Revenge of the Sith, Yoda understands that his small size (a mere 66 cm) isn’t going to stop anyone from trying to send him into early retirement. Just ask Chancellor Palpatine, who defeated him in the Galactic Senate Chamber Holding Office.

Unfortunately, some SMBs aren’t as wise as Yoda. They believe they aren’t vulnerable to a data breach because hackers are too busy targeting large enterprises. This is wishful thinking. The truth is that hackers increasingly target SMBs precisely because they expect weak — or even non-existent — defenses. Consider the following:

The bottom line? SMBs need to make strengthening their cybersecurity profile a top priority — or risk ending up on the losing side of a very costly battle.

Trying to do everything by themselves

In Revenge of the Sith, Obi-Wan seeks guidance from Yoda after learning about Anakin Skywalker’s turn to the dark side. It’s a clear illustration that even the most capable individuals sometimes need help.

Similarly, many SMBs need support to strengthen their cybersecurity defenses. Here are two ways to reduce the risk:

  • Choose vendors dedicated to SMBs. These vendors offer powerful yet affordable cybersecurity solutions and tools that are easy to manage. For over 15 years, Devolutions has been proud to serve, support, and strengthen SMBs worldwide.

  • Work with a Managed Services Provider (MSP) that, like Devolutions, is committed to helping SMBs in a meaningful and cost-effective way. Read this article for advice on choosing the right MSP partner.

Remember: recognizing that you don’t have the in-house specialists or technology to defend against Sith-like hackers isn’t weakness — it’s wisdom.

What’s your view?

What do you think of our look at five big cybersecurity mistakes that SMBs make — and how to fix them? Is there one mistake (or more) that you think is especially severe? Are there others you would add to the list? Please continue feeling the Force and share your thoughts below.
