Small businesses are the backbone of the United States economy, as they comprise upwards of 99% of all businesses. Given the sheer number of small businesses, in addition to the fact that they have the weakest cybersecurity out of all the organizational sizes, adversaries are targeting small businesses with cyberattacks at increasing rates. Small business cybersecurity risk is higher than it has ever been, and doing nothing has resulted in millions of dollars, as well as entire businesses, lost. If you are a small business thinking about cybersecurity for the first time, you are likely wondering where to begin. In this post, we outline what we call our Totem Top 10™: the 10 most important cybersecurity safeguards for small businesses.
These controls are derived from recommendations from leading security organizations but are tailored to better match small business needs and resource constraints. The 2022 update of the Totem Top 10™ was inspired by the incorporation of the NIST Interagency Report (NIST IR) standard for small businesses implementing the Cybersecurity Framework (CSF).
Regardless of your industry, whether regulated or not, the Totem Top 10™ (TTT) is meant to help you establish a strong baseline of cybersecurity within your small business environment. While this post will serve as only an introduction to each control, if you’d like to learn more, visit our TTT page or grab a seat in our Small Business Cybersecurity Essentials Workshop!
The Totem Top 10™ follows a “defense-in-depth” approach, where many different safeguards, both technical and not, are layered together to reduce small business cybersecurity risk. These safeguards are as follows:
1. Know Your Assets
Small business cybersecurity starts with knowing your environment. After all, how can you protect what you don’t know exists? This first control serves to help you identify both what you are protecting as well as who is involved in the process. This is necessary for understanding the scope of the problem, and it will set you up nicely to implement the rest of the TTT. We recommend approaching this first control in the following manner:
- Identify the sensitive information deserving (or requiring) protection
- Characterize how this sensitive information flows throughout your environment
- Inventory the IT assets (hardware, software, and people) facilitating the flow of sensitive information
Our Knowing Your Assets blog goes into detail on each step. You’re going to need to capture some technical details pertaining to your hardware, starting with all makes, models, serial numbers, IP addresses, MAC addresses, and open ports. For your software, capture the type (OS, application, etc.), version, as well as whether the software requires/uses an administrative account. This will be necessary when addressing TTT #5. Finally, for your users, capture their name, job title, and whether they operate an administrative account. If you are looking for a system inventory template to get started, you can download one for free below.
2. Train Your Users
You may be surprised to hear that your users are your greatest cybersecurity weakness. It’s true. Why is this? In a nutshell, it’s because humans are susceptible to social engineering: a type of attack (not necessarily cyber-related) where an adversary attempts to deceive someone into performing an action as to obtain something in result. Phishing is an example of social engineering: an adversary uses a carefully-crafted email to try and deceive your user into taking some action, such as clicking on a link, downloading an attachment, or providing confidential information. A successful social engineering attempt usually sets the stage for a much, much worse attack (e.g., ransomware), which is why it is imperative that all your users receive cybersecurity awareness training. The ultimate goal would be to build something of a cybersecurity “culture” within your organization. This is the most effective (and least expensive) way to snuff out attacks before they are able to go anywhere, as your users will go from your most dangerous liability to your greatest asset.
Totem Tech can perform customized cybersecurity awareness training for your small business, including carrying out a phishing simulation for your staff and holding a training to discuss the results. Contact us if this interests you.
While a cybersecurity culture is the most effective way to reduce small business cybersecurity risk, you are still going to need other safeguards. From this point forward, we will look at some technical controls that can help. While we have prioritized these, they can be done in pretty much any order. Just so long as you have done TTT #1 and #2 first.
3. Protect Your Endpoints (NEW!)
The newest control to our Totem Top 10™, replacing the previous Whitelist Software. For those of you who have been keeping up with the TTT, don’t worry: software whitelisting isn’t going anywhere. We explain below.
Broadly speaking, an endpoint is simply any device that is connected to and exchanges information with a network. More specifically, it’s a device that is not only connected to your network, but also to the Internet. An endpoint could include desktop computers, laptops, servers, printers, security cameras… if it’s talking to the Internet (or capable of doing so) and sitting on your network, it’s an endpoint.
Endpoints are particularly concerning in terms of security, because they are outside the scope of network security devices such as a network firewall. While a network firewall may be able to catch and block malicious network traffic before it reaches an endpoint, what happens if it slips past the firewall, perhaps as a result of a successful phishing attack? Without protection on the endpoint itself, it is left exposed. Thankfully, most operating systems will have a built-in antivirus that can help. Windows Defender is the free antivirus built into Windows operating systems, and with a little configuration, can become a nice first layer of endpoint protection for your small business cybersecurity program.
Unfortunately, even an antivirus such as Windows Defender probably isn’t going to be sufficient by itself in today’s threat landscape. At least, not for endpoints sitting on a business (as opposed to residential) network. You’re likely going to need something a little more robust to fend off more sophisticated attacks. We recommend that you take a look at some Endpoint Detection & Response (EDR) as well as eXtended Detection & Response (XDR) solutions. These are going to provide far more advanced capabilities than a standard antivirus, including:
- Software whitelisting/blacklisting
- Automated threat detection and response
- Threat hunting
- Centralized management across all your endpoints
Software whitelisting, specifically, is one of the most powerful technologies you can use to protect your network. Given the risks associated with allowing unknown or untrusted software to run on your endpoints, it is imperative that you control what is allowed to run. Software whitelisting allows you to specify exactly the software that you approve to run, and all other software is denied by default. That piece of malware that slipped past your firewall and made it to an endpoint? It won’t be permitted to run because of the software whitelist. A good EDR/XDR solution will have a software whitelisting capability, or, if you’re feeling brave, you could try out Windows’ native software whitelisting tool, AppLocker. It’s not very intuitive, but it is free!
4. Patch Software & Operating Systems
Of all the controls that made this list, this may be the one you’re least surprised to see. When you leave your assets unpatched, you leave them vulnerable to already-proven cyberattacks. While it usually (but not always) takes a more skilled hacker to develop new exploits against patched IT systems, even a novice-level hacker can easily crack open unpatched IT systems, as the exploits are already known. Got any Windows machines still running Server Message Block (SMB) v1.0? If any of your devices are still running Windows 7 (which reached end of life in 2020), the answer is likely yes. After a two-minute Google search, we found everything we needed to gain administrative control over such a machine from a remote device. No advanced scripting or social engineering required. See the example image below, where we cracked open an unpatched Windows 7 machine inside a testing environment:
This is the risk you run by leaving your assets unpatched. Keeping them up to date is one of the easiest ways to lower your cybersecurity risk, and it doesn’t directly cost anything to patch. However, we understand that you may operate in such an environment (e.g., manufacturing) where machinery must use an outdated operating system (OS), because updating the OS could cause older or custom software to malfunction and disrupt operations. Clearly, patching these machines would be a no-go. This is why the Totem Top 10™ is a layered approach to reducing small business cybersecurity risk: if one control just isn’t feasible, we are still implementing other controls (such as network segmentation and physical security) to compensate for this. If your small business finds itself unable to implement patching (or any other TTT safeguard) due to the potential for it to disrupt operations, schedule a consultation with us. We’ll help you identify some compensating controls instead.
5. Restrict Administrative Privileges
All major operating systems support different types of user accounts, each varying in its technical capabilities. For example, Windows supports two types of user accounts: Administrator and Standard User. Administrator accounts, also referred to as “superuser” or “privileged” accounts, have complete control over the operating system, meaning that they can make any configuration changes that they want to. This could include installing new software, disabling services (such as the host-based firewall or local antivirus), or making network configuration changes. This makes Administrator accounts key targets for adversaries, as they typically (but not always) will need elevated privileges to make their intended malicious changes (e.g., installing malware).
The most concerning element to this TTT control is that default accounts are Administrators. This is a problem, because unless you have manually created Standard User accounts for each of your users, they are all currently running with administrative privileges. What happens when one of your users is tricked into clicking on a phishing link? Whatever nastiness lies behind the phishing link will be given administrative permission to run. Translation: let the pain begin.
The goal, then, should be to disable Administrator rights for all those who do not need them. For small businesses, this is likely going to be everyone except your IT and engineering staff (if applicable). First, you’ll create Standard User accounts for everyone, which they will use on a full-time basis. Once this is complete, Windows is packaged with a neat tool called User Account Control (UAC), which allows you to designate how major changes are made to the machine. On each device, search for “UAC” in the Windows Search utility, and turn the dial up all the way:
Once the user has moved from an Administrator to a Standard User account, when they attempt to download a new piece of software or run an Administrator-level task, they will be presented with the following screen:
Those who do not need admin privileges will not (and should not) know the correct credentials, so they will not be able to proceed. However, those who do require Administrator permissions to perform their job will know these credentials, and they will enter them to continue their task. This essentially prevents your users who do not require Administrator permissions from making any unintentional changes. This also makes it much more difficult for an adversary to do something even worse.
6. Harden System Components
Your small business network, though minuscule compared to larger enterprise networks, is comprised of many different types of devices: workstations, servers, printers, scanners, smart devices, switches, routers… the list goes on. Each of these types of devices come pre-configured with certain settings, what we refer to as “default settings”. Unfortunately, these default settings tend to not be the most secure and are easily discoverable online, so we’ll need to fix that. We can achieve this through system hardening.
To “harden” a system means to take that system from its default (or current) vulnerable state and make it more secure. At a bare minimum, this means that all devices should be configured to:
- Change default credentials
- Disable unnecessary or insecure services (e.g., WEP & WPS on a WiFi router)
- Engage the strongest encryption algorithms available (e.g., AES)
- Enforce multi-factor authentication (MFA) where available
- Engage automatic updates
- Synchronize time via NTP with the an authoritative source like a domain controller (if one exists)
While this is a really good start, some vendors will create system hardening guides (sometimes referred to as “secure baselines”) for their products to help you really lock down their configuration. For example, Windows has done this through its free Security Compliance Toolkit, which you can use to harden any Windows products in your environment. If you are operating in a regulated environment, system hardening may be a requirement for you. For DoD contractors facing CMMC, we talk all about system hardening in our quarterly CMMC Workshop. Come join us!
7. Segment Your Network
If your small business has a brick-and-mortar headquarters, this control is especially important for you. When you first spun up your IT environment and unboxed that shiny new networking equipment, it is very likely that you created what is known as a “flat” network. A flat network is a basic network architecture type where all devices can easily communicate with one another. Using technical terms, all devices are on the same sub-network (subnet) and share very similar IP addresses. See the example flat network below.
In this flat network, the workstations, printers, and servers are all on the same subnet, and there is no logical separation between any of these assets. If an adversary were to compromise a user’s workstation through a phishing attack, there is nothing that would prevent them from jumping over to the servers. This kind of free-range access gives the adversary plenty of room to move around with impunity, and if you aren’t monitoring your environment (TTT #10), you won’t notice until bad stuff starts to happen.
We can solve this issue through network segmentation: chopping up our network into different logical pieces based on type or business function. Through network segmentation, we are adding obstacles into our environment, so that in the event someone does break in, it becomes a serious challenge for them to find what they are looking for. Network segmentation can be achieved through a variety of ways, but for small businesses, these options make the most sense:
- Physical “air gapping” between segments
- Putting firewalls in front of each segment
- Creating Virtual Local Area Networks (VLANs) for each segment
Many of you probably have some basic experience with network segmentation: creating a “guest” WiFi network for your customers. This is an example of air gapping (if you use a separate WiFi router for guests) or using a firewall (if the same router is used for both WiFi signals) to separate guest WiFi traffic.
In this example, network segments were identified according to the types of devices on the network: workstations, printers, and servers. The switch was configured such that three VLANs were created, each with their own unique IP address range, and the devices from each segment were placed into their respective VLAN. In this case, if someone were to get ahold of a user’s workstation, they would need to make some pretty significant network configuration changes to be able to move over to the servers. Assuming you’re monitoring your network, this would make a lot of noise, and hopefully exhaust the adversary to the point of giving up and moving on. Another helpful addition to our small business cybersecurity program.
8. Backup Your Data & Test Restoration
While most of the technical safeguards in the TTT are focused on attack prevention, this control is centered around the fact that a cyberattack against your small business is eventually going to succeed. It is inevitable. Recognizing this is the first step, then comes the preparation. In this case, you are going to need backups of whatever you cannot afford to lose when (not if) a cyberattack succeeds. This ultimately boils down to having a clear incident response (recovery) plan, which will require you to identify some recovery metrics for getting your systems back online following an attack. Our Incident Response Plan (IRP) template, which you can download for free below, is a good start to this process. There is no such thing as a “one size fits all” IRP, so it will require some significant customization to fit your small business cybersecurity program. But an IRP is critical, so we encourage you to take a look.
As far as data backups go, you have plenty of different options depending on what best suits your environment. If you are in a distributed (remote) environment, you might consider a cloud backup solution, so that your remote users do not have to each maintain separate data backups. A cloud backup might also work best for you if you have a brick-and-mortar facility, but have an extensive and complex network architecture. Cloud backups typically come with a monthly fee, depending on the number of assets and how much data is being backed up to the cloud. Though these are more expensive than local backups, they are much easier to scale as your small business grows.
If you are a very small business, perhaps one or two people with nothing more than a couple laptops, a local backup is probably more your speed. Grab a couple external hard drives, and regularly backup your data. You might even consider configuring Windows Backup to do it for you.
9. Enable Multi-Factor Authentication
Multi-factor authentication (MFA) is the process of requiring two or more authentication “factors” in order to successfully validate a user. There are three types of authentication factors:
- Knowledge factors – something you know, such as a password, PIN, or the answer to a security question
- Possession factors – something you have, such as a smartphone, security token, smart card, or PKI certificate
- Inherence factors – something you are, a biometric factor such as a fingerprint, a facial scan, a voiceprint, or a retina/iris scan
So, MFA is achieved when a user is required to present one or more items from at least two of these factors. The reason that the cybersecurity community is so outspoken about MFA is that it is one of the simplest, yet most effective, technologies you can put in place to protect your data. While we can certainly hope that our users are creating unique, long passwords as we trained them to, the reality is that they are still going to fall back on old habits and reuse or create easy-to-crack passwords. MFA drastically reduces the risk of this harming your organization by requiring an additional authentication factor.
We recently discovered that Windows has a free MFA capability built-in, called Windows Unlock. If you do not have a domain, this will come in handy for ensuring your standalone workstations are enforcing multi-factor authentication.
10. Collect & Analyze Event Logs
Last but certainly not least in our Totem Top 10™ is to collect and analyze event logs. As alluded to in TTT #7: Segment Your Network, we need a capability that allows us to monitor our network for suspicious activity. This control enables us to do that.
Event logs are small text files describing some computer event. For example, an event log is generated when a user signs into a computer, or when they install a piece of software. In Windows, you can view the event logs using the Windows Event Viewer application. Event logs not only pertain to what is happening on a given machine, but also to what is happening across a network in the form of network traffic. On a given day, your collective network is likely generating tens or hundreds of thousands of logs. By collecting and analyzing these logs, we can spot adversarial activity within our network before it grows to something much, much worse.
There are a couple options for you to monitor your network. You can attempt to do it yourself using a free tool such as Security Onion. This is going to require some technical know-how (and a good amount of time) to spin it up and tune correctly, but the features are pretty nice. You can expect to pay for support if you need it, but if you have the determination, this might be just what you need. However, if you are like most small businesses, you may just look to outsource this capability to someone else, such as a Managed Security Service Provider (MSSP). The MSSP will take on the event log monitoring task for you, and they will alert you when they notice suspicious activity. Depending on the tier of package you purchase, they may even step in and assist you with incident response. If you’d like Totem to make an introduction to an MSSP, let us know.
There you have it: an introduction to the Totem Top 10™, and our methodology for small businesses wanting to take cybersecurity seriously. Whether you are operating in a regulated environment or not, regardless of your industry, the Totem Top 10™ will help you reduce your cybersecurity risk. It is going to take some time and plenty of effort across the organization to make happen, but the end result will be a pretty robust defense-in-depth cybersecurity program.
If you find that you’d like some additional help building a small business cybersecurity program, grab a seat in one of our Cybersecurity Essentials Workshops, schedule a TTT assessment, or just drop us a line. We love helping small businesses improve their cybersecurity!
Keep fighting the good fight!
–Nathan Cross, Cybersecurity Engineer