Interview with a Chief Information Security Officer: the 4 security fundamentals every SMB needs

Over the holidays, Anthony and Trey sat down to have a conversation about things you can do to help keep your business secure. In a short transcribed video, they discuss a variety of topics. The conversation has been lightly edited. If you would like to watch the video instead, you can view it here: https://youtu.be/lgcozohw1Js

Anthony Cabral: I'm going to keep it simple and just give the basics for a small to medium-sized business, kind of the best bang for your buck to get the best security up front. What you should be doing out of the box, right?

  1. The first thing is multi-factor authentication. If we can multifactor the world and everything that we log into, it makes it simpler for a lot of people.

  2. The second one is going to be around email security, so have email filtering, some kind of spam filtering, and then having some training around that. Businesses need to make sure they are giving the proper training or are giving the proper information to our people.

    • Business email compromise is the number one in-route and foothold for business compromises or breaches in the last two years. Bad guys know people get fatigued because we have so many emails coming in nowadays. They will spam you with a bunch of stuff and they're smart about it; they're getting more and more intricate with that. I like for people to go a little more in depth, have an annual class that goes over what the company's security policies are.

  3. The third thing I would recommend would be some kind of endpoint detection and response (EDR). Antivirus is just not enough. Threat actors are getting in, getting footholds and dwelling in your systems for long periods of time. Ideally, they will be monitored 24/7 by a Security Operations Center somewhere or by someone who's keeping an eye on things while you're sleeping at night.

  4. The last thing that we've implemented from the beginning, and has been more and more prevalent in stopping threats from happening, is privileged access management, which is basically taking the users' local admin rights away on computers and having that managed centrally somewhere.

    • Just last year I was involved in a business compromise where credentials were stolen. They got access to a computer, installed some software as an admin that allowed them to spread that foothold around. If they would have had MFA, that would have stopped it; if they would have had EDR, it would at least have alerted a little faster on it; and if they would have had some kind of privileged access management, then the threat actors, when they got in, wouldn't have been able to elevate their rights to install things, to start running bad processes or applications on the computers there.

Trey Hiller: Well, I know that one thing we always say here at Clear Guidance Partners is that the hackers don't go home at 5:00 PM. While you may turn your computer off and head home, the hackers are just sitting down because they know that you’re leaving.

Anthony Cabral: Oh yeah, 100%. They can go to your business website and see all these are your business hours. Smart bad guys are not going to try to attack you or do bad things during the business hours, right? They're going to do it in the wee hours of the morning.

Trey Hiller: Exactly. I hope this was helpful to everyone watching. If you need help navigating any of these four pathways, need help from a cybersecurity standpoint, or your IT team needs help, don’t hesitate to reach out to us. We would love to chat with you more.

Trey Hiller