Industry Insights with Will Ehgoetz

Endpoint Security

4 Common Pitfalls of Vector-Based Security for SMBs

Will Ehgoetz of ActZero on the Challenges of Taking a Vector-by-Vector Approach
4 Common Pitfalls of Vector-Based Security for SMBs

Budget-strapped and short of cybersecurity talent, SMBs have a hard row to hoe when it comes to securing their businesses. Far from a straight line of defense, security branches off into new vectors of attack and vulnerabilities with every new technology the organization takes advantage of to grow its business.

See Also: AI-Driven Strategies for Effective Cyber Incident Recovery

All is doom and gloom, of course, but mitigating risk across new - and old - attack vectors requires careful planning and execution to avoid the worst-case scenario: the business grinding and, sadly, sometimes never recovering.

I've noticed over the years that small and midsized businesses often deprioritize security and lag on keeping security practices updated. Maybe they see sky-high statistics on the cost of breaches and feel those numbers don’t apply to them, but that attitude changes once they’ve been hit.

A vector-based approach to security may seem to make sense, but budget constraints could say otherwise. There will always be gaps, and vectors that cannot be secured - forcing certain trade-offs that seem impossible. With an ever-rising number of attacks coming from an ever-expanding attack surface, SMBs face several specific challenges in safeguarding business with a vector-by-vector approach. Let’s look at them.

1. Looking for threats in all the wrong places

Perhaps one of the biggest mistakes is incorrectly prioritizing the vectors you’re choosing to defend. Due to budget, the reality is that organizations cannot secure every vector from attack, which means they must prioritize correctly.

This is where planning and threat modeling come into play:

  • What are the most immediate threats the business faces?
  • What are attackers targeting?
  • And most importantly, what must the business protect at all costs?

At its simplest, if the business uses email and has no web presence, it can deprioritize web security. More importantly, IT and leadership must ask themselves:

  • What happens if the business loses this tool or asset?
  • What is the business impact?

Prioritize your most important infrastructure - your business's "crown jewels" - and the vectors that are most at risk. Then move toward protecting them all.

2. Ignoring the past

"Leave the past in the past" might be a nice maxim for forgiveness, but it’s a terrible security practice. Too often in the attempt to secure every vector, organizations don’t pay attention to where failures have occurred.

No one can attain perfection, but it makes no sense to ignore, for example, the fact that employees continue to open phishing attacks or that a particular exposed server, say the website, is constantly hit.

Step back and honestly assess your environment. Take a good hard look at your data and infrastructure to determine what is failing, isn’t working fully or isn't giving you the coverage needed where you need it. Focus on shoring those areas up, whether that means updating security tools, providing employee training or implementing new security controls.

3. Chasing the buzz

There’s a lot of fear in the news media when it comes to cybersecurity. A high-profile breach, especially one in your industry or region or one using the same software you use, will often cause businesses - not just SMBs - to panic and drop everything to fight the latest, greatest threat.

Stay on target. Plans can and should change, and headlines shouldn’t dictate - but should inform - your cybersecurity response. Just because it’s the top news doesn’t mean it applies to the organization.

Leadership is almost always going to go nuts worrying about the newest cyberthreat, so it’s important to stick to the plan in place: covering the highest-priority and most truly at-risk items first. Communication is also important; a well-communicated security policy will help leadership and end users overcome their knee-jerk, hype-driven fears.

4. Lack of defensive depth

In case it’s not already clear, you can’t protect everything. Many SMBs have assets that have no tool or mechanism to protect them. Consider decades-old but business-critical equipment. Remember that everything important to business must be secured, whether it's digital or physical.

Often small businesses shrug their shoulders and don’t bother to secure what they see as "unsecurable," when what they need to do is mitigate the risks as well as possible and then put in place layers of redundancy. This way, there’s no single point of failure.

For SMBs, a vector-based approach to security is a bit like the urban legend in which you’ve locked every door and window you can think of only to learn the caller is already in the house. Having a defense-in-depth approach hopefully means they are still locked in the mudroom so you can analyze the situation, understand the real threats and risks, avoid panic and respond accordingly with the resources you have.

The struggle to protect everything from every vector of attack is real. SMBs are forced to choose between which vectors to secure, and ultimately the attack will inevitably come from the ones not chosen. Check out our recent white paper, "The Opportunity Cost of Making 'Impossible' Cybersecurity Tradeoffs." In it, you will learn how and why trying to cover all security vectors inevitably stretches resources and forces compromise, and how to use threat intelligence, monitoring and preparedness to take control of your security posture.

About the Author

Will Ehgoetz

Will Ehgoetz

Manager, Threat Hunting Team, ActZero

Will Ehgoetz manages the Threat Hunters at He has more than 25 years of experience in information technology and related fields, with over 15 years in information security. His security experience includes threat intelligence and analysis, investigation, threat hunting, vulnerability management and testing, risk management and threat assessments, policy and standards development and operational security. Ehgoetz is an active member of the global digital crime investigations and crimeware research community and a member of the Royal Canadian Military Institute.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.