Introduction to Behavioral and Configurational Security

In the field of cybersecurity, a lot of effort goes into developing new technologies and improving existing ones. The messaging that most small business owners tend to receive is that these technologies and the buzzwords that accompany them (next-gen firewall, eXtended Detection and Response, etc…) are the most important defenses that we have against attacks online.

The truth, however, is that these technologies are needed mostly because most people don’t do a great job of using secure behaviors, practices, and configurations.

If we look closely at common attacks like phishing or business email compromise, we find that the bad guys almost always get in because of something that we did (like clicking a malicious link or using a weak password) or didn’t do (like maintaining our systems, or using multifactor authentication).

This is why we recommend working on behavioral and configurational security as a first step in improving small business cybersecurity.

To make things easier for small businesses, we group together behavioral and configurational security and recommend that small business owners spend time improving these things first, or at the same time as deploying our Security Essentials (or performing the same functions in-house).

Improving behavioral and configurational security practices is generally free, easy to implement, and small business owners can often work on them at the same time.

Behavioral and Configurational Cybersecurity for Small Businesses

When we talk about ‘behavioral and configurational’ security, we are referring to two different things:

  • Behavioral security refers to behaviors and practices that are essential to maximizing our defenses.
  • Configurational security means configuring, or setting, our systems up to be as secure as possible. Most commercial grade software can be configured to maximize security, but also can often be easily misconfigured in such a way as to allow an attacker to take advantage of it.

Treat Company Devices Professionally

When it comes to small businesses, many of the most important points about cybersecurity come down to treating company devices professionally. This point is so important that we have an entire article dedicated to the topic!

Big companies do it; they carefully control what happens on every device on their network. When a new employee comes on board, they are often given a laptop and cell phone, pre-set to be functional and secure. They are required to use strong passwords and multi-factor authentication (or another type of secure authentication), and there isn’t any discussion about it!

But small businesses tend to be more lax, especially those without dedicated IT employees. It’s critical to keep work and personal devices separate, in the same way that most business owners protect their personal finances by incorporating and maintaining separate bank accounts.

This can seem difficult to implement, especially when owners are already using the same devices for both personal and professional purposes. One of the biggest challenges for owners is changing their own behavior on their own mixed-use devices.

However, small business owners can often achieve dramatically better security simply by altering their behavior a bit. For example, you may currently use two laptops, each for mixed use. Simply switching to using one professionally and one personally may result in a much stronger defensive posture. This means that, for example, all of our mindless Facebook scrolling and random link clicking should take place on the personal device, not on the work device.

Here are some important points to consider:

  • Work devices are not personal devices. There need to be significant restrictions on what users are allowed to do on work devices. These restrictions are often the business’ first line of defense against online threats.
  • Use a strong password policy everywhere and multifactor authentication (MFA) whenever possible. Most apps today support MFA, so use it.
  • Practice the principle of least privilege, which states that users should only have access to the resources and information that are needed for them to perform their functions.
  • Choose applications carefully. Every application running (on every device – workstations, laptops, cell phones, tablets, servers) adds to the organization’s ‘attack surface’.
    • Don’t allow employees to simply install random applications. Choose necessary applications carefully, manage their use, and remove them if/when you don’t need them anymore.
  • Configure all applications as securely as possible. Most applications involve
  • Keep all software updated and fully patched. This includes the OS as well as all applications. It can be surprisingly tough to do this without dedicated software. Most people are unaware of how vulnerable their devices are if they aren’t actively managing them.
  • If there’s no need for a computer to be on/running then consider turning it off. Turning a computer off, or restricting access to it, is the easiest and most effective way to eliminate the risk of it being hacked at any given time. Many 9-5 businesses get hacked needlessly in the middle of the night.
    • One caveat to this is that sometimes we keep computers on overnight for various reasons, like performing updates and maintenance or taking a backup. We might need a server to stay on overnight so that we or others can access the service at a moment’s notice. Use your judgement in determining what’s best for your company.
  • Restrict web browsing and other activities on company devices.
  • Don’t allow employees to connect to the secure company network(s) using their personal devices. You need to provide them with a company phone if you want them to be able to safely connect to the network.