
Getting The Basics Right

Getting the basics right can help organisations of any size ensure that the fundamentals are in order, so where should we start?

It’s common to hear people say that there’s no such thing as a 100% secure environment. That may well be true, but it doesn’t mean we shouldn’t try to build environments that are as secure as reasonably possible. The problem is that there are so many areas of security to focus on, and generally too few hours in the week and too few pounds in the budget to cover everything we’d like to.

This is especially true for SMEs, which often have smaller teams and limited budgets; trying to do more with less is an uphill struggle for a lot of businesses. So where should we start?

Understand Your Assets

Understanding what assets are present within the environment is imperative; it is very difficult to securely manage devices if nobody knows that they exist.

As a general rule, most organisations have a reasonable understanding of which laptops are provisioned, as well as of their commonly used servers, but niche devices (printers, building-access controllers, lab equipment, long-forgotten test boxes) are often overlooked and, over time, can be left in a state that puts the entire organisation at risk. A periodic network discovery scan compared against the asset register is the simplest way to find out what nobody knows about.

Understand Your Software

The same logic applies to software. Patching has been a major problem for organisations for decades; the issue has been well addressed by Microsoft’s WSUS and by various third-party patch management products, but there are often still significant gaps in many organisations’ patch policies.

In practice, most businesses are able to ensure that the operating systems of most devices are updated most of the time. Common software used throughout the organisation is also usually kept in good order; where things typically fall down is with niche systems and software used by specific teams, which tend to sit outside WSUS and the standard patch tooling and so never get updated unless somebody remembers to do it by hand.
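The two checks described in the Assets and Software sections above, as an added worked example (this script was written for this edit; it is not the author’s tooling or any vendor’s product): a small Python script that reconciles a discovery-scan export against the asset register, and then checks a software inventory against an assumed patch policy so that unmanaged, niche software stands out. The CSV layouts, field names, thresholds and every row of data are constructed for the example.

```python
"""
Reconcile a network discovery export against the asset register and the
patch policy. Added example, not code from the original post; the CSV
formats, field names and thresholds are assumptions, and all data below is
constructed for the demonstration.
"""
import csv
import io
from datetime import date

# Constructed: what a discovery scan found on the network.
DISCOVERED_CSV = """ip,hostname,os,open_ports
10.0.1.10,fs01,Windows Server 2019,445;3389
10.0.1.11,web01,Ubuntu 22.04,22;80;443
10.0.1.50,,unknown,23;80
10.0.2.7,badge-ctl,embedded linux,23;80
"""

# Constructed: the asset register the IT team maintains by hand.
ASSET_REGISTER_CSV = """ip,hostname,owner,patch_group
10.0.1.10,fs01,IT,wsus-servers
10.0.1.11,web01,DevOps,apt-unattended
10.0.1.12,db01,IT,wsus-servers
"""

# Constructed: software inventory from the managed hosts. `managed` says
# whether the package is updated by WSUS or another patch tool.
SOFTWARE_CSV = """host,name,version,managed,last_patched
fs01,Microsoft Windows Server 2019,10.0.17763,yes,2024-05-14
fs01,Adobe Acrobat Reader,11.0.23,no,2022-03-01
web01,openssl,3.0.2,yes,2024-05-20
web01,lab-plc-config-tool,2.4,no,2021-11-09
"""

# Assumed policy: maximum age in days of the most recent patch per patch
# group, plus a separate ceiling for software that no tool is looking after.
MAX_PATCH_AGE_DAYS = {"wsus-servers": 30, "apt-unattended": 14}
UNMANAGED_MAX_AGE_DAYS = 90
LEGACY_PORTS = {"23": "telnet", "21": "ftp"}  # cleartext services worth a look


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_unregistered_hosts(discovered, register):
    """Hosts that answered on the network but are not in the register at all."""
    known = {row["ip"] for row in register}
    return [row for row in discovered if row["ip"] not in known]


def find_missing_hosts(discovered, register):
    """Registered hosts the scan did not see: decommissioned, or a scan blind spot."""
    seen = {row["ip"] for row in discovered}
    return [row for row in register if row["ip"] not in seen]


def legacy_services(host):
    """Names of cleartext legacy services exposed by a discovered host."""
    return [LEGACY_PORTS[p] for p in host["open_ports"].split(";") if p in LEGACY_PORTS]


def find_stale_software(software, register, today):
    """Packages whose last patch is older than policy allows.

    Managed packages inherit the cadence of their host's patch group; unmanaged
    ones (the niche software the text describes) get UNMANAGED_MAX_AGE_DAYS.
    Returns (host, name, age_in_days, managed) tuples.
    """
    group_by_host = {row["hostname"]: row["patch_group"] for row in register}
    stale = []
    for pkg in software:
        age = (today - date.fromisoformat(pkg["last_patched"])).days
        managed = pkg["managed"].lower() == "yes"
        if managed:
            limit = MAX_PATCH_AGE_DAYS.get(group_by_host.get(pkg["host"], ""), 0)
        else:
            limit = UNMANAGED_MAX_AGE_DAYS
        if age > limit:
            stale.append((pkg["host"], pkg["name"], age, managed))
    return stale


def build_report(today_iso):
    """Run all three checks as of the given ISO date and return the findings."""
    today = date.fromisoformat(today_iso)
    discovered = parse_csv(DISCOVERED_CSV)
    register = parse_csv(ASSET_REGISTER_CSV)
    software = parse_csv(SOFTWARE_CSV)
    return {
        "unregistered": [(h["ip"], h["hostname"] or "?", legacy_services(h))
                         for h in find_unregistered_hosts(discovered, register)],
        "missing": [h["ip"] for h in find_missing_hosts(discovered, register)],
        "stale": find_stale_software(software, register, today),
    }


if __name__ == "__main__":
    report = build_report("2024-06-01")
    for ip, name, legacy in report["unregistered"]:
        print(f"UNREGISTERED {ip} ({name}) legacy services: {legacy or 'none'}")
    for ip in report["missing"]:
        print(f"NOT SEEN     {ip} is in the register but did not answer")
    for host, name, age, managed in report["stale"]:
        tag = "managed" if managed else "UNMANAGED"
        print(f"STALE        {host}: {name} last patched {age} days ago ({tag})")
```

On the constructed data the script flags two hosts nobody registered (one of them a nameless box with telnet open), one registered server the scan never saw, and two unmanaged packages that have gone years without a patch while the operating systems around them are current. In a real environment the discovery export would come from your scanner and the register from your CMDB, but the reconciliation logic is the same: the interesting findings are always in the differences between the lists, not in the lists themselves.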

One of the key benefits of penetration testing is assurance. Providing an organisation with a list of vulnerabilities and misconfigurations can be extremely useful, but even a report with relatively few findings provides assurance that the team has things under control.

Regular penetration testing can help organisations to identify assets and software that are not being managed correctly and may constitute a threat to the organisation.

Train Users

One of the most common causes of compromise is social engineering(1). Ensuring that users are aware of common attack techniques like phishing, and understand what a complex, targeted phishing attack can look like, helps provide a secure ‘first line of defence’. One of the most difficult aspects of user training is that it is often seen as a burden: educational videos are one more thing to fit into someone’s (already busy) day. Selectively training users who are more likely to be specifically targeted in spear-phishing or whaling attacks, such as directors or gatekeepers like executive assistants, can bolster the defences of the entire organisation.

Social engineering doesn’t stop at phishing, however; physical security is an important aspect of cyber defence. In the past, many organisations dismissed physical security, but these attitudes seem to be slowly changing(2).

VIP cyber security training for the users most likely to be targeted by social engineering campaigns can be a great option for increasing the security of the entire organisation.

Engage With Senior Management

When discussing cyber security services with customers, one of the most difficult barriers to overcome is simply the internal battle within an organisation to get security taken seriously.

In some cases senior management still see cyber security as a ‘nice to have’ rather than a necessity of doing business in the modern world.

It can be difficult to show a clear ROI for cyber security services in general and penetration testing in particular; however, the importance cannot be overstated. A US study showed that approximately 60 percent of small firms go out of business within six months of a data breach(3).

Regular penetration testing can often open up additional business opportunities; it is a common requirement for compliance and increasingly forms part of supplier due diligence processes.

