By John Ford, Chief Information Security Officer, ConnectWise
It seems as if every couple of weeks or so, a major news story flashes across our screens detailing a massive data breach where thousands, sometimes millions, of users’ personal information has been stolen or exposed. What each of these has in common is that they all involve large companies. Apple, Target, Marriott, British Airways – these are just a few of the more high-profile cases over the past couple of years. Just last month, Capital One was hacked and had 100 million records stolen by a former employee.
But what about the ones that don’t make the news? I’m talking about small- and medium-sized businesses (SMBs), which have increasingly come under attack in recent years. While they may not dominate the headlines, 43% of cyber-attacks target small businesses, according to the Verizon 2019 Data Breach Investigations Report.
When you think about it, this shouldn’t be all that surprising. Fortune 500 companies spend tens or even hundreds of millions of dollars every year on cybersecurity. And yet, they still have security incidents to report. What chance then do SMBs, many of which do the bare minimum in terms of protection, have? Small wonder they find themselves targets.
However, there are some relatively simple steps SMBs can take to protect themselves without breaking the bank.
The Importance of Risk Assessments
Perhaps because of the intense media attention given to massive data breaches, many SMBs operate under the impression that cyber-attacks only happen to large corporations. Believing they are in no real danger, most SMBs are completely unprepared to deal with cyber-threats. Results of more than a thousand risk assessments performed by ConnectWise’s managed service provider (MSP) partners show that 69% of SMBs – and in some cases, the MSPs themselves – have not identified and documented cybersecurity threats. Two-thirds (66%) have not identified and documented cybersecurity vulnerabilities.
Similarly, SMBs are ill-prepared to deal with a cyber-attack if impacted by one. Among those thousand-plus assessments cited above, almost half (48%) did not have a response plan for a cybersecurity incident, while 43% lacked a recovery plan. But SMBs need to consider the risks associated if an attack were to take place. The damage to their business can be financially and reputationally devastating, and in the worst cases could even shut them down completely.
Performing a cybersecurity risk assessment – or working with an MSP to perform one – is an absolutely crucial first step any SMB should take when it comes to threat protection. The old adage, “you don’t know what you don’t know” is apt here. How can you protect yourself if you don’t know what your risks are, where your vulnerabilities lie, and how to mitigate them?
If working with an MSP on a risk assessment, SMBs should make sure the MSP is aligning the assessment with a well-known framework, such as the Cybersecurity Framework written by the National Institute of Standards and Technology (NIST). The Cybersecurity Framework gives organizations, including SMBs, a way to assess security risks, and it provides guidelines for identifying, protecting, detecting, responding to and recovering from cyber-threats.
There’s No Substitute for Good Training
Something I continue to be surprised by (and not in a good way) is the lack of adequate cybersecurity training among so many organizations. The results of our MSP partners’ risk assessments show that an alarming 57% of SMBs have not informed and trained all of their users on cybersecurity. That means either they are not doing the training themselves, or their MSPs are not performing the training for them. In some cases, the MSPs themselves may not be adequately trained.
Needless to say, this is not a good trend. When companies train their employees, or their customers, on cybersecurity, they are doing them a service, and hopefully, that knowledge will be passed on. In that way, effective cybersecurity training can almost be considered a social good.
When I speak to organizations about cybersecurity, I often ask, “Were you breached yesterday?” Inevitably, I get the response, “no.” But that’s not the right answer. Unless you actually were breached, the smartest answer is “To the best of my knowledge, no.”
This is more of a societal problem than anything. We have become too trusting of technology to protect us, or we let our own perceived technical knowledge get in the way of common sense. It’s why phishing attacks remain a common problem. The only way to get past it is to continually educate ourselves, our employees, our customers, on the latest cybersecurity threats. And it’s not like learning algebra in high school, resting assured that knowledge will always remain the same. Being proficient in cybersecurity means regular, remedial training to keep up with the latest threats because they are ever-evolving.
Using Multifactor Authentication for Good ‘Security Hygiene’
There’s an analogy I like to use when talking to customers about cybersecurity. In the eighteenth century, doctors began to discover something we all take for granted these days. They learned that washing their hands before performing surgeries and other medical procedures prevented infection and saved lives. It seems so simple, right? You don’t have to be a physician to understand that washing your hands is an easy way to prevent infection and disease. And yet, not everyone does a very good job of it.
So it goes with cybersecurity. We don’t always practice good “security hygiene.”
The simplest thing SMBs can do to protect themselves from cyber-threats is to enable multifactor authentication. Essentially, that means having more than just a password. Most people use it all the time and never even think about it. For instance, when you log into your bank account from something other than your primary computer, the bank sends a text message to your phone with a code. You enter the code and you’re in. That’s all multifactor authentication is. In cybersecurity, we call it “something you have and something you know.”
While there are all kinds of complex products and technologies companies use to protect themselves – many of them excellent – the fact is, most ransomware attacks can be prevented by this easy-to-deploy process. Yet, multifactor authentication has only recently become widely adopted, despite having been around close to 20 years.
Closing Open Ports like Remote Desktop Protocol
Many SMBs are supported by MSPs via remote desktop protocol (RDP), which is a TCP connection allowing remote execution on a machine accepting credentials from the remote user. This is a good thing from a support perspective and allows MSPs to fully manage their SMB clients proactively and rapidly. But like many good things, there are some risks. Unfortunately, the bad actors in the world have tools that scan for open TCP ports, and when using an unencrypted channel, they can see when an MSP is connecting to a client via RDP.
It does not take much from there for bad actors to obtain the credentials that the MSP is using to access the client. At that point, they can completely take over the client machine and disable any endpoint protection that was in place. They can then install ransomware or other malicious code to execute their bad intentions. What can be done to prevent this? For certain, MSPs should have multi-factor authentication enabled. But they should also be using a secure connection to the client environment to ensure that all communication between the MSP and client is encrypted.
In fact, if an SMB were to do only two things to improve their security posture, multifactor authentication and closing open ports like RDP are what I would recommend. These steps are easy yet effective – just like washing your hands and locking your doors.
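As an added example (not from the original article or from ConnectWise), here is one way an MSP or SMB could audit hosts it manages for the RDP exposure described above: it checks whether the RDP port answers and, going a step beyond the article, whether the server insists on TLS or Network Level Authentication before any credentials are exchanged. The verdict names, function names and command-line usage are assumptions of this example.

```python
import socket
import struct
import sys

# X.224 Connection Request with an RDP_NEG_REQ offering only PROTOCOL_RDP (0),
# the legacy "Standard RDP Security" mode (MS-RDPBCGR 2.2.1.1).
LEGACY_ONLY_REQUEST = (
    b"\x03\x00\x00\x13"              # TPKT header, total length 19
    b"\x0e\xe0\x00\x00\x00\x00\x00"  # X.224 Connection Request
    b"\x01\x00\x08\x00" + struct.pack("<I", 0)  # RDP_NEG_REQ, protocols = 0
)
# RDP_NEG_FAILURE codes meaning the server insists on TLS or NLA (CredSSP).
SECURE_REQUIRED = {1, 5, 6}

def classify_negotiation(resp: bytes) -> str:
    """Interpret the server's X.224 Connection Confirm (verdict names are ours)."""
    if len(resp) < 11 or resp[0] != 0x03 or (resp[5] & 0xF0) != 0xD0:
        return "not-rdp"
    if len(resp) < 19:
        return "legacy-accepted"  # confirm sent without negotiation data
    neg_type, value = resp[11], struct.unpack("<I", resp[15:19])[0]
    if neg_type == 0x02:  # RDP_NEG_RSP: server picked a protocol
        return "legacy-accepted" if value == 0 else "secure-selected"
    if neg_type == 0x03:  # RDP_NEG_FAILURE: server refused our offer
        return "secure-required" if value in SECURE_REQUIRED else "refused"
    return "not-rdp"

def probe(host: str, port: int = 3389, timeout: float = 3.0) -> str:
    """Check one host you manage: is the port open, and what does it accept?"""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            sock.sendall(LEGACY_ONLY_REQUEST)
            return classify_negotiation(sock.recv(64))
        except OSError:
            return "not-rdp"

def audit(hosts, port: int = 3389, timeout: float = 3.0) -> dict:
    """Return {host: verdict} for every host whose port answers at all."""
    verdicts = {h: probe(h, port, timeout) for h in hosts}
    return {h: v for h, v in verdicts.items() if v != "closed"}

if __name__ == "__main__":
    # Usage (assumed): python rdp_audit.py host1 host2 ...
    for host, verdict in audit(sys.argv[1:]).items():
        print(f"{host}: {verdict}")
```

Run it from outside the network perimeter against addresses you are responsible for: any host it reports is reachable on the RDP port, and `legacy-accepted` means that host does not enforce TLS or NLA.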
About the Author
John Ford is the chief information security officer for ConnectWise. His responsibilities include ensuring security education, products and services enable ConnectWise partners to own and deliver secure solutions to their customers. John, who has more than 22 years of security and technology experience, joined the ConnectWise team in 2018. Prior to that, he served for six years as founder and CEO of Sienna Group, a leading data-centric managed security services provider that was acquired by ConnectWise. John also has held CISO and CCO roles at several large healthcare, technology and government organizations, including MCS and WellCare Health Plans. He is a board member of the Tampa Bay Cloud Security Alliance Chapter. John earned a bachelor’s degree in information systems from the University of South Florida. John can be reached online at LinkedIn and at our company website http://www.connectwise.com/