5 Steps to A Strong Defensive Posture: Mastering Small Business Cybersecurity
Note: This article is part of the Small Business Cybersecurity Masterclass in the GAIT Academy.
We use a five-step approach to help small businesses achieve enterprise-grade security:
- Optimize behavioral and configurational security.
- Assess and securely redesign the company’s network(s).
- Research and deploy defensive technologies like firewalls, AV, and EDR.
- Use active defensive tactics to maximize ROI and achieve enterprise-grade security.
- Deploy targeted offensive cybersecurity services to test and harden the company’s networks and devices.
The first three steps will help establish a strong defensive posture. The last two steps are somewhat more advanced but can be used to help small businesses achieve true enterprise-grade security.
This approach has been carefully designed with small businesses in mind. One of the key aspects of this plan is that it starts with things that are free or extremely cheap (such as using strong passwords), and (generally) increases in price. Each step is also more important than the steps that follow.
Steps 1–3: Establishing a Strong Defensive Posture
The first three steps are all about establishing a strong defensive posture.
During this phase we will clean up our environments and learn to use secure behaviors: set strong passwords, use multi-factor authentication (MFA), enforce the principle of least privilege, and configure our applications securely.
Next, we’ll assess and potentially re-design our networks for security and function.
Finally, we’ll deploy a range of defensive cybersecurity technologies to actively protect our networks, devices, and data.
These first three steps should be thoroughly understood and a strong defensive posture achieved before the organization moves onto the last two steps.
Step 1: Optimize behavioral and configurational security
This is the most important step and it’s 100% free. Therefore, time spent on this has the highest ROI of any cybersecurity-related activity. ‘Behavioral’ security means using technology in a secure way. ‘Configurational’ security means that we are configuring our software to be as secure as possible.
We’re talking about things like: using strong and unique passwords, employing the principle of least privilege, being skeptical of links and documents in email, setting applications up securely, and keeping everything nice and updated.
Step 2: Assess and securely redesign the company’s network(s)
Figure out what systems and data you need to defend. Then structure your network in a secure and sound manner that takes into account how you will be storing and accessing sensitive information.
Network segmentation is one of the most effective security tools we have, and it costs very little.
Well-segmented, well-designed, and otherwise secure networks are often considered nearly un-hackable, even by the world’s best ethical hackers.
When you segment your network effectively, it will pay dividends in the long run. As your company changes and grows, a well-designed network will remain effective and flexible.
Step 3: Research and deploy defensive technologies
This is where things get fun and we get to play with some shiny new technology.
A standard defensive ‘stack’ includes technologies like a network firewall to protect the network and its perimeter, as well as a device firewall, antivirus (AV), and endpoint detection and response (EDR) on endpoints inside the network.
As the company grows and improves its defense, the focus shifts toward network-wide detection and response, using technologies like Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and eXtended Detection and Response (XDR).
A Note on Vendor Bias: In this course, we cover all of these important technologies at a high level to empower small businesses to make good decisions. At the same time, we will also offer some amount of opinion and perspective based on our experiences at Guardian Angel IT. While we don’t intentionally want to bias our students, we feel that it’s important that our students know what we’ve discovered in our own research.
Steps 4 and 5: Active Defense and Offense
Active defense refers to the use of legal ‘cyber deception’ tactics like honey users, accounts, or machines that are only used to help identify attackers on the network. Active defense tactics are underutilized by small businesses. They are very effective and can be deployed 100% for free in many cases. However, the appropriate logging/alerting and corresponding response need to be in place for these tactics to be of use.
Offensive cybersecurity is about adversary emulation – simulating an attack in order to help identify weaknesses. We will see through the course that while traditional offensive services are prohibitively expensive for SMBs, we can carefully design targeted engagements to be both effective and cost-effective.
These last two steps are advanced, and most small businesses will be better served focusing their efforts on the first three steps if they haven’t already.
Step 4: Using Active Defensive Tactics
Active defense uses objects and services that are designed to be interacted with by an attacker. For example, a honeypot is a fake/dummy computer on the network. When the attacker attempts to interact with the honeypot, they will inadvertently trigger a cascade of alerts and responses that help to protect the network.
We can do this with all different types of honeypots. We can create a honey user, honey port, honey server, and many more.
The best part is that tools like honeypots (honey ports, honey everything…) are free or extremely cheap to implement and can dramatically enhance your security posture.
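The logging and alerting that make a honey account useful can be very simple, because the rule is absolute: no legitimate person ever logs in with one, so any touch is an alert. The following is an added example, not course material; it assumes a constructed log format and constructed honey-account names.

```python
"""Honey-account alerting over constructed authentication log lines.

Added example, not from the course. The 'LOGON' line format and the account
names are constructed here for illustration only.
"""
import re
from collections import Counter

# Constructed honey accounts: they exist only as tripwires and are never used by staff.
HONEY_ACCOUNTS = {"svc_backup_admin", "finance_share"}

# Constructed (hypothetical) format: "<timestamp> LOGON user=<name> src=<ip> result=<SUCCESS|FAILURE>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample log: one normal login, one ordinary failure, then a host
# trying two honey accounts, and later a successful login to a honey account.
SAMPLE_LOG = """\
2024-03-01T08:01:02 LOGON user=alice src=10.0.1.15 result=SUCCESS
2024-03-01T08:03:40 LOGON user=bob src=10.0.1.22 result=FAILURE
2024-03-01T08:03:41 LOGON user=svc_backup_admin src=10.0.1.22 result=FAILURE
2024-03-01T08:03:42 LOGON user=finance_share src=10.0.1.22 result=FAILURE
2024-03-01T09:15:00 LOGON user=svc_backup_admin src=10.0.2.9 result=SUCCESS
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def honey_alerts(log_text, honey_accounts=HONEY_ACCOUNTS):
    """One alert per log line that touches a honey account, success or failure.

    A failed attempt already shows someone guessing at the bait; a success means
    the credential has leaked and is rated higher so the response can be escalated.
    """
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["user"] not in honey_accounts:
            continue
        severity = "CRITICAL" if ev["result"] == "SUCCESS" else "HIGH"
        alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "severity": severity})
    return alerts


def sources_to_isolate(alerts):
    """Count alerts per source address, so the response can focus on the hosts involved."""
    return Counter(a["src"] for a in alerts)
```

Run over `SAMPLE_LOG`, the three honey-account lines produce alerts while the ordinary logins produce none, and the per-source count points at the two hosts that touched the bait.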
Step 5: Deploy targeted offensive cybersecurity engagements
Offensive security, also known as ethical hacking, involves performing an assessment such as a vulnerability assessment or a penetration test. During these assessments, an ethical hacker looks at your systems from an ‘offensive’ perspective, using the same tools and techniques that real-life attackers use.
Offensive engagements are great for identifying security gaps in a way that is difficult to otherwise do. By looking at the organization from the perspective of an attacker, and using the same tools that attackers use, we can gain insights of great value.
The historical barrier to offensive security is one of cost and value. Small businesses can’t afford a penetration test with a high price tag, so they often forgo it or purchase an automated vulnerability assessment and are disappointed with the results.
However, it is more than possible to craft human-led, targeted engagements that are extremely effective while minimizing cost.
Even if it is decided that any offensive security engagements are out of budget for a business, we still highly recommend making use of free software like Nessus Essentials to assess networks, or OWASP ZAP to assess web applications.
Using the Five-Step Approach
This five-step approach isn’t intended to be perfect.
As we dive into the topics presented here in the course, we will gain firsthand experience as to why each step is considered ‘more important’ than the steps that follow. But that doesn’t mean that we should wait to implement things from Step 3 before ‘completing’ Step 1. We need to remember that ‘perfection is the enemy of progress’.
Instead of thinking of these five steps as ‘checkpoints’, it’s best to think of them as a holistic framework that we can return to over and over. Each iteration is a chance to improve the company’s security.
Work on Steps 1 through 3 before proceeding to Steps 4 and 5. The first three steps are about establishing a solid defensive posture. Steps 4 and 5 are where we integrate advanced methods – Step 4 is about advanced defensive methods, and Step 5 is about using offensive tactics to test and improve our defensive posture.
Additional Notes
- The steps themselves aren’t going to be equal in the effort that they require.
- Step 1 – Behavioral and Configurational Security – is an ongoing battle for every organization. Any changes to the IT environment necessitate a review of the current configurations. For example, every new employee should receive some cybersecurity training, and new software, or changes to existing software, will necessitate new configurations.
- Step 2 – Structure The Network Securely – May be as easy as just a few clicks, or may require a full network redesign. If the company has multiple departments and the network was never properly set up, this could require a small investment to do properly. If the company can’t afford a small IT project at the moment, it would be wise to employ simple/free strategies and move on to Step 3 – and then complete the redesign once funds have been allocated.
- Step 3 – Deploying Security Technologies – like Step 2, this can be as easy as clicking a few buttons. Associated costs are typically monthly and are either per device or per user. The software that we deploy in Step 3 is necessary for the advanced strategies in Steps 4 and 5.
- Step 4 – Active Defense – This should only be done once the company has a solid foothold on Steps 1 – 3. Generally, the company will have deployed EDR / MDR and potentially a SIEM product (as part of Step 3). Step 4 is designed to dramatically enhance – not replace – the effectiveness of the technologies we already deployed.
- Step 5 – Offensive Security – In this step, we put our defense to the test. Like Step 4, it should only be done after Steps 1 – 3 are ‘complete’.