3 Key Takeaways: Top Cybersecurity Controls for SMEs in 2023
- Hackers most frequently access networks and systems by exploiting software vulnerabilities and stealing source code. They do not even need to be sophisticated hackers themselves, because a flourishing trade in zero-day vulnerabilities exists on the dark web.
- One of the most effective cybersecurity controls is properly configured multifactor authentication (MFA).
- Relying on a qualified cybersecurity expert—including fractional or virtual CISOs—is a key way SMEs can get the most “bang for their buck” when building an effective cybersecurity program.
NetDiligence® President Mark Greisiger and Sherri Davidoff, Founder and CEO of LMG Security, discussed current threats facing small and medium-sized enterprises (SMEs), and the resources that organizations can use to defend themselves, including cybersecurity controls.
Sherri is also the author or co-author of three books about how to improve cybersecurity, the most recent of which is Ransomware and Cyber Extortion: Response and Prevention (Addison-Wesley Professional, 2022). In addition, she serves on NetDiligence’s Ransomware Advisory Group.
Read excerpts of Mark and Sherri’s conversation (edited for clarity and length) below, and watch the full interview above. It’s part of our continuing series of educational discussions with cyber risk management experts.
MG: Sherri, what’s the number one way you’re seeing hackers break into organizations, and how can SMEs defend against it?
SD: One big way hackers are breaking in has surpassed everything else: exploiting software vulnerabilities. Over the years, we’ve seen technology vendors get hacked over and over again, and have their source code stolen.
When source code is stolen, it’s easier for hackers to find bugs and vulnerabilities in it. Often these cases weren’t reported, and maybe not even detected by the vendors. There’s not necessarily a legal requirement to report the theft. The systemic risk has been going up, and people haven’t even realized it.
Also, on the dark web, we’re seeing more and more marketplaces where hackers create zero-day exploits and sell them for thousands of dollars. Other hackers buy them and use them. So the hackers actually using these exploits don’t necessarily have to be hacking wizards. They’re literally just buying tools other people create.
That’s part of the reason, for example, a zero-day vulnerability in Microsoft Exchange can lead to 30,000 organizations being hacked. We saw the same situation with Rackspace. It’s not going to change. It’s going to continue to be a problem.
MG: We’re seeing a lot of business email compromise (BEC). Obviously, working with the cyber insurance community, ransomware is an issue, but BEC is its close cousin. Often it’s tied to cloud account hacking. How can an SME defend itself?
SD: Typically one of the best, most effective cybersecurity controls is multifactor authentication (MFA). Authentication is how we verify someone’s identity, and we need to be using more than one method. I probably sound like a broken record—I think everybody’s talking about MFA—but this year, we’re seeing hackers level up.
We’re also seeing hackers using MFA bypasses. We saw this in the Uber hack, for example. The hackers actually explained what they did. They said they bombed the employee over and over with lots of prompts until, suddenly, the employee or contractor pushed the button—and the hackers were in.
At LMG, when we conduct “red team” or penetration testing, we see it only takes a couple of attempts before the target says, “OK, fine, I’ll let you in.” It’s a real problem.
Training is a solution. There are also different and special ways to configure MFA so attackers can’t bypass it. You can limit the number of prompts people get, and so on.
MG: I think MFA is a genius cybersecurity control. It’s so easy to get that text message on your mobile device and plug a code in, or use Google Authenticator. It’s not too complex.
SD: I can’t wait until we don’t need passwords at all! I hate passwords. I’ve been waiting 20 years for passwordless authentication, and it’s coming. I can’t wait.
MG: A lot of SMEs don’t have endless buckets of money to improve cybersecurity. How would you say an organization could get the most “bang for its buck” when making an investment in cybersecurity effectiveness?
SD: Cybersecurity starts at the top. You want to prioritize your cybersecurity investments. Nobody needs to spend a bunch of money on something that doesn’t work.
You need access to a qualified cybersecurity expert. We’re starting to see regulators require that banks and other organizations have a single, qualified information security person leading the charge.
Unfortunately, there aren’t enough qualified experts in how to improve cybersecurity out there. This is a “new collar job.” Instead, we’re seeing a rise in fractional Chief Information Security Officers (CISOs) or virtual CISOs. SMEs can tap into that expertise.
You don’t want to be relying only on your IT provider, because often third-party providers may be picking technology because they get fees from it, or maybe it’s simply something they’re familiar with. You want to talk to someone with expertise in strong cybersecurity so you’re properly prioritizing your investments.
Lastly, if you’re looking for a turnkey solution to help your organization adopt an incident response plan—a key element in any framework for improving critical cybersecurity infrastructure—get more information about Breach Plan Connect® from NetDiligence.