I was asked the following recently in an interview for the Irish tech online magazine 'Silicon Republic’;
How can companies make sure they are spending on cyber security in the right way?
I thought it was a great question. In the article, I answered in general, however it got me thinking on elaborating on this with the particular focus for SMEs, who especially at this time are feeling the pinch of the revenues lost by COVID-19. Here we have answered this question through drawing from a number of articles which cover the various areas that make up a broad security approach.
Can I be thrifty AND secure?
Want your cake and eat it eh? Well in a way you can. Up to a point. Like many things in business if we approach cyber security in the right way then one can do some simple and effective things, inexpensively, and get a great bang for their buck. It’s a bit of bit an 80-20 rule where a small amount of time/resources spent in the right way can achieve great results.
There is an adage in cyber security that you are only as weak as your weakest link. So to be effective the approach must cover all areas to a simple (yet effective) degree.
Secure your admins
Your Admins are sacred. Start from that mental position. A breached admin account is like handing an attacker the keys to your office building and then walking. Admin accounts should be used for only administrative configuration tasks. They should not have a mailbox associated with them. Take a read of my other blog on securing your people to understand this a bit further.
In summary, the principles are as follows:
- Make a separate admin account for each user that requires admin access. email@example.com
- Don’t have general admin accounts. i.e firstname.lastname@example.org. It is not owned by a human. Instead, an admin is owned by 1 responsible human. Good Audit requires ownership. See point 1
- Don’t give admins mailboxes. Mail the mailbox of the human’s non-admin account email@example.com. See point 1.
- Now Delete all other admins
- Turn on MFA for all admins
Secure your employees
The above section recommends how not to consider admin accounts as email accounts but rather as utility accounts which are linked to the individuals who require those privileges to complete their role. Now we must separately consider our people, their habits and needs and the risks these expose. We must consider how to educate them about the risks and procedures and how to form a culture where the risks are generally understood and considered while day to day business is being executed.
I again reference this article on “Securing Your People” as it contains all that is needed here.
Remote access Mechanisms
Remote access empowers us to work from anywhere, but with this comes risks. MS 365 comes with many of access vectors left open. These include legacy access and authentication protocols which are seldom used and expose a high risk. We strongly recommend you have a read of our remote access blog for details on these and what you can do
The way we share information has a big bearing on our data security. It may sound strange but we recommend that in general, you don’t send attachments. Sound strange. Check out the section on sharing links and sharing in Team, OneDrive and Sharepoint in this article
Email forwarding and other mailbox are often key tools in the arsenal of a mal-actor (whether an external attacker or a mal-acting internal employee) who is using an account without the consent of its owner. We discussed the anatomy of an example attack in the second of our two-part blog on “How were we Hacked“. This article lets us understand how the attack is formed based on rules and social engineering. Once you understand this we recommend you look at our article on how to “Find Risky Inbox Rules in Office 365“
Turning on Auditing
Microsoft has a great audit log that can be leveraged to investigate security incidents. Its called the Universal Audit Log. Here’s the catch though. Its probably not turned on in your tenant because Microsoft does not turn it on by default. In our article on Incident Response, we discuss the many ways of investigating an incident, whilst taking into account that many organisations only realize that the audit log is not on after a breach has occurred. Hopefully, you are reading this because you are pro-active. In which case go to the security and compliance center and turn it on. You can also do it via Power Shell. Both approaches are described in this article