Let’s take a trip down memory lane for a bit. Over 5 years ago, raising awareness about cyber security in organizations was all too relevant. If a company was not a financial, healthcare or otherwise heavily regulated institution, there was a very good chance that IT security was more or less neglected and, almost as a rule, received more attention only when a breach caused actual financial or reputational damage. And we actually have to thank phishing, ransomware and massive cyber attacks like WannaCry for cyber security awareness now being raised to arguably the highest level since the invention of computers. Can we say that that’s sufficient? Of course not. But we’re more alert than ever.
The problem, however, is that as the defending side tries to catch up, the attackers are already planning again. And one of the main reasons is that the attacker always has the upper hand in cyber warfare. One forgotten and unpatched server, one trusting and helpful employee or one forgotten “temporarily” lifted restriction on MFA might be all that is needed to lose data or even leave the better part of an organization inoperable.
Besides the established understanding that the attackers have a default advantage (in contrast to more traditional warfare), different types of organizations may have additional but different challenges in their IT security to address. So let’s look at them, shall we?
1. The “mom and pop” shops
If you have ever had a look at a small company’s IT, more often than not you probably found a very simplistic setup held together by some home-grade network equipment with little to no upkeep. Even when such companies decide to hire an MSP to take care of the problems, the MSP often ends up being the fire brigade that keeps the same crummy setup going. Suggestions from the MSP to improve the existing infrastructure are shot down as being too expensive.
Of course, not all small businesses are like that, yet based on our experiences, that is often the case. If there’s no direct impact on the primary business, IT is often ignored. As a result, a plethora of equipment is not maintained and most likely has known vulnerabilities, the employees do not undergo even basic IT security training, and there really are no means of knowing whether someone is already lurking in your IT systems. If cyber security is at the very end of the “to do” list or not on it at all, you can be sure that you will be breached sooner or later, even if nobody knows or cares about your business.
In a sense, the current IT product model of providing SaaS products without the need for any infrastructure whatsoever is like a life vest. When a company’s IT landscape is small and is solely a tool to support daily operations, outsourcing is often the best way to ensure a decent security posture. This, of course, does not eliminate the need to train and educate the employees on the potential cyber hazards, but it does put a lot of the organization’s cyber defenses in the hands of the SaaS providers.
2. The medium size growing businesses
Why is this a separate category? For a few reasons.
The first one is that a medium-sized growing company has potentially more valuable assets to begin with. These companies usually maintain not only a larger customer database, but also relations with partners, and so “offer” an overall more valuable catch for those who are looking for ways to steal data or otherwise compromise IT systems for a quick buck. Reputation comes into play more for these companies as well. And with reputation comes broader recognition, which attracts not only clientele, but threat actors as well.
The other reason is that, due to its growth, such an organization might be more focused on its actual business and still have some of the gaps of a small company and then some, as the business processes and interactions between IT systems get more complex. And that makes sense from the business perspective. What does not make sense is the fact that sometimes even the basic (and cheap, to be clear) security practices are not being followed. And that often includes:
- A trail of unnecessarily privileged accounts that were handed out back when the company was founded
- Some data exchange pipelines involving moving data between your organization and the partner’s FTP servers (some duct tape is usually involved)
- An edge firewall which has some resources exposed which should not be exposed (just because it was required two years ago for one week and was never reviewed afterwards)
- Etc.
If there’s one takeaway from this for growing companies, it is that maintaining security posture must be a part of the growth strategy. With the current supply of available tools and by following general security hygiene practices, it is quite easy to achieve, especially since you’re still not under the heavy corporate structure.
3. The large enterprises
On the opposite side of the spectrum we have the large enterprise organizations with well-established and often complex structures, often subject to regulations and with enough budget to spend on ensuring the highest possible standards in cyber security. However, there are enough public records showing that even these organizations face issues. And since the topic of this article came to our minds in the context of large organizations, let’s dive deeper into it.
Remember a while back when dividing your network into zones and sandwiching them between firewalls was regarded as being fairly safe in terms of network access? Yeah… Well, the rise of phishing attacks, ransomware, social engineering and similar attacks showed that a holistic security approach and the concept of zero trust are actually more robust.
Now think about how long such a major security concept change would take for a smaller company, and then for one that has multiple approval gates and processes for aligning everything across multiple departments. Those who have lived through that know that it’s a very tough task, where even some personal ambitions often come into play (not that security is different from other types of changes).
And with such long alignment times, there’s plenty of time for malicious actors to exploit the existing gaps in security configuration. Not to mention the usual security threats that come with a larger attack surface, including more employees to phish and more systems that might be missing a critical security patch – just as with the smaller organizations, but at a larger scale.
With the resources that large organizations can throw at security, it is really ideal to start implementing security as an essential pillar of every aspect of the IT organization. Authentication and authorization? Reputable IdPs, MFA, Zero Trust, for any system that the users need to use. Maintain the exact same experience, and require additional, yet not bothersome, verification when accessing different IT systems. Developing software in house? Make security tests as accepted as unit tests for developers. Utilize your DevOps-minded engineers to make it a seamless process. Being targeted with tons of phishing? In addition to educating your users, make use of what your email provider has to offer. You might be surprised at the rate at which they innovate.
The bottom line
Differently sized organizations often face different problems when it comes to cyber security. However, as IT teams and overall budgets grow, it is important not to forget to expand your set of armor along with them. And even though armor always adds additional weight, people often underestimate how flexible some of the current-day measures can be.