It’s harder than it seems to come up with a quick list of 10 things a small/medium business should do when looking to implement stronger (or a first level of) cyber security. It’s a cop-out whenever I see a “top steps for security” list that goes something like, “secure endpoints, secure servers, secure network…” You’re cheating by not saying anything actionable or consumable by relatively average admins and business users.
Here’s my current list of top 10 items an SMB should do (I’m sure I left something obvious out…).
1. Backups. – Mistakes happen. And when shit hits the fan, you need to have backups to restore to. This includes something off-site in case your live backups are bad. You should also have some idea of what to back up, and a general priority of what is most important for the business to remain solvent. This needs to include procedures to verify backups and perform clean restores.
2. Endpoint security software. – Commonly antivirus or antimalware software that runs on end user and server systems. These should automatically update at least daily. Admins should understand this software enough to be able to work with it rather than turn it off for whatever reason when it gets in the way.
3. Patch your systems (and software). – I don’t care if these patch automatically or if a patch management process is in place, but all systems need to be running a patched OS. Software should be patched as much as possible as well, but I understand that can be harder for businesses that do not have automated endpoint management tools in place.
4. Identity management (lock your workstation). – Uniquely identify every user and require strong passwords for their accounts. Do not share accounts. Know which accounts (user and service accounts) have high privileges on your network and thus with your data. Locking the workstation is a form of controlling/limiting unauthorized usage of the unique account assigned to someone.
5. Practice least privilege. – Users should only have access to what they need in order to do their jobs. This is mostly focused on data access, but it also applies to system and network (or Internet) access.
6. Practice proper password principles. – Don’t write passwords down. Don’t share them. Don’t reuse them. Do make them complex. Do change default passwords. Do change them regularly. Store passwords in something that has some modicum of security (i.e. not a password-protected Excel file).
7. Limit physical access to your IT assets. – Keep network closets, servers, data backups, and other IT assets locked away from unauthorized access. This should also include limiting access to mobile devices and storage devices for theft and tampering prevention.
8. Deploy a network firewall (network segmentation). – For really small businesses, this might be limited to whatever modem/router comes with their Internet access. But everyone else should have, at a minimum, a network firewall between their corporate network and the Internet with default deny rules in place. Permit rules should, again, adhere to least privilege principles. A firewall between wireless networks and the rest of the corporate network is good. As a bonus, a firewall between workstations and servers is a good next step. But at a bare minimum, Internet access into the corporate network/servers should be controlled by a firewall. Limit who can make changes to the firewall.
9. Limit local administrative rights on workstations. – For small to medium businesses, it can be a fight to pry away local administrative rights to systems, but it really needs to be done, not just for security purposes, but also for desktop support sanity (efficiency). This will help prevent malware from running as a local admin, and will prevent users from installing rogue software on their systems.
10. Understand and protect your important data and corporate assets. – Yeah, I’m slightly copping out here on the last one, but every business should know what data is important for business continuity or what data, if divulged or stolen, will result in business closure. Special considerations should be taken to ensure these assets are protected. Most important to this specific bullet point, though, is just making sure the business goes through the exercise of identifying what is vital.
BONUS: Get help. – Get help from staff or a security consultant on how to properly do IT security, both the steps above and the next steps, and to stay aware of new threats (ransomware) and issues (0-days).
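Item 1 calls for procedures to verify backups and perform clean restores. The script below is an added example (not from the original post) of the smallest version of that: it archives a constructed sample data set, records a checksum, then proves the archive both verifies and restores cleanly by comparing per-file hashes of the restore against the live copy. The paths are assumptions; it needs tar and GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the original post) for item 1: archive a constructed
# sample data set, record its checksum, then prove the archive verifies and
# restores cleanly by comparing per-file hashes of the restore against the
# live copy. Paths are assumptions; requires tar and GNU coreutils sha256sum.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample data standing in for the business's important files.
make_sample_data() {
  mkdir -p "$WORK/live/finance" "$WORK/live/hr"
  printf 'Q1 invoices\n' > "$WORK/live/finance/invoices.txt"
  printf 'payroll\n' > "$WORK/live/hr/payroll.txt"
}

# Create the archive and store its SHA-256 beside it; the off-site copy
# should carry the same checksum so a corrupted copy is caught before use.
make_backup() {
  tar -C "$WORK/live" -cf "$WORK/backup.tar" .
  (cd "$WORK" && sha256sum backup.tar > backup.tar.sha256)
}

# Verification step 1: does the archive still match its recorded checksum?
verify_backup() {
  (cd "$WORK" && sha256sum -c --quiet backup.tar.sha256)
}

# Verification step 2: a clean restore into an empty directory, then a
# per-file hash comparison with the live data. Returns non-zero on any
# difference, because an archive that will not restore is not a backup.
test_restore() {
  rm -rf "$WORK/restore" && mkdir -p "$WORK/restore"
  tar -C "$WORK/restore" -xf "$WORK/backup.tar"
  (cd "$WORK/live" && find . -type f | sort | xargs sha256sum) > "$WORK/live.sha"
  (cd "$WORK/restore" && find . -type f | sort | xargs sha256sum) > "$WORK/restore.sha"
  cmp -s "$WORK/live.sha" "$WORK/restore.sha"
}

check_backup() { verify_backup && test_restore; }

make_sample_data
make_backup
if check_backup; then
  echo "backup verified and restore matches live data"
else
  echo "BACKUP CHECK FAILED: do not rely on this backup" >&2
fi
```

Run the same two checks against the off-site copy on a schedule; a checksum mismatch or a restore that differs from the live data is the signal to fix the backup before you need it.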
Ultimately, I hate making a list of just 10 things, so here are a few more that come next.
11. Email filter for spam/phishing prevention.
12. Web browsing filter.
13. Password-protect wireless access and limit it to corporate-managed devices.
14. User education and security awareness training.
15. Establish security policies and procedures.
16. Identify your industry regulations and compliance that you need to meet. Get help on these.
17. Establish hardware and software inventory systems. Know when something is lost or mysteriously new.
18. Run vulnerability assessments on servers/systems and prioritize/remediate findings.
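Item 17 says to know when something is lost or mysteriously new. The script below is an added example (not from the original post) of the inventory diff that makes that concrete: it compares a current software inventory against an approved baseline and reports NEW, MISSING and CHANGED entries per host. The inventory lines are constructed; in practice they would come from the package manager or an endpoint agent, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post) for item 17: diff today's
# software inventory against an approved baseline so that anything lost or
# "mysteriously new" is flagged. The inventory lines are constructed; in
# practice they come from the package manager or an endpoint agent.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One line per installed package: host, package, version (constructed data).
write_sample_inventories() {
  cat > "$WORK/baseline.txt" <<'EOF'
ws01 openssh-client 9.2
ws01 libreoffice 7.4
ws01 firefox 115
EOF
  cat > "$WORK/current.txt" <<'EOF'
ws01 openssh-client 9.2
ws01 firefox 116
ws01 remote-control-tool 1.0
EOF
}

# Report NEW (not in baseline), MISSING (no longer present) and CHANGED
# (version differs) entries, keyed on host+package so a routine upgrade from
# item 3 shows as CHANGED rather than as one removal plus one addition.
inventory_report() {
  awk '
    NR == FNR { base[$1 " " $2] = $3; next }
    {
      key = $1 " " $2; seen[key] = 1
      if (!(key in base))        print "NEW     " $0
      else if (base[key] != $3)  print "CHANGED " $0 " (was " base[key] ")"
    }
    END { for (k in base) if (!(k in seen)) print "MISSING " k " " base[k] }
  ' "$WORK/baseline.txt" "$WORK/current.txt" | sort
}

# Non-zero exit when anything differs, so a scheduled run can raise an alert.
inventory_changed() {
  [ -n "$(inventory_report)" ]
}

write_sample_inventories
inventory_report
```

NEW entries are the ones to chase first (nobody approved them), MISSING ones may be theft or a decommission nobody recorded, and CHANGED ones should line up with your patch schedule from item 3.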