SMB: Best security practices

Security spans a wide gamut. While most agree that it’s imperative to keep data and privacy information safe, which SMB security best practices and how exactly organizations go about implementing security protections and to what degree varies wildly from one company to the next. This has everything to do with the unique needs of each enterprise being different and this sets the standard for how SMB security risks are determined, in turn affecting how they go about choosing the best SMB cyber security protections to manage risk effectively.

One thing is certain, regardless of where your security needs take your organization, the fact remains that it all must start at the beginning with the basics. That’s where the foundation lies and that forms the basis for the structure of your security. After all, much like a house, if it’s not built upon a stable foundation, everything that is built upon it will eventually crumble – regardless of the size of your organization or the funding allotted to procuring security technologies.

So, where do we begin? Well, the first step that should be taken before any hardware or software security products are purchased is to determine your organization’s inventory and assess the risk associated with different devices, apps and services. Simply put, without this critical info, how are you to know what needs protecting or how to best protect it, right? Once your organization is armed with these details, only then should you move forward to implementing the proper security solutions to protect your devices, users and data.

Here are 7 foundational steps to take implement to secure devices and safeguard privacy:

1. Implement password requirements

This may seem like a “no brainer” and yet, this remains the most targeted attack vector due to the many weak points. From no passwords at all to those that are easily guessed – obtaining access means gaining a foothold onto all the apps, services and data a user has privileges to.

Requiring complex passwords with an expanded keyspace (such as a minimum character count that stipulates using special characters and cases in addition to letters & numbers) is a good starting point. Making passwords unique and setting a policy that requires it being changed every ninety days means passwords cannot be reused.

Additionally beneficial to data security is that disk encryption that secures data at rest are tied to the user’s account password in many cases. No password = no encryption. In the event of loss or theft, the data contained within the device will be effectively scrambled and not so easily accessible to any unauthorized parties.

2. Install malware protection

This is another one of those no-brainer types. With the continuous rise in malware-related attacks, especially given the migration to remote or hybrid environments, endpoint security is critical to the long-term protection of both data and privacy.

Given how those two facets are largely the crux of what threat actors are looking to gather, the only real choice is a comprehensive security solution that offers real-time monitoring and alerting of detected issues, prevention of malware attacks (like spyware, viruses and their variants, along with analytics-based detection engines for unknown malware types), remediation processes to aid in recovering from compromise and granular reporting, which serves as an invaluable source of information for security admins to thwart future campaigns through identification of weaknesses in the security posture.

3. Keep devices & apps updated

Patch management, or a general lack thereof, accounts for a large percentage of vulnerabilities that ultimately lead to compromise when exploited by malicious actors. While zero-day exploits are a very real threat and one that offers little mitigation recourse until patches or protections are made available, they are also significantly less prevalent in the wild than known threats.

By far, known threats outweigh zero-day threats and best of all, the former is 100% preventable. Take for example a browser app used by all users of your organization to access web-based content, data, apps and services. If that browser has a known update that patches a remote execution vulnerability, by updating your device fleet to this browser’s latest version, each device in your fleet is effectively protected against this potentially severe, high-risk threat.

Now, extrapolate that single app instance to include all of the apps used by your organization: email clients, productivity software, messaging apps and so forth. You’ve now got at least ten (but likely many more) apps that consistently interact with data of all sensitivity levels that could be potential pain points for data leaks and/or compromise whenever a new version of any of your apps is released and not deployed.

4. Develop acceptable usage policies

Acceptable usage policies are a bit of a two-fold issue. On the one hand, they are a completely administrative function developed by management to provide all company stakeholders with rules and expectations for employee use of devices and infrastructure. They can and should also provide alignment with company policies and adherence to industry regulations and possible consequences of violating policies.

The other side to AUPs is the technical representation of adherence to policies established by management and enforced through procedures maintained by IT. For example, in a regulated industry, accessing company data from an unsecured connection may be restricted. The aim of this policy is to inform users that they must sign in to encrypt the connection using Zero Trust Network Access (ZTNA) technology. The enforcement of this policy might look like segmenting access to the app or service unless the ZTNA agent installed on the device has determined that the app is both up to date and successfully able to establish a secure connection before granting access to data.

It’s seamless to the user, enforced by the organization to mitigate exposure to data loss and controlled by a policy that automates the health check and remediation of detected issues each and every time a connection attempt is made.

5. Use the right tools for the right job

Have you ever used a butter knife to open a panel with flat-head screws securing it? It sort of works, but it isn’t a great fit. In some cases, it’s a horrible fit and you only succeed in damaging the screw heads. Case in point, with the security you (the defense) always need to get it right to keep your network protected. The offense, sadly they only need to be right once in order to succeed in breaching your network and compromising data & privacy.

So, you don’t want to trust the overall security and protection of company data & user privacy to a tool that sometimes works. As Luke Skywalker said to Rey in The Last Jedi, “This is not going to go the way you think!” That’s why it is imperative to identify resources and their needs through risk assessment first. Armed with this data, identifying and testing solutions makes it possible to find the right fit for your organizational needs.

The right tools + the correct procedures to minimize risk = a security solution that maximizes security and eliminates threats by providing real-time insight into device health while adding holistic protection against the threats and addresses the needs unique to your organization…not to mention that it makes it easy for IT and Security teams by working with their workflows – not against them.

6. Empower your end-users

IT management strategies have been written about extensively before and maybe found spread across all four corners of the Internet. In the end, what works for your organization will depend almost exclusively on their unique needs. In the past, the road to this was simple: IT creates rules that all users must follow – no exceptions. This method, especially for remote and hybrid work environments, or those that leverage personal device usage programs, like BYOD, often find that this “iron-fisted” approach falls short of the intended goal by underserving users through over management.

A better approach may find organizations protecting their apps, services and data by leveraging modern, flexible technologies alongside the user base. As mentioned previously in the ZTNA vs VPN example, deploying the ZTNA agent may be considered more of a required app, which IT can create a workflow to automatically deploy the agent to all devices upon enrollment within your MDM solution. However, what about a web browser app? With so many choices, some employees may prefer one browser while other users prefer a different one.

Instead of deploying all to a device, making them available via a Self Service portal may be the solution for all users. Making them available within Self Service can help IT to provide choice and flexibility while empowering users to install the app themselves when needed. Additionally, by doing so, app updates occur from one point making patch management painlessly easy for users and IT.

7. Review your procedures regularly

Now that you’ve identified the solutions and processes that work to secure your environment and users, we can trust in automating all these functions and simply kick back, right? Wrong! If technology has taught us anything it’s that it is – in its very nature – dynamic, not static. What policies and procedures in place working today, may not be very well by the case in the future; or maybe it continues to work, but only there are better, more efficient ways of implanting them.

There’s no way to know for sure unless you keep your ear to the ground as it were, or in this case, check the logs from apps and services, periodically reviewing them for important metrics that indicate changes need to take place. By reviewing processes, the organization can get a better idea of not only where it currently stands, but where it might be headed. If it’s a direction you want to go in, say switching over to mobile devices, then this data will help them to make the data-driven decisions to facilitate that endgame. Conversely, if it’s not a direction the organization wishes to take, then corrective actions can be made – also backed by data and metrics – to support the use case for pivoting and how to best go about doing so without wasting resources.

Whatever your vision for the protection of your organization’s data & privacy information, there’s definitely a way to get there. All it takes is vision and a little hard work to achieve it. With a proper security foundation, each phase can continue to build upon the former, adopting a defense-in-depth approach to strengthen each part before and after it, for a fortified, comprehensive solution.

Where your organization will take from there depends on what their needs are and what tools, paired with procedures will work best to serve those needs. But one thing is certain, without a solid foundation, the weaknesses in your defenses will appear soon and unfortunately, will not stop until corrected at the root. Following the guidelines discussed above will help to eliminate many of the headaches involved in going back and retooling, or simply rebuilding it all from step one.