Small and Medium-sized Enterprises (SMEs) have become an easy, lucrative and growing target for cyberattackers.
According to the Ponemon Institute 2017 study, more than 61% of SMEs experienced a data breach in the last 12 months, compared to 55% in 2016. Although many SMEs are aware of the risk, they find it difficult to put effective security measures in place.
Challenges facing SMEs
Most SMEs do not have enough defenses in place to protect against, detect or react to attacks, which makes them easy targets. For example:
- Lack of resources
- Lack of expertise
- Lack of information and training
- Lack of time
In fact, the Ponemon Institute study found that only 14% of SMEs consider their own security “very effective”. Because of this, the majority of SMEs focus on protective security: they set up antivirus, email filters, an application whitelist, and perhaps an intrusion detection system or two-factor authentication for the most sensitive accounts.
There is no harm in that. These protection and detection measures obviously must be put in place, but they are not enough. Despite all these efforts, compromises still happen. Attackers get better and keep looking for new ways in, and the problem is that nobody detects them. And where there is no detection, there is no response either.
Develop a proactive security strategy for SMEs
A protection strategy must be validated over time if it is to remain effective. “Detection and Response” should be used to confirm that preventive measures actually work – identify and respond to abnormal or suspicious activity.
SMEs need a defense that matches large companies in focus and efficiency, but is tailored to SMEs in implementation and use.
What SMEs need is a proactive security strategy. They must be able to identify when any type of threat actor is trying to break in. There are many indicators of compromise, but it is impossible to monitor everything at once. It is therefore necessary to determine which indicator is the most easily detectable while still providing the strongest evidence of compromise.
Connection management – the solution for SMEs!
An SME can look for compromises in many ways, but in the end one fundamental truth stands out – an attacker cannot do anything in your organization unless they can compromise a set of internal credentials.
In other words: no connection, no access.
But for a security administrator, it can be tedious to identify suspicious activity when the adversary holds valid, authorized credentials.
Connection anomalies that flag a possible compromise include the following:
- Endpoint used – The CEO never logs in from a machine in the accounting department, do they?
- Time of use – A user who works 9 a.m. to 5 p.m. logging on at 3 a.m. on a Saturday? Yes, that is suspicious.
- Frequency – A user normally logs in once in the morning and logs off in the evening; if they suddenly log in and out several times in a short period, this may indicate a problem.
- Concurrent sessions – Most users connect from a single endpoint. A user suddenly connected to multiple terminals at the same time is an obvious indicator.
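As an added illustration (not from the original article and not UserLock code), the following Python check applies the four indicators above to a constructed batch of logon/logoff records; the users, endpoints, per-user endpoint baseline and thresholds are assumed values a team would derive from its own logon history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (user, endpoint, event, timestamp)
EVENTS = [
    ("alice", "ACCT-PC03",  "logon",  "2024-03-04 09:02"),
    ("alice", "ACCT-PC03",  "logoff", "2024-03-04 09:04"),
    ("alice", "ACCT-PC03",  "logon",  "2024-03-04 09:05"),
    ("alice", "ACCT-PC03",  "logoff", "2024-03-04 09:06"),
    ("alice", "ACCT-PC03",  "logon",  "2024-03-04 09:07"),  # third logon in 5 minutes
    ("alice", "ACCT-PC09",  "logon",  "2024-03-04 09:08"),  # second open session, other endpoint
    ("ceo",   "CEO-LAPTOP", "logon",  "2024-03-04 09:10"),  # normal Monday logon
    ("ceo",   "CEO-LAPTOP", "logoff", "2024-03-04 17:30"),
    ("ceo",   "ACCT-PC07",  "logon",  "2024-03-09 03:10"),  # accounting machine, Saturday 3 a.m.
]

# Assumed baseline: endpoints each user normally uses (would come from history)
BASELINE = {"ceo": {"CEO-LAPTOP"}, "alice": {"ACCT-PC03", "ACCT-PC09"}}
WORK_HOURS = range(9, 17)            # 9 a.m. to 5 p.m.
BURST_WINDOW = timedelta(minutes=10)  # frequency rule window
BURST_LIMIT = 3                       # logons within the window that trigger an alert


def detect_anomalies(events, baseline):
    """Return (user, rule, timestamp) for each of the four indicators that fires."""
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of logons inside BURST_WINDOW
    active = defaultdict(set)    # user -> endpoints with a session still open
    for user, endpoint, kind, ts in sorted(events, key=lambda e: e[3]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if kind == "logoff":
            active[user].discard(endpoint)
            continue
        # Endpoint used: logon from a machine outside the user's baseline
        if endpoint not in baseline.get(user, set()):
            alerts.append((user, "unusual_endpoint", ts))
        # Time of use: weekend (weekday 5/6) or outside working hours
        if when.weekday() >= 5 or when.hour not in WORK_HOURS:
            alerts.append((user, "off_hours", ts))
        # Frequency: alert once when the burst threshold is reached
        recent[user] = [t for t in recent[user] if when - t <= BURST_WINDOW] + [when]
        if len(recent[user]) == BURST_LIMIT:
            alerts.append((user, "logon_burst", ts))
        # Concurrent sessions: more than one endpoint with an open session
        active[user].add(endpoint)
        if len(active[user]) > 1:
            alerts.append((user, "concurrent_sessions", ts))
    return alerts
```

Run against real data, the baseline and thresholds should be tuned per user or role; a fixed 9-to-5 window will otherwise flag legitimate shift workers.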
Visibility is the key. By monitoring your connections, you’ll have a better sense of the risks the organization faces every day. However, you also need to put controls in place to limit risky behaviour if you want your organization to improve its security posture and reduce the risk of compromise.
With UserLock, IT teams can ensure that authenticated users are who they claim to be, even when credentials have been compromised. Connection attempts that do not meet the established restrictions are automatically blocked before any damage is done. Risk detection tools alert on suspicious activity, giving IT administrators the ability to respond instantly. Working alongside Active Directory, UserLock extends security well beyond group policies and native Windows features.