3 Tips to Improve your Security Posture
It was our honour to present at TechFest, run by Canterbury Tech, on the 24th of May 2024. This talk was designed as an introduction to improving your business’s cybersecurity posture. It’s aimed at small to medium businesses who are either unsure of where to start, or are rolling out new systems.
Tip #1: Know your assets
If you don’t know what you’ve got, you can’t make decisions about how to protect it. Start by listing every system you can think of: vendor-managed or vendor-supplied systems, Software-as-a-Service products you use, any hardware in your office, and any servers you run or are responsible for, wherever they are hosted.
Also think about it in terms of your core business functions. What do you use for:
- Sales (CRM, etc)
- Marketing (Newsletter, Website, etc)
- Finance (Accounting)
- Office Admin (Emails, online office suite, file sharing, booking/scheduling, etc)
- Core business systems
Then also think about the physical assets you have:
- Laptops
- Phones
- Networking hardware
With that list in hand, think about the impact on your business if something happened to each of those systems.
CIA
We often think about business impact at a high level in terms of:
- Confidentiality: What would happen if the data in the system were disclosed? Would people’s personal information be exposed? Would you need to disclose the compromise (which is the right thing to do when people’s information is involved)?
- Integrity: What happens if the data is tampered with? For example, does the data represent signed contracts and if those are tampered with, somebody could defraud your company?
- Availability: What happens if the system is unavailable for a minute, an hour, or a day?
Let’s take a couple of examples of these:
- A website: Assume it’s designed to present information about your business to the public and doesn’t hold any sensitive information. Confidentiality: Likely isn’t important. Integrity: Likely is important. It would be reputationally damaging if your website were defaced, especially if you couldn’t fix it quickly. Availability: It won’t end your business if the site goes down for a couple of hours (even if you’d be having words with your hosting provider).
- Point of sale: Assume you’re a retail shop with a point of sale system that doesn’t hold any customer information (which is not always the case). Confidentiality: Moderately important, as it will contain some level of financial reporting. Integrity: Important, as someone who can tamper with the data could tamper with your pricing. Availability: Very important, as without a working point of sale system the shop would struggle to operate.
You could then put this data into a table (1 = low impact, 5 = high impact):
System | Purpose | Confidentiality | Integrity | Availability |
---|---|---|---|---|
Website | Present information about the business. Hosted on X. | 1/5 | 4/5 | 2/5 |
Core System | Hosted software provided by Y. | 5/5 | 4/5 | 5/5 |
VPN | Remote administrative access. Using Z. | 3/5 | 2/5 | 1/5 |
Emails | Using Office365. | 4/5 | 4/5 | 2/5 |
Laptops | Day to day office use. | 2/5 | N/A | 2/5 |
Mobile phones | Remote access for staff. | 2/5 | N/A | 1/5 |
With all of this information in-hand, you can start to make smarter decisions about what’s important to your business.
If you aren’t responsible for a given system, don’t be afraid to ask your vendors. Remember it’s still your data that is in the system!
Tip #2: Keep them up to date
It sounds simple, right? Just turn on automatic updates, and you’re good.
In about 75% of the cybersecurity reviews we do, something hasn’t had security updates applied, and in many breaches a lack of security updates plays a role. If an attacker can identify the software and version you are running, they can look up the known vulnerabilities and use off-the-shelf exploits, which makes their job significantly easier.
In some cases outdated software may not be practically exploitable, but if a serious vulnerability is announced tomorrow and you’re three versions behind, that upgrade becomes a lot riskier and more time consuming than a routine patch would have been.
Automatic updates are a good start, but are people ignoring the prompts? And what about non-PC devices: mobile phones, networking devices, and anything hosting your software (if you’re responsible for it)? Lastly, think about the applications on the computers (PDF readers, office software, etc.) and the components relied upon by the software you use (called the dependencies).
Start with the asset map you made earlier and work through it, also considering any third-party software and dependencies. Begin with the systems that hold the data you most want to protect.
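The two tips so far combine naturally: the CIA table tells you which systems matter most, and the patch status tells you which of them are falling behind. The script below is an added example, not part of the talk, that turns the example table above into a prioritised patching list. It reuses the six rows of the table; the “last security update” dates and the maximum patch age per impact level are constructed assumptions for illustration, not figures from the talk.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    purpose: str
    confidentiality: Optional[int]   # 1 (low impact) to 5 (high impact), None if not applicable
    integrity: Optional[int]
    availability: Optional[int]
    last_security_update: Optional[date]  # None means nobody knows, which is itself a finding


# Assumed policy (not from the talk): the higher the worst-case impact, the
# shorter the acceptable gap between security updates.
MAX_PATCH_AGE_DAYS = {5: 14, 4: 30, 3: 60, 2: 90, 1: 90}


def impact(asset: Asset) -> int:
    """Worst-case rating across C, I and A drives the priority: a 5/5 on any
    one axis is a system the business cannot afford to have compromised."""
    return max(v for v in (asset.confidentiality, asset.integrity, asset.availability)
               if v is not None)


def is_overdue(asset: Asset, today: date) -> bool:
    """Unknown patch status is treated as overdue: you cannot verify what you
    do not know, which is exactly the point of Tip #1."""
    if asset.last_security_update is None:
        return True
    age_days = (today - asset.last_security_update).days
    return age_days > MAX_PATCH_AGE_DAYS[impact(asset)]


def patch_report(assets, today: date):
    """Return (name, impact, overdue) tuples, highest impact first, with
    overdue systems ahead of up-to-date ones within the same impact level."""
    rows = [(a.name, impact(a), is_overdue(a, today)) for a in assets]
    return sorted(rows, key=lambda r: (-r[1], not r[2], r[0]))


# The rows of the table above, with constructed "last security update" dates.
TODAY = date(2024, 5, 24)
SAMPLE_ASSETS = [
    Asset("Website", "Present information about the business. Hosted on X.", 1, 4, 2, date(2024, 3, 1)),
    Asset("Core System", "Hosted software provided by Y.", 5, 4, 5, date(2024, 5, 20)),
    Asset("VPN", "Remote administrative access. Using Z.", 3, 2, 1, None),
    Asset("Emails", "Using Office365.", 4, 4, 2, date(2024, 5, 10)),
    Asset("Laptops", "Day to day office use.", 2, None, 2, date(2024, 4, 1)),
    Asset("Mobile phones", "Remote access for staff.", 2, None, 1, date(2024, 1, 15)),
]

if __name__ == "__main__":
    for name, score, overdue in patch_report(SAMPLE_ASSETS, TODAY):
        print(f"{score}/5  {'OVERDUE' if overdue else 'ok':8}{name}")
```

With the constructed dates, the report puts the Core System first (highest impact, but recently patched), then the Website (impact 4, 84 days since its last update) and the VPN (impact 3, patch status unknown). Keeping the inventory in a file like this, rather than in someone’s head, is what lets you ask a vendor a precise question about a specific system.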
Tip #3: Enable Multi-factor Authentication
Multi-factor authentication is where you log into a system with something you know (i.e. a password) and something you have (e.g. a code from your phone, or a USB security key you plug in). If somebody senior within the organisation reuses their password on another, unrelated service, or chooses a weak password, and there’s no second factor, what would that give an attacker access to? Would it give full remote access to their emails? How would you even know it had been compromised?
About half of the incident responses we’ve helped clients with would have been avoided if multi-factor authentication had been in use. Most systems support it. As an initial step, we recommend getting all of your staff to enable it on every system where it’s practical.
If you use Microsoft 365 or Google Workspace, you can level this up by using it as an identity provider, so that your other applications trust it to log your users in. The provider can then make risk-based decisions about when to prompt for a password, you can enforce multi-factor authentication centrally, and your staff have only one password to look after. It also lets you on-board and off-board staff in one place.
Conclusion
While there’s debate within the security community about what are the most effective security measures at any given point in time, these tips would have prevented about 75% of the incident responses we’ve been called in to help with.
If you want more, CERT NZ publishes its top 10 critical controls: https://www.cert.govt.nz/it-specialists/critical-controls/10-critical-controls/. These are based on the assistance it has given to NZ organisations.
To sum up:
- Know what you’ve got
- Keep it up to date
- Use Multi-factor authentication
Please feel free to get in touch if you would like to learn more.