The Essential Guide to Cybersecurity for SMBs: Section 1 – Approaching Cybersecurity as a Critical Business Function

“I don’t have to worry about cybercriminals; I am a small company. Why would they care about me?” I can’t count the number of times I have heard a version of that statement. I have found that many SMBs don’t see themselves as targets. I gather that in the digital hurricane that is today’s internet, SMB leaders imagine themselves as debris so small that no one will notice. However, as we have seen in the Verizon data breach report, cybercrime is on the rise across all industries and company sizes, including SMBs. Couple this with the expansion of new malware types and the growth of cheap automated hacking tools, and cybercriminals have it easier now than ever to search for new targets of opportunity.

With this growing threat in mind, I believe there are several reasons SMBs have increased exposure to cybercrime. One reason is that many have a minimal understanding of their company’s risk exposure to current threats. Another reason is that many SMBs are constrained by resource availability, whether that is financial resources, trained security staff, or trusted partners. One final critical reason is that many feel spending scarce resources on security services could significantly impact their profitability. They face a decision to either pay for a security service to prevent something that may happen or use the needed funds to grow the business – typically growing the company wins. These negative drivers impair the ability of an SMB to respond to and survive a business-impacting cybercrime incident, which is why I am writing this book as a primer for SMB security managers. This primer contains basic security practices that a security manager can use to remediate risk exposure to critical data and business operations without incurring high costs.

The Essential Guide to Cybersecurity for SMBs: Section 2 – Understanding Cyber Hygiene: It’s About the Basics

In the early morning hours, a security manager from a local SMB wakes up with her cell phone chirping. As she quickly looks at the offending device, she realizes it’s a text message from one of her organization’s vendors who provides cybersecurity services. As she rolls over and makes the phone call, she realizes she has an issue that will require her to wake up her team and start the day earlier than planned. As she speaks to her team over a hastily arranged video conference, it’s soon apparent that there is a critical security patch that must be implemented as quickly as possible. Her security team members are concerned because this patch fixes a recently discovered zero-day vulnerability, and they are worried that if it is not addressed soon, there may be unforeseen repercussions. As her day unfolds and this issue is scheduled for change management and then later remediated by her team, she thinks about what it would be like to manage a network without standard security controls and policies: a network where standard security frameworks and industry best practices for managing risk are not followed, and where a simple phishing email received by an employee could have devastating consequences. This scenario is quite common – cybersecurity doesn’t sleep, and neither do security professionals <smile>. What is vital for you to understand from this brief view into a security professional’s life is that without standards, without basic security controls, without security hygiene, this story could have been much worse, and the security manager’s company may have been severely impacted.

In today’s interconnected world, phishing emails and malware infections caused by attachments and links to compromised websites are just some of the digital debris that has become an everyday occurrence. However, in the disparate enterprise environments found in many small businesses, cities, and corporate networks, these types of attacks can be catastrophic due to the natural blending of old and new technologies. The repercussions of modern malware attacks on these intertwined infrastructures can include the loss of critical services to businesses and their customers. To counter these ever-evolving threats, I believe organizations, and especially SMBs with limited resources, should focus on doing the essential security controls well. Businesses must lay the equivalent of a digital foundation on which they can then build their networks and securely provide data and applications to their employees and customers. The methodologies that businesses and their security managers follow to do the basics are commonly referred to as “cyber hygiene.” There are numerous approaches to implementing cyber hygiene, and quite a few ideas about what should be considered cyber hygiene. What is essential for you to understand is that cyber hygiene isn’t hard and can be managed through six necessary steps. The steps an SMB’s security manager can use to protect the business are as follows: Count, Configure, Control, Patch, Protect, and Repeat.

The Essential Guide to Cybersecurity for SMBs: Section 3 – Cyber Threat Intelligence (CTI): Providing Clarity to Cybersecurity Programs

Security managers and their security programs today often find themselves triaging a breach after the attack is over and analyzing digital artifacts as they try to piece together an event that happened in the past. Hopefully, the information they glean from the files, logs, and recovered data provides enough information to remediate any discovered security gaps and provide intelligence on possible future events. Unfortunately, as many security practitioners know, this can be a daunting effort, because the adversaries that businesses face today are agile and adept at changing their methods to sidestep attempts at stopping them. It’s this untenable situation that drives organizations and security leaders to use strategic services such as cyber threat intelligence (CTI) to provide context about the adversaries businesses face and the tactics, techniques, and procedures (TTPs) that are used against them.

CTI, as a strategic resource, revolves around three basic questions that security managers and their companies will need to address. The answers to these questions provide insight into why CTI is considered a valuable service when used correctly, and how businesses can be efficient in using this tool to mature their security program’s management of ongoing and future threats.

  1. What is cyber threat intelligence (CTI)? This first question may seem pretty basic, but I have found many businesses and their security teams don’t truly understand CTI or its value. In essence, CTI is a collection or grouping of information that is gathered from sources, human and electronic, both internal and external to the organization. This information is typically processed and evaluated to verify its validity. It is used to provide context about the conditions necessary for a threat to exploit a vulnerability, and to report whether threat actors are actively using the threat. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets” (Gartner, 2013). For those new to CTI, this means that for threat intelligence to apply to your organization, i.e., to have “context,” there need to be deficiencies. Examples of deficiencies are issues such as immature security controls, unpatched or misconfigured hardware and software, or undocumented business processes. These deficiencies are what security professionals call vulnerabilities, and they can be targeted by cybercriminals for exploitation. It is the security manager’s responsibility to understand these concerns, have visibility into the risk they place on their SMB, and, through the use of strategic services such as CTI, prioritize what needs to be remediated first.

  2. Where can CTI be acquired?…

The Essential Guide to Cybersecurity for SMBs: Section 4 – What Does a Cyber-resilient Business Look Like?

Resiliency is not just for large organizations. SMBs should incorporate resiliency principles as a means of reducing risk. As a community, we continuously hear that all companies are experiencing a rise in the threats and attacks they face and that new, evolving threats are out there waiting to strike. I don’t believe in fear-mongering; however, keeping this sense of urgency in mind, I think it’s essential for the security managers of SMBs to understand what resiliency looks like, how it can fit into their security program’s strategic plan, and how it will change an SMB’s security budget. As the security manager and company start to contemplate which processes may require resiliency, don’t forget that it is also important to include methods for measuring the level of resiliency achieved. The end goal is to effectively blend resiliency into critical business operations and develop metrics that the SMB’s security manager can use to show what level of resiliency equates to measurable business value, justifying the expenditure of security department resources.

The dictionary definition of resilience is the “capacity to recover quickly from difficulties.” In cybersecurity, the definition of resiliency focuses on how organizations recover from an incident, and it incorporates multiple domains such as cybersecurity, business continuity, disaster recovery, and organizational operations. The objective of cyber resiliency is for the SMB to be able to adapt and continue delivering services to its customers while the event is ongoing and being addressed by the security manager and team. Additionally, the business operations domain should include processes to restore standard business services after the incident occurs.

The Essential Guide to Cybersecurity for SMBs: Section 5 – An MSP’s View on SMB Risk

In Chapter 18, I discussed the considerations SMBs and their security managers should weigh when they select a managed service provider (MSP) or a managed security services provider (MSSP) for external technology and security services. However, there is also another view to consider, and that is the view of the MSP itself. It is this perspective that I find interesting because each potential SMB client is unique, with technology, processes, compliance, and data requirements that can range from easy-to-manage to extensive and complex. This chapter will be a discussion between myself and an MSP about various SMB risks and how they might manage them. I want this chapter to provide SMBs and their security managers with a window into how they may be evaluated for critical services when working with potential MSP partners. I am providing this resource to you, security manager, not only to help you understand how your company is evaluated, but to help you in your professional growth as a security executive. It is good to have multiple viewpoints on business risk. With this information you can help your company negotiate a compromise when there are issues with an MSP vendor, and as the senior security leader you will be the one dealing with those issues.

As we begin, I want to state that I do not currently manage, nor have I ever managed, an MSP; however, in my previous roles I have worked with and advised many of them. It’s that experience, plus my 20 years in technology and security evaluating the risk exposure of my organization and its strategic business operations, that provides the insight for this chapter. Please note, as we begin, that the issues that follow are not all-inclusive. They are just issues I have seen MSPs review when selecting new clients, based on the client’s current technologies, the industries they compete in, and finally, their ongoing business practices. For each issue, I shall discuss what concerns me, and hopefully that dialogue can assist actual MSPs in making better-informed decisions, and SMBs in maturing their business practices.

Some potential risks I believe an MSP would screen for are as follows…

The Essential Guide to Cybersecurity for SMBs: Section 6 – Building Your Cybersecurity Strategic Plan

Technology changes at a rate most businesses can’t keep pace with, and this lag introduces considerable risk to a company’s business operations. To manage this risk, many security leaders must wade into an ever-changing, turbulent network landscape and seek to establish some order through their selected security frameworks and controls. These security leaders also apply best-practice approaches to this diverse risk portfolio using traditional concepts such as zero-trust and layered security technologies and services.

I believe this approach needs to change, especially for SMBs. This approach was created for centralized, managed networks that many of us in security first started our careers with years ago. Today’s networks typically don’t have fully defined perimeters. They are designed for the mobile worker and geo-dispersed teams with numerous third-party connections to vendors and trusted partners. It’s these new network infrastructures that exist in the cloud, in shared data centers, and on mobile devices that force SMBs and their security managers to reevaluate plans for how to implement and manage the business’s cybersecurity program without impeding new business opportunities.

Strategic plans, in essence, are cybersecurity roadmaps that establish the pathways a security manager will follow to mature their risk management approach while protecting their company. These plans should describe how the security program will preserve and share information, counter new and evolving threats, and support the integration of cybersecurity as a best practice for everyday business operations. A strategic plan should note the “current state” of security practices and describe near-term objectives to be addressed in the next 12 months, midterm goals in the next 18-24 months, and long-term objectives over the next 36 months. The security manager and key stakeholders usually develop this plan, and it should be considered a living document. The vision, goals, and objectives of this plan should be reviewed at least annually by the security manager and the SMB’s executive leadership team, with changes incorporated and new initiatives scheduled accordingly.

To begin, security managers must understand the current security state of their SMB. This effort will require an inventory and continuous scanning of assets such as hardware, software, network configurations, policies, security controls, prior audit findings, etc.