One of the most important truths we’ve discovered since opening the doors here at Security 7 Networks is that small and medium-sized businesses (SMBs) and enterprises (SMEs) are more vulnerable to cyber attack than their bigger counterparts.
Cynet’s 2022 Survey of CISOs with Small Cyber Security Teams report really helped drive that point home to us. It made us wonder why that was and what could be done to not only explain the situation but offer some guidance regarding how to avoid being an easy target going forward.
Why are SMEs and SMBs more vulnerable?
This question is easier to answer than one might believe.
Think of cybersecurity as a wall surrounding a castle. Your business is the castle itself. For this case, you can defend your castle by building the walls taller or thicker, but you can’t do both. Or, you can choose not to build a wall at all.
The taller the walls, the more imposing the castle might seem to those passing by. The average individual might think the castle is well defended. But remember, no matter how tall the wall gets, it never gets any thicker.
Let’s say the height of the wall is determined by the number of security products the castle’s king thinks are necessary to protect the business. They’re placed in position and left to their own devices.
The stouter castle’s walls aren’t as imposing when viewed from ground level, but they run deep. Even if the walls were scaled with a ladder, the rampart walkway is just as wide as the wall below it. There’s a sizable surface area between the outer perimeter and the castle keep.
The thickness of the wall represents the castle architect’s knowledge of potential threats and cyber attackers, rather than just the king’s willingness to buy more bricks. The thicker the wall, the more expensive it can be to build, in contrast to the taller wall.
And then there’s the castle that decides not to build a wall at all. The king says the area where the wall was to be built is good grazing land for the royal cows. Nothing is going to come between his cows and their grass. Kidding aside, maybe they can’t afford to build a wall. Maybe they think they don’t have anything worth stealing and a wall isn’t needed. The point is there’s no wall at all. Maybe a guard tower or two, maybe not. Still, no wall.
An attacker will always take aim at the lowest-hanging fruit. They’re not afraid of cows. Once they’ve ransacked that castle they’re going to move on to its neighbors: the castle with the tall, thin walls and the castle with the shorter but thicker walls.
A good attacker knows that the best target they can aim for is the castle with the thinner wall no matter how tall it is, or the castle with no wall at all. An attacker’s primary goal is to go unnoticed for as long as possible, or for as long as it takes to get their job done. The more time it takes to get through a wall the more exposed they are and the more likely they are to get caught.
The tall imposing wall is the better target because it’s thin. A good attacker can navigate around a security product or two. The stouter wall takes longer to successfully breach, even if they’ve made it to the top. The attacker’s exposure is magnified almost from the start.
You’re probably wondering what point I’m trying to make and it’s this: not every SMB or SME can afford to build a wall or is interested in building a wall at all. Other SMBs or SMEs might think they’ve done enough by making their wall tall and the thickness doesn’t matter. And then there are other SMBs and SMEs who do build a wall, understand the importance of depth when it comes to defense, and are reasonably well protected.
Unfortunately we see a lot of SMBs and SMEs who aren’t protecting themselves the way they should. Their walls are tall but flimsy or there are no walls at all. There’s really no point in asking why this happens. What’s important is asking how an SMB or SME can take responsibility for their current situation and start building a strong cybersecurity posture.
Here’s what Security7 recommends:
- Identify your information assets
- Identify the asset owners
- Identify risks to confidentiality, integrity, and the availability of the information assets
- Identify the risk owners
- Analyze the identified risks and assess the likelihood and potential impact if the risk were to materialize
- Determine the level of risk
- Prioritize the analyzed risk for treatment
Darrin Maggy, Security7’s Practice Manager, offered some insight to help us dive in a little deeper.
STEP 1: IDENTIFY YOUR INFORMATION ASSETS
An information asset is any information or asset that is valuable to your business and contributes to its ability to operate and its profitability. Typically you need to look for things like paper or electronic documents, applications, databases, infrastructure, even key people. That’s an information asset.
“Generally what we do to start the asset identification process is issue a questionnaire,” Maggy said. “It’s brief, and it’s meant to prompt people through the process of understanding exactly what we’re looking for and how to find it.”
STEP 2: IDENTIFY THE ASSET OWNERS
After you’ve identified your information assets, Security7 determines who within the business is responsible for those assets. Maggy said the recipients of the questionnaire typically sit at the layer directly below the CEO on the org chart.
“Finance, Operations, HR, Sales, etc., these folks are typically aware of which corporate assets they’re responsible for and which assets are most critical to the business,” he said.
Maggy said it’s important to identify asset owners, as they are the best source of knowledge regarding the potential vulnerabilities and threats to the assets, and they can also help assess the likelihood and impact if the identified risks were to materialize.
STEP 3: IDENTIFY RISKS TO CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF THE INFORMATION ASSETS
“Confidentiality, Integrity, and Availability of information are the foundation of information security,” Maggy said. “Let’s use an analogy to help explain this.”
Maggy said imagine you’re doing business with your bank. You’re going to make a deposit, log into your account to make sure the deposit has posted to your account, and then withdraw the money.
You expect confidentiality when you deposit your money. That transaction is between you and your bank. “It’s nobody’s business that you’ve just conducted that transaction,” Maggy said. “The bank shouldn’t advertise the fact that you just deposited $50 or $5000 into your account.”
Integrity comes into play when you log into your account only to find the transaction hasn’t been posted. “Say you deposited $50 and only see $10 or nothing at all,” Maggy said. “Something’s happened regarding the integrity of that transaction, the integrity of the information.”
Availability comes into play when you go to an ATM and try to withdraw that $50 and you’re unable to do so; now you have an availability issue.
Maggy said all three of these things apply to data as well, and any breach of Confidentiality, Integrity, or Availability is considered a security incident. “Let’s apply these concepts to business.
“If somebody in sales needs to access Salesforce.com and they’re unable to do so, that’s an availability issue. If somebody from HR goes into Salesforce.com and they alter a major account record, making substantial changes to the record, and ultimately those changes alter the way that client is handled in the organization then you’ve just had a breach of integrity,” he said.
“Overall, confidentiality is identifying the processes, the assets, the information, the things in the organization that need to be kept private,” Maggy said. “Whether it’s existential data that you don’t want your competitors to find out about, such as information related to M&A activity or new product development, financial information, or other sensitive data. That’s confidentiality.”
STEP 4: IDENTIFY THE RISK OWNERS
Remember when we said you might bounce around between the steps? Well, here’s an example of that.
“Oft times we’ll determine that the asset owner ends up being the risk owner as well,” Maggy said.
Maggy said risk owners are those with the accountability and authority to manage risk. “The asset owner is the person responsible for the asset within the company. A risk owner is a person who is both interested in resolving a risk and is positioned high enough in the organization to do something about it.”
However, the risk owner isn’t always the asset owner. “It has to be someone who is closely related to processes and operations where the risks have been identified – it must be someone who will feel the “pain” if the risks materialize – that is, someone who is very much interested in preventing such risks from happening. However, this person must also be positioned high enough so that his or her voice would be heard among the decision-makers, because without obtaining the resources this task would be impossible.”
STEP 5: ANALYZE THE IDENTIFIED RISKS AND ASSESS THE LIKELIHOOD AND POTENTIAL IMPACT IF THE RISK WERE TO MATERIALIZE
Maggy said it’s important to always provide Risk Assessment training directly to the people who are going to be involved in the Risk Assessment process.
“We do this to bring everyone involved in the process up to speed,” he said. “It helps them understand the methodology, the terminology, and the risk identification and treatment process so we can better assure a high quality, refined output.”
STEP 6: DETERMINE THE LEVELS OF RISK
Security7 Networks has assembled a collection of Risk Catalogs to help the participants on their journey. The catalogs help identify specific threats and vulnerabilities and allow Security7 to walk organizations through the likelihood and consequence scenarios.
“We give the potential impact and likelihood of these threats occurring a numerical value in our risk matrix.”
The total of these values ultimately determines which risks will require treatment.
“Then you have to decide how you’re going to reduce those risks to a level that the organization is willing to accept or is comfortable with, no more no less,” he said.
STEP 7: PRIORITIZE THE ANALYZED RISKS FOR TREATMENT
The primary risk treatment options an organization has to consider are risk mitigation, risk transfer, risk avoidance, and risk acceptance.
“Maybe you’re going to put a security control in place from Annex A or SP 800-153 or another control catalog. That’s risk mitigation,” Maggy said.
“Risk transfer is when you transfer the risk through outsourcing to a contract supplier or insuring a particular asset.”
“Risk avoidance is when you discontinue the activity that’s associated with the risk,” he said.
“Risk acceptance is where an organization says, ‘You know what? The treatment would cost more than the potential impact were the risk to materialize. We accept this risk. It’s been signed off on by our executive suite,’” he said. “Then they file the risk acceptance memo within their information security management system.”
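As an added example (not Security7’s tooling or code from this page), here is a small Python risk register that scores each risk from Steps 5 and 6 on a constructed 1 to 5 likelihood and impact scale, ranks the risks above a stated risk appetite for treatment (Step 7), and refuses to record a risk acceptance without a named sign-off. The combination rule (likelihood times impact), the scales and the sample register entries are assumptions.

```python
from dataclasses import dataclass

# Constructed 1-5 scales; the page gives no scale values, so these are assumptions.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# The four treatment options named in Step 7.
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")


@dataclass
class Risk:
    asset: str        # information asset from Step 1
    risk_owner: str   # accountable person from Step 4 (often also the asset owner)
    cia: str          # "C", "I" or "A": the property the threat affects
    threat: str
    likelihood: int   # key into LIKELIHOOD
    impact: int       # key into IMPACT

    def level(self) -> int:
        """Risk level read off the matrix. Assumption: likelihood x impact,
        the common matrix convention; use l + i if your matrix sums them."""
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        return self.likelihood * self.impact


def prioritize(risks: list, appetite: int) -> list:
    """Step 7: risks whose level exceeds the appetite, highest first.
    Ties are broken by impact so severe-consequence risks surface earlier."""
    above = [r for r in risks if r.level() > appetite]
    return sorted(above, key=lambda r: (r.level(), r.impact), reverse=True)


def record_treatment(risk: Risk, treatment: str, signed_off_by: str = "") -> dict:
    """Validate a treatment decision before it goes into the ISMS register.
    Acceptance is only valid with a named executive sign-off, as in Step 7."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "accept" and not signed_off_by:
        raise ValueError("risk acceptance requires a named sign-off")
    return {"asset": risk.asset, "owner": risk.risk_owner, "level": risk.level(),
            "treatment": treatment, "signed_off_by": signed_off_by or None}


# Constructed sample register built around the page's own examples (Salesforce, M&A data).
REGISTER = [
    Risk("Salesforce.com CRM", "VP Sales", "A", "SaaS outage blocks the sales team", 2, 4),
    Risk("M&A documents on file share", "CFO", "C", "over-broad share permissions", 3, 5),
    Risk("Major account records", "VP Sales", "I", "unauthorised edits by HR user", 2, 3),
    Risk("Payroll spreadsheet", "HR Director", "C", "emailed to wrong recipient", 4, 2),
]
```

With an appetite of 6, `prioritize(REGISTER, 6)` returns the M&A, Salesforce and payroll risks in that order, and the account-records risk (level 6) falls within appetite and is a candidate for a signed-off acceptance.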