Author: Malwarebytes Labs
We aren’t going to sugar-coat this—getting security right isn’t easy for SMBs. Fortunately, small improvements in the right places can make a big difference.
To help you, here are five of the best “bang-for-your-buck” security tips that will get you on the right track, and get you thinking about security in the right way.
1 Plan your patching
If you’re reading this, you probably already know that applying software updates promptly is the cornerstone of securing your business. But knowing it and doing it are very different things. If you have more than a handful of computers, an ad-hoc approach won’t work, and as a business grows, the complexity of what it takes to keep its software patched increases exponentially.
“Just patch” doesn’t cut it; you need a plan.
For many, the right approach will be to outsource both the planning and execution to an experienced Managed Service Provider (MSP). Organizations rolling their own plan will need to know what computers they own, what software they’re running, what updates they need, who is responsible for applying them, and what schedule they’re working to. Patch management tools like Malwarebytes Nebula can’t write the plan for you, but they can really help.
2 Roll out multi-factor authentication
When it comes to “bang-for-your-buck” there isn’t much that gets close to multi-factor authentication (MFA). How about this for an endorsement:
“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.” Alex Weinert, Microsoft Identity Division – Security and Protection Team
MFA is armor for your password. It can shut out online and offline brute-force guessing attacks, protect you from stolen passwords and credential stuffing, and even blunt phishing attempts.
While any MFA is better than no MFA, not all methods are equally good, and some of them aren’t aging well. SMS-based MFA is vulnerable to targeted SIM-swapping attacks. MFA codes sent by SMS or generated by authenticator apps can be phished, and push notifications can be abused to bore users into approving a request they should have denied. The gold standard for MFA is FIDO2, used in modern hardware keys and other devices—we recommend you start there.
3 Get your accounts under control
Almost all complex computer systems come with user accounts that can be assigned different access rights. Used correctly, this carries significant security benefits.
If a user accidentally runs malware, the malware inherits their access rights. If malware exploits a software vulnerability to run malicious code, it inherits the access rights the compromised software is running under. The fewer rights they have, the more restricted the malware is. But if everyone’s an admin, all bets are off—the malware is unrestrained.
Access rights should be organized according to the principle of least privilege: Users should get the access they need rather than the access rights they want (yes, even the CEO). Does it get complicated? Yes. But it only ever gets more complicated (and more expensive) as you grow, so start fixing it now.
The harder attackers have to work to achieve the privileges they want, the more likely you are to spot them before they do something bad.
4 Make people your #1 security tool
IBM’s 2020 Cyber Resilient Organization Report put up in lights what many on the security front line already knew: Having too many security tools makes you less secure instead of more secure.
In 2021, a Reliaquest/IDG report about technology sprawl came to much the same conclusion:
The majority of survey respondents (92%) agree there’s a tipping point where the number of security tools in place negatively impacts security. Seventy-eight percent said they’ve reached this tipping point.
What the research showed (and everybody knows deep down) is that to be effective, tools must be well integrated, configured optimally for their specific environment, and operated by well-trained staff who are confident in how to use them.
Tools that are easy to use and easy to integrate make this simpler, but the bottom line is that this is about people and whether they are brought along or left behind.
5 Find a way to say “no”
OK, this one isn’t specifically a cybersecurity tip, but it could be the single most important thing you do for your organization’s security.
Many IT and security teams are caught in an endless round of firefighting and their work always seems to exceed their capacity to deliver it. They probably know what they need to do to improve their situation, but they just can’t find the time to do it.
Well, if you’re going to create a patching plan, roll out MFA, get your accounts under control, or properly integrate your latest security purchase, you’re going to need people who aren’t putting out fires.
The only way to get out from under your firefighting and do the things you need is to say “no” to something somebody is expecting (and probably more than one thing).
You will likely need senior managers in your organization to buy into and support your decision, and how best to do that will depend on your individual circumstances. Multiple guests on the Malwarebytes Lock and Code podcast have talked about making cogent business cases for security projects, so if you want to learn more about making space for security projects listen to Matt Crape talking about doing backups correctly, and Jess Dodson talking about why we don’t patch and why we get the security basics wrong.