6 Budget-friendly Cybersecurity Must-Haves


Just when security breaches are at an all-time high, many organizations are having to tighten up budgets, leaving tech staff to figure out how to protect their data and network.

We can tell you firsthand that, just like your car insurance seems expensive until you get in an accident, cybersecurity may also seem out of budget until you are hit with a ransomware or Business Email Compromise incident! Fortunately, there are several measures you can take to fortify your Security Posture without huge expenditures.

Here are our Top 6 Cybersecurity Must-Haves to Improve Your Security Posture on a Budget: measures that have a significant impact with minimal investment.

1) Secure your Castle

The first thing I try to understand when talking to a client is, “How are you protecting your perimeter, what’s exposed, and if someone were to get in, how are you protecting your endpoints.”

The cybersecurity landscape right now is like living on the Florida coast in hurricane season. You don’t want to have a flimsy screen door protecting everything inside the home you’ve worked so hard for; you want that storm door to hold back the deluge. A Next-Gen Firewall is essentially this storm door. A firewall is just a tool, and a tool is only as good as the way it is used. You want to ensure you are leveraging it to geo-block traffic to/from risky regions, limit the types of traffic you allow outbound, and block all but the most business-critical traffic inbound.

As far as your endpoints go, a modern EDR solution is a must-have. With the amount and cleverness of malspam campaigns (malware delivered via email) and the remote nature of our workers post COVID, you need something to protect your endpoints. EDR solutions have evolved along with the complexity and inventiveness of ransomware gangs. Having a solid, up-to-date, and monitored solution will help empower your security team to respond quickly and with automation to any identified threats.

2) MFA All the Things!

Our workers have gone remote, and our businesses have migrated to the cloud for the increased efficiencies it provides. This has been a great evolution in the use of technology to enable businesses to scale, but it’s also created an immense attack surface that we need to protect.

The easiest way to increase your security posture is to implement Multi-Factor Authentication on all company resources that are remotely accessible: cloud platforms, VPN access, admin access, and you can even go as far as requiring MFA to log into laptops to help improve the security of your mobile workforce. By deploying MFA, you help combat the never-ending cycle of password breaches, brute force attacks, and phishing/social engineering campaigns that are carried out in attempts to compromise a user’s credentials and gain unauthorized access to your organization’s data. A good rule of thumb is: if I can access this resource remotely, so can an attacker, and it needs to have MFA.

3) Train Your People

All the technical controls in the world can and will be circumvented by the end-user who doesn’t know any better.

It is said in every cybersecurity talk and class around the world that cybersecurity is everyone’s responsibility. You must create a culture of security, provide training around why it is important, and explain the implications of a failure to consciously protect the sensitive data with which your organization has been entrusted.

Social Engineering training and testing is a great tool, and, when done right, helps get buy-in from the members of the team. It should be seen as a fun learning experience, not something punitive or burdensome. The processes and policies should be intended to get people talking and thinking about how they can help protect the business through simple actions. Additionally, this must be bought into by the highest levels of management, or it will not be successful.

4) Write an Incident Response Plan and Test It

Security Incidents should not be talked about in terms of if they will happen, but rather when they will happen. We need to be prepared for the inevitable and have a plan with controls in place to help us limit the impact of any incident. Having a documented, non-digital version of an Incident Response Plan will provide the responding team with a document to refer to during an incident, so they can see who needs to be alerted and brought in and ensure no critical steps are missed in the response.

Everyone who will participate in an incident should know who is responsible for the different aspects of the response, be that the technical response, legal response, public relations, managing the incident, etc. Having a clear roles and responsibilities matrix and defined lines of communication can help coordinate the response, ensure the business suffers as little interruption as possible, and keep any reputational damage under control. IR tabletop exercises should be performed at least every year to help the Incident Response team feel more comfortable in knowing their role in the response and to practice the steps that will be required of the team to support the business’ recovery from an incident.

5) Data Retention Policies are your Friend

You would be surprised how many organizations don’t fully understand how much data they have, the type of data they have, or even where they might be storing it. A strong Data Retention and Data Classification Policy helps to unravel this. The goal of a Data Retention Policy is to outline the requirements for the destruction of data no longer needed by the organization. Data should only be kept for as long as absolutely required, either by regulation or contractual obligation. If there are no external requirements, senior management should decide what constitutes data “aging” out of usefulness for the business and set that as its threshold.

The more data your organization holds on to, the more risk it presents. If you don’t need that sensitive data from 12 years ago, why haven’t you gotten rid of it? The last thing you want to do when you suffer a breach is to have to perform data discovery on 15 years’ worth of stale, outdated, sensitive information to determine how much of a fine will be levied or the number of breach notifications that need to be sent. All of this extra effort was wasted on data that was serving no purpose for the business and could have been avoided had it been purged appropriately.
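As an added illustration of the retention threshold idea above (example code, not from the original post), the following applies per-classification retention periods to a constructed file inventory and produces a purge candidate list for review, rather than deleting anything. The classification names, the thresholds and the inventory are all assumptions made up for this example.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention thresholds in days per data classification.
# Constructed values: the regulatory/contractual ones would come from your
# obligations, and "general" is the senior-management "aging out" threshold.
RETENTION_DAYS = {
    "financial": 7 * 365,
    "hr": 6 * 365,
    "general": 2 * 365,
}


def aged_out(records, now, policy=RETENTION_DAYS):
    """Split an inventory into purge candidates and items needing triage.

    Each record has 'path', 'classification', 'last_modified' (aware datetime)
    and an optional 'legal_hold' flag. Unclassified data is never auto-purged;
    it is reported so someone can classify it first. A legal hold always
    overrides the retention schedule.
    """
    purge, unclassified = [], []
    for rec in records:
        cls = rec.get("classification")
        if cls not in policy:
            unclassified.append(rec["path"])
            continue
        if rec.get("legal_hold"):
            continue
        if now - rec["last_modified"] > timedelta(days=policy[cls]):
            purge.append(rec["path"])
    return purge, unclassified


def run_example():
    """Run the check over a constructed inventory (sample data, not real files)."""
    utc = timezone.utc
    now = datetime(2024, 1, 1, tzinfo=utc)
    inventory = [
        {"path": "/fin/2010-ledger.xlsx", "classification": "financial",
         "last_modified": datetime(2010, 3, 1, tzinfo=utc)},
        {"path": "/fin/2020-ledger.xlsx", "classification": "financial",
         "last_modified": datetime(2020, 6, 1, tzinfo=utc)},
        {"path": "/hr/old-personnel.csv", "classification": "hr",
         "last_modified": datetime(2015, 1, 1, tzinfo=utc), "legal_hold": True},
        {"path": "/share/marketing-2019.pptx", "classification": "general",
         "last_modified": datetime(2019, 5, 1, tzinfo=utc)},
        {"path": "/share/unknown.bin",
         "last_modified": datetime(2012, 1, 1, tzinfo=utc)},
    ]
    return aged_out(inventory, now)
```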

6) When All Else Fails, Have a Solid Backup Plan

A golden rule for backing up your organization’s data is the 3-2-1 rule: have 3 copies of your backups on 2 different media types, with 1 being offline/offsite. One of the highest-value targets a bad actor can go for is your backups; as such, they should be protected at all costs. Attackers, especially ransomware gangs, will specifically target your backups and attempt to destroy them to force you into paying the ransom to recover your business.

This is your lifeline. This is the “If all else fails and we suffer a catastrophic incident or disaster, we can restore from backups, and the business is still viable.” Due to this critical nature, you should perform a Disaster Recovery Test at least annually. In this exercise, your team needs to verify the backups and the process for restoring from them, to ensure they can meet the organization’s defined Maximum Tolerable Downtime and Recovery Point Objective requirements.
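Added example (not code from the original post) covering both the 3-2-1 rule and the DR test above: it evaluates a constructed backup inventory against 3-2-1 and compares the newest copy’s age and the last measured restore time against assumed RPO and MTD values. The inventory, the objectives and the restore-test figures are all made-up sample data.

```python
from datetime import datetime, timedelta, timezone


def check_3_2_1(copies):
    """Evaluate an inventory against the 3-2-1 rule.

    copies: list of dicts with 'media' (str) and 'offsite'/'offline' (bool).
    Returns one boolean per clause so a failing clause is visible.
    """
    media_types = {c["media"] for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite_or_offline": any(c["offsite"] or c["offline"] for c in copies),
    }


def check_recovery_objectives(copies, restore_test, now, rpo, mtd):
    """Compare the newest backup's age to the RPO, and the restore duration
    measured in the last DR test to the Maximum Tolerable Downtime."""
    newest = max(c["taken_at"] for c in copies)
    return {
        "rpo_met": now - newest <= rpo,
        "mtd_met": restore_test["restore_duration"] <= mtd,
        "restore_verified": restore_test["integrity_ok"],
    }


def run_example():
    """Constructed inventory: a local disk copy, a cloud replica, a vaulted tape."""
    now = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
    copies = [
        {"media": "disk", "offsite": False, "offline": False,
         "taken_at": now - timedelta(hours=6)},
        {"media": "object-storage", "offsite": True, "offline": False,
         "taken_at": now - timedelta(hours=6)},
        {"media": "tape", "offsite": True, "offline": True,
         "taken_at": now - timedelta(days=7)},
    ]
    # Assumed DR test result: full restore took 5 hours and data verified OK.
    restore_test = {"restore_duration": timedelta(hours=5), "integrity_ok": True}
    rule = check_3_2_1(copies)
    objectives = check_recovery_objectives(
        copies, restore_test, now, rpo=timedelta(hours=24), mtd=timedelta(hours=8))
    return rule, objectives
```

Three copies on the same online disk array would pass the copy count but fail the media and offline clauses, which is the ransomware scenario the section warns about.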

I know these tips seem like a lot, especially if you’re just starting your cybersecurity journey. However, having basic implementations of these principles can significantly improve your organization’s security posture. Security is an ever-evolving process for an organization; once started, it will need to continue to improve and adjust as the organization grows and evolves.

If you need help with strengthening your Cybersecurity Posture, or maybe just don't even know where to start, we are here to help.

