4 Common Pitfalls of Vector-Based Security for SMBsWill Ehgoetz of ActZero on the Challenges of Taking a Vector-by-Vector Approach
Budget-strapped and short of cybersecurity talent, SMBs have a hard row to hoe when it comes to securing their businesses. Far from a straight line of defense, security branches off into new vectors of attack and vulnerabilities with every new technology the organization takes advantage of to grow its business.
All is doom and gloom, of course, but mitigating risk across new - and old - attack vectors requires careful planning and execution to avoid the worst-case scenario: the business grinding and, sadly, sometimes never recovering.
I've noticed over the years that small and midsized businesses often deprioritize security and lag on keeping security practices updated. Maybe they see sky-high statistics on the cost of breaches and feel those numbers don’t apply to them, but that attitude changes once they’ve been hit.
A vector-based approach to security may seem to make sense, but budget constraints could say otherwise. There will always be gaps, and vectors that cannot be secured - forcing certain trade-offs that seem impossible. With an ever-rising number of attacks coming from an ever-expanding attack surface, SMBs face several specific challenges in safeguarding business with a vector-by-vector approach. Let’s look at them.
1. Looking for threats in all the wrong places
Perhaps one of the biggest mistakes is incorrectly prioritizing the vectors you’re choosing to defend. Due to budget, the reality is that organizations cannot secure every vector from attack, which means they must prioritize correctly.
This is where planning and threat modeling come into play:
- What are the most immediate threats the business faces?
- What are attackers targeting?
- And most importantly, what must the business protect at all costs?
At its simplest, if the business uses email and has no web presence, it can deprioritize web security. More importantly, IT and leadership must ask themselves:
- What happens if the business loses this tool or asset?
- What is the business impact?
Prioritize your most important infrastructure - your business's "crown jewels" - and the vectors that are most at risk. Then move toward protecting them all.
2. Ignoring the past
"Leave the past in the past" might be a nice maxim for forgiveness, but it’s a terrible security practice. Too often in the attempt to secure every vector, organizations don’t pay attention to where failures have occurred.
No one can attain perfection, but it makes no sense to ignore, for example, the fact that employees continue to open phishing attacks or that a particular exposed server, say the website, is constantly hit.
Step back and honestly assess your environment. Take a good hard look at your data and infrastructure to determine what is failing, isn’t working fully or isn't giving you the coverage needed where you need it. Focus on shoring those areas up, whether that means updating security tools, providing employee training or implementing new security controls.
3. Chasing the buzz
There’s a lot of fear in the news media when it comes to cybersecurity. A high-profile breach, especially one in your industry or region or one using the same software you use, will often cause businesses - not just SMBs - to panic and drop everything to fight the latest, greatest threat.
Stay on target. Plans can and should change, and headlines shouldn’t dictate - but should inform - your cybersecurity response. Just because it’s the top news doesn’t mean it applies to the organization.
Leadership is almost always going to go nuts worrying about the newest cyberthreat, so it’s important to stick to the plan in place: covering the highest-priority and most truly at-risk items first. Communication is also important; a well-communicated security policy will help leadership and end users overcome their knee-jerk, hype-driven fears.
4. Lack of defensive depth
In case it’s not already clear, you can’t protect everything. Many SMBs have assets that have no tool or mechanism to protect them. Consider decades-old but business-critical equipment. Remember that everything important to business must be secured, whether it's digital or physical.
Often small businesses shrug their shoulders and don’t bother to secure what they see as "unsecurable," when what they need to do is mitigate the risks as well as possible and then put in place layers of redundancy. This way, there’s no single point of failure.
For SMBs, a vector-based approach to security is a bit like the urban legend in which you’ve locked every door and window you can think of only to learn the caller is already in the house. Having a defense-in-depth approach hopefully means they are still locked in the mudroom so you can analyze the situation, understand the real threats and risks, avoid panic and respond accordingly with the resources you have.
The struggle to protect everything from every vector of attack is real. SMBs are forced to choose between which vectors to secure, and ultimately the attack will inevitably come from the ones not chosen. Check out our recent white paper, "The Opportunity Cost of Making 'Impossible' Cybersecurity Tradeoffs." In it, you will learn how and why trying to cover all security vectors inevitably stretches resources and forces compromise, and how to use threat intelligence, monitoring and preparedness to take control of your security posture.