As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Corey White, the CEO and co-founder of Cyvatar, shares insights on the steps companies in IP-focused sectors should take to ensure a cyber-secure future for themselves and their business.
Growing businesses are attractive targets for cyber-criminals—that’s a given. However, many don’t understand that certain companies, like tech startups and other IP-focused sectors, are especially vulnerable targets. Threat actors increasingly seek out companies that are asset rich and whose security stacks, strategies, and cybersecurity teams typically aren’t as strong as those from established companies of similar market cap.
Crypto.com, Dropbox, SendGrid, Evernote, Mt. Gox, and Code Spaces are just a few recent examples of tech startups hit by cyber-attacks. The high-growth companies that attackers often hit are laser-focused on sales, getting products out the door, getting talent in the door, and raising funds. These companies often believe they’re too small and “under the radar” to be in the crosshairs of would-be attackers. The first indication that they might be wrong in that belief is all too often also their “worst nightmare” scenario.
Companies with a less than complete understanding of cybersecurity issues and best practices typically have weak defenses, which makes them an easy mark. Consider some of the cybersecurity gaps that can make an organization an easier target for attackers:
- Poor Physical Inventory Awareness: A surprising number of companies don’t know what digital assets they have and need to secure. It’s impossible to secure assets the security and IT teams don’t know about.
- Poor Software Inventory Awareness: Equally surprising are gaps in knowledge about what’s running on organizational assets, which is essential to securing them from threats like Log4j.
- Sporadic Vulnerability Management: Many startups treat cybersecurity as a one-time activity rather than a continuous process. Attackers probe constantly and regularly update their tools and techniques, so defenses must be updated just as often—vulnerability scanning, application and operating system patching, and fixing misconfigurations must be conducted continuously.
- Absence of Preventative Controls: Many startups will purchase MDR, EDR, and XDR solutions that are not designed to stop an attack but merely to detect one. This is wasted money and time. Without preventative controls, an attack will eventually succeed, increasing the number of attacks. We frequently hear comments from security pros like this: “The cybersecurity industry is not trying to stop attacks. Instead, it’s profiting from detecting them when easy counter-measures could be implemented.”
- Absence of Multi-Factor Authentication: The network firewall protecting the perimeter is long dead. Passwords are compromised and not a viable layer of protection, yet too many startups still rely on username and password schemes as their only line of defense in cloud-only companies.
- Absence of Next-Gen AV Configured to Block Execution: Most companies still use legacy AV or no AV. Others are using next-gen AV but haven’t configured it to block the execution of malware. This is lunacy, and it means the organization could stop a ransomware attack but instead chooses merely to detect it.
- Outdated, Unsecured Assets: Too many organizations leave online artifacts such as “test” pages and other outdated, abandoned assets that give attackers open, unprotected entry points into the organization.
Taking the First Essential Cybersecurity Steps
Creating a robust, cyber-secure environment takes many steps and requires constant vigilance and adaptation—so much so that we could look at 30 steps to get a company started building its defenses. But here are five steps to consider starting with:
1) Consider Cybersecurity as a Service (CSaaS)
There are many guidelines, like the NIST Cybersecurity Framework or the CIS Security Controls v8, that organizations can use when setting up their cyber-secure defense. Still, those guidelines aren’t easily followed by understaffed startups. It’s well worth considering CSaaS managed security services that incorporate asset discovery, threat mitigation, and resolution, but choosing the right CSaaS provider is essential.
Most first-generation managed security services providers (MSSPs) specialize in alerting companies to cyber problems but don’t effectively prioritize and mitigate those threats. As a side note, beware of MSSPs that use “alert storms” to threaten and upsell.
Look for a CSaaS provider that starts with a solid cybersecurity strategy. Securing a company against cyber-attacks takes much more than merely adopting a few tools and technologies and reacting after a threat has breached defenses. Also, look for a CSaaS provider with expertise in the regulatory requirements your organization must meet.
2) Develop a Cybersecurity Risk Analysis
Every company’s risk profile and threat landscape are unique. It’s essential to know the kinds of threats the organization faces, its vulnerabilities (and every company has them), the likely impacts and costs of various cyber-attacks, and which assets are the most crucial and the most at risk.
This analysis needs to include an audit of all physical infrastructure, such as computers, devices, and other hardware, that makes up the surface attackers can reach. It must include both company-owned and user-owned mobile devices as well as network devices.
It must also include a thorough inventory of the software the company uses. Remember that attackers are always on the hunt for vulnerable versions of software that are unpatched and easily exploited. Importantly, look for any “shadow IT”—resources that aren’t managed by or known to the IT or cybersecurity teams. These resources are often open portals for threat actors.
These are some of the significant components of your threatscape, and knowing the landscape will help you make many decisions that companies otherwise struggle with.
3) Build a Cybersecurity Culture
The risk analysis informs the organization’s decisions, but it also needs to educate its employees. Tools and technologies are essential, but they’ll never be enough to protect an enterprise. It’s often said that the greatest cybersecurity vulnerability in any company can be found between the seat and the keyboard. It’s the human element: people are often the weakest link in cybersecurity, and enforcing cyber-aware strategies and habits can be a monumental effort.
Amnesty is crucial to reporting, too. If an employee unwittingly makes a mistake, make it easy for them to report it so that defenses can be rallied. That’s where a promise of amnesty is essential: it’s only human nature that an employee would balk at reporting a potential problem if they think it will cost them their job, a pay raise, a growth opportunity, or reputation.
By educating employees on your cybersecurity risk analysis, they’ll be informed of the threats cyber-attacks pose and be better equipped to be part of the solution. That includes having the founders and executives participate—if they’re reticent or feel too busy, sharing a few examples of “whale phishing” should help encourage them.
4) Secure Configuration of Hardware & Software Assets
The default configuration for newly purchased hardware and software is set for ease of installation and use, not security. Default accounts and passwords and pre-configured settings are easily exploited. Set (or be sure your CSaaS provider sets) secure device and systems configurations. It’s also worth considering:
- Managing a host firewall on end-user devices that blocks ports not needed for your organization’s work
- Configuring automatic session locking on devices
- Changing the default configuration of the operating system to suit your organization’s needs better
5) Manage Account & Access Control
One of the easier ways cyber-criminals gain unauthorized access to your cyber-infrastructure and critical data is through valid user credentials. There are many ways attackers gain access to accounts, such as:
- Weak or easily guessable passwords
- Excessive privileged access
- Dormant accounts left active even after the employee has left the organization
Take specific steps to secure all accounts:
- Establish and maintain an inventory of all the accounts in the enterprise, including both user and administrative accounts
- Maintain a process for granting and revoking access
- Use unique passwords
- Disable or delete dormant accounts that are inactive for 45 days or more
- Apply a least-privilege policy so that privileged access is granted only to the people who need it, and only for the specific task at hand
- Centralize account management for better control
- Make multi-factor authentication mandatory for externally exposed applications and remote network access
- Centralize all access control
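The account-hygiene steps above can be turned into a periodic review over the account inventory. The following is an added example, not code from the column or from Cyvatar; it assumes a constructed inventory with fields for account type, last login, MFA status, and whether the account reaches externally exposed applications or remote access, and applies the page’s 45-day dormancy rule and its MFA requirement.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANT_DAYS = 45  # page's threshold: inactive for 45 days or more


@dataclass
class Account:
    name: str
    kind: str                    # "user" or "admin" (both must be inventoried)
    last_login: Optional[date]   # None means the account has never been used
    mfa_enabled: bool
    external_access: bool        # externally exposed app or remote network access


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account, action) pairs for accounts that need attention."""
    findings = []
    for acct in accounts:
        # Dormant: never logged in, or inactive for DORMANT_DAYS or more.
        inactive_days = (today - acct.last_login).days if acct.last_login else None
        if inactive_days is None or inactive_days >= DORMANT_DAYS:
            findings.append((acct.name, "disable-dormant"))
        # MFA is mandatory for externally exposed apps and remote access.
        if acct.external_access and not acct.mfa_enabled:
            findings.append((acct.name, "require-mfa"))
    return sorted(findings)


def inventory_summary(accounts: List[Account]) -> dict:
    """Count user and administrative accounts, the two classes the page asks to inventory."""
    summary = {"user": 0, "admin": 0}
    for acct in accounts:
        summary[acct.kind] = summary.get(acct.kind, 0) + 1
    return summary


# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", "user", date(2024, 5, 28), True, True),   # healthy
    Account("bob", "admin", date(2024, 3, 1), True, False),    # dormant admin
    Account("carol", "user", date(2024, 5, 20), False, True),  # external access, no MFA
    Account("dave", "user", None, False, False),               # never used
    Account("frank", "user", TODAY - timedelta(days=45), True, False),  # exactly 45 days
]

if __name__ == "__main__":
    print(inventory_summary(SAMPLE))
    for name, action in review_accounts(SAMPLE, TODAY):
        print(f"{name}: {action}")
```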
This is just a preliminary list. Consider other essential steps such as protecting your data, conducting continuous vulnerability management, establishing and maintaining an audit log, and protecting email and web browsers.