SMBs were generally ignored by cybercriminals. Not anymore. We’re suddenly prime targets for the bad guys and we’re all struggling to keep up. This eBook is a primer for conversations between C-suites, boards of directors and investors. It’s also a “how to” guide for driving cybersecurity changes in the face of budget challenges and expertise shortages.
Training is not just a security requirement. It is a cyber insurance requirement and, for many industries, a regulatory obligation. Cyber liability insurance payouts are often predicated on adequate employee security training and monitoring. If your employee training, testing and monitoring program is good, some insurers will give you a discount.
Here’s what we’ve covered so far: SMBs are the current bullseye in the cyberattack landscape, employees are your biggest vulnerability, and there are concrete steps you need to take to stay secure.
Now we turn our attention to ‘how’, in the face of dizzying complexity, you can put an achievable plan in place to stay secure. Securing a business is no longer something that one person—or one team—can do alone. But it can be done by organizations of all types and sizes. It’s a three-part solution. Before we get into the mechanics of it, let’s take another look at the nature of the threat landscape and how organizations engage with it.
What we know:
In the face of mounting threats, organizations need to safeguard business continuity and maintain the high levels of transparency and resilience that good governance requires, while discharging their legal and fiduciary cybersecurity responsibilities. It’s getting tougher to do these things, in large part because of the rate of change in the security world. It’s astonishing. The growth curve of cyber crime is almost vertical. And given the complexity involved in staying secure, criminals are making a fortune.
Perhaps even more importantly, cybercriminals now work together in a very synchronized fashion. The cybercrime world has become deeply collaborative, a key element in the power that it wields. It’s time for businesses to return the favour and take a page out of the cybercrime book.
How many times have you asked an IT person a question that they couldn’t answer? Perhaps something you knew about that they didn’t? It’s becoming commonplace. That’s because the big consulting and accounting firms are teaching Executive Directors and boards the questions that they need to ask. They’re essentially saying “if you’re going to be fully responsible for this organization, you need to stay on top of cybersecurity.” And they’re not wrong.
Still, the poor IT folks who report to Executive Directors and boards don’t have answers at the ready. That’s because the cybersecurity environment that they have built is typically incoherent. It’s often an in-house effort that doesn’t leverage collaboration with an IT security firm—often without even an IT security expert on staff [18]. It’s a jumble of tools, programs and protocols that do a passable job of keeping their company secure. If boards of directors knew how complicated cybersecurity was, they would have some empathy.
The knights of old wore chain mail—mesh garments made of small metal rings linked together. That’s a great analogy for effective modern IT defense: interlocking security tools that keep your organization safe. The tools you need work together to address the different attack vectors that criminals use to compromise companies, and limit your internal vulnerabilities.
We use 31 process and remote management tools within our environment at Quartet. Seven of those are intrinsic to our managed security service. Each group represents a different category of defense:
This tool ensures that you’ve dotted the ‘I’s and crossed the ‘T’s of security. The one we use checks 130 security items across all users and key infrastructure elements in the corporate environment. If something is misconfigured, this tool detects it—for example, if a Microsoft server is missing a patch. This toolset also detects users who have permissions that they shouldn’t, e.g. access to files without appropriate security clearance. It extends to firewalls, including on-premise mail servers and Office 365. As security exceptions are flagged, we review them and act accordingly.
In theory, firewalls are simple. They keep unwanted traffic out of the corporate network. In practice, a firewall is not just a firewall. They come with things like Real-Time Deep Memory Inspection and Reassembly-Free Deep Packet Inspection that enable them to decrypt and analyze secure (SSL) traffic in real time—without breaking it. Oh, and all while processing up to 10 Gigabits per second.
Modern firewalls leverage networks of millions of sensors worldwide to monitor the Internet. Unrecognized signatures are sandboxed and those that pose a threat are added to firewall defenses in real time. Firewalls extend protection to wireless devices, wherever they may be. And of course they offer centralized management, reporting and experts on the other end of a telephone, 24/7. The trick lies in configuring a firewall solution that’s right for your environment and fine-tuning it as your network environment changes, so that it sends out only meaningful alerts.
Anti-virus and anti-malware capabilities have grown enormously over the years. But so have viruses and malware. New vectors are detected every day. When something suspect is detected within the network perimeter of a customer organization, it is sandboxed. Our AV provider then uses artificial intelligence to determine if the program is safe.
The weakness inherent in this kind of tool lies in its management. It needs to be configured properly and updated constantly. If it’s not updated, it doesn’t work. Both the virus scanner agent itself and the definitions need to be kept up to date. The tool itself does that most of the time, and we add an extra layer of precaution with our remote monitoring agent that keeps an eye on the antivirus system and forces updates when required. Monitoring these tools is a big part of the service we provide.
How often does John in accounting try to access a counterfeit bank login page? This tool analyzes Internet traffic in real time and blocks the bad stuff. The Internet security program we use also has heuristic analysis built in. In other words, it tracks and analyzes browsing behavior. This insight into employee surfing habits can then be used to block specific sites like Google Mail, Facebook or anything deemed not safe for work.
The team behind the tool has a whole R&D department that finds bad traffic and blocks it automatically. But they need us as a local agent. They occasionally block a valid domain, and we need to work with them to get around that.
This tool scans servers and workstations for popular third-party applications like Google Chrome and GoToMeeting. It checks versions and compares them to the most recent available, then updates if required. As new apps are added to this third-party application patching tool, we push them selectively to customer environments. But we have to be careful about automatic updates, because some clients need old versions of applications, like Adobe or a Microsoft OS. An extreme example is one of our customers, an airport. 50 of the 300 applications they use to run the airport broke when we updated the Microsoft OS (in test mode, of course). So we had to figure out an upgrade path, application by application.
Internal network defense detects anything that has gotten through the firewall. It gets a copy of all network traffic and analyzes it against known patterns. That might look like a user going to Dropbox or Ask.com, if those are internally banned sites. Or it could be a user going to the Tor network (the deep Web), or a virus that’s attempting to download something from it. If any of those patterns match, it creates a ticket for the team behind the tool, who perform an analysis. If it’s an actual issue, we are immediately notified and take appropriate action with our customer.
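To make the matching step concrete, here is an added example (not Quartet’s tooling or any vendor’s product) that runs the pattern check described above over a copy of connection records: constructed firewall/proxy log lines are matched against internally banned sites (Dropbox and Ask.com, as in the text) and against a stand-in Tor relay list, and each hit is grouped into one ticket per user and pattern for an analyst to review. The log format, host names, IP addresses and relay list are all constructed for illustration.

```python
"""Toy version of the internal network defence step described above.
Added example, not Quartet's tooling: it takes a copy of connection records
(constructed firewall/proxy log lines), matches each against known patterns
(internally banned sites such as Dropbox and Ask.com, and destinations on a
Tor relay list) and opens one ticket per user and pattern for analyst review.
Every host name, IP address and log line below is constructed."""
import re
from dataclasses import dataclass, field

# Constructed log format: <time> user=<name> src=<ip> dst=<ip> dport=<n> host=<fqdn or ->
LOG_RE = re.compile(
    r"^(?P<time>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)

# Internally banned sites named in the text; matched on the domain and its subdomains.
BANNED_DOMAINS = {"dropbox.com": "banned-site:dropbox", "ask.com": "banned-site:ask"}

# Stand-in for a Tor relay feed. A real deployment would load the published relay
# list on a schedule; these addresses are placeholders from RFC 5737 test ranges.
TOR_RELAYS = {"198.51.100.7", "203.0.113.42"}

# Constructed sample traffic, including a look-alike domain and one unparseable line.
SAMPLE_LOG = """
2019-02-20T09:14:02 user=jsmith src=10.0.0.21 dst=192.0.2.10 dport=443 host=www.dropbox.com
2019-02-20T09:14:09 user=jsmith src=10.0.0.21 dst=192.0.2.11 dport=443 host=dl.dropbox.com
2019-02-20T09:15:30 user=mlee src=10.0.0.34 dst=198.51.100.7 dport=9001 host=-
2019-02-20T09:16:01 user=mlee src=10.0.0.34 dst=192.0.2.20 dport=443 host=intranet.example
2019-02-20T09:17:45 user=rpatel src=10.0.0.50 dst=192.0.2.30 dport=443 host=www.ask.com
2019-02-20T09:18:00 user=rpatel src=10.0.0.50 dst=192.0.2.31 dport=443 host=notdropbox.com
this line is not in the expected format
"""


@dataclass
class Ticket:
    user: str
    pattern: str
    evidence: list = field(default_factory=list)


def host_matches(host, domain):
    """True for the domain itself or any subdomain; 'notdropbox.com' must not match."""
    return host == domain or host.endswith("." + domain)


def classify(rec):
    """Return the label of the first pattern the record matches, or None."""
    for domain, label in BANNED_DOMAINS.items():
        if host_matches(rec["host"], domain):
            return label
    if rec["dst"] in TOR_RELAYS:
        return "tor-relay"
    return None


def analyze(lines):
    """Match every record against the patterns and group hits into tickets.

    Returns (tickets, unparsed): tickets is keyed by (user, pattern) so repeated
    hits become evidence on one ticket instead of a flood of alerts; unparsed
    counts lines the parser rejected, which analysts should see rather than have
    silently treated as clean traffic."""
    tickets, unparsed = {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        label = classify(rec)
        if label is not None:
            key = (rec["user"], label)
            tickets.setdefault(key, Ticket(rec["user"], label)).evidence.append(line)
    return tickets, unparsed


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG.splitlines())
    for (user, pattern), t in sorted(found.items()):
        print(f"TICKET {pattern:<22} user={user} hits={len(t.evidence)}")
    print(f"{bad} line(s) could not be parsed")
```

Running it opens three tickets (two Dropbox hits grouped under one user, one Tor relay contact, one Ask.com visit), leaves the look-alike domain and intranet traffic alone, and reports the one line the parser could not read.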
Disk encryption protects data from physical theft. Without disk encryption, a thief could simply put your hard drive into a different computer and read its contents. With encryption, they can’t get access to the data unless they know your encryption keys. That applies to USB drives as well: to use them in the work environment, they must either be encrypted or read-only. We define encryption configuration and policies within customer environments and enforce encryption, verifying encryption status by means of a remote monitoring agent.
What traditional anti-virus misses, advanced threat detection will eliminate. However, there is a fine line between an actual threat and a merely unwanted program, and unwanted programs matter because they can lead to horrible things. For example, Google does a good job of winnowing out search results that lead to malicious websites. Some niche search engines, however, don’t. When workstations have certain search engine toolbars installed, it’s asking for trouble.
Advanced threat detection also eliminates persistent mechanisms. These are malicious hooks that are hard to get rid of. For example, such a mechanism might download a virus every time the computer starts or a user logs in. The anti-virus program detects and deletes the virus, but the next time the computer restarts it will do the same thing. Advanced threat detection solves that problem.
Have you ever received an email from your boss asking you to send iTunes gift cards to a suspicious account? Employees receive many phishing emails a day, and they’re getting harder and harder to detect. Cyber criminals are now disguising their phishing attacks as click-bait emails that look so real you’re compelled to click on them. Some emails are disguised as free pizza coupons, while others can be specific to your industry. Employees are your weakest link, simply because they’re human. That’s why it’s becoming increasingly important to train them on phishing email detection. Phishing detection and training tools help prevent employees from making a small mistake that could potentially cost your company millions.
All of these tools are designed to help you:
Notice that we don’t say ‘to prevent attacks’. Why? Because attacks happen. They’re happening right now—to your network. The quicker you get used to the idea of hardening and recovering, rather than building a hard shell to protect a soft underbelly, the better you’ll fare.
The tools we just reviewed do a great job of reducing the likelihood of an attack and limiting the damage that an attack may cause. Still, as good as they are, they won’t stand up to employee ignorance and negligence. Human error is still the number one cause of IT security issues, so it’s still very important to train your people. All of them.
The tools that are available today are nothing short of fantastic. There is so much money being poured into tools right now that they are all good. These are cyber defence tools that your average in-house IT team typically cannot access, either because of price or because they are only provisioned directly to managed service providers. They are a far cry from self-managing. You can’t turn a robust, cutting edge tool on, walk away and expect it to work properly.
To cite a simple example, think of a firewall. The night that a new firewall is set up, a typical company of 50 people will get about 150 alerts, approximately 12 of which are relevant. You got the other 138 because firewall alert parameters are too sensitive, or misconfigured. They need fine-tuning—a process that can take weeks or months. Whoever is responsible for that firewall needs to be trained on it and understand in great detail how it works. And that’s just a firewall, a tool that’s been around for over 20 years.
Selecting, managing and updating the several tools required for each bucket—as well as organizing and conducting two types of training—is not a one-man job. It’s not even a five-man job: You need time and expertise to evaluate and choose the right tools. You need time…
…to master their use.
…to train other people in their use.
…to formulate and conduct employee training to reduce the human risk factor.
…to manage tool alerts.
Time, time, time. And money.
Think it might be time to bring in some outside help?
The heart of security has gone from building a security apparatus to managing complexity. It’s no surprise that your IT people can’t answer all your questions. They have tools, they have some expertise, but they can’t stay on top of it.
Quartet has systematized complexity management. We put together teams of people who are experts at doing all of this. It begins with tool selection. We base our tool choices on three things:
The function they need to fill
How good they are
Whether they can interface with our security software management solution
“I simply can’t keep up with cybersecurity. AND do my other job. AND answer to Directors armed with great questions but too little IT knowledge.” ~ IT Directors everywhere
“It doesn’t get much more critical than assuring the safety of children.” Quartet goes to bat for an Ontario not-for-profit dedicated to improving the lives of children-at-risk.
IT security breaches endanger the lives of children every day. When we began working with Alan, the CTO of an Ontario-wide children’s organization, in 2008, his network defenses needed help. Alan was constantly putting out fires. What’s worse, smaller regional organizations had experienced serious breaches that put young lives in jeopardy and made the news.
The security regime that we put in place drastically reduced the threat of an IT security breach. As we beefed up the organization’s defenses, its security environment slowly switched from reactive to proactive.
But getting there took more than tools—it involved something over which Quartet had little control: internal security posture. Alan drove the essential change management effort, educating employees, putting protocols in place and enforcing good behaviour. Together, we achieved what we never could have managed on our own—especially with respect to behavioural change within the organization. Documentation, training, best practices…our work would have been for naught without his help. It’s a classic example of interdependence. In 2018 we got together with Alan and co-presented our program and its results to a council of organizations under the same umbrella. It blew them away. It made them realize that they didn’t have to be victims—that they could take a proactive stance on cybersecurity.
Several years ago, as we were busy adding tools to counter threats to Alan’s organization, we began to feel the weight of managing all those tools and alerts. No surprise there: a more sophisticated security environment upped the volume of work for Quartet. Eventually, the challenge morphed from securing Alan’s environment to managing the complexity of the program.
It dawned on us that comprehensive security programming is more about managing complexity than security, or at least more than we had appreciated. The paradigm had shifted. That’s when we adopted one tool to manage that complexity, to consolidate and prioritize alerts and actions.
We may see the day when a single tool can deal with the entire universe of cyberthreats. But it won’t come soon. That’s because every attack vector is a small microcosm that’s constantly evolving. Each demands a ton of specialized knowledge and specialized tools with countermeasures for each particular threat.
“The key to effective cybersecurity is managing complexity.”
Keeping up with one tool is difficult, because each of them demands that you do dozens or hundreds of things every day. You have to learn which of those 100 things the tool wants you to do are urgent, important or irrelevant. Multiply that by 38 different tools and the complexity quickly becomes unmanageable.
We are constantly looking for the best tools for each of the different attack vectors. Last year, we adopted 26 new ones. We researched, tested, then integrated them and became expert in their use.
The reason we can do this is that we employ two people who are dedicated to managing tools. Just managing them! What this gives our clients is an easy-to-follow and transparent process for IT defence. The security software management ecosystem that we offer is something that boards of directors can easily understand.
If you don’t have a way of integrating all tool management and notifications within a security software management solution, you can’t handle the complexity. At Quartet, a critical part of our tool selection process is determining whether a new security tool will integrate completely into our consolidation tool and our ever-changing cyber defence ecosystem.
Our consolidation tool centralizes and streamlines the management of the rest of the security tools. It allows us to collect and interpret the data from our defence ecosystem and provides a single location for us and our clients to identify issues, assign tasks, manage changes and track progress. Without this, any security program will be crushed by the weight of its own complexity.
Do you have great IT people? The world needs more of them. Right now, there are ten jobs for every competent IT security professional. They don’t come cheap. It’s tough to find and afford the right people, and if you’re going to get the tools, you need those people to select them, master them, manage them and use them to secure your ship.
We have the right people at Quartet. We can afford to—we leverage economies of scale. It’s a perfect example of collaborative consumption. But our people aren’t the whole picture. Behind each of the tools that our experts use is a team of experts ready to help us.
Our teams communicate regularly. We make tool development teams aware of cyberattack refinements as they appear on our radar, and they use this knowledge to refine their tools. The result is a team of teams tracking and responding to the threat environment as it evolves.
The tools and teams must interact in a coherent way. When we integrate them within our security software management solution, we have a unified interface for managing security.
The implication of this? We need tools as well as the technology to manage them, and we have to work with other people. And if collaboration is imperative for Quartet, guess what that means for your company?
Outside IT service provisioning might once have been a ‘nice to have’. Now it’s an imperative.
The IT industry is playing catch-up. How many companies have in-house legal counsel? Lots. And outside legal representation? Lots. Do companies have financial controllers and outside accounting partners? Of course they do. Any Director who questions that needs his head examined. But for a long time, there was an all-or-nothing mentality: manage with internal resources, or outsource. There was judgment: ‘if Bill and his team can’t take care of everything by themselves, they couldn’t be doing their job.’ That’s no longer the case. Your in-house IT team simply can’t do what we do, nor can we do what they do.
The challenges involved in addressing evolving cyberthreats are clear. Collaboration is the new imperative. If you can see the wisdom behind this concept, here is how you can put the new model into place. Staying secure is difficult, but it’s not complicated. It requires just three key actions:
Enterprise-grade IT security tools are fantastic. You have to keep trading up for the latest and greatest, but when you integrate them into your security software management solution, it will automate 50% to 80% of the work depending on the tool.
Ideally, choose a service provider with really smart people. Service providers can afford the very best because they can leverage that expertise for profit. We also train them like there’s no tomorrow.
No one can keep your company secure for you. Not without your collaboration. I can send you a ticket that says ‘You need to reset the firewall by 10 am on Thursday’ or ask you if the timing is right to take down a database. But it’s you who needs to do it or make the call.
These three steps will effectively take care of the security piece of IT. That gives your team space to concentrate on the functionality and efficiency of business processes.
Good governance requirements are onerous. IT security requirements are just as onerous. Meeting them is not optional.
Most business leaders have some idea of how dire the IT security situation has become. If your IT people are screaming for help, there’s probably a reason. Just like outside counsel, managed IT security service providers take care of a critical element of doing business that’s ancillary to your IT team’s core responsibilities of keeping the IT ‘lights on’.
Let’s look again at our firewall example in the context of collaboration. Your IT security service partner helps your IT team choose the right firewall and manages the integration. The night that the new firewall is set up, they receive about 150 alerts, approximately 12 of which are relevant. They alert your IT team of the prioritized local actions that you need to take based on those alerts. Your IT security partner fine-tunes the firewall over the coming weeks. If you have decided that a firewall is something that should be managed in-house, it’s at this point that your team takes control, with full management documentation provided by your partner. Scheduled IT security partner audits will confirm that the firewall is still doing its job.
We’ve been providing managed IT services in Toronto and helping our SMB clients maintain efficient, secure IT environments since 1998. We play the long game. As we’ve said before, an effective IT strategy isn’t a one-time deliverable; it’s a constantly evolving execution that’s shaped by the kind of risk your business faces, efficiency and ROI.
In 2017 we became SOC 2-compliant, meaning that we conform to strict, audited standards of secure data management that protect customer interests and privacy. That’s just the latest in a long string of investments we make on behalf of our customers. When we acquire new tools or certifications like SOC 2, all our customers benefit. The same is true for our IT security services and solutions: we conduct the cybersecurity audits that most auditors now require of customers like ours. We also help clients transform their security posture to a robust security information and event management (SIEM) approach. The bottom line is simple. If it’s something we think you need, we’ll make sure you have it.
1. 2017 State of Cyber Security in Small & Medium-Sized Businesses (SMB), publication, Ponemon Institute LLC, September 2017, accessed September 2018, https://www.veille.ma/IMG/pdf/2017_state_of_cybersecurity_in_small_medium-sized_businesses.pdf.
2. Dawn Calleja and Steve Brearton, “How to Hack-Proof Your Employees,” The Globe and Mail, September 28, 2018, accessed September 2018, https://www.theglobeandmail.com/business/rob-magazine/article-how-to-hack-proof-your-employees/.
3. Wes Spencer and Eric Foster, “Finding Your Inner MSSP: The Easiest Way to Add Cybersecurity to Your Mix” (IT Nation Connect, Orlando, Florida, November 2018).
4. Ibid.
5. Dawn Calleja and Steve Brearton, “How to Hack-Proof Your Employees,” The Globe and Mail, September 28, 2018, accessed September 2018, https://www.theglobeandmail.com/business/rob-magazine/article-how-to-hack-proof-your-employees/.
6. Wes Spencer and Eric Foster, “Finding Your Inner MSSP: The Easiest Way to Add Cybersecurity to Your Mix” (IT Nation Connect, Orlando, Florida, November 2018).
7. 2018 Data Breach Investigations Report, report, Verizon, February 2018, accessed September 2018, https://enterprise.verizon.com/resources/reports/dbir/.
8. Ibid.
9. On the Money: Growing IT Security Budgets to Protect Digital Transformation Initiatives, report, Kaspersky Lab, 2018, accessed September 2018, https://go.kaspersky.com/rs/802-IJN-240/images/2205_kaspersky_%20IT%20Security%20economy%20Report_final_2305.compressed_NA.PDF.
10. Dawn Calleja and Steve Brearton, “How to Hack-Proof Your Employees,” The Globe and Mail, September 28, 2018, accessed September 2018, https://www.theglobeandmail.com/business/rob-magazine/article-how-to-hack-proof-your-employees/.
11. On the Money: Growing IT Security Budgets to Protect Digital Transformation Initiatives, report, Kaspersky Lab, 2018, accessed September 2018, https://go.kaspersky.com/rs/802-IJN-240/images/2205_kaspersky_%20IT%20Security%20economy%20Report_final_2305.compressed_NA.PDF.
12. Ibid.
13. Catherine Tunney, “RCMP’s Ability to Police Digital Realm ‘Rapidly Declining,’ Commissioner Warned,” CBC.ca, September 24, 2018, accessed September 2018, https://www.cbc.ca/news/politics/lucki-briefing-binde-cybercrime-1.4831340.
14. Rob Sobers, “60 Must-Know Cybersecurity Statistics for 2018,” Varonis, May 18, 2018, accessed November 2018, https://www.varonis.com/blog/cybersecurity-statistics/.
15. Ibid.
16. “2018 Cybersecurity Survey: Report,” Canadian Internet Registration Authority (CIRA), February 05, 2019, accessed February 24, 2019, https://cira.ca/2018-cybersecurity-survey-report.
17. 2018 Data Breach Investigations Report, report, Verizon, February 2018, accessed September 2018, https://enterprise.verizon.com/resources/reports/dbir/.
18. “2018 Cybersecurity Survey: Report,” Canadian Internet Registration Authority (CIRA), February 05, 2019, accessed February 24, 2019, https://cira.ca/2018-cybersecurity-survey-report.
19. “How to Hack-Proof Your Employees,” The Globe and Mail, September 28, 2018, accessed February 10, 2019, https://www.theglobeandmail.com/business/rob-magazine/article-how-to-hack-proof-your-employees/.
20. “2018 Cybersecurity Survey: Report,” Canadian Internet Registration Authority (CIRA), February 05, 2019, accessed February 24, 2019, https://cira.ca/2018-cybersecurity-survey-report.