Last Updated on January 15, 2024
Is your SMB one of the many that doesn’t have a CISO? Or even a professional security team? So, how do you make good decisions to manage cyber risk?
To share crystal clear, foundational best practices to help SMBs take a big step forward with security, Dr. Eric Cole, well-known author and Founder/CEO of Secure Anchor Consulting, was featured on a recent episode of The Virtual CISO Podcast. Pivot Point Security’s CISO and Managing Partner, John Verry, hosts the show as usual.
“It becomes even more important that when you’re having people make decisions where there is no CISO, or there is no security department, that it’s really ingrained within that thinking,” advises Eric.
“What I do with those small or medium-sized organizations is you have non-negotiables. You just go in and make it simple. It’s not really hard. I’ll break it down for you. It really just comes down to three basic rules.”
Non-Negotiable Rule #1: All web-facing systems must be fully patched.
The first non-negotiable cybersecurity rule for SMBs is that any system that is accessible from the internet, be it a web server, email server, etc., must always be fully patched and up-to-date. Period. No exceptions. This helps block many—if not most—of the opportunistic attacks that rely on exploiting (often old) vulnerabilities.
Non-Negotiable Rule #2: Systems accessible from the internet cannot contain critical data.
If you never make critical data accessible from the web, it becomes much harder for hackers to find it and exfiltrate or damage it. You may be “breached” in the sense that hackers get into your environment. But if they can’t cause harm by stealing, deleting and/or encrypting data, this is much less of a problem.
Non-Negotiable Rule #3: Always store, secure and protect all of your critical data in an approved location.
This is, in many ways, the hardest (that is, the most costly) of Eric’s three non-negotiable rules—but it’s still not that hard. If you have viable, tested data backups that can’t be harmed by most attacks and disasters, your business can survive significant misfortune that might otherwise take it down financially or irreparably damage your reputation.
“If you follow those three basic non-negotiables, most of the problems go away,” counsels Eric. “If we look at all of the major breaches over the last four years, I will argue and debate that every single one of those breaches was caused because a company broke one of those three rules. I always say, security doesn’t have to be hard if you understand the exposure.”
But maybe security isn’t quite as easy as Eric’s three non-negotiable rules.
Non-Negotiable Rule #4: Use multi-factor authentication (MFA) for your cloud-based services.
John makes a compelling argument for adding a fourth rule: “I would agree with that for an organization that’s largely hosting their own stuff. But I would add to that multifactor authentication if you’re using cloud services. Because I’ve been involved in a number of breaches that were [account takeover] breaches of credentials to, let’s say, Microsoft 365. I think MFA would be a good addition to the list.”
“Oh, absolutely!” Eric agrees. “After this call, I’ll give you credit and I’m going to say there are four non-negotiable rules. I’m going to steal that, because you’re right.”
If you’re looking for ways to simplify—and strengthen—cybersecurity, be sure to catch this podcast episode with Dr. Eric Cole.