
Defence in depth for SME

(Image credit: Shutterstock/deepadesigns)

Cyber threats often seem like far-off, exotic events that don't affect the average business. The media tends to cover breaches at well-known companies, but hackers have begun to target smaller businesses at an escalating rate, and SMEs are quickly becoming a primary target. The truth is that hackers know SMEs have minimal protection and are often easier to infiltrate.

The security challenge for most businesses today is balancing best practices like defence in depth with the realities of a limited IT budget and resources. Defence in depth is a cybersecurity approach based on layering protective elements to bolster security. Traditional defence in depth layers include data; application; endpoint; internal network; perimeter network; physical security; and policies, procedures and awareness. Using this methodology, a breach of a single layer does not result in a breach of the organization.

Strained staff and budgets

Few SMEs have dedicated IT security teams or can afford the equipment to maintain the multi-layered security approach popular among enterprises and larger organizations. Hackers utilize phishing campaigns, watering holes, drive-by downloads, trojans, denial of service (DoS), ransomware and other methods to breach organizations, collect and exfiltrate information, and disrupt services.

IT professionals with limited security budgets need to adopt smart practices that make the most of their resources and improve the effectiveness of their protection. Security solutions, from firewalls to intrusion prevention and detection systems, can strain budgets for most businesses, and that's not to mention the cost of the expert personnel required to manage and monitor them. Small and medium enterprises need to find ways to provide the necessary coverage, adapted to their unique needs. Hackers depend on mistakes, vulnerabilities and unsuspecting users, so an IT professional's job is to reduce the attack surface, educate users and implement appropriate security policies.

Here's the rundown for defence in depth elements every business needs (and can afford).

Policies, procedures and awareness

Start by developing cybersecurity policies. Most medium-sized organizations likely have policies in place; however, to jump-start this process consider any of the following resources:

·       The Federal Communications Commission’s Small Biz Cyber Planner tool

·       The Small Business Administration’s Cyber Security for Small Business Course

·       NIST Cyber Security Framework

·       Center for Internet Security Critical Security Controls

·       US-CERT C3 Voluntary Program

These resources provide the foundation for building a successful security program, but each organization must balance the guidance with its own risk tolerance. While policy, procedure and technology solutions all play a role, it is also important to note that there is a burgeoning market for cyber risk insurance to transfer some of the risk. Note that most insurance providers will evaluate your security posture before determining your policy premiums. That said, for malicious activity such as ransomware that encrypts servers, laptops and file systems, cyber risk insurance may be appealing.

Users play a large role in preventing infection, but good habits only come through proper education. Employees need to practice good digital hygiene: not opening email attachments from unknown senders, avoiding public Wi-Fi networks, taking care when transporting data on USB storage devices and keeping the software on all BYOD devices up to date. Businesses need clear policies written by IT personnel and enforced through technology solutions and HR. These policies serve as touchstones for education, helping users be part of the solution instead of the problem, and as a basis for enforcing security monitoring on devices even while they are off-network.

Security solutions

Given this understanding of defence in depth, the technology layers range from firewalls to antivirus, intrusion detection and prevention, two-factor authentication, web application firewalls and more; the list goes on. The difficulty of selecting and combining security solutions is already apparent. How can you buy and manage all of these solutions with limited resources? Large enterprises can deploy best-of-breed solutions for each risk; for SMEs this is not possible. One approach is to consider multi-function security solutions that bundle several capabilities into a single platform. An example of this type of solution is a unified threat management (UTM) product. In this scenario, a single product could provide firewall, antivirus, data leakage prevention, content filtering and anti-spam. This reduces the organization's cost and the overhead of managing the solution properly.

Unfortunately, even with all of the layers mentioned above and the right policies and solutions in place, breaches still regularly occur. For example, Yahoo, Home Depot, Target and Dropbox are all recognizable names that have been in the news recently. So what should your company do?

The case for breach analytics

Investigating and responding to breaches is time consuming and costly, and can involve reputational risk and/or loss of intellectual property that threatens your business. The average time an attacker is in your environment after a breach is 259 days. Bringing in outside cybersecurity firms to investigate breaches can cost on average either $400 per hour or $10,000 per machine. Breach analytics solutions combine attack detection with incident response capabilities to quickly identify breaches, scope the problem and reduce attacker dwell time. They function as a system of record for all network activity, accelerating investigations and reducing both their time and their cost. Breach analytics solutions provide total visibility of your network, aiding all layers of the defence in depth model. When one of the layers in the defence in depth model fails, breach analytics solutions provide the information needed to contain, eradicate and recover from malicious activity.
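To make the "system of record" idea concrete, here is a small added example (not code from the article or from any vendor's product) of what a breach analytics workflow computes once connection logs are kept centrally: which internal hosts contacted a known-bad destination, when the first contact happened, how long the attacker was inside before detection (the dwell time the article refers to), whether the contacts look like automated beaconing, and which internal systems the affected hosts talked to afterwards and so belong in the containment scope. Every log line, address and timestamp is constructed; 203.0.113.77 is a documentation (TEST-NET) address standing in for an indicator received from an outside party, and the assumption that 10.0.0.0/8 is the office LAN is the demo's own.

```python
"""Scope a breach from a network 'system of record' (constructed demo data).

Added example, not from the article. Everything below is constructed:
the flow log, the indicator address (a TEST-NET address) and the
detection time.
"""
from datetime import datetime, timedelta

# Constructed connection log: timestamp, src, dst, dst_port, bytes_out
FLOW_LOG = """\
2016-01-04T09:12:01Z 10.0.1.15 203.0.113.77 443 1820
2016-01-04T09:42:03Z 10.0.1.15 203.0.113.77 443 1795
2016-01-04T10:12:00Z 10.0.1.15 203.0.113.77 443 1801
2016-01-05T08:30:17Z 10.0.1.22 203.0.113.77 443 950
2016-01-05T11:00:05Z 10.0.1.15 10.0.2.40 445 52000000
2016-01-09T14:20:44Z 10.0.1.22 203.0.113.77 443 1003
2016-02-02T16:45:10Z 10.0.1.15 198.51.100.9 443 312000
"""

BAD_DESTINATIONS = {"203.0.113.77"}              # constructed indicator
DETECTED_AT = datetime(2016, 2, 3, 9, 0, 0)      # constructed: when the indicator reached us
INTERNAL_PREFIX = "10."                           # assumption: 10/8 is the office LAN


def parse_flows(text):
    """Parse the whitespace-separated log into dicts with real datetimes."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def scope_breach(flows, bad_dsts, detected_at):
    """Which internal hosts contacted the indicator, when, and how long the
    attacker was inside before anyone noticed (dwell time)."""
    hosts = {}
    for f in flows:
        if f["dst"] in bad_dsts:
            h = hosts.setdefault(f["src"], {"first": f["ts"], "last": f["ts"], "contacts": 0})
            h["first"] = min(h["first"], f["ts"])
            h["last"] = max(h["last"], f["ts"])
            h["contacts"] += 1
    earliest = min((h["first"] for h in hosts.values()), default=None)
    dwell = detected_at - earliest if earliest else timedelta(0)
    return hosts, dwell


def lateral_movement(flows, compromised, since):
    """Internal-to-internal connections from compromised hosts after first
    contact: candidates to add to the containment scope."""
    return [(f["src"], f["dst"], f["port"], f["bytes"]) for f in flows
            if f["src"] in compromised and f["dst"].startswith(INTERNAL_PREFIX)
            and f["ts"] >= since]


def beacon_interval(flows, src, dst):
    """Median seconds between repeated contacts; a stable interval is the
    classic sign of automated malware check-ins rather than human browsing."""
    times = sorted(f["ts"] for f in flows if f["src"] == src and f["dst"] == dst)
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2] if gaps else None


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    hosts, dwell = scope_breach(flows, BAD_DESTINATIONS, DETECTED_AT)
    print(f"dwell time before detection: {dwell.days} days")
    for host, info in hosts.items():
        print(f"{host}: {info['contacts']} contacts, first {info['first']}, "
              f"beacon ~{beacon_interval(flows, host, '203.0.113.77')} s")
    earliest = min(h["first"] for h in hosts.values())
    for src, dst, port, nbytes in lateral_movement(flows, set(hosts), earliest):
        print(f"lateral: {src} -> {dst}:{port} ({nbytes} bytes) -- add {dst} to scope")
```

Without the retained log, the team would know only that one host is compromised today; with it, the same indicator answers how long the problem has existed, that a second host was also affected, that the check-ins arrived on a roughly 30-minute schedule, and that a file server received a large internal transfer from the first host and needs to be included in the lockdown.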

Plan for the worst

The last layer of a comprehensive defence in depth system includes planning for the possibility that all other layers fail. A disaster recovery plan ensures business continuity when disaster strikes. Having offsite backups is essential, but knowing how to recover data from them and how long it will take is just as important. The recent ransomware attack at Hollywood Presbyterian Hospital, which took two weeks and a $17,000 ransom to resolve, was a wake-up call to many. Just a month after that attack, two Prime Healthcare Services hospitals in California confirmed they paid no ransom after being targeted with ransomware. The takeaway from both of these scenarios is that a plan needs to be in place before disaster strikes. Lock down, isolate, eradicate and recover are the basic steps when an intrusion occurs. Each company must plan for how this will work for its unique systems.
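The point that knowing how to recover, and how long it takes, matters as much as having the backup can be turned into a routine drill. The following is an added example (not from the article) of such a drill in Python: it archives a directory with a SHA-256 manifest, restores it into a fresh location while refusing archive entries that would escape that location, checks every restored file against the manifest, times the whole restore against a recovery time objective, and then deliberately damages one restored file to confirm the verification step actually catches corruption. The sample files, directory layout and the 60-second RTO are constructed for the demo; pointing make_backup and restore_and_verify at a copy of a real backup gives the real numbers a recovery plan should be built on.

```python
"""Backup restore drill: prove an offsite backup restores, that the restored
files are intact, and how long the restore takes against a recovery target.

Added example, not from the article. SAMPLE_FILES and the RTO are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

SAMPLE_FILES = {  # constructed stand-ins for a business's data
    "invoices/2016-01.csv": b"id,customer,amount\n1,acme,120.00\n",
    "hr/policy.txt": b"Acceptable use policy v3\n",
    "config/app.ini": b"[db]\nhost=db.internal\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_path):
    """Archive every file under source_dir and write a SHA-256 manifest beside
    the archive. In practice keep the manifest apart from the archive (ideally
    offline), so ransomware that reaches the backup cannot also rewrite the hashes."""
    source_dir = Path(source_dir)
    manifest = {p.relative_to(source_dir).as_posix(): sha256_file(p)
                for p in sorted(source_dir.rglob("*")) if p.is_file()}
    with tarfile.open(str(backup_path), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(source_dir / rel), arcname=rel)
    manifest_path = Path(str(backup_path) + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest_path


def safe_members(tar, dest):
    """Yield archive members whose resolved path stays inside dest; a damaged or
    tampered archive with '../' entries must not overwrite files elsewhere."""
    dest = Path(dest).resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"refusing to extract outside restore dir: {member.name}")
        yield member


def verify_restore(manifest_path, restore_dir):
    """Relative paths whose restored content does not match the manifest."""
    manifest = json.loads(Path(manifest_path).read_text())
    return [rel for rel, digest in manifest.items()
            if not (Path(restore_dir) / rel).is_file()
            or sha256_file(Path(restore_dir) / rel) != digest]


def restore_and_verify(backup_path, manifest_path, restore_dir, rto_seconds):
    """Restore, verify and time the whole thing; the measured restore time is
    the number the disaster recovery plan has to be built around."""
    start = time.monotonic()
    Path(restore_dir).mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(backup_path), "r:gz") as tar:
        tar.extractall(str(restore_dir), members=safe_members(tar, restore_dir))
    mismatched = verify_restore(manifest_path, restore_dir)
    elapsed = time.monotonic() - start
    return {"files": len(json.loads(Path(manifest_path).read_text())),
            "mismatched": mismatched, "elapsed_s": elapsed,
            "within_rto": elapsed <= rto_seconds}


def run_drill(rto_seconds=60.0):
    """End-to-end drill on the constructed data, then a deliberately damaged
    restore to confirm the verification step really catches corruption."""
    with tempfile.TemporaryDirectory() as work:
        live, offsite, restored = (Path(work) / n for n in ("live", "offsite", "restored"))
        for rel, data in SAMPLE_FILES.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)
        offsite.mkdir()
        backup = offsite / "backup.tar.gz"
        manifest = make_backup(live, backup)
        report = restore_and_verify(backup, manifest, restored, rto_seconds)
        (restored / "hr/policy.txt").write_bytes(b"garbage")  # simulate bit rot / partial copy
        report["after_corruption"] = verify_restore(manifest, restored)
        return report


if __name__ == "__main__":
    r = run_drill()
    print(f"{r['files']} files restored in {r['elapsed_s']:.3f}s, "
          f"within RTO: {r['within_rto']}, mismatched: {r['mismatched']}")
    print(f"after simulated corruption, verification flags: {r['after_corruption']}")
```

Run on a schedule, a drill like this answers the two questions the article raises before an incident forces them: the backup does restore, and it restores within the time the business can tolerate. A restore that finishes but fails the manifest check is treated as a failed backup, which is exactly the case a ransomware incident would otherwise reveal too late.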

Bringing it all together

The defence in depth mindset takes all of these distinct layers into account and evolves as threats evolve. The average time before a hack gets detected is dropping, but it is still measured in months, not days. No business, however small or large, can afford that kind of exposure. Setting up a comprehensive, layer-rich cybersecurity defence strategy may be the difference between the survival and failure of your business.


Robert Huber
Robert Huber is Chief Security and Strategy Officer at Eastwind Networks. Huber has more than 20 years of experience in critical infrastructure security, the financial industry and defence. His previous positions include vice president at iSIGHT Partners, co-founder and president of Critical Intelligence, senior cyber intelligence analyst at Lockheed Martin and vice president and chief security architect manager at JPMorgan Chase. He is also in the Air National Guard, where he serves in a network warfare squadron.