Cybersecurity Priorities for Every SMB in 2024
Today, nearly every small business has a multitude of digital assets, thanks to the widespread adoption of the Internet of Things (IoT), cloud-based SaaS services, and bring-your-own-device (BYOD) policies. The foundation of any effective vulnerability management, configuration management, or device protection program lies in understanding what you need to protect and its critical importance to your business operations.
Protecting Your Assets
Rather than just placing a hardened shell around your network, itās essential to understand your evolving attack surface. What do potential attackers see when they target your business? Are there easily accessible web ports, weak or unauthenticated remote access points, or unprotected assets containing sensitive data? How secure are the SaaS services you rely on for finance, HR, and sales and marketing? Are there any exposed passwords or secrets on the internet that could compromise the data stored in these services? When was the last time anyone checked?
In our analysis of numerous claims data and cyber risk assessments, we consistently identify key cybersecurity measures that organizations should prioritize:
- Patching critical external vulnerabilities.
- Securing remote access points.
- Implementing a low-risk VPN solution.
- Enabling multifactor authentication (MFA).
- Enhancing protection and detection capabilities for threats originating from email, endpoints, and web vectors.
Controlling Access to Your Assets
Effective account lifecycle management and appropriate access controls are crucial, regardless of how much you trust your employees or partners. Itās vital to secure account access to prevent unauthorized use (e.g., phishing-resistant MFA) and to limit the damage from account takeovers or insider threats.
To mitigate these risks, consider implementing a least-privilege access model, and ideally, transitioning to a contextually driven zero-trust model for accessing assets and data. From a business standpoint, this involves defining who needs access to which systems, for what purpose, and for how long. Itās equally important to revoke that access when it is no longer necessary.
This need for access control extends not only to human users but also to software, virtual machines, and server less functions, all of which may have identities and associated permissions to access data and systems on your behalf. Weak, shared, or exposed passwords remain a common vulnerability. Every organization should enforce strong password policies, promote the use of password managers or passkeys, and implement MFA to bolster account security.
Training Your Employees
The human element is critical to the success of any cybersecurity initiative. In 2023, approximately 50% of the claims we observed were related to social engineering or business email compromise (BEC) attacks. Alongside deploying advanced protection solutions against threats from email, endpoints, and web vectors, equipping your team with proper security awareness and skills training can significantly reduce these types of attacks.
Responding to Incidents
While prevention is the goal, being able to effectively respond to and recover from incidents is essential. Every organization should have clearly defined incident response plans, policies, and procedures. However, these shouldnāt just exist on paper; they must be tested through tabletop exercises or simulated scenarios.
In the event of an incident, audit logs and offline or separate network data backups are invaluable. Without the ability to trace what happened, who was involved, and which assets were affected, your organization will be left in the dark, unable to execute effective real-world incident response activities or recover data after an attack.