back to article Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim

One of the unpleasant developments of the last decade has been the speed with which IT security threats, once aimed mainly at large enterprises, have spread to SMBs – small and medium businesses. Today, SMBs are no longer secondary targets, and are up against exactly the same cyber-threats with the same level of sophistication …

  1. Claptrap314 Bronze badge

    Umm...

    My step #1 is to run Linux & non-windows office software. That seems to cover about 90% of what is mentioned.

    Not a cure-all at all, but let's start with a system that actually has a chance to be secured.

    1. LDS Silver badge
      Facepalm

      Re: Umm...

      Do you believe Equifax was running a Windows server?

    2. Anonymous Coward
      Anonymous Coward

      Re: Umm...

      Your step #2 is being hacked because is evident you have not a clue about real protection. Linux systems are routinely pierced because they are not secure per se, and people believing they are more secure just because they don't use Windows usually have a bad awakening.

      Especially since a lot of issues are at the application level, not the system level. And bad setup and management are big issues on *any* system. False sense of security only adds to risks.

      1. Drs. Andor Demarteau (ShamrockInfoSec)

        Re: Umm...

        Precisely, Linux system (MacOS as well) have the name of being more secure or better securable.

        Whilst this, as specially towards Windows, was true a decade ago, Microsoft have actually quite stepped up their game in this area.

        And no I'm not a Windows fan, but that has a different reason.

        Any IT system can be as secure or insecure in measurement of the security competents of the people who are managing them in alignment with the requirements of the business itself.

    3. Walter Bishop Silver badge
      Mushroom

      Re: Umm...

      Two down votes, how dare you criticize MICROS~1

    4. c1ue

      Re: Umm...

      Sadly, wrong. Windows has more vulnerabilities than Linux, true, but the highly effective SMB attackers aren't using "spray and pray", they're doing targeted intrusions, then recon, then ransomware as the final monetization step.

      In this respect, Linux is no better than Windows because neither is really the issue. It is routers, firewalls, phishing emails, poor passwords, etc which are used.

  2. Ken Moorhouse Silver badge

    Re: ...should be limited by Microsoft Office, for example by using...

    ...LibreOffice or OpenOffice instead.

  3. Version 1.0 Silver badge

    Good recommendations but...

    Sure, lock and bolt all the doors ... but all it takes is one employee checking their home email from work, browsing for entertainment during lunch hour or bringing a USB stick in to share/copy something.

    The safest thing you can do, as an SMB, is assume that you will be infected and make sure that you have backups of your backups everyday. One backup isn't any good, and two backups are only twice as good as nothing. Daily backups every day every week to a read-only source might just save your business one day.

    1. jake Silver badge

      Re: Good recommendations but...

      "Sure, lock and bolt all the doors"

      That does no good. The crooks are getting in through the windows.

    2. LDS Silver badge

      Re: Good recommendations but...

      Cloud is not more secure - as we see the large number of AWS or other services left wide open with default credentials and not secured at all. Maybe, they can even generate a false sense of security "it's in the cloud, so it's secure". While the cloud layer could be better managed (hope so, but I'm not still sure there's not a lot of "mechanical Turks" taking care of that....), whatever is customer-specific above that may still be badly configured and managed.

      While any breach in local machines can still give away the keys to data residing elsewhere - and it could be even faster to download data from the cloud that from the slower local internet connection.

      It looks there's still a misconception hackers will go directly for the big target, using a single powerful assault able to break powerful defenses at once. While it happens when someone leaves big holes available, more often a far less protected system will be targeted first, and then data are gathered to reach valuable targets. And in many SMBs you'll find users with a lot of powerful credentials they often should not have - and more mixed roles.

      1. Drs. Andor Demarteau (ShamrockInfoSec)

        Re: Good recommendations but...

        Correct.

        Cloud is by default not "more secure" than local system.

        All comes down to proper security and identity management, something the cloud providers don't do for you.

    3. Fred Daggy

      Re: Good recommendations but...

      Yeah. Backups are good. But it's only half the story. And that's where it gets complicated.

      You need a strategy. Most SMBs don't put the resources in to a strategy, many don't even recognise the risk.

      Backup is central to the strategy. Testing restores is another key part. Then there is Business Continuity Planning, Encryption, Compliance, etc. You can see why this goes over the head of most punters and even people paid to pay attention to this stuff.

    4. Alex Walsh

      Re: Good recommendations but...

      I've read plenty of stories about USB sticks/SD cards being "lost" in car parks or by offices purely on the off chance that someone will be curious and pick it up and plug it in to their office computer. Scary.

  4. David Roberts Silver badge
    Trollface

    Cloud simplifies security

    Eggs, meet one basket.

  5. Roger Greenwood

    Size matters

    Businesses with 2.5, 25 and 250 employees are all often described as SMBs but will require quite different levels of support. We are bombarded with offers to provide us with "support" but the targeting is way off sometimes - the number of staff actually using computers (with a keyboard) in a business can vary widely.

    @Claptrap314 It's quite difficult to get folks to drop windows after growing up with it and being dependent on it for critical bits of kit you have no control over (if you are a SMB). By comparison dumping MS Office was easy.

    1. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: Size matters

      Effectively the number of employees may say very little on how juicy the SME target actually is.

      The level of data available within the company may be a far better measurement of this in the end.

      With a lot of processes now partially being automated, smaller companies can actually have larger juicier data sets than larger ones with a more traditional business model.

    2. LDS Silver badge

      Re: Size matters

      You're right.

      Usually, the definition is "small" companies < 100 employee and < $50M revenues, "medium" < 1000 employees and < $1Bn.

      From an IT perspective, very, very different needs within each category. Even with less than 100 people you can have high-tech companies, or lawyers/accountant/physicians (highly confidential data), or low tech business, with very different type of users, and needs.

      Many "medium" business may have the IT needs of larger enterprises, depending on the sector they work.

      A believe a different categorization is needed, the old ones are not very useful.

      1. Paul Crawford Silver badge

        Re: Size matters

        To some degree the main difference is a "larger" organisation will typically have some or all IT support in-house and as a result typically will have policies for networking, patching, backups, etc, that are planned around good practice.

        I say "typically" as we regularly see the big boys being shafted and often due to lax practices...

        But the SME lot usually have no real IT support internally, maybe some bod whose job it is to arrange support/purchase, etc. And as already pointed out, you get many differing categories of user and business with the vast majority being based around folk with no real computing expertise. And no, being able to use an excel macro is not computer expertise! Hence solutions of using differing software, OS, network segmentation, etc, that would be argued about by the legions of commentards means absolutely nothing to them.

        Most of what is needed to get SME in to a safer area therefore requires such expertise and that means paying folk to help set up stuff, train staff, deal with incidents, etc. Sadly that is seen as a pointless expense by many until they get shafted.

    3. Baldrickk Silver badge

      Re: Size matters

      @Claptrap314 It's quite difficult to get folks to drop windows after growing up with it and being dependent on it for critical bits of kit you have no control over (if you are a SMB). By comparison dumping MS Office was easy.

      Bar needing it for specific tasks where software and hardware is unsupported on other OSes (whether or not you can get it to work, as a business, you probably want the support) I would have thought moving to another OS would be fairly easy, as long as it still has a task-bar and some sort of launcher that is not too dissimilar to the start menu. - In fact, many Linux distros have window managers with launchers that are closer to old Windows in style and functionality than new Windows...

      Failing that, there is always the shortcuts on the desktop approach.

  6. Walter Bishop Silver badge
    Linux

    The cybersecurity challenge for SMBs

    The cybersecurity challenge for SMBs is to find a computer that can't be compromised by opening an email or clicking on a weblink.

  7. Mark C 2

    You missed and obvious one...

    ..User Training and Education.

    Security is not all about technical controls, there are Administrative and Physical ones as well.

    1. GnuTzu Bronze badge

      Re: You missed and obvious one...

      "User Training and Education"

      Sadly, vigilance is not innate to the human condition, and social engineering seeks out the lazy and impulsive. So, yes (voted up), and do the homework to get a really good training program.

  8. Pascal Monett Silver badge

    A bit disappointing

    I started reading this article hoping to find some sort of checklist of software to have and things to do. Instead, I found an article that, while well written, was light on specifics and rather vague, limited to generalizations and common-sense counsel. I'm not knocking the content that was there, I'm unhappy about what was missing.

    What I was hoping to find was concrete references to SMB-level products that could reliably help me, a freelancer, to ensure that my connection is all right and my laptop secure. I have obviously installed anti-virus and monitoring software, but I would have liked to get confirmation that I made the right choice, or a list of products that I might check out to ensure that I can change for something better.

    As for the software I have installed, I need every bit of it. I very much doubt that SMBs have loads of useless software licenses just lying around. They don't have the money for that. Well I don't.

    1. jake Silver badge

      Re: A bit disappointing

      "As for the software I have installed, I need every bit of it."

      Do you really? Every bit of it? Did you use Linux From Scratch, Gentoo, Crux, or something else as the base? Or did you roll your own, perhaps a BSD varietal? Because you sure as hell won't be using one of the commercial kitchen-sinkware options if what you say is true ...

  9. c1ue

    Cyber security today is simply not meant for SMBs. If you have a $10M budget or more and have reasonable execution capability, you can have a fairly decent cyber security setup in the sense of preventing attacks.

    However, cyber security in a more holistic sense isn't about preventing attacks. It is about preventing attacks from destroying your business.

    Backups are fine from a business recovery perspective - but that assumes that the business can withstand a 1 or 2 week recovery cycle. Many can not.

    What every SMB truly must address is business continuity: what must be done in order to ensure that the business will survive if it is attacked by ransomware? By DDoS?

    The tools to mitigate these impacts are *not* actually prevention of attack, rather they need to be resilience focused.

    Similarly, what is the impact on the business from a whaling expedition? an HR PII theft? A data or IP theft?

    The answers to these scenarios are mostly process. Two factor authentication as in calling to confirm whenever a new payee is requested. Never sending more than XX records of HR data unless independently confirmed by 2 or 3 real people in authority. Not putting all your data/IP in one spot, and locking away portions that aren't actually used frequently to specifically be hard to access.

    1. jake Silver badge

      True enough.

      "Cyber security today is simply not meant for SMBs."

      This is true. Cyber security is for boardroom bingo and headlines. Nobody with a clue who is actually involved in computer and network security uses the word "Cyber" in that context, especially not with the CAP initial letter.

  10. WaveyDavey

    I don't get it

    Sure, the scams of fake invoicing, fake Data Protection registration etc are fairly old, as are payments to banks accounts that are not who they claim to be, but isn't the problem getting a fake bank account ? As far as I am aware, it is really difficult to get a "fake" bank account these days, thanks to crime prevention and anti- money-laundering measures. Can't the police simply track who owns the account money was paid to, then arrest the buggers ?

    1. c1ue

      Re: I don't get it

      No, because you don't use a "fake" bank account. You use a person's real bank account who thinks their helping an offshore trading company process invoices.

  11. Potemkine! Silver badge

    The essential part is missing

    That one: educate your users, again and again and again - They are the first defense line. Technical solutions can only compensate.

  12. Anonymous Coward
    Anonymous Coward

    Our entire organisation got sent an email from someone well known for *not* being part of the IT department (quite the opposite) saying they must click on an email to ensure continued email delivery. Around 15 of 250 got suckered in and clicked on the link, a worry proportion of those happily put their O365 credentials in. Almost an entire department of supposedly well educated users handed over their details without hesitation whereby the computer illiterate receptionist recognised it as a scam and discarded.

    User education is sadly never going to stop stupid. All you can really do is respond quickly and respond well.

  13. elvisimprsntr

    1. Start with a good enterprise class firewall (pfSense) - Done

    2. Configure firewall to route ALL DNS requests through OpenDNS, even if the host manually enters a DNS IP - Done

    3. Configure OpenDNS to filter traffic you don't want clients accessing - Done

    4. Use a professional mail hosting provider which which employs virus scanning and filtering. - Done

    5. Disable USB interfaces on ALL clients - Done

    6. Have a company policy which prohibits use of company resources for personal use which can result in suspension or termination. - Done

    7. Mandatory employee training - Done

    8. On site backup strategy (GF,F,S) with offsite/remote for disaster recovery - Done

  14. baggins84

    I've been involved in the aftermath of multiple cyber security incidents and they have nearly always originated from human error/poor judgement/lack of training.

    An attack may take advantage of a weakness in a system but quite often that is exploited through some form of social engineering approach.

    I firmly believe that as long as a company has some information security, one of the best things they can do is educate people. By having a clear strategy and ensuring people comply with policies (be that automated or manually checked) you close the door on a lot of possible attacks. By educating and raising awareness to all staff, you instil the 'what-if' thought process in people and that can be all it takes for someone to question a phishing phone call or flag an email that may be trying to get information. Early identification is key to these situations and prevents further infection. Teaching people how to handle the pushy telephone calls, how to spot emails that may have been spoofed is always part of my information security awareness training. I keep groups small so that you can engage with people instead of doing large blanket company wide sermons.

    Then you have the infosec strategy in the background, ensuring that everything is protected properly from a systems and monitoring point of view.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019