Gary Hayslip, Speaking on the Human Element at RSA

The movement to make cities smarter, which is transforming municipal governments worldwide into disparate ecosystems of cutting-edge technologies, is also making cities unique targets for cybercriminals. To manage these threats requires security professionals who are comfortable managing risk across both legacy and smart technologies to create security programs that allow innovation safely amid the chaos.

Gary Hayslip, co-author of the CISO Desk Reference Guide and author of the just-released book for small business cyber professionals, “The Essential Guide to Cybersecurity for SMBs,” will be speaking at RSA, addressing this topic in a session titled “How Smart Cities Become Wise.” This session will be held on Thursday the 27th at 1:30 PM in PDAC-R07, which is in Moscone West 3009.

After his talk, Gary will be signing books at the RSA bookstore.

Executive Primer

Section 1 – Executive Partnership

Organizational Structure
Management and the Board
Regulatory, Compliance and Audit
Cyber Risk Management
Third Party Risk

Section 2 – Executive Sponsorship

Measuring and reporting
The Cyber Program
Build Cyber Resilience
Cyber Incident Recovery
The strategic Plan

The Essential Guide to Cybersecurity for SMBs: Section 1 – Approaching Cybersecurity as a Critical Business Function

“I don’t have to worry about cybercriminals; I am a small company. Why would they care about me?” I can’t count the number of times I have heard a version of that statement. I have found that many SMBs don’t see themselves as targets. I gather that in the digital hurricane that is today’s internet, SMB leaders imagine themselves as debris that is so small, no one will notice. However, as we have seen in the Verizon data breach report, cybercrime is on the rise across all industries and company sizes, including SMBs. Couple this with the expansion of new malware types and the growth of cheap automated hacking tools, and cybercriminals have it easier now than ever to search for new targets of opportunity.

With this growing threat in mind, I believe there are several reasons SMBs have increased exposure to cybercrime. One reason is that many have a minimal understanding of their company’s risk exposure to current threats. Another reason is that many SMBs are constrained by resource availability, whether that is financial resources, trained security staff, or trusted partners. One final critical reason is that many feel spending scarce resources on security services could significantly impact their profitability. They face a decision to either pay for a security service to prevent something that may happen or use the needed funds to grow the business – typically growing the company wins. These negative drivers impair the ability of an SMB to respond to and survive a business-impacting cybercrime incident, which is why I am writing this book as a primer for SMB security managers. This primer will contain basic security practices that can be used by a security manager to remediate risk exposure to critical data and business operations without having to incur high costs.

The Essential Guide to Cybersecurity for SMBs: Section 2 – Understanding Cyber Hygiene: It’s About the Basics

In the early morning hours, a security manager from a local SMB wakes up with her cell phone chirping. As she quickly looks at the offending device, she realizes it’s a text message from one of her organization’s vendors who provides cybersecurity services. As she rolls over and makes the phone call, she realizes she has an issue that will require her to wake up her team and start the day earlier than planned. As she speaks to her team over a hastily arranged video conference, it’s soon apparent that there is a critical security patch that must be implemented as quickly as possible. Her security team members are concerned because this patch is to fix a recently discovered zero-day attack and they are worried that if it is not addressed soon, there may be unforeseen repercussions. As her day unfolds and this issue is scheduled for change management and then later remediated by her team, she thinks about what it would be like to manage a network without standard security controls and policies. A network where standard security frameworks and industry best practices for managing risk are not followed and a simple phishing email, received by an employee, could have devastating consequences. This scenario is quite common – cybersecurity doesn’t sleep, and neither do security professionals <smile>. What is vital for you to understand from this brief view into a security professional’s life is that without standards, without basic security controls, without security hygiene, this story could have been much worse, and the security manager’s company may have been severely impacted.

In today’s interconnected world, phishing emails and malware infections caused by attachments and links to hacked websites are just some of the digital debris that has become an everyday occurrence. However, in the disparate enterprise environments found in many small businesses, cities, and corporate networks, these types of attacks can be catastrophic due to the natural blending of old and new technologies. The repercussions of modern malware attacks on these intertwined infrastructures can result in loss of critical services to businesses and their customers. To counter these ever-evolving threats, I believe organizations, especially SMBs with limited resources, should focus on doing the essential security controls well. Businesses must lay the equivalent of a digital foundation on which they can then build their networks and securely provide data and applications to their employees and customers. The methodologies that businesses and their security managers would follow to do the basics are commonly referred to as “cyber hygiene.” There are numerous approaches to implementing cyber hygiene, and there are quite a few ideas for what should be considered cyber hygiene. What is essential for you to understand is that cyber hygiene isn’t hard and can be managed through six necessary steps. The steps an SMB’s security manager can use to protect the business are as follows: Count, Configure, Control, Patch, Protect, and Repeat.

The Essential Guide to Cybersecurity for SMBs: Section 3 – Cyber Threat Intelligence (CTI): Providing Clarity to Cybersecurity Programs

Security managers and their security programs today often find themselves triaging a breach after the attack is over and analyzing digital artifacts as they try to piece together an event that happened in the past. Hopefully, the information they glean from the files, logs, and recovered data provides enough information to remediate any discovered security gaps and provide intelligence on possible future events. Unfortunately, as many security practitioners know, this can be a daunting effort where the adversaries that businesses face today are more agile and adept at making changes to sidestep attempts at stopping them. It’s this untenable situation that drives organizations and security leaders to use strategic services such as cyber threat intelligence (CTI) to provide context about the adversaries businesses face and the techniques, tools, and processes (TTPs) that are used against them.

CTI, as a strategic resource, revolves around three basic questions that security managers and their companies will need to address. The answers to these questions provide insight into why CTI is considered a valuable service when used correctly, and how businesses can be efficient in using this tool to mature their security program’s management of ongoing and future threats.

  1. What is cyber threat intelligence (CTI)? This first question may seem pretty basic, but I have found many businesses and their security teams don’t truly understand CTI or its value. In essence, CTI is a collection or grouping of information that is gathered from sources, human and electronic, both internal and external to the organization. This information is typically processed and evaluated to verify its validity. It is used to provide context about the conditions necessary for a threat to exploit a vulnerability, and to report whether threat actors are actively using the threat. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets” (Gartner, 2013). For those new to CTI, this means that for threat intelligence to apply to your organization, i.e., to have “context,” there need to be deficiencies. Examples of deficiencies are such issues as immature security controls, unpatched or misconfigured hardware and software, or undocumented business processes. These deficiencies are what security professionals call vulnerabilities that can be targeted by cybercriminals for exploitation. It is the security manager’s responsibility to understand these concerns, have visibility into the risk they place on their SMB, and, through the use of strategic services such as CTI, prioritize what needs to be remediated first.

  2. Where can CTI be acquired?…