What Is Cybersecurity? A Gentle Introduction For Small Businesses

Imagine your business is a storefront on a busy street. Just as you wouldn’t leave your shop door wide open or skip an alarm system, your digital assets, including your computers, mobile devices, customer data, financial records, and proprietary information, need protection too. This is especially true in today’s digital age, in which attacks against small businesses are becoming increasingly common.

In military terms, the cybersecurity ‘battlefield’ is asymmetrical. We can be attacked, but we generally can’t attack back (that’s illegal in almost all cases). However, we are allowed to defend our assets, keep them secure, and gather information about attackers and attack patterns that can be useful in many ways. We often can’t prosecute our attackers because they live in foreign countries, often in nations that allow their own citizens to attack us. But we do have a lot of excellent tools at our disposal to minimize the chances of a successful attack, minimize the damage done during an attack, and increase our capability to identify and respond to an attack during and after it has occurred. These types of activities are known as improving our security posture.

Before we dive into the details of how to protect our digital systems and data, let’s take a high-level look at the field of cybersecurity. A good place to start is by defining the term ‘cybersecurity.’

What is cybersecurity?

Cybersecurity refers to the practice of protecting our computer systems from digital attacks. The word ‘practice’ is important, because taking action is central to cybersecurity.

Let’s look at the computer systems that we’re trying to protect. We can start by taking stock of the electronics that we use every day – we’ll officially do this later as part of Task 1: Build a Hardware Inventory, but for now you can simply start thinking about all of the tech devices used to support your small business. This includes phones, tablets, laptops, desktop computers, and printers. It also includes our networking tech like routers, wireless routers, modems, wireless access points, firewalls, switches, and hubs. Businesses may also have one or more servers.

What about other common internet-connected devices? These may include your watch, alarm clock, refrigerator, dishwasher, television, gaming console, VoIP phone, voice control device (e.g. Amazon Echo), and others. Every device connected to the network and/or the internet presents opportunities for attackers.

The more devices we have, the larger our attack surface becomes. The term ‘attack surface’ is used to describe anything that could potentially be attacked. Our attack surface includes our systems, the applications installed on our systems, and the data held on our systems and in applications. So it’s not just about hardware – it’s about software too. That’s why Task 2 in this course is performing a software inventory.
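Tasks 1 and 2 (the hardware and software inventories) can be started with a short script run on each Windows device. The script below is an added example, not part of the course material or its bundle; it assumes PowerShell 5.1 or later, local administrator rights, and an output folder under the user profile (an assumed location you can change). It writes one CSV row for the device and one row per installed application, which together form the raw material for mapping your attack surface.

```powershell
# Added example (not part of the course material): a minimal hardware and
# software inventory for one Windows device, written to two CSV files.
# Run it on each device and collect the CSVs centrally.
# Assumes PowerShell 5.1+ and local administrator rights.

$OutDir = Join-Path $env:USERPROFILE 'inventory'   # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Task 1: hardware inventory (one row per device) ---
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$macs = (Get-NetAdapter -Physical | Select-Object -ExpandProperty MacAddress) -join ';'

$hardware = [pscustomobject]@{
    Hostname     = $env:COMPUTERNAME
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    SerialNumber = $bios.SerialNumber
    OS           = $os.Caption
    OSVersion    = $os.Version
    MacAddresses = $macs
    LoggedOnUser = $cs.UserName
    CollectedAt  = (Get-Date).ToString('s')
}
$hardware | Export-Csv -Path (Join-Path $OutDir "$env:COMPUTERNAME-hardware.csv") -NoTypeInformation

# --- Task 2: software inventory (one row per installed application) ---
# Both the 64-bit and the 32-bit (WOW6432Node) uninstall keys are read,
# otherwise 32-bit applications on a 64-bit Windows are missed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        [pscustomobject]@{
            Hostname    = $env:COMPUTERNAME
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            Publisher   = $_.Publisher
            InstallDate = $_.InstallDate   # yyyyMMdd string; often empty
        }
    } | Sort-Object Name
$software | Export-Csv -Path (Join-Path $OutDir "$env:COMPUTERNAME-software.csv") -NoTypeInformation

Write-Host ("Inventoried {0}: {1} installed applications" -f $env:COMPUTERNAME, @($software).Count)
```

The uninstall registry keys do not list Microsoft Store apps; run `Get-AppxPackage -AllUsers` separately if those matter to you. Keep the CSVs in one place and re-run the script monthly: a device or application that appears in the inventory but nobody remembers installing is exactly the kind of attack surface the text is warning about.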

What Happens if An Attacker Gets Access To One Device?

Once an attacker manages to gain access to just one of your devices, they will try to use it to their advantage as much as possible. For example, they will look at everything stored on it, to see if there are any useful files containing credentials – this is often called pilfering.

They will look at what browsers and other apps are installed and see if there are any usernames and passwords stored in them. Windows computers keep credentials for logged-in users in memory, so they’ll try to gain access to those. They’ll also look at every application and piece of software installed and see if there are any vulnerabilities in them that could allow them to expand what they can do (called privilege escalation) and gain more control over the system.

Next, they will try to start working their way through your network (this is called pivoting) and compromise your other devices. As they gain more information about your network, the devices on it, users, groups, applications, etc., they gain an increasing amount of knowledge that allows them to take more and more control over everything. As they go along, they will also be establishing methods of persistence, allowing them to keep control even after you shut everything down.

What they do and how they do it depends on their goals. Most attackers targeting small businesses will be trying to achieve a financial goal. They may try to download or encrypt your data and then ransom it. They may try to gain access to sensitive information and then blackmail or extort the business. Increasingly, they may just sell access and information to someone else. There’s a huge market for hacked computers and networks on the dark web, and it’s becoming increasingly common for the bad guys to specialize. The person who specializes in phishing or gaining access to your system may not be the person actually doing the encrypting and blackmailing. Bad actors have discovered over time that it can be far more effective to specialize in one thing and then provide that as a service to other bad actors. And, thanks to cryptocurrency, money can be exchanged between bad actors instantly across the globe, without risk.

Ultimately, an individual attacker’s ability to gain initial access and further their goals depends on how skilled they are, how much time they have, and what other assets they are able to wield to perform their attack (for example, whether they have access to advanced software like Cobalt Strike). One important consequence of this is that attackers can often tell, pretty quickly, how well a system is defended. Then they can weigh the pros and cons of continuing their attack.

Small businesses will typically have a lower payday than large ones, and well defended businesses take a lot longer to attack than poorly defended ones. The ideal cash cow for a malicious attacker is a large, poorly defended business. A small, well-defended business makes a poor target.

In most cases, when an attacker sees that a small business has invested in its own defense, it isn’t going to be worth it to continue the attack. Additionally, those attackers who target small businesses typically aren’t as skilled as those who target larger businesses. Only a very small percentage of attackers have the ability to, for example, evade endpoint protection, which is exactly why we include it in our Security Essentials™ bundle, even though it lowers our own margins considerably.

How Can We Protect All of Our Devices and Data?

This question is simultaneously easy and difficult to answer.

It’s ‘easy’ because you can get all of the knowledge and tools needed to achieve world-class security. That’s what this course is all about.

However, it’s also ‘difficult’ because nothing we do can 100% guarantee the security of our systems and data. We know this to be true because ethical hackers (the good guys) are very successful. They are often able to gain administrative control of the entire system, network or domain during a penetration test. And, their clients are some of the biggest companies in the world.

We shouldn’t think of good security as a switch that can be turned ‘on’ or ‘off’.

Instead, it’s better to think about it in terms of the sophistication and time investment of the attacker(s).

The more secure your systems are, the more difficult they are to successfully attack.

Attacking a computer system takes a lot of time and energy. It is only done when the perceived rewards are greater than the risks, time, and energy required.

Poorly defended systems can often be successfully targeted by less-skilled attackers. In contrast, well-defended systems might require a team of world-class hackers working together.

There are great historical examples of this; back in the 1990s it was fairly common to hear of governments or big businesses getting hacked. It seemed like every other week, someone gained access to a critical server that, one would think, would have ironclad security. But back then, security was often really weak. In many of those cases, nothing was actually ‘attacked’. So-called hackers were often just logging into servers and computers using default or incredibly weak credentials like username: administrator; password: administrator.

The goal of defensive cybersecurity is to make it as difficult as possible to successfully attack.

To use more technical terms, we are trying to harden our IT systems and improve our security posture.

A penetration test, or pentest, is a great way to gain a very useful, in-depth assessment of your security posture and how you can improve it. However, it only provides a snapshot of the network as it exists at the time of testing. New vulnerabilities are found all the time, and company networks, people and assets change too. It is common for the ethical hackers to come back one year later and again gain control of the same network, this time using a different methodology.

Protecting A Home – An Analogy

When learning about cybersecurity, it can be useful to think about how we secure our locations physically. A lot of the same principles in physical security also apply to cybersecurity.

Let’s consider a typical home. It has at least one entrance with a locking door to prevent anyone outside from coming inside without permission. Most homes also have windows. We don’t typically use windows for ingress and egress, so most windows only lock from the inside.

It’s difficult for an attacker to break through a wall, so we usually consider walls to be secure.

The attack surface of the house is therefore made up of the doors and the windows. But even with locks on the doors and windows, the house isn’t 100% secure.

The windows might be locked, but they can be broken by an attacker to gain access.

The doors have locks, but most locks can be picked by a skilled lockpicker. And doors can also be breached using physical force. But we still consider the doors and windows to be relatively secure as long as they are locked.

In the real world, this might not be enough to protect our home or allow us to feel secure at night.

We might buy upgraded locks, which in cybersecurity can be compared with using strong passwords or multi-factor authentication (MFA).

We may invest in a security system, cameras, lights, and sensors to detect and alert us of anything strange. These types of security systems are similar to technologies like antivirus (AV), and endpoint detection and response (EDR).

Depending on your neighborhood, you might install a fence around the perimeter of your property. The fence is similar to a network firewall. Like a fence, the firewall is installed at the perimeter of the network. Also like a fence, firewalls control not just who can access the inside (of the network) but also what people can see from the outside.

We will learn more about these technologies in a later lesson. But as we can see, the security measures that we often use in our daily lives often have analogs in the digital world.

Common Cybersecurity Challenges

Before we conclude this lesson, let’s look at some of the challenges in implementing cybersecurity measures at many organizations. We can have our computers and networks set up as securely as possible, but these challenges will remain.

User behavior is one of the most important factors in cybersecurity.

Adopting more secure behaviors doesn’t cost money, but it is commonly seen as a hindrance. For example, using unique, secure passwords and multi-factor authentication (MFA) are two of the most important things we can do to improve our security posture. Most of our apps support these security measures, but we often don’t use them.

Another issue is that a full compromise only takes one accidental click or slip-up. The more educated people are, the better they are able to protect themselves online. But it’s impossible to prevent things like phishing 100% of the time because it only takes one click.

When it comes to improving user behavior across an organization, we need to blend education with rule-based enforcement.

We recommend enforcing the use of strong, effective policies across the organization. For example, users on company devices shouldn’t be able to install any application they want or browse the web without controls. We also recommend the use of managed endpoint protection like MDR (more on this below).

Some things are impossible to get right 100% of the time. For example, in an ideal world, we wouldn’t click any link that we hadn’t fully validated to make sure it wasn’t malicious. Similarly, we wouldn’t download a document, application or an update until it was thoroughly checked for malicious content or vulnerabilities.

These sound great on paper but are hard to get right 100% of the time. For example, in a business email compromise (BEC) or phishing attack, you might get an urgent email from your direct superior about a topic that is highly related to your job. There’s a good chance that you wouldn’t think about security before downloading an attachment or clicking a link. This is an example of the attacker using social engineering, deceiving their target to achieve a goal.

For better or worse, some people are really good at socially engineering others.

Protection against this type of attack often falls to software-based detection measures such as endpoint detection and response (EDR). Firewalls are also critical to defending against these attacks, but there are tradeoffs. That’s why we recommend using a layered approach to cyber defense, which we cover in our educational content and support with our services.

Another challenge for small businesses is keeping systems fully patched and updated. This might sound like a trivial thing; doesn’t Windows update itself?

Unfortunately, the reality is that many systems and applications go without updates, often for years at a time. Many of our systems have a lot of applications installed on them, and we don’t typically go through every single one on a regular basis.

This might be acceptable on personal devices, but anything used for work, or connecting to the work network, needs to be as well-protected as possible.

Just one out-of-date application, system, or service can mean the difference between a successful attack or not.

Another reason that updates need to be managed is that many updates occur in order to patch security issues. When an update is released, the developer will often announce the bugs that are being patched with it. Once this knowledge is publicly released, attackers will try to make use of it as soon as possible. For more serious vulnerabilities, this means that the entire network might be at serious risk as long as the system remains unpatched. So there’s a race between attackers trying to exploit the vulnerability as quickly as possible and defenders trying to patch it. And over time, that race has gotten closer and closer.

Small businesses are often at greater risk than large enterprises because they often don’t have a dedicated IT person on staff to track and perform necessary updates in a timely manner. This includes updating all software on every device, and we estimate that it takes about 15-30 minutes per device per month to perform. Ensure that whoever is tasked with IT functions at your organization is allotted sufficient time to do this right.
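To make the monthly update pass measurable rather than a guess, the script below reports how long it has been since a Windows device last installed an update and flags it when that exceeds a threshold. It is an added example, not part of the course material; it assumes PowerShell 5.1 or later and a 30-day limit (`$MaxDays`, an assumed default you can adjust to your own patching schedule).

```powershell
# Added example (not part of the course material): report how stale a Windows
# device's patching is, so devices can be prioritised in the monthly update pass.
# Assumes PowerShell 5.1+. $MaxDays is an assumed threshold; adjust to your schedule.

param([int]$MaxDays = 30)

# Most recent Windows update (QFE) that reports an install date.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$now = Get-Date

$report = [pscustomobject]@{
    Hostname       = $env:COMPUTERNAME
    OSBuild        = $os.BuildNumber
    LastHotFix     = $latest.HotFixID
    LastHotFixDate = $latest.InstalledOn
    DaysSincePatch = $(if ($latest) { ($now - $latest.InstalledOn).Days } else { $null })
    UptimeDays     = ($now - $os.LastBootUpTime).Days   # long uptime often means a pending reboot
}

$report | Format-List

if (-not $latest) {
    Write-Warning "$($report.Hostname): no dated updates found; check Windows Update manually."
} elseif ($report.DaysSincePatch -gt $MaxDays) {
    Write-Warning "$($report.Hostname): last update $($report.DaysSincePatch) days ago (limit $MaxDays)."
} else {
    Write-Host "$($report.Hostname): patched within the last $MaxDays days."
}
```

`Get-HotFix` only covers Windows' own updates; it says nothing about third-party applications, which is why the software inventory from Task 2 (names and versions) is needed alongside it. A high `UptimeDays` value is worth acting on too: an update that has been downloaded but is waiting on a reboot offers no protection until the restart happens.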