In today’s episode, we’re going to explore ways smaller companies can improve their cybersecurity posture and better protect their data without necessarily breaking the bank. Joining us is Larry Veino, the chief technology officer at Boston-based Focus Technology. Focus Technology offers a range of managed services, including cybersecurity.
Watch A Little Privacy, Please! on cybersecurity tips and post-cyberattack strategies for small businesses.
Our team is often asked to make recommendations to clients that may not be large enough to have a deep bench of dedicated internal resources for recommendations about preventing cyberattacks. What can small and medium-sized organizations implement to minimize their cybersecurity risk?
We work with companies of all different sizes. But candidly, on our managed services side, it tends to be market down, and to your point, Jason, those are the folks that struggle, especially with security. They don’t typically have CISOs on the payroll, so they don’t have somebody guiding them in terms of what they must do. They don’t typically have all the tools necessary, and in many cases, they don’t know where to start.
When we get engaged, one of the first things we say is, who are you as a business? That will dictate the industry frameworks you might want to follow, like NIST and SOC. But if you’re not sure where you should go, we just talk about good old security foundation, good old security posture.
We have a framework we’ve built, we call it Security Wheel, it takes a lot of those compliance controls from the guidelines we mentioned a second ago, and allows customers to see pretty quickly where they sit, where the gaps are, and what they need to focus on to move their business forward.
Are there some easy or inexpensive steps a company can take to make them a harder target for a cyberattack?
I still see too many customers who are not controlling access to their environments. The simplest way you can do that, and it’s inexpensive in the grand scheme of things, is MFA or multi-factor authentication.
The reality is that every password that’s already been thought up, or could feasibly be thought up, has already been thought up. And it’s in some list somewhere on the dark web that the bad guys are using, you know, with these brute force attack tools. So as soon as they find out what your login name is, they just hammer away. MFA prevents that because even if they do have the username and password, the next thing is you have to prove who you are on a device. Now it’s not foolproof, but it is very secure; it is a very effective solution.
If you take it a step further, without buying any tools, we can look at how you handle directory services in your organization. Whether you’re using Active Directory for Windows shops or LDAP for Unix Linux shops, there are settings you can look at to make sure you lock accounts out after so many bad attempts at logins.
Password complexity is a kind of religious conversation. On one hand, people say, yes, “very complex passwords, change them all the time.” On the other hand, they’re against it because you’ll get yellow sticky notes all over your computers and keyboards. We don’t want that at all. We believe you should have a complex password; we don’t believe you need to change it every 90 days, but we do believe you have to have MFA associated with that login.
So have a strong password, have a productive MFA.
The world of cybersecurity and privacy is full of acronyms. Can you tell our audience the advantages of becoming NIST or SOC compliant?
The easiest way to think about standards like NIST, SOC, and CMMS—it’s like the answers to the test. You’re in college and the teacher says here’s the test, and here are all the answers. I’m giving you the answers, now go understand them and then take the test.
These frameworks do all the hard work for you. They tell you all the areas you need to address to be fully secure. They break them out into sections. Each of the sections has a number of what we call controls, things you have to address. Customers can go through, and they can build a roadmap for how they are going to attack those frameworks, do them little by little, and eventually be compliant.
NIST, SOC, and CMMS are just different subsets of controls. And there are some that are specific if you do business with the Fed.
There are acronyms. There are numbers. But really, all they are are the answers to the questions on the test. They tell you what you need to do in your environment from a control perspective.
Even with the best controls, cyberattacks still happen. What are some foundational actions a company can take after the cyberattack to make their environment more resilient?
We do a lot of incident response (IR) and remediation. IR is the forensics piece of that question. What really happened? How did they get in? What information were they able to access, what systems and what data? Sometimes, it can go from being an IT issue to a cyber insurance issue.
When you look at those engagements, and when something happens, you have to do IR. The IR tells you exactly what happened, how they got in. That’ll also tell you what a gap is right now. Any good IR and remediation engagement will not just look at where that particular incident occurred; it will also look at your security posture in general and make recommendations. We call that gap analysis.
To your point, clearly if somebody got in, however they got in, we need to fix that immediately. Moving forward, it should always be about how do we continue to move our security posture forward, how do we keep getting better.
At the end of the day, this is a game of leapfrog. I call it the 90th percentile; we’re all running to 90th percentile. That’s what we want to be in terms of protection. We’re never going to be 100%. There’s always going to be zero days. But if you get as secure as you can be, and you’re constantly learning and you’re seeing what the new techniques are, and you’re evolving your environment, then you’re going to stay as safe as you possibly can be.
You mentioned that in your view, cybersecurity is not an IT problem. Can you explain to our audience what you mean by that and why you feel that way?
If we really take a step back, IT is here to provide tooling, systems, and processes to protect our business. It was to allow folks to use applications, productivity things, and then over time security melded into that. But that doesn’t mean they’re the ones that determine the value of the data in those systems. It starts with the business sitting down and saying, here’s our data, here’s the value of that data.
Because of that, we need to be really protected—basic good security foundation. The reality is, it doesn’t matter who you are, the bad guys are coming for you. If they can get ten grand, 50 grand, for popping a mom-and-pop company in downtown, they’re happy to get that 10, 50 grand. If they can get millions of dollars, or they can get IP that leads to millions of dollars, even better.
It just means different groups will pay different levels of attention to you. So that’s what I mean when I say it’s not an IT problem; it starts with the business, and the business owns data governance. They have to determine who the key people are in the organization, how they are going to protect their data, who’s going to have access to it, and how they are going to audit that stuff. IT in turn comes around and says, now that you’ve given me those criteria, I can build the right tools to enforce that.