Episode Transcript
[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
[00:00:19] Speaker B: Hey, thank you for joining me. This episode, I want to dive into cybersecurity for small and medium-sized businesses.
And before I do that, I just want to say today I'm recording this on Sunday, November 10th, which happens to be Veterans Day weekend. But also today specifically is the birthday of the Marine Corps. So I want to do a shout-out to all my veteran friends and all those who served. Thank you very much. I appreciate your service. All that you stood up to, stepping up and, you know, taking that call. So thank you very much. With that said, I want to dive into, like I said, cybersecurity for small business. In this episode, I'm going to dive into specific cyber challenges faced by small and medium-sized enterprises.
Unlike large companies, you know, those small, medium-sized companies, they many times operate with limited budgets and resources, which really makes them a target for cyber criminals, not because they are a small company, but because they don't have the resources and the skill set to really protect their environment.
By the end of the episode, the goal is to gain a deeper understanding of the steps you can take to improve your cyber posture without breaking the bank, because you don't have to have, you know, huge budgets and teams of people to do, you know, simple basic things that can really, you know, drastically improve your cyber posture. So with that said, let's dive in. You know why businesses are prime targets for cyber attacks? Statistics set the scene. According to the Verizon Data Breach Investigations Report, over 43% of cyber attacks target small business.
The national security, I'm sorry, National Cybersecurity Alliance found that 60% of small businesses that suffer a cyber attack will go out of business within six months. That statistic is huge. Right? You cannot afford to have a cyber attack in these small and medium-sized businesses. They'll literally put you under. I did an assessment not too long ago of a not so... I mean, when we say small, we don't mean, you know, it's just not the size of Amazon. Right? So I did an assessment on a company manufacturing facility, and it doesn't matter what they manufacture, but, you know, they're in their first year of this company now. It's a pretty good sized company, you know, hundreds of employees and a big factory and, you know, multiple millions of dollars of revenue, and if they had a cyber event they would absolutely close office. Right? They can't sustain it. They're still in that process; they are profitable. But I guarantee you, if they were impacted more than, you know, very limited, if they were a day or two or definitely a week or more without production and revenue, they would close shop. They wouldn't be able to continue. So that's why it's so important in these small and medium-sized businesses that you do have some kind of focus on it. Again, you don't have the same budget, but it needs to be... you can't just say, hey, I'll do that later. We see that there was an article here recently around, you know, startups and how all these startups don't necessarily put budget toward cybersecurity, and it can be the detriment to that company. You can have a great product, but, you know, you get hit with a cyber incident, ransomware, anything like that, and, you know, your great idea just went out the window because you can't sustain. So why are they vulnerable? Lack of dedicated security staff or budget, use of outdated systems and/or software. I would add on to that even just lack of integration.
And maybe you're using the best stuff, Office 365 and GitHub and GitLab and all the different things. But if you don't know how to configure them and you're not an expert, there's things you can miss, and you can misconfigure something or just forget to lock something down, and that can be the door in. Not to mention a lot of these small businesses, people are bringing their own devices, and that's fine, but you have to know that's a risk and what to do about that, right? So if you are allowing those things, you've got to have other controls and mitigations around those things to make sure it limits the impact, backups and all that kind of stuff. Right. So what's at stake is, you know, loss of customer trust, could be regulatory fines, significant downtime. We talked about the other one, that it could shut you down. Even just a minor breach can impact production, the ability to sell your product. And not to mention that, you know, if your customer PII type information gets out, you know, that could be just a loss; that customer trust could go away. And again, it doesn't matter that you have a great product. There's many, many examples of products that are really good that, you know, get hit with ransomware or, you know, customer data gets stolen, and it doesn't matter, customers don't trust you and they'll go to an inferior product potentially where their information isn't going to get leaked. So, call to action.
You know, really the importance of cyber awareness, cybersecurity awareness, even for small businesses.
I've heard it a lot that people think, oh, I'm too small, nobody would target me. Why would a bad actor come after me? They don't care. Like, they are literally looking at Shodan and places like that and just seeing, can I get in? They don't care if it's, I can get $5,000 from you, I can get $10,000. Whether it's ransomware, it doesn't matter, right? They will go after everyone. You don't have to be... it's not all nation state, you know, North Korea and other countries that are going after you. A lot of times it's just, you know, criminals going after money.
So what are basic cybersecurity measures?
I say this a lot, but it's not all technology and fancy and whiz-bang and blinky lights. Sometimes, many times, it needs to start with just a cyber policy, right? Establishing basic cybersecurity policies, understanding, even if it's just a single page, like, hey, we're gonna have dual-factor authentication, we're gonna use secure, you know, complex passwords, and, you know, we're gonna, you know, not put our customer data into ChatGPT, and any number of examples, right? And then educate your employees on things, phishing activities and, you know, where can I download software from and what information can I put where? And, you know, really just having a policy and a procedure around those things. Where is it safe to store my data? Can I put it in my Dropbox? Is there a company location to have those things? Right? And then, you know, there are affordable tools, DNS filtering, right? OpenDNS, Cloudflare, they can really block malicious sites. Use a password manager. I tell people, in your home, in your personal life, but also at work, right? You should use tools, password managers, that can help you generate and store complex passwords. And you should do that in a way, especially if you think about, you know, an IT person, a system administrator in a small company. If that person gets hit by a bus, wins the lottery, you know, whatever, if they leave and they have all the passwords, you're having to recover that, right? You're having to, assuming that they don't do a good transition.
Then you're struggling, you're trying to find the piece of paper or dive through their documentation, if there is any, to figure those things out. So again, that's not even a cyber incident. That's just good operational, you know, running, right, is understanding all those. Right. And the other piece to this is also just knowing what your systems are, how your systems are critical. Really mapping out all the systems that you have. You know, whether you're a production company and you're building widgets, right? You're manufacturing things. Like, you need to understand that process, but also the back office stuff, right? What, how is my payroll done? Like, how is my banking done? How is my email? Like, all those integrations, how do I do, you know, remote access? Like, all those things matter, and really understanding what those pieces are and which ones are critical to your business.
There's pretty easy steps with these that you can do to really impact. Dual-factor, you know, two-factor authentication is definitely another one. You know, the easy quick wins are, you know, make sure that all of your software and systems are updated to known patches and vulnerabilities. You know, use antivirus software, make sure you're backing up your systems, that you have an offline backup, you know, break glass in case of emergency. If one of your devices or multiple of your devices get hit with ransomware, how can you recover? Do you have your proprietary information someplace, you know, in a vault that you can get to if you need to? How long can you be down and still function? And what is that process to go from, I'm down, to back up, whether it's, I've got a spare machine, I've got my stuff backed up and I've tested that process? A little bit deeper dive into the architecture of things, and it really depends on the type of business. But network segmentation, like, we've done this for years and it's really, really important. I have network segmentation on my home network that I'm at now. Like, I have my corporate, my business stuff separate from my kids' network, separate from my IoT network. And there's a reason for that, right? As I'm plugging in all these smart devices and, you know, I've got a guest network, I don't want my guests on my production network, I don't want my guests in my IoT network. I don't want my guests on my kids' network, right. I want to have separate environments. It just maintains each of these environments, and if one environment gets impacted, if it's one big network, then everything can pivot. You can pivot from one device to the next. Whereas if I have network segmentation, yes, it's a little bit more complex, but that complexity also makes it more difficult for things to propagate through your environment. Right.
So really separating your business network into different segments and understanding, again, it doesn't have to be... you don't have to have 50, and you don't have to have a whole bunch of really complex hardware. Again, my home network has it. Right. And I'm using, you know, simple home use products that support that. Right. And yes, it takes a little bit of configuration, and maybe you don't have the in-house capability.
It's vastly cheaper to fix this now, especially as you're growing, for your small business. If you design it right in the beginning, it's really easy to expand it. Whereas it's harder down the road to redo everything. Right. To go out and change configurations and really divide that up later is more difficult.
You know, creating a guest network for visitors and employees. Right. That is crucial. Like, you're going to have people that are coming from outside of your company in, and they're going to want Internet access. Well, you can easily give them that, but you don't want to put them on your corporate network. You don't want them having access to your printers, you don't want them to have access to your file shares, you don't want them to have access to your, you know, production line, whatever those things are. And then even beyond that, really segregating critical systems, financial data, you know, even locking down, if I have a shared environment, like, I don't want my janitor having access to the accounting data, people's salary, and customer information. Right. If you run a small business or a small retail business, you know, segmenting the network so your point of sale systems are isolated from your employee Wi-Fi, that's isolated from, you know, your guest Wi-Fi, that prevents attacks like the Target breach. Again, Target, the Target attack. Target's a big company and they were breached, but it wasn't through their corporate enterprise front, it was from a vendor back, you know, back door. So somebody had access to that Target network, and they hit that vendor that then got them into the Target network, and that's how they expanded. Right. So a few changes to your network setup can greatly reduce the potential impact of your cyber incident. It's not a matter of if; cyber attacks are coming.
It's really a matter of when you're going to be impacted. The, the real question is, is how big is the impact?
How quickly can you respond? How quickly can you recover? And, and honestly, like we said earlier in businesses, can you survive? It's, it's literally that critical. Can you survive if you got hit with a, with a cyber incident?
Monitoring is the next piece. So once you've gotten all those base things, I've got some kind of policy and procedure. I've done some basic network segmentation. I'm not allowing guests onto my corporate network. I'm not, you know, my employees are segmented. So, you know, accounting and financials are separate from, you know, engineering and, you know, my sales force. Monitoring is kind of that next step.
Importance of monitoring tools, utilizing tools, and there's, I'm not going to list out tools, but there's an unlimited number of tools, both paid and open source, that you can monitor network activity with. So, speaking really quick on paid versus open source. Open source is great.
There's a lot of free tools out there. And when I say free, I mean you don't have to pay for a license. That said, they're not free. And what do I mean by that? Well, you have to spend a lot of time to implement, to architect, to stand up, to support, all that kind of stuff, right. So some of the things that you're buying when you pay for a, you know, a commercial product is the setup and the support, right. That is, especially if you don't have in-house expertise.
You're the CEO, you really shouldn't be spending your time on monitoring of your environment. Right. It's not your single best use. That said, you may have to in the beginning, depending on how small you are, but again, that's where it, if you can open a ticket with a support company for this product and monitoring and all this stuff, that's a lot easier and it takes less of your time away from running your business, as opposed to trying to go as cheap as possible and not have that monitoring. That said, a lot of people are still going to have to use open source, and that's fine. Just know it's going to take time and it's going to be a lot of work to maintain and get the value, even if you're not paying for a license, to get the value out and make sure that you're monitoring and you're seeing all the things. Right. So how do you monitor your devices? Obviously, you really need to start out with, what do you have? Like, do I know what devices I have? Do I know what systems I have, what critical systems? Like, how can I monitor Office 365, making sure my setup is correct, monitor my endpoint devices, make sure I've got antivirus on those things, make sure that I'm scanning my corporate network so that I know devices, when they get plugged in, and I'm monitoring the switches and the firewall and I'm looking for, you know, denial of service attempts and malware coming across.
You can use, you know, logging type devices, Splunk and others, right? There's, again, I don't want to dive too much into which products, but, you know, there are free and low-cost options out there for many of these things. But again, remember those free, low-cost licenses are not free because somebody has to maintain them, set them up, support them, configure them, all that kind of stuff. Right? So, but monitoring doesn't have to be expensive.
You can get real-time insight into your network. It just takes some time and effort to set up. DNS filtering, that really helps with, as your devices are going out, if somebody's clicking on a phishing link, right? If you've got some of these things set up, even clicking on that link, it's going to block it from being able to go out. So, you know, DNS filtering blocks malicious sites before they can infect devices. Especially important for preventing phishing and malware attacks.
There are affordable DNS services. If you don't want to run your own, you can use OpenDNS and Quad9, Cloudflare for DNS. They're free or low-cost options to implement. You can also do, you know, Raspberry Pi has Pi-hole, and there's a lot of things, again, that are not super expensive but provide very, very big value. There's a lot of other things that are built into enterprise level firewall type devices. So FortiGates and Palo Alto and those guys, they have a lot of these things built in, so you can buy one device and get a lot of capabilities. You've got the FortiSIEM and you've got the AI threat data that's coming in these environments from Palo and Fortigate and all this stuff, and those things really get you that next level. But again, they're going to be more expensive. You can also do it with a pfSense box or any number of the open source firewalls or Ubiquiti. There's a lot of them that are more affordable. But again, remember that that affordability comes at a cost, and it's really a time versus experience versus, you know, capability.
And that's where you really need to figure out what's right. As long as you're doing something, it's better than nothing, right? So figure out what those low hanging fruit are for you and really focus on them. And it goes back to that original point. You know, documentation and process is what is important. What are the most, what are my crown jewels? And I want to protect those crown jewels. If my workstation goes down, but I've got a good backup and I know I can recover in an hour, maybe I don't have to spend the expense on, really, you know, endpoint protection as much as I do on the other. I'm not saying endpoint protection is not important. I'm just saying you can begin to decide what is the most important for my business. Right. So getting a little bit more advanced is that incident response and business continuity planning, right. And that goes into, how long can I survive? What is my recovery process if this system goes down, how do I get it back?
And again, small businesses are really struggling to survive after a massive event like this. Right. And massive to a small business isn't the same as massive to Target.
You know, a massive event for a small business could be hours. Like, you could lose enough revenue and reputation in a few hours of downtime that it's going to be hard to dig out of that hole. So make sure you outline the steps that you would take in the event of a breach: containment, communication, recovery. And you shouldn't do that in a vacuum. Those are things, you know, go through a tabletop exercise.
There's great tools out there. ThreatGEN has that auto tabletop they do, which allows you to use the capabilities of AI and language models to go through those scenarios. You're not an expert, you might also not be able to pay for a consultant to come in and do it, but you can use tools that'll help you, you know, kind of get a leg up on these things. Make sure you have backup strategies. You know, you need to have some kind of strategy and have multiple copies of your data. Two different types of media, at least one of them off site. That's that three, two, one backup rule, you know, so three copies of your data on two different media and one off site, right. So that, you see the memes, the server goes down and, hey, where's the backup? Oh, it's on the server that just went down. Oh, well, that's not fair. If I've got a VM, a virtual environment, and all of my backup servers are on the same hardware as the rest of my environment and I'm backing it up to the backup server, I'm not doing much good, right? I need to have an offline copy. You know, think about, I don't want it in the same room if that room catches on fire, if there's a lightning strike and it takes out everything on a circuit. Like, all of those things are impactful, so you need to think about those things. So I want to make sure that I'm thinking through all of those things so that if the worst case scenario happens, I have a path out. It may not be pretty, maybe it's manual for the short term, but at least I've thought it through. And it's not the first time I'm thinking about it, after the event. You want to do it left of bang. If bang is the bad thing, then everything left of bang is before it happened. And everything right of bang is, oh, I'm reacting and responding. I want to make sure I plan this stuff left of bang, before the bad event happens, so that when that event does happen, everything to the right of bang.
At least I've not... it's not the first time I've thought about it. At least I have a plan, right? My plan's not going to necessarily work exactly as I think it through. The old Mike Tyson quote: everybody's got a plan until they get punched in the face.
But at least I have a plan of some kind. I know which direction to go in and I know where to start. I have a backup. I know where it is. I've tested it before. Now you're troubleshooting, but not from a place of, I've never thought about this before.
So being prepared can literally save you thousands of dollars in downtime and recovery costs. It can literally be the difference between your business continuing to run and closing up shop.
So, not to end on a dramatic note, but, you know, conclusion and final thoughts are, you know, that cybersecurity is a continuous journey; you're never done. It's not something you implement once. You know, it's like you go to the gym. You don't just go once, lift some weights, and I'm done. You have to have a plan and continue to do these things. You're having to constantly, as your company grows, as the threat environment changes, as your risk profile, all these things are going to change. So you need to constantly be remembering, just like you have to budget and every month is different, you have to look at your cyber and make sure that you're considering all the right topics and all the things that are important to your business. And it's not a standard test. You can't cheat off your neighbor, because the things that are important to you are different than even another company, one of your competitors. Theirs is different because they have different back office systems and different people and different geographies and different customers, and all these things are going to be a little bit different. So yes, you can get some templates to start, but you're going to have to customize it for your environment. Make sure to take immediate steps, even if it's just implementing one tactic. You know, understand your environment, make sure you have an asset inventory. You know, make sure. Where are your backups? Have you tested that? Do you have backups? Are they on the same server as the rest of your stuff? Do you have one in a fire safe in a different room that you can come back to from, you know, a known good state? Like, these are the types of questions you need to be looking at, and you can solve for them pretty simply. Like, you can take a backup of your stuff, put it on a USB drive, put that drive in a fireproof safe, put that safe in another building, right? Put it at home.
That way it's off the ground, it's not going to get flooded, it's not going to get burned, like, and do that two or three times. That's not expensive, especially as a small business. Obviously Target's data would not fit on a USB drive, but yours may, right? And maybe it's not a USB drive, maybe it's a network attached storage, maybe it's a, you know, cloud based, like, whatever that is for you. Make sure you know that you have a backup and you can get to it. I've got three copies and two different types of media and at least, you know, one off site location. Right. So with all that said, again, don't overthink it. Also don't think that you're immune or too small, because nobody is. Bad actors don't care who you are, what you are, how big you are. They're coming after money. Like, there's so many different types of things that people are going after. A phishing attack, they're just broadly sending out to anybody they can get. Right? That's why it's called phishing. They're not picking the individual fish. But, you know, if you're the small fish and you bite the hook, you still got hooked, and that's really the point of it, right? So again, all that said, thank you for listening.
Do me a favor and definitely make sure that you like and subscribe on YouTube or wherever you listen to your podcast. Definitely leave us a review. We love getting reviews and feedback, as well as, if there's a topic you want to cover or, hey, you want to come on the podcast, please reach out, info@protectitall.co. You can also see the info in the show notes here. But definitely shoot me a message. Love to have interesting conversations with folks around all cybersecurity things, from IT to OT, cloud, AI, just about everything that's there. So again, happy Veterans Day. Thank you for all those veterans that are out there, and I really appreciate all that you guys have done. Thank you to the listeners, and until.
[00:24:57] Speaker A: Next time, thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.