How SMBs can bring their security testing on par with larger enterprises
What are the challenges of securing small and medium-sized enterprises vs. larger ones? And how can automated, continuous security testing help shrink the gap?
When studying the differences between cyber security for small and medium sized enterprises (SMEs) and larger enterprises, several components factor into how securing SMEs is different. Here’s a breakdown.
Business hour coverage
To monitor systems for suspicious activity, larger enterprises have security operations teams working in shifts 24×7. At best, SMEs may have business-hour coverage. Alternatively, some may choose to offload IT security-related work to a managed security service provider, or MSSP, who in turn can provide 24×7 coverage.
The central problem with utilizing MSSPs is that they are usually not as intimately familiar with the organization’s infrastructure and security solutions. They therefore may not be able to provide insights into an organization’s security posture, advising where in the infrastructure they may have weak spots that need to be fixed.
MSSPs may provide managed detection and response, identity and access management or threat alerting and remediation services. More often than not, however, an attack must take place before they come into the picture to assess the effectiveness of an SME’s myriad security controls, rather than performing security testing in advance to proactively reduce the company’s attack surface.
Greater exposure to supply chain attacks
SMEs outsource a lot. Their natural inclination to contract out numerous activities to agencies, consultants and offshore firms translates into greater exposure to supply chain attacks. These are carried out through access to resources like IT ticketing sites and partner portals, as well as collaboration tools (e.g. shared spreadsheets) to which both the SME and supplier have access. Should one of these shared collaboration tools or portals be poisoned with a malware infection link, this could spell disaster for the SME, and even put it out of business.
Case in point is a recent campaign of the ransomware-as-a-service called Sodinokibi, whose threat actors devised an effective way to spread across business networks. By first hacking into MSP networks and then locating client workstations that can be accessed over the Remote Desktop Protocol (RDP) used by support personnel for remote assistance, the attackers were able to install the Sodi ransomware on numerous client organizations’ workstations. Another recent example involves a group called TortoiseShell, which breached 11 IT providers with the aim of compromising their clients.
The Target breach is one of the most prominent to arise from a supply chain attack, launched by a threat actor who used the compromised network access credentials of the retail giant’s refrigeration, heating and air conditioning (HVAC) subcontractor. Target ended up paying $18.5 million in a settlement after 41 million of the company’s payment cards were compromised.
Fragmented security control visibility
According to a recent SANS Institute poll, two thirds of organizations (65%) have 10 to 20 security products deployed, while just over a quarter (27%) have 20 to 60 security products implemented. To manage a distributed security framework, organizations use security information and event management tools (SIEMs) to monitor and prioritize alerts, and the more advanced ones may be using security orchestration, automation and response tools (SOAR) as well.
The first challenge for SMEs is to invest in unifying and increasing their security visibility and incident response through such solutions. But more importantly, maintaining these solutions with the appropriate configuration and prioritization may be a challenge for them, as would monitoring them on an ongoing basis by the appropriate personnel to ensure that high-urgency alerts are followed up on in a timely manner.
Limited need to undergo compliance audits
According to their industry and the geos in which they operate, some SMEs may need to comply with regulations such as PCI DSS, SOX, GDPR and HIPAA. Whereas the ability of a company to pass compliance audits does not guarantee the effectiveness of its security program, it does tend to ensure that a minimum of security controls have been implemented.
These may include allowing only authorized users to access certain data (as in GDPR), a requirement to encrypt sensitive records (as in PCI DSS, NY DFS) or even the mandate to use multi-factor authentication when performing certain actions (EPCS) or accessing networks and databases harboring payment information (PCI DSS). Some regulations also require periodic pen tests, which further provide guidance to companies on how they can improve their cyber defenses.
Without these regulatory pressures, some SMEs may be reluctant to invest in security solutions, increasing their exposure to cyber attacks.
Automated security testing – The great equalizer
With continuous, automated security testing, SMEs can start to gain enterprise-grade security. Why? Because it’s not about how much you spend on security. It’s all about how effective your security is. And the only wait to ascertain the effectiveness of your security is to put it to the test.
Can it handle a ransomware attack perpetrated through unsafe browsing habits? Will your controls alert you of Trojan-like maneuvers performed on your endpoints? If a system in your network is compromised, how far will a potential attacker be able to move laterally?
Automated security testing, using breach and attack simulation tools, removes the guesswork and speculation around your security posture. These kinds of tools safely simulate a plethora of common types of attacks, while providing insights into where your gaps lie, and what mitigative steps you can take to fix them.
The automation behind these tools provide you with enterprise-grade benefits, such as:
- Automated penetration testing to challenge your controls
- Round-the-clock assessments, reporting and alerting
- KPI metrics such as exposure score and benchmarking against industry peers
- Comprehensive mitigation guidelines
- Supply-chain touchpoint security testing (email, browsing, apps)
- Visibility into where your security risk is highest, so you can prioritize remediation accordingly
- Testing defenses against the latest immediate threats
- Enhanced blue and red teaming through customizable, full kill chain attack simulations
In sum, larger enterprises may have the wherewithal to have and do it all. But, as an SME, you can quickly step up your posture, not by buying more security, but by continually ensuring that your security works.
Breach and attack simulation tools are a gamechanger in terms of how fast organizations can get security reports and how much they have to pay for them. To explore attack simulation firsthand, get started here.