In part one of our series on cyber hygiene, we explore the fundamentals that can help businesses understand where they're vulnerable and how to protect their networks from cyberattacks and breaches.
No doubt you've got a lot on your plate running a business: keeping productivity and output on track, monitoring expenses and sales, managing employees, maintaining customer service and so on. As such, you may not be as aware of cybersecurity fundamentals – what those in the industry often call "cyber hygiene" – as you should be. Leaders of small businesses might even be wondering, "Why would my business be hacked? It's not big enough to attract hackers' attention."
Fear not; the Tenable team has you covered. In part one of our series, we'll explore why cyber hygiene is so important and dig into essential practices for establishing it.
Understanding your vulnerability risk
For starters, it's important to define vulnerabilities. The term "vulnerability" isn't synonymous with "malware" or "virus": It simply means any weakness within your network that can be exploited. Vulnerabilities can be errors in application coding, unpatched flaws in the operating systems of hosts on the network, devices on the network with insufficient security measures or other complications. (Malware and other cyberthreats often enter networks because of vulnerabilities; they are not vulnerabilities in and of themselves.) Recognizing what these weaknesses are is the first step toward establishing cyber hygiene.
Another principle to keep in mind is that business size or level of renown doesn't necessarily matter: Research from the Ponemon Institute found that 66% of small- or medium-sized businesses (SMBs) experienced at least one cyberattack in FY 2019, while 63% underwent a data breach.[1] This illustrates an important distinction: Even if you aren't specifically targeted by ransomware or a banking trojan, a data breach can still occur as the result of an underlying vulnerability somewhere on your network. Even if the vulnerability is not exploited, the fact that it can be is dangerous enough. You might even bear the brunt of a cyberattack without being its main target: This happens with self-propagating botnet attacks that seize onto every accessible network in their path and wreak havoc indiscriminately, as well as hacks that use your business as a springboard to a bigger target (if, say, you supply materials to an enterprise-scale company).
Additionally, it's been found that cyberattackers go after SMBs because they consider them easier targets. An April 2020 study by Infrascale reported that 46% of small businesses were specifically hit with ransomware, and 73% of these organizations paid the money demanded of them.[2] While a large-scale ransomware attack on a major corporation could certainly net hackers a big payday, it's simpler to pursue many smaller targets: From an attacker's point of view, they're more likely to get paid and less likely to be caught or stopped with the latter approach.
Defining "shadow IT" and your attack surface
Once you understand the need for constant vigilance, the next step toward cyber hygiene is to develop full awareness of your network. Begin by inventorying all hosts and devices connected to your network.[3] Pay specific attention to devices that aren't company-issued: Personal computers, smartphones and tablets may not include the same protections as their organization-provided counterparts, and thus represent a significant risk – they're often called "rogue IT" or "shadow IT." Prioritize network assets according to greatest risk, paying closest attention to those with personal information of customers, employees or suppliers as well as any that contain PCI-protected credit card data, health information under the umbrella of HIPAA and any other data covered by regulations relevant to your business.
Similarly, you must make yourself aware of all applications running on the network. Unauthorized, unknown applications are always a major red flag, but so are apps that haven't been updated in a while: The latter can be just as dangerous as the former, due to their higher likelihood of featuring unpatched vulnerabilities. Once you catalog all vulnerable elements of the network, you will have a fuller understanding of your attack surface.
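The two inventory steps above (hosts and devices, then applications) can be turned into a simple prioritization routine. The following is an added example written for this article, not Tenable's code or any particular product's output format; the asset list, the data-class weights and the 90-day "stale application" threshold are all constructed assumptions, and the fixed "today" date only keeps the result reproducible. It flags shadow IT, unauthorized apps and apps that haven't been updated recently, then ranks assets so the ones holding regulated data and carrying the most weaknesses come first.

```python
"""Asset and application inventory triage (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2020, 9, 1)   # fixed reference date so the ranking is reproducible
STALE_DAYS = 90            # assumed threshold: an app untouched this long is "stale"

# Assumed weights: regulated data (PCI, HIPAA/PHI) outranks general personal data.
DATA_WEIGHT = {"pci": 5, "phi": 5, "pii": 3}


@dataclass
class Asset:
    hostname: str
    owner: str                                  # "company" or "personal"
    data: set = field(default_factory=set)      # data classes held: "pii", "pci", "phi"
    apps: dict = field(default_factory=dict)    # app name -> (authorized, last_update)


def is_shadow_it(asset: Asset) -> bool:
    """Anything not company-issued counts as rogue/shadow IT."""
    return asset.owner != "company"


def unauthorized_apps(asset: Asset) -> list:
    return sorted(name for name, (auth, _) in asset.apps.items() if not auth)


def stale_apps(asset: Asset, today: date = TODAY) -> list:
    """Apps whose last update is older than STALE_DAYS."""
    return sorted(name for name, (_, updated) in asset.apps.items()
                  if (today - updated).days > STALE_DAYS)


def risk_score(asset: Asset, today: date = TODAY) -> int:
    """Additive score: data sensitivity, ownership, and application hygiene."""
    score = sum(DATA_WEIGHT.get(d, 1) for d in asset.data)
    if is_shadow_it(asset):
        score += 4
    score += 3 * len(unauthorized_apps(asset))
    score += 2 * len(stale_apps(asset, today))
    return score


def prioritize(assets: list, today: date = TODAY) -> list:
    """Highest risk first; hostname breaks ties so output is stable."""
    return sorted(assets, key=lambda a: (-risk_score(a, today), a.hostname))


# Constructed sample inventory (hostnames and apps are fictional).
SAMPLE = [
    Asset("pos-01", "company", {"pci"},
          {"pos-suite": (True, date(2020, 8, 20))}),
    Asset("ceo-ipad", "personal", {"pii"},
          {"mail": (True, date(2020, 1, 5)), "freevpn": (False, date(2020, 6, 1))}),
    Asset("file-srv", "company", {"pii", "phi"},
          {"smb": (True, date(2020, 2, 1))}),
    Asset("kiosk", "company", set(),
          {"browser": (True, date(2020, 8, 30))}),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        print(f"{a.hostname:10} score={risk_score(a):2} shadow={is_shadow_it(a)} "
              f"unauthorized={unauthorized_apps(a)} stale={stale_apps(a)}")
```

In this constructed data the personally owned tablet ends up at the top even though it holds less regulated data than the file server, because an unauthorized VPN client and two stale apps on an unmanaged device add up; that is the point of scoring hygiene alongside data sensitivity rather than either one alone.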
Implementing fundamental cybersecurity protections
Now that you know what can be vulnerable, it's time to look at what is vulnerable, starting with the use of vulnerability scanning solutions. Such tools will pinpoint specific vulnerabilities, wherever in your network they may be. Many of them can be easily addressed by downloading and installing the latest patches from manufacturers. (Leaving known vulnerabilities within your network unpatched for any length of time opens your organization to serious risk, which only increases as time passes. A significant number of organizations do nothing upon learning of unpatched vulnerabilities – not a habit you want to mimic.)
Other vulnerabilities may require you to delete excessively compromised applications and replace them with similar, non-vulnerable programs. Alternatively, you might need to get rid of host computers or devices with unsupported software or operating systems that are too outdated to be worth the trouble of patching. While these application or device removals might not be simple processes, you can't ignore their necessity if your scan determines that they're the sources of critical vulnerabilities.
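The two paragraphs above describe three outcomes for a scan finding (patch it, replace the application, or retire the host) and note that risk grows the longer a known flaw stays unpatched. The following added example, written for this article and not taken from Tenable or any scanner, encodes that decision and weights each finding's severity by how many months it has been publicly known. The finding records, field names, severity weights and dates are constructed assumptions; a real scanner export would carry its own schema.

```python
"""Scan-finding triage (added example; constructed findings, not scanner output)."""
from datetime import date

TODAY = date(2020, 9, 1)                                   # fixed for reproducibility
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed weights


def age_days(finding: dict, today: date = TODAY) -> int:
    """Days since the weakness became publicly known."""
    return (today - finding["published"]).days


def recommend(finding: dict) -> str:
    """Map a finding to the remediation the article describes."""
    if not finding["os_supported"]:
        return "retire or replace host (unsupported OS)"
    if finding["patch_available"]:
        return "apply vendor patch"
    return "remove application and replace with a supported one"


def urgency(finding: dict, today: date = TODAY) -> int:
    """Severity weight multiplied by (1 + whole months the flaw has been known)."""
    return SEVERITY[finding["severity"]] * (1 + age_days(finding, today) // 30)


def triage(findings: list, today: date = TODAY) -> list:
    """Return (urgency, host, issue, action) rows, most urgent first."""
    rows = [(urgency(f, today), f["host"], f["issue"], recommend(f)) for f in findings]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


# Constructed sample findings (fictional hosts and issues).
FINDINGS = [
    {"host": "file-srv", "issue": "file-sharing service missing vendor patch",
     "severity": "critical", "published": date(2020, 3, 10),
     "patch_available": True, "os_supported": True},
    {"host": "kiosk", "issue": "operating system past end of support",
     "severity": "high", "published": date(2020, 5, 5),
     "patch_available": False, "os_supported": False},
    {"host": "ceo-ipad", "issue": "outdated third-party VPN client",
     "severity": "medium", "published": date(2020, 8, 15),
     "patch_available": False, "os_supported": True},
    {"host": "pos-01", "issue": "point-of-sale suite one version behind",
     "severity": "low", "published": date(2020, 6, 20),
     "patch_available": True, "os_supported": True},
]

if __name__ == "__main__":
    for score, host, issue, action in triage(FINDINGS):
        print(f"[{score:2}] {host:9} {issue}: {action}")
```

Weighting by age is deliberate: a critical flaw that has been public for half a year outranks a newer one of the same severity, because the longer a fix has existed, the less excuse there is for the gap and the more likely it is to be exploited opportunistically.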
Eliminating definite or potential threats is only half of the battle, of course – you also have to reduce your chances of future exposure. If you're not already using anti-malware tools and firewalls, implement them immediately[4] (ideally in the most up-to-date iterations you can find, like next-gen virtual or hardware-based firewalls). Beyond that, you'll want to encourage better cyber hygiene throughout your organization by training your employees and establishing a cybersecurity policy that all employees must follow, detailing not only what solutions should be used but also best practices like creating smart passwords (with random character combinations) and spotting phishing emails (noticing suspicious-looking requests to click links or open attachments, and so on).
If you're unsure how to create this policy on your own, the FCC's Cyberplanner tool is a great place to start. Also, if handling all of these issues on your own is untenable, you can turn to cybersecurity consultants or managed services providers, but be sure to check the service-level agreement you sign with either of those parties to know exactly what they'll offer you and what you're expected to cover yourself.
Next steps
All of the practices noted above are very valuable for protecting your business from cyberattacks and breaches, but they're ultimately the basics. True minimization of your attack surface may require more precise actions, which we'll examine closely in part two of this series.
1. Ponemon Institute, "2019 Global State of Cybersecurity in Small and Medium-Sized Businesses," October 2019
2. Infrascale, "Infrascale Survey Reveals Close to Half of SMBs Have Been Ransomware Attack Targets," April 21, 2020
3. CISA, "Cyber Essentials," Aug. 17, 2020
4. Carnegie Mellon University, "Cyber Hygiene: A Baseline Set of Practices"