Cybersecurity Prevention for Small Budgets: Holistic Strategies

Cybersecurity measures are expensive, right!? No, not necessarily. There is a common misconception that cybersecurity measures and solutions are complex and costly, only reserved to large corporations with their big IT budgets. This is wrong.

Even micro, small and medium-sized enterprises (MSMEs) with small IT budgets can implement effective cybersecurity measures and strategies that defend them effectively against the constantly growing number and variety of cyberthreats. However, it does take careful preparation, a structured approach and a clear framework to achieve this.

This is what our 4-part-series “Cybersecurity Prevention for Small Budgets” is all about.

In part 1 of our series, entitled “holistic strategies”, we will discuss the need for holistic strategies in cybersecurity management. To this end, we introduce the widely-adopted “ISO/IEC 27001 — Information security management” standard and its various areas that help organizations to determine the status quo of their cybersecurity management and derive a strategy for strengthening their cybersecurity management going forward. Moreover, we will discuss important steps and considerations of cybersecurity management particular for MSMEs.

Cyberthreats on the rise and evolving

We all know cyberthreats are massively on the rise. Not a week goes by without another headline about another large corporation or government entity that became the target of a carefully executed DDoS or ransomware attack.

Already in 2021, we have heard of numerous consequential and sophisticated attacks like the SolarWinds attack that allowed espionage of thousands of leading companies worldwide including Microsoft, Intel and US government organizations. In early May, a ransomware attack led to the shutdown of the biggest US pipeline for more than 24 hours.

There is much data and statistics that underline the growing threat.

What is more, the type of threats constantly change and evolve, becoming more sophisticated and targeted in nature. DDoS attacks might adjust flexibly to circumvent DDoS detection systems or help hackers understand the security posture of target organizations and institutions.

Determining the status quo with the ISO/IEC 27001 framework for cybersecurity

The first step to building an effective cybersecurity strategy for an MSME is to determine the status quo of the company’s existing IT/cybersecurity measures. This can be done utilizing a structured cybersecurity standard like the ISO 27001. Drafted in 2013, it is the worldwide standard guideline that lays out for organizations, how they shall establish, implement, maintain and continually improve their information security management systems.

It is a holistic framework that considers a total of 14 areas in more detail: Information Security Policies, Organisation of information security, Human resource security, Access protocol, Cryptography, Physical and environmental security, Operations security, Communications security, System acquisition, development and maintenance, supplier relationship, Information security incident management, Information security aspect of business continuity, Compliance.

In the following, we will describe each area shortly and mention questions companies should ask as part of their status-quo determination.

  • Information security policies: This section ensures that policies are written and reviewed in accordance with the overall information security practices the company pursues.
    – Do you have a set of policies for information security, which is defined, approved by management, published and communicated to employees and relevant 3rd parties?
    – Are any relevant security policies/documents reviewed at planned intervals?
  • Organisation of information security: This section deals with assignment of responsibilities of information security tasks to specific employees. The need for implementation of a framework to coordinate and ensure information security maintenance in the organization is stressed.
    – Do you have an information security responsible defined and allocated.
    – Is a policy regarding mobile devices (including BYOD) appointed and remote working implemented?
  • Human resource security: This section ensures that employees and contractors are aware of their responsibilities and duties relating to the information security process both during and after employment.
    – Are contractual agreements with employees and contractors defined regarding information security?
    – Do all employees receive apporpriate awareness education and training on a regular basis?
  • Asset management: This section focuses on identifing organizational assets and define appropriate protection and responsibilities.
    – Is there an accurate IT asset/ IT device inventory?
    – Is all data classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification?
  • Access protocol: This section focuses on warranting that employees only have access to those assets and resources they need for performance of their duties and responsibilities — according to the “need-to-know-principle”. Aspects covered are business requirements of access controls, user access management, user responsibilities and system and application access controls.
    – Is there a formal user registration/de-registration (like e.g. Azure AD) in place?
    – Is a formal access control policy established, documented and reviewed?
  • Cryptography: This section deals with the encryption and handling of sensitive information to ensure an adequate and appropriate usage of encryption.
    – Is a formal policy on the use of cryptographic controls for protection of information developed and implemented?
    – Is a policy on the use, protection and lifetime of cryptographic keys developed and implemented?
  • Physical and environmental security: In this section, both the need to impede unauthorized physical access to the physical facilities and the sensitive assets of the company as well as theft, damage or loss of specific equipment such as servers is discussed.
    – Are security perimeters defined and used to protect areas that contain sensitive or critical information?
    – Is a clear desk and clear screen policy in place?
  • Operations security: This detailed section generally ensures that the company’s technical facilities that process information are secure and resilient. Subsections include topics such as staff responsibilities, monitoring and logging practices, vulnerability management and more.
    – Is there a malware and antivirus solution in place?
    – Is a regular backup of data done and stored (also against ransomware) appropriately?
  • Communications security: This section addresses how information in networks is secured and protected, both the confidentiality and integrity of information as well as protection of information in transit are discussed.
    – Are networks managed and controlled to protect information in systems and applications?
    – Are formal transfer policies, procedures and controls in place to protect the transfer of information through the use of all types of communication facilities?
  • System acquisition, development and maintenance: In this section a long list of requirements for internal and public-network-facing systems are described.
    – Are information security related requirements included in new information systems or enhancements to existing information systems?
    – Are rules for the development of software and systems established and applied to developments within the organization?
  • Supplier relationship: This section addresses the topic of how contractual agreements between customers and suppliers must be designed and what practices are necessary to ensure both parties maintain the levels of information security agreed.
    – Are information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets agreed with the supplier and documented?
    – Does the organization regularly monitor, review and audit the supplier service delivery?
  • Information security incident management: This section covers the procedure and measures to be initiated in the event of security incidents, containing documentation, management and reporting of such incidents.
    – Are management responsibilities and procedures established to ensure a quick, effective and orderly response to information security incidents?
    – Is knowledge gained from analyzing and resolving information security incidents to reduce the likelihood or impact of future incidents?
  • Information security aspect of business continuity: This section intends to aid in the development of a system to effectively manage business disruptions resulting from information security issues.
  • Does the organization determine its requirements for information security and the continuity of information security management in adverse situation, e.g. during a crisis or disaster?
    – Are information processing facilities implemented with redundancy sufficient to meet availability requirements?
  • Compliance: This section addresses the identification of and compliance with the relevant laws and regulations pertaining to information security policies, guidelines and solutions within their organization.
    – Are all relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements explicitly identified, documented and kept up to date for each information system and the organization?
    – Are independent reviews of information security done and planned on regular intervals or when significant changes occur?

While answering the questions in these 14 areas may provide useful insights for IT departments on their current cybersecurity practices, the classification may still prove to be too overwhelming or complex for MSMEs to deal with. The good news is that for 2021, it is planned to revise and simplify the ISO 27001 classification into four overarching areas: organization, people, physical and technological.

Security must always be a primary selection criteria when investing into new hardware like PCs, screens, periphery and notebooks. When choosing/evaluating various suppliers, it pays to analyze their commitments to integrate security measures into their hardware. HP for example makes cybersecurity a primary concern with its hardware. Even their laptop screens reduce visibility starting at 30 degree angle to prevent people sitting next the employee from viewing and reading the screen’s content (particularly necessary when travelling).

Essential yet affordable hardware for secure company networks

The foundation of a secure company network is a state-of-the-art firewall. However, selecting and investing in a world-class firewall is simply the first step. Its professional and ongoing management is even more important — a particular challenge for a MSMEs which often have neither IT Security nor Firewall specialists in their ranks.

This is where so-called Firewall-as-a-Service providers [FaaS] come into play. For a monthly subscription they offer implementation, customization, management and maintenance of firewalls. Popular FaaS providers are for example CloudflarePalo Alto NetworksCheck PointZscalerFortinet. MSMEs should opt for the price plan that satisfies their needs without being overcharged for features and capabilities outside of the company’s needs.

Free resources for cybersecurity management in MSMEs

A starting point and preparation for MSMEs must be the following platforms that offer free resources, tools and performance of queries to determine a company’s current security posture

When selecting a strategy to implement cybersecurity measures, MSMEs should decide upon a specific framework. The most common and widely-adopted paradigm is currently the Zero Trust approach.

The Zero Trust Security approach explained

The Zero Trust security approach has become the dominant paradigm for IT security implementations in recent years. In a nutshell, the Zero Trust approach defines a security model framework where all users — internal and external — off a company network regularly have to be authenticated before being granted access to applications and data.

There are various approaches, frameworks and methodologies that prescribe different ways as to how best implement Zero Trust security in a company. An essential consideration in choosing an approach is which technical infrastructure (e.g. Microsoft’s Azure, Amazon AWS) the company is using/has implemented.

Cybersecurity is an ongoing activity defined best in life cycles

It is not enough to think of cybersecurity as an occasionally executed set of measures implemented when the need arises. Cyber threats are omnipresent and can strike at any time. Today, cyber security must be integrated into all IT measures of an MSME. It has to be defined in various life cycles and be based on a holistic approach like the Zero Trust paradigm. Companies must also consider getting cyberinsurance to avoid damages and prepare themselves for a worst case cyberthreat scenario.

Conclusion

Implementing effective cybersecurity measures doesn’t have to be expensive. It can be done on a small budget but requires a structured framework and IS analysis using standards like the ISO 27001 and a holistic zero trust approach.

Cyberthreats are omnipresent, increasing in number, intensity and variety by the day. MSMEs must make security a primary criterion when selecting hardware and software solutions. After getting informed with free information platforms and resources, IT managers must determine if competencies will be built internally or obtained from outside the organisation. Trusted advisors like FaaS providers paid with a monthly subscription can offer effective and cost-efficient cybersecurity that works.

MSMEs must consider cybersecurity an ongoing, integrated activity to be defined in various life cycles. Cost-efficient cyber security for small budgets is possible — what MSMEs cannot afford is to go without it.