How SMBs Can Leverage Enterprise Security, Without An Enterprise Budget
Expert Insights speaks to Richard Dobrow of SilverSky to discover how managed security services providers (MSSPs) can help small businesses defend themselves against cyberattacks.
We’re used to reading headlines that scream news of billion-dollar cyberattacks on large corporations and governmental institutions. You know the type:
This type of news can give small businesses a false sense of security when it comes to their cyber-vulnerability. They might think that attackers have bigger fish to fry: “Why would they bother ransoming my little business when they could have a huge international chain?”
But the truth is, small businesses are just as at risk of falling victim to cyberattacks as large enterprises. This is because they often have fewer resources to dedicate to cybersecurity, be that IT personnel or budget. And this lack of resource correlates directly with an increase in vulnerability—something which attackers are all too aware of and are ready to exploit.
However, not having the resources in-house doesn’t mean that SMBs should give up on trying to defend themselves against cyberattacks.
To find out more about how organizations with fewer security resources can protect themselves against the sophisticated cyberattacks we’re seeing today, we spoke to Richard Dobrow, CEO at SilverSky. Dobrow first entered the cybersecurity scene in the late 90s, when businesses first began adopting dedicated cybersecurity infrastructures—often driven by regulatory initiatives. Dobrow spent a number of years in a consulting role, helping financial institutions build security infrastructures, before realizing that many organizations needed further, ongoing support—not just the temporary services of a consultant.
Founded in 1997, SilverSky has had over 20 years of experience in tackling cyber threats and evolving their security offering to provide the most effective protection possible. Today, SilverSky focuses on managed detection and response (MDR), leveraging both their own technologies and those of the best-in-breed providers to design, implement and manage their customers’ cybersecurity infrastructures, then monitor them for threats. Around half of SilverSky’s existing customers are in the financial and banking space; the other half being in the corporate world.
MSSPs Enable Small Businesses To Tackle Big Threats
There’s a common misconception that SMBs are less at risk of cyberattack than larger enterprises but, in fact, SMBs are becoming increasingly targeted by sophisticated, financially motivated attacks such as hacking and malware. And there are a few reasons for this, Dobrow says.
“SMBs tend not to either have the same cybersecurity expertise, or to have made investments on the same level as larger organizations,” he explains. “So, they tend to have built less defenses and they fall victim to some of these attacks.
“The other dynamic is that attacks that enable the attacker to target large swaths of the internet are becoming easier and more commonplace,” Dobrow adds. Recently, the threat landscape has been augmented with the emergence of Cybercrime-as-a-Service (such as Ransomware-as-a-Service), which involves experienced cybercriminals developing attacks and licensing them out on the dark web for less technically savvy criminals to use as they please. This means that these sophisticated attacks are now not only being used by hardened criminals to target large enterprises and government bodies, but also those newer to the scene hoping to score a quick buck by evading the lower level defenses of an SMB.
“Small businesses get caught up in threats like phishing campaigns and pervasive malware,” Dobrow says. “These wide nets that are cast catch everybody. It’s not a personal attack, where an attacker says, ‘I want to target this particular small business!’—they just get caught up in the wider attack path by not having the proper defenses in place.”
Unfortunately, small businesses often don’t have the budget or dedicated security team to implement these “proper defenses” themselves—but that doesn’t mean they can’t access them at all. MSSPs (managed security service providers) like SilverSky enable smaller businesses to leverage enterprise-level security, without having an enterprise-level budget.
“The MSSP or managed detection market narrows the gap between small business and enterprise business ability to build defensive capabilities,” Dobrow explains. “So, SMBs can gain that security expertise across a wide range of capabilities on a cost-effective basis.
“Partnering with an MSSP or MDR company gives smaller businesses the ability to gain access to the best technologies and talent in the market. They gain that expertise accumulated from seeing thousands of network environments and understanding what those attack patterns are, so that they can identify issues early on and properly defend against them or recover from them quickly.”
Security Must Be Proactive, Not Reactive
As part of their stack of security services, SilverSky offers managed detection and response. MDR providers offer crowdsourced threat intelligence and constant security monitoring to proactively detect and remediate threats to their clients’ networks, including zero-day threats such as unknown or next-generation malware.
The ability to proactively detect threats, rather than reacting to them once they’ve already infiltrated your system, is absolutely crucial, says Dobrow. And the number one reason for that is the cost of an attack.
“The cost of recovery is so much greater than being proactive initially,” Dobrow says. “Recent statistics indicate that in the mid-market or SMB market, ransomware attacks and other malicious cyberactivity sometimes result in the total destruction of the business through bankruptcy. And these are not one-off situations anymore; they’re occurring more and more often.
“So, spending relatively small amounts of money to defend against that significant damage is a wise investment. And we’re seeing that movement in the market fairly significantly—the small business and mid-market environment is recognizing that waiting for these events to take place is really no longer an option.”
But the potentially devastating cost of recovering from an attack isn’t the only reason that organizations are increasingly focusing on proactive security.
“We’re also seeing the insurance industry driving that change. Companies are becoming somewhat uninsurable for general liability policies if they don’t have proper controls in place for some of these attacks, because they’re so damaging to the business.”
This is because, while attacks may increase the demand for cyber insurance, they also create a kink in the supply chain—insurers are wary of providing cover for attacks that may lead to a major financial fallout, and even more wary of covering companies who’ve already fallen victim to such an attack.
So, to insure your business against cyberattacks, you need to be able to prove to the insurance provider that you’re proactively doing your part to manage that risk.
Endpoint Protection Is A Primary Risk Management Initiative…
…Particularly for the education sector. Schools, colleges and universities store and regularly deal with reams of sensitive data concerning their students, and this data makes them attractive targets for cybercriminals looking to exploit organizations in return for the security of their data. Personally identifiable information (PII) is the most commonly compromised type of data, but also the most costly—breaches that involve a loss of PII cost an average of four dollars more per stolen record than those that don’t. This means that educational institutions can suffer great financial losses if hit by a cyberattack.
Despite this, many schools and colleges don’t have adequate security measures in place to defend themselves against cyberattacks. And, with today’s learning environment constantly changing as a result of the pandemic, it’s never been more important for educational institutions to stay protected.
“The pace of change became so rapid for these institutions as they moved to home education, eLearning and so forth,” Dobrow says. “IT departments moved out of the physical institutions to work from home, and had to drive very quick utility-oriented decisions to help their schools build the necessary infrastructure to allow remote learning, remote engagement, and the remote management of systems.
“So, step one was, we need to be able to access everything remotely, immediately. And enabling that access opened a lot of doors to the environment which could be compromised.” As educational institutions scrambled to enable remote learning, many of them were forced to sacrifice security for speed, making them vulnerable to all manner of endpoint and identity-related breaches such as “zoom bombing.” But as schools grew more accustomed to eLearning and began to experience some of those compromises, their focus shifted from provisioning users to securing them.
“Now, we’re seeing a lot of activity to build multi-factor authentication for these environments and secure endpoints,” Dobrow says, “and we ourselves are being engaged to step into school networks, tighten up the security exposures that exist, and mitigate the risks that they were creating during the pandemic.”
SilverSky’s recent acquisition of ACSG extended their MDR services, enabling them to offer protection to schools and higher education institutions—something which colleges and universities in particular may begin to consider as they welcome their students back to a virtual classroom this Fall.
“The idea that everything is going to come back inside the physical boundaries isn’t realistic anytime soon; the standard now is going to be this hybrid environment,” Dobrow says. “So, the perimeter is extended as schools have to protect both the devices that students and IT admins hold off-premises, as well as the partial existence of the student base and core IT admin base on premises.
“So, VPN access, multi-factor authentication and endpoint protections are becoming a primary risk management initiative.”
Hybrid Learning Vs A Hybrid Workplace
Just as educational institutions are adapting to secure their data in a hybrid learning environment, so must corporations adapt to secure their data in a hybrid workplace.
“From a technology perspective, the challenge looks pretty similar,” Dobrow explains. “The solutions being used to accomplish the utility of home workers and home students is very similar, so the technologies being deployed to secure them mirror each other quite a bit.”
But, though the challenges faced by schools and businesses to secure their students and employees respectively are similar, there are some key differences between the two that affect the specific solutions they should implement.
“A student population generally doesn’t have the same access levels as the administrators would inside a school environment,” Dobrow says, “so they need some different levels of security apparatus.” One such solution might involve implementing a privileged access management solution on top of their regular multi-factor authentication, to ensure the security of high-level administrative accounts.
“Also, the volumes of traffic are quite significant in the education space. If you have thousands of students all streaming and communicating at the same time, the institution may create different elements within the environment just to support that volume of activity, as well as the flow of activity during school hours versus outside hours.”
Generally, however, the prospect of a hybrid environment means that businesses and schools alike should focus on ramping up their endpoint security and identity and access management.
SMBs Can Get By With A Little Help…
…From an MSSP friend, Dobrow says—although not quite in those words, we’ll admit.
“There’s a lot of specialization in cybersecurity, and it’s unlikely that a small business’ internal IT team is going to have the specialized skill to understand all those dynamics,” he says. “Leveraging a third party like SilverSky is a way to gain access to a lot of talent that experiences a wide range of issues regularly. And that learning—that experience—can be really beneficial to small businesses.
“SMBs could suffer significant damage if an attack were to occur, but, for a relatively small investment, they can access some really great talent to help them mitigate that exposure.”
Thank you to Richard Dobrow for taking part in this interview. You can find out more about SilverSky and their managed detection and response services at their website and via their LinkedIn profile.