How can small companies with limited budgets win at security?
Securing data and systems is a must for every modern organization, but smaller ones often have to deal with budget and workforce limitations that make that goal harder to achieve.
We’ve asked Chris Wysopal, CTO at Veracode and well-renowned security expert who is scheduled to hold a keynote at HITB+ CyberWeek on the topic of distributing security more evenly across all technology, to offer some advice for under-resourced organizations.
Zero Trust
Wysopal advises opting for a Zero Trust model (as opposed to the outdated “everything on the inside of an organization’s network can be trusted” model).
“Network perimeter security is a speed bump for modern attacks that involve phishing and exploiting web application vulnerabilities. You want each individual application or service to be responsible for securely authenticating and authorizing connections,” he says.
“Authentication is a great place to start. Make sure that all employees are using 2-factor authentication to access company data and systems. A single-sign-on option (SSO) with 2-factor authentication to access internal and external systems such as SaaS solutions can provide simplicity, ease of use and protection from phishing and weak and reused passwords.”
Consider SaaS
Opting for a SaaS solution for email, calendaring, financial apps, and file storage can also greatly improve security, as it shifts the responsibilities of maintaining secure configurations and regular patching of systems onto the SaaS providers.
Security professionals working in smaller organizations with limited budgets should also consider using some of the many free security tools available, especially if they don’t need enterprise features like tying into SIEMs and dashboards.
“If free isn’t available for the problem you are trying to solve, go SaaS. Many security SaaS providers have tiers of service for small businesses,” he notes.
Before making the final choice, they should review the provider’s SOC 2 report and make sure that they encrypt data in transit and at rest and provide SSO with 2-factor authentication.
When acquiring vendor solutions, they should have a process in place that takes security in consideration.
“Security teams often get caught trying to secure systems as an after thought, so they are dealing with infrastructure that was purchased and built without security in mind,” he points out.
“Security leaders need a seat at the table to help retire old insecure technology and build new systems that rely on Zero Trust and are maintainable.”
Security hygiene comes first
Security hygiene is important for organizations of all sizes. Making the process of maintaining it simple is very much advised.
The aforementioned switch to SaaS solutions where possible is just one of the ways to do that.
Wysopal also counsels security leaders to push for the use of modern operating systems and make security automated and continuous, i.e., to simplify security for users as much as possible.
There are also other systems that the security team will have to maintain, and they should be built in such a way to make regular patching easy.
Patching should be continuous, as attackers have automated frameworks that they can plug new exploits into. Defenders should continuously be taking inventory of their assets, scanning those assets for vulnerabilities, and prioritizing vulnerabilities based on risk.
“Chasing solutions used to stop sophisticated attackers such as honeypots, threat intelligence, and threat hunting should wait until the basics are in place and only if your risk profile warrants it,” he concludes.