Affordable Cybersecurity Solutions for SMBs

With cyber-attacks on the rise, the cost of combating these threats can seem overwhelming for small and even mid-sized businesses. Unfortunately, for many business owners and leadership teams, the perception of overwhelming costs has resulted in decisions to largely ignore the threat. Misconceptions about being too small to be “on the radar” of major threat actors are a common justification. A recent article published on LinkedIn supports this theory that many small business owners believe they are too small to matter to cyber criminals. But the opposite may be true, given the general lack of security controls and detection tools: small businesses are proving to be a treasure trove of opportunity for the criminal underworld.

The good news is that there is now a multitude of surprisingly low-cost and even no-cost security tools suitable for smaller businesses. Though, as recently discussed in our post about EULAs, we encourage readers to read and understand licenses before incorporating any tools into their businesses. Many modern tools offer free versions that lack enterprise-grade features but might still be sufficient for smaller organizations. For example, free antivirus tools often offer a centralized management console only as a paid add-on. Manually managing agents across a small number of machines might be an acceptable tradeoff to paying top dollar for higher-end tools, or worse, going without.

Although Black Kilt will not publicly endorse specific vendor products or services in this article, we will discuss options for common categories of security tools and provide links for the tech-savvy to make their own informed decisions. And for those less comfortable rolling their own solutions, we have some data points to assist you in asking questions of service providers prior to signing contracts.

A great place to start when looking for entry-level security tools is the Federal Government’s Cybersecurity and Infrastructure Security Agency (CISA) list of free cybersecurity tools and services. Common security tools all businesses should implement include awareness programs, antivirus and intrusion detection, vulnerability scanning, multifactor authentication, firewalls, and data backup and recovery software. Larger organizations should also consider a centralized security information and event management (SIEM) repository, Virtual Private Networks (VPNs), network proxies or other traffic monitors, and data loss prevention tools. But, before jumping into solutioning, let’s step back and talk about strategy.

A good security strategy, even a lightweight one, will be based on a well-known framework or methodology. Splunk published a brief guide to several common frameworks. At Black Kilt, for small and mid-sized businesses, we highly recommend using a framework that is focused on risk identification and mitigation strategies, such as the COBIT framework. In our experience, these frameworks can be helpful in identifying and ranking risks, helping small businesses to prioritize their limited resources and get the biggest bang for their IT dollar by tackling the areas of highest risk first.

Once a strategy is identified, a focus on policy, governance, and solutioning can begin. Policy is often overlooked, but can serve as a guidepost for the business, and for employees on how to operate securely. It has the added benefit of setting expectations for employees and can also build confidence with clients and vendors or partners about the level of expertise and the reduced risk of working with a business that takes cybersecurity seriously. Policies can easily be rolled out as part of cybersecurity awareness campaigns, which help to ensure users are informed of the risks and behavioral expectations.

IT supply chain breaches are a major risk for companies. Companies that have taken steps to secure their business and reduce cyber risks for clients are going to come out ahead, as fearful companies begin to drop relationships with firms that don’t take security seriously. The Securities and Exchange Commission (SEC) may soon require public companies to significantly increase breach and incident reporting, which in turn will likely drive even more scrutiny of their vendors and partners. Formal security policies, coupled with governance to enforce and maintain them, can differentiate smaller suppliers from the rest of the pack.

Key policies for businesses of any size are disaster recovery and business continuity. These document what to do when the unexpected happens. This could be a cyber event, catastrophic weather, or even utility failures or more mundane incidents. These documents should include a robust data backup plan. A good plan includes testing recovery capabilities annually at minimum and may also require plans for alternate hosting. Having both a plan to continue business in the face of an unexpected event and a plan to recover or completely rebuild quickly are two of the best actions a business can take to minimize losses during a catastrophe. A few examples of the effects of failing to plan for the worst include the closure of an Arkansas telemarketing firm in 2020 as well as the closure of a medical practice in Michigan. In both cases, the company didn’t have an effective plan to recover from a ransomware event, and had to shutter their doors as a result.

When it comes to detecting and preventing security events, businesses should strongly consider antivirus and even intrusion detection software. PC Magazine has reviewed some of the best free tools in their 2023 product review. These tools are designed to actively detect and block most common threats in real time. Intrusion detection systems (IDS) take this a step further, scanning for known attack signatures or deviations from known-good behavior. UpGuard has a primer on IDS solutions with a listing of several notable free solutions that can be highly effective for smaller organizations.

For organizations of any size, actively scanning for and remediating known vulnerabilities needs to be at the top of the priority list. Many breaches happen because of exploits against unpatched but known security flaws. Thus, leaving software unpatched is akin to inviting trouble into the house for afternoon tea. The CISA list, mentioned earlier, includes a number of free vulnerability scanning tools. The best tools incorporate components of the Common Vulnerabilities and Exposures (CVE) program. These tools automatically pull data about known vulnerabilities from organizations such as MITRE, and will scan endpoints and devices on your network for these vulnerabilities. CVEs are ranked based on severity, making it easy to prioritize remediation efforts. In many cases, remediation will be as simple as applying a free vendor patch or upgrading to an unaffected version. Hence, awareness of these security problems is more than half the battle.
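The matching-and-ranking step described above, as an added example that is not code from the page or from any scanner it links to. It assumes a software inventory and a CVE feed are already available as plain Python structures; both are constructed inline here, and the CVE identifiers are placeholders rather than real vulnerabilities. The point it shows beyond the paragraph is that versions must be compared numerically, not as strings, and that sorting findings by CVSS score turns scanner output into the kind of punch list the article recommends.

```python
"""Toy vulnerability prioritizer (added example, not a product's code).

Assumptions: the inventory and the feed below are constructed sample data.
A real tool would pull the feed from a source such as MITRE or NVD.
"""
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically
    ('1.2.10' < '1.2.9' as strings, which is the classic scanner bug)."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class CveRecord:
    cve_id: str          # placeholder IDs below, not real CVE numbers
    product: str
    affected_below: str  # every version strictly below this is vulnerable
    cvss: float          # severity score used for ranking
    fix_version: str     # the version that closes the flaw


# Constructed sample feed (placeholder identifiers, fictional products)
SAMPLE_FEED = [
    CveRecord("CVE-EXAMPLE-0001", "webapp", "2.5.0", 9.8, "2.5.0"),
    CveRecord("CVE-EXAMPLE-0002", "webapp", "2.3.0", 5.3, "2.3.0"),
    CveRecord("CVE-EXAMPLE-0003", "mailer", "1.0.4", 7.5, "1.0.4"),
    CveRecord("CVE-EXAMPLE-0004", "dbserver", "10.2.0", 8.1, "10.2.0"),
]

# Constructed inventory: host -> list of (product, installed version)
SAMPLE_INVENTORY = {
    "laptop-01": [("webapp", "2.4.1"), ("mailer", "1.0.4")],
    "server-01": [("webapp", "2.2.0"), ("dbserver", "10.1.7")],
}


def severity_label(cvss):
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def find_vulnerable(inventory, feed):
    """Match installed versions against the feed; one finding per hit."""
    findings = []
    for host, packages in inventory.items():
        for product, installed in packages:
            for rec in feed:
                if rec.product != product:
                    continue
                if parse_version(installed) < parse_version(rec.affected_below):
                    findings.append({
                        "host": host,
                        "product": product,
                        "installed": installed,
                        "cve": rec.cve_id,
                        "cvss": rec.cvss,
                        "severity": severity_label(rec.cvss),
                        "fix": rec.fix_version,
                    })
    return findings


def prioritize(inventory, feed):
    """Highest CVSS first; ties broken by host and CVE for a stable list."""
    return sorted(find_vulnerable(inventory, feed),
                  key=lambda f: (-f["cvss"], f["host"], f["cve"]))


if __name__ == "__main__":
    for f in prioritize(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(f"{f['severity']:8} {f['cvss']:>4} {f['host']:10} {f['product']} "
              f"{f['installed']} -> upgrade to {f['fix']} ({f['cve']})")
```

Run as-is, the script lists four findings: the two critical web application hits first, then the database server, then the medium-severity item; the mailer at exactly the fixed version is correctly left off the list.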

Many small businesses now rely heavily on free and low-cost IT tools. When these tools reside on the Internet, a simple strategy to help protect against unwanted access is to choose solutions that support multi-factor authentication (MFA). This can be anything from a text message, email, or phone call, to more sophisticated solutions such as authenticator apps, hardware tokens, or biometrics. Solutions that require something a user possesses beyond a simple username and password are less likely to be compromised without notification. Any attempt to go through the front door of these services will instantly alert the user.

Along these same lines, modern operating systems come with firewalls built in. Simply enabling these solutions to block unwanted or unknown traffic can provide an early warning if a malicious program slips through the cracks and tries to phone home. The firewall can block this traffic and warn the user of the unexpected activity, prompting them to escalate to the IT org for further investigation.

Slightly larger organizations may benefit from implementing SIEM tools to aggregate IT logs and security events. Attackers often inadvertently leave small clues behind in logs that help security teams find bad actors and understand what they’ve done. When logs remain on individual systems, attackers can modify them to cover their tracks. The best SIEM tools ingest log data in near real time, before attackers can scrub the data. Top tools have the ability to scan logs for interesting events and unusual patterns, raising alerts for unexpected behavior. The drawback of these tools tends to be the cost of storing all the log data and the computing power required to process events in a timely manner. Although great free and open-source SIEM tools exist, this item will require budget planning to be successful.
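A minimal version of the "scan logs for unusual patterns, raise alerts" step a SIEM performs, as an added example that is not code from the page or from any SIEM product. The log format, host names, user names and source addresses are all constructed for the example (the addresses come from the RFC 5737 documentation ranges); the two rules, a burst of failed logins from one source and a success from that same source shortly afterwards, are the kind of correlation a central log store makes possible once events from many machines sit in one place.

```python
"""Toy SIEM-style detection over constructed auth log lines (added example).

Assumes syslog-like lines in the constructed format shown in SAMPLE_LOG;
this is not any product's real format. Events are processed in order, as a
SIEM ingests them, with a sliding window of recent failures per source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed sample lines: fictional hosts and users, RFC 5737 test addresses
SAMPLE_LOG = """\
2024-01-15T09:00:01 fileserver auth: FAILED login user=admin from=203.0.113.7
2024-01-15T09:00:03 fileserver auth: FAILED login user=admin from=203.0.113.7
2024-01-15T09:00:04 fileserver auth: ACCEPTED login user=jane from=192.0.2.10
2024-01-15T09:00:05 fileserver auth: FAILED login user=root from=203.0.113.7
2024-01-15T09:00:06 fileserver auth: FAILED login user=admin from=203.0.113.7
2024-01-15T09:00:08 fileserver auth: FAILED login user=backup from=203.0.113.7
2024-01-15T09:00:09 fileserver auth: ACCEPTED login user=backup from=203.0.113.7
2024-01-15T09:20:00 fileserver auth: FAILED login user=jane from=192.0.2.10
"""

FAIL_THRESHOLD = 5      # this many failures ...
WINDOW_SECONDS = 60     # ... within this many seconds from one source


def parse_line(line):
    """Parse one line into a dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None   # unparseable lines are skipped, not crashed on
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of alert dicts in the order the rules fired."""
    recent_failures = defaultdict(deque)   # src -> timestamps of failures
    bursting = set()                        # sources that tripped rule one
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent_failures[src]
        # forget failures that have aged out of the window
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"rule": "login_burst", "src": src,
                               "count": len(q), "at": ts.isoformat()})
        elif src in bursting:
            # a success right after a burst is the signature of a guessed
            # password and deserves a higher-priority alert than the burst
            alerts.append({"rule": "success_after_burst", "src": src,
                           "user": ev["user"], "at": ts.isoformat()})
            bursting.discard(src)   # reset so a later burst alerts again
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample data the burst rule fires on the fifth failure from 203.0.113.7, and the accepted login from that same address one second later raises the second alert; the single failure from jane’s address twenty minutes later stays below the threshold and is ignored, which is the behaviour a defender wants so that ordinary typos do not page anyone.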

VPNs, network proxies, and data loss prevention tools are the last category of services to consider. These tools often work in concert with one another, by funneling and blocking network traffic in ways that allow it to be monitored and restricted. Requiring VPN clients to be “always on” for remote user laptops forces activity onto the company network where it can be monitored by a variety of tools for unusual or inappropriate activity.

Although aging, proxies still serve as a great tool to restrict users from accessing unwanted sites such as file sharing programs, social media, or other non-business sites. They also allow for monitoring and logging of user network traffic. If an incident does occur, these logs can be extremely valuable in identifying breach related network activity.

Data loss prevention (DLP) tools are the icing on the cake. These tools can monitor and even block user access to company data. The drawback of these tools is that they often require extensive and complex configuration and ongoing management to maintain effectiveness. They also have a heavy footprint, chewing up valuable resources on user devices that might be needed for other business activities.

If all of this seems like too much, don’t despair. Rather, resolve to tackle this one bite at a time. Each topic discussed today has measurable impact on improving cybersecurity. If used as a punch list, over time, cybersecurity can become part of the culture, the way a business operates. Costs can be offset by reductions in insurance premiums, productivity from improved uptime, and perhaps even increased business due to the positive reputation that results from a solid cybersecurity program.
