What does it take to secure any SME organization?

Andrea Dainese
May 25, 2022

Managing Cybersecurity is expensive; we all know that. But not managing it is even more expensive. In my experience, an SME recovers from a critical Cyberattack in 5-10 days, if it can recover at all (yes, I personally know companies that lost everything because of a Cyberattack).

So how can we combine an SME with a minimal, effective Cybersecurity strategy?

To plan a strategy, we need to fully understand common Cyberattacks and Threat actors.

SME, Threat Actors, and Cyberattacks

First, let’s try to describe an SME:

  • privately owned (I often find a single owner);
  • manufacturing sector;
  • a maximum of 150 employees (most of them are working in production);
  • a maximum of $50 million annual receipts;
  • very small or outsourced IT department;
  • low IT budget;
  • low Cybersecurity awareness (management often doesn’t want to be bored with security topics);
  • increasing security compliance requirements.

SMEs need to protect:

  • production;
  • CRM;
  • intellectual property.

Threat actors targeting SMEs probably want to:

  • compromise and ask for ransom (usually);
  • steal intellectual property (seldom);
  • sabotage them (rarely).

Based on the above assumptions, the most frequent type of Cyberattack is a ransomware-based attack.

Lifecycle of a ransomware attack

The New Zealand CERT describes the lifecycle of a ransomware attack.

How the attacker looks for a way into the network

In short, there are 4 ways an attacker gets inside an organization:

  • Phishing
  • Password guessing
  • Exploit vulnerability
  • Email

We should notice that 3 out of 4 are person-based attacks: attackers, using social engineering techniques, try to:

  • steal valid credentials by persuading people to enter them in malicious web portals;
  • guess the password using a public data breach, assuming that people reuse passwords;
  • persuade people to download and execute malware to take control of computers inside the organization.

Designing an effective Cybersecurity strategy

Based on the most probable attack, we can now design an effective Cybersecurity strategy to reduce the risk. Always remember that we are talking about SMEs, so our budget is limited.

We can mitigate the risk of an attacker getting inside the organization as follows:

  • Technical measures:
    • Multi-Factor Authentication: we want MFA for email access and remote access VPNs (mitigates Phishing, Password guessing).
    • Antispam: we want to filter out malicious emails (mitigates Phishing, Email).
    • Logging: we want to detect invalid login attempts (mitigates Password guessing).
    • Security Assessment: we want to detect vulnerabilities via VA, DAST, and PT (mitigates Exploit vulnerability).
    • Patching: we want up-to-date applications, and because the IT department is very small we want it to happen automatically (mitigates Exploit vulnerability).
    • Endpoint Detection and Response: we want a good EDR to stop malware (mitigates Email).
    • Segregation: we want well-configured network/host-based firewalls which drop incoming and outgoing malicious connections (mitigates the last attack phases).
    • Data Protection: we want that, in the worst-case scenario, we can get our data back (mitigates the last attack phase).
  • Organizational measures:
    • Policies and procedures: we want to enforce password security (mitigates Password guessing).
    • Training: we want to test how good employees are at detecting social engineering attacks (mitigates Phishing, Email).
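The "Logging" control above is only useful if someone actually looks at the failed logins. As an added example (not code from the original post), here is a minimal detector for the password-guessing pattern, run over constructed OpenSSH-style auth log lines; the thresholds and the log format are assumptions to be tuned to the SME's own VPN or mail server logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog format (not real logs).
# One external host tries many usernames (password spraying); one office host
# mistypes a password once and then logs in successfully.
SAMPLE_AUTH_LOG = """\
May 25 08:01:02 vpn sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 25 08:01:05 vpn sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 25 08:01:09 vpn sshd[2205]: Failed password for invalid user backup from 203.0.113.7 port 51251 ssh2
May 25 08:01:12 vpn sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
May 25 08:01:15 vpn sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51266 ssh2
May 25 08:03:41 vpn sshd[2250]: Failed password for alice from 192.0.2.10 port 40022 ssh2
May 25 08:03:49 vpn sshd[2250]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
"""

# Matches both "Failed password for alice" and "Failed password for invalid user admin".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def summarize_failures(log_text):
    """Return {source_ip: {"count": failed_attempts, "users": set_of_usernames}}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = stats[m.group("src")]
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    return dict(stats)

def flag_password_guessing(log_text, max_failures=5, max_users=3):
    """Flag sources over the (hypothetical) thresholds: many distinct users from one
    source is password spraying, many failures against few users is brute force."""
    alerts = []
    for src, entry in summarize_failures(log_text).items():
        if entry["count"] >= max_failures or len(entry["users"]) >= max_users:
            kind = "spraying" if len(entry["users"]) >= max_users else "brute-force"
            alerts.append((src, kind, entry["count"], sorted(entry["users"])))
    return alerts

if __name__ == "__main__":
    for src, kind, count, users in flag_password_guessing(SAMPLE_AUTH_LOG):
        print(f"ALERT {kind}: {src} had {count} failed logins for users {users}")
```

The single failure from the office host is below both thresholds, so only the spraying source is reported; feeding the same logic with a lockout or firewall block turns the log into an actual control.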

Conclusions

I think this is the minimal set of technical and organizational measures that any organization should implement to reduce the risk of Cyberattacks. Even very small organizations should evaluate the security controls described above.
