Identifying SMB cybersecurity weaknesses turns out to be easier than having the know-how to fix them. Can a new class of advice software plug the gap?

By John E. Dunn

SMB-Cybersecurity-BannerNo single cybercrime phenomenon better encapsulates what has happened to small and medium business (SMB) cybersecurity in the last decade than industrial ransomware.

Originally targeting consumers, at some point the crime groups that crafted these attacks made an interesting discovery – as well as poorly-defended home users, their malware was catching out a lot of SMB-level companies. Some of these even had IT teams and security budgets.

These companies should have been harder targets. In fact, far from being better secured, many of these organizations appeared to be just as susceptible as mom-and-pop stores. For cybercriminals, it was a critical pivot that led eventually to the doors of even the biggest enterprises in the land. The size of an organization, apparently, told you little about either its vulnerability or its willingness to pay.

If a home user might pay $50 to get their data back, perhaps an SMB would pay $250 or $2,500. How about $10,000 or $100,000? Perhaps there wasn’t a limit at all, and you could just make up a figure. Smaller companies were interesting, though, because while they valued their data every bit as much as a larger enterprise, they had no plan B if it was scrambled or stolen. Even backups wouldn’t save them because those often took inconveniently long to reinstate, assuming they worked at all.

The reasons why SMBs have proved so vulnerable to cyberattacks such as ransomware are varied. It’s true that SMBs don’t have staff or resources as larger companies and there has also been a complacent assumption that they wouldn’t be attractive targets because of their size. But there is a technical side to the failure too. SMBs have relied on the same vulnerable applications as everyone else but without the same resources to implement mitigations and fixes.

What’s extraordinary is despite all this hard-won learning, smaller companies today often still struggle with common issues. The blinkers have fallen from their eyes and SMB organizations know they are under attack. And yet a lot of the same issues keep repeating themselves. The question is what they can do about it.

Knowledge Gap

“I’ve done everything from risk and compliance all the way down to pen testing and through that you learn just how broken the digital world is,” said Jamie Akhtar, co-founder and CEO of UK-based SMB assessment company, CyberSmart.

“It’s broken for enterprises because they use 100 different products. But it’s broken for SMBs for very different reasons. What we set out to do with CyberSmart was to bring everything an SMB needs to know into one place.”

He is scathing about the way the industry sold security to SMBs in the past.

“The anti-virus vendors told people that for $60 a year they would be protected. That was simply not true. Anti-virus is an important technical control but there are so many other aspects to security such as training people and authentication.”

Akhtar’s contention is that the biggest problem SMBs have with securing themselves isn’t knowing what needs fixing but understanding how to apply the fix. He used a basic example of a small customer preparing for certification who was advised to update their iPad for security reasons but confessed they had no idea how to do this.

“We had to literally take them through step by step on how to update an iPad,” Akhtar said.

Some will scoff at this but it’s a microcosm of a problem that reaches across almost every product and software that might be used by a small company. SMBs with an IT person will know how to update an iPad, but would they know how to do the same for more complex products? Or perhaps they would know but wouldn’t realize it was necessary in the first place. Experts constantly tell SMBs to regularly patch or update their systems but it’s not always that simple as hitting an ‘update’ dialog.

CyberSmart’s software is an example of an automated tool that guides SMBs through the tasks they must complete to become secure. It comprises a variety of technical controls designed to make organizations compliant with UK Government and EU certification schemes such as CyberEsentials, CyberEssentials Plus, and GDPR. It also helps reveal common security weaknesses that SMBs struggle to stay on top of, including:

  • Passwords
    They consume valuable time which is why employees are always going to use short examples, and re-use them at every opportunity. Password policy management can mitigate some of this except that designing watertight policies and managing them over time requires a lot of expertise. Credentials remain the biggest shortcut to get behind an organization’s perimeter and attackers will never stop trying to steal them.
  • Authentication
    2FA/MFA is the obvious answer to the password problem except that too can be complex to implement and manage. In most cases, SMBs need pragmatic advice on where and how to implement MFA. The starting place should always be to apply strong MFA for the most privileged users.
  • Employee awareness
    This isn’t as simple as telling workers that phishing attacks are real. They need concrete examples and constant reminding as new types of phishing appear. This includes fatigue attacks on MFA itself.
  • Certification and auditing
    According to Akhtar, certification schemes are a good influence because they give organizations a baseline to aim for by defining what basic cybersecurity looks like. He believes more SMBs in the UK now value these certifications and are investing to attain them. There are also frameworks such as NIST, but these can be demanding and high level.

Penetration Test It

The history of small company cybersecurity has been dominated by two ideas. First, sell SMBs cheaper and slimmed down versions of the same perimeter security products designed for enterprise departmental use. Second, more recently, if an SMB wanted to understand whether this infrastructure was doing its job effectively, they could pay for a penetration test.

It’s a protect-and-assess philosophy that has obvious limitations. Simply installing security doesn’t prove it is working. And if a pen test report tells you it’s not working, you still need the knowledge to both fix it and keep it in that fixed state indefinitely. Again, an area where SMBs traditionally struggle due to a lack of skills, knowledge and dedicated personnel.

The market’s solution has been to offer services, outsourcing the security problem to a managed security services company. The drawback in this model is that it can be expensive. You also hear complaints that managed services can sometimes end up being arm’s length and remote.

Nor is it clear how well managed services cope with the human dimension of cybersecurity. Inevitably, employees make mistakes, re-use credentials when they shouldn’t, or unwisely store sensitive data on a USB stick they drop in a car park. A larger company will survive the consequences of this because they have deeper pockets. An identical incident might sink an SMB.

“We give them a security model such as the NIST Framework without them realizing they’re going through a security model. The first stage is always assessment of people processes and technology,” said Akhtar.

Run a Nessus vulnerability scan and it’ll give you a 60-page report full of CVES and hundreds of recommendations that non-technical people will struggle with. The intention behind SMB tools like CyberSmart is to turn this into a simple set of tick boxes they can work on. As well as patch state, it will analyze the software on a device such as the anti-virus solution, check the status of the firewall, the credentials and privileges each user has, and whether disk encryption is in use.

It's an interesting thought experiment to imagine what state SMBs would be in today if products like this had existed 15 years ago. Most likely, they’d still have been over-complex, requiring the help of expensive trained consultants. Today, SMB cybersecurity must be much simpler and more cost-effective.