What is Cybersecurity? A Gentle Introduction For Small Businesses
Before we dive into the details of how to protect our systems and data, let’s take a high-level look at the field of cybersecurity. A good place to start is by defining the term ‘cybersecurity.’
What is cybersecurity?
Cybersecurity refers to the practice of protecting our computer systems from digital attacks. The word ‘practice’ is important, because taking action is central to cybersecurity.
Let’s look at the computer systems that we’re trying to protect. We can start by taking stock of the electronics that we use every day: phones, tablets, laptops, desktop computers, and printers. Then there is our networking equipment: routers, wireless routers, modems, wireless access points, firewalls, switches, and hubs. Businesses may also have one or more servers. What about other common internet-connected devices? These may include your watch, alarm clock, refrigerator, dishwasher, television, gaming console, VoIP phone, voice control device (e.g. Amazon Echo), and others.
Each of these devices may be targeted by an attacker. The more devices we have, the larger our attack surface becomes. The term ‘attack surface’ is used to describe anything that could potentially be attacked. Our attack surface includes our systems, the applications installed on our systems, and the data held on our systems and in applications.
Once an attacker manages to gain access to just one of your devices, they may be able to pivot through your network and compromise your other devices. An attacker’s ability to gain initial access and further their goals depends on how skilled they are, how much time they have, and what other assets they are able to wield to perform their attack (for example, do they have access to advanced software like Cobalt Strike).
How can we protect all of our devices in a practical and economic way?
This question is simultaneously easy and difficult to answer.
It’s ‘easy’ because the knowledge and tools needed to reach a strong, enterprise-grade security posture are available to a small business. That’s what this course is all about!
However, it’s also very ‘difficult’ because nothing we do can 100% guarantee the security of our systems and data. We know this to be true because ethical hackers are very successful at identifying significant vulnerabilities. During a penetration test they are often able to gain administrative control of an entire system, network or domain. This type of test is a great way to get an in-depth assessment of your security posture and how to improve it. However, a penetration test is a snapshot of the network as it exists at the time of testing. New vulnerabilities are found all the time, and a year later the same testers are frequently able to regain control of the same networks.
We shouldn’t think of good security as a switch that can be turned ‘on’ or ‘off’.
Instead, it’s better to think about it in terms of the sophistication and time investment of the attacker(s).
The more secure your systems are, the more difficult they are to successfully attack.
A targeted attack on a computer system takes time and effort, and it carries some risk for the attacker. It is only worth doing when the perceived rewards are greater than the risk, time, and effort required. Bear in mind, though, that much untargeted attacking is automated and cheap: scanners constantly probe the whole internet for exposed services and known weaknesses, so a poorly defended system can be compromised without anyone deciding it was worth attacking.
Poorly defended systems can often be successfully targeted by less-skilled attackers. In contrast, well-defended systems might require a team of world-class hackers working together.
The goal of defensive cybersecurity is to make a successful attack as difficult as possible. More technically, we are trying to harden our IT systems and improve our security posture.
Protecting A Home – An Analogy
When learning about cybersecurity, it can be useful to think about how we secure our locations physically. A lot of the same principles in physical security also apply to cybersecurity.
Let’s consider a typical home. It has at least one entrance with a locking door to prevent anyone outside from coming inside without permission. Most homes also have windows. We don’t typically use windows for ingress and egress, so most windows only lock from the inside.
It’s difficult for an attacker to break through a wall, so we usually consider walls to be secure.
The attack surface of the house therefore consists of the doors and the windows. But even with locks on the doors and windows, the house isn’t 100% secure.
The windows might be locked, but they can be broken by an attacker to gain access.
The doors have locks, but most locks can be picked by a skilled lockpicker. And doors can also be breached using physical force. But we still consider the doors and windows to be relatively secure as long as they are locked.
In the real world, this might not be enough to protect our home or allow us to feel secure at night.
We might buy upgraded locks, which in cybersecurity can be compared with using strong, unique passwords and multi-factor authentication (MFA).
We may invest in a security system, cameras, lights, and sensors to detect and alert us of anything strange. These types of security systems are similar to technologies like antivirus (AV), and endpoint detection and response (EDR).
Depending on your neighborhood, you might install a fence around the perimeter of your property. The fence is similar to a network firewall. Like a fence, the firewall is installed at the perimeter of the network. Also like a fence, a firewall controls not just who can get inside the network but also what is visible from the outside: services that the firewall doesn’t allow through can’t be seen, and therefore can’t be probed, by someone scanning from the internet.
We will learn more about these technologies in a later lesson. But as we can see, the security measures that we often use in our daily lives often have analogs in the digital world.
Challenges in Achieving Enterprise-Grade Cybersecurity
Before we conclude this lesson, let’s look at some of the challenges in implementing cybersecurity measures at many organizations.
Challenge # 1: User Behavior
User behavior is perhaps the single most important factor in cybersecurity.
Behaving in a more secure way costs little or nothing, but it is commonly seen as a hindrance. For example, using unique, strong passwords and multi-factor authentication (MFA) are two of the most effective things we can do to improve our security posture. Most of our apps support these measures, but we often don’t turn them on.
Another issue is that a full compromise can take only one accidental click or slip-up. The better educated people are, the better they are able to protect themselves online. But it’s impossible to prevent things like phishing 100% of the time, precisely because it only takes one click.
When it comes to improving user behavior across an organization, we need to blend education with rule-based enforcement.
We recommend enforcing the use of strong, effective policies across the organization. For example, users on company devices shouldn’t be able to install any application they want or browse the web without controls. We also recommend the use of endpoint protection like EDR (more on this below).
Challenge # 2: Social Engineering
Some things are impossible to get right 100% of the time. For example, in an ideal world, we wouldn’t click any link that we hadn’t fully validated to make sure it wasn’t malicious. Similarly, we wouldn’t download a document, application or update until it had been thoroughly checked for malicious content or vulnerabilities.
These sound great on paper but are hard to get right 100% of the time. For example, in a business email compromise (BEC) or phishing attack, you might get an urgent email from your direct superior about a topic that is highly related to your job. There’s a good chance that you wouldn’t think about security before downloading an attachment or clicking a link. This is an example of the attacker using social engineering, deceiving their target to achieve a goal.
For better or worse, some people are really good at socially engineering others.
Protection against this type of attack often falls to software-based detection measures such as endpoint detection and response (EDR). Host and network firewalls also matter, not because they stop the initial click, but because they limit what a compromised machine can reach afterwards; the tradeoff is that tighter rules take more effort to maintain. That’s why we recommend using a layered approach to cyber defense, which we cover in our educational content and support with our services.
Challenge # 3: Managing Everything Effectively
Another challenge for small businesses is keeping systems fully patched and updated. This might sound like a trivial thing; doesn’t Windows update itself?
Unfortunately, the reality is that many systems and applications go without updates, often for years at a time. Many of our systems have a lot of applications installed on them, and we don’t typically go through every single one on a regular basis.
This might be acceptable on personal devices, but anything used for work, or connecting to the work network, needs to be as well-protected as possible.
Just one out-of-date application, system, or service can mean the difference between a successful attack and a failed one.
Another reason that updates need to be managed is that many updates exist specifically to patch security issues. When an update is released, the developer will often publish which vulnerabilities it fixes. Once this knowledge is public, attackers try to make use of it as soon as possible, by comparing the patched and unpatched versions and building exploits for systems that haven’t updated yet. For more serious vulnerabilities, this means that the entire network may be at serious risk for as long as the affected system remains unpatched. So there’s a race between attackers trying to exploit the vulnerability as quickly as possible and defenders trying to patch it; the time between the fix being published and your system actually receiving it is the window that matters.
Small businesses are often at greater risk than large enterprises because they often don’t have a dedicated IT person on staff to track and perform necessary updates in a timely manner. This includes updating all software on every device, and we estimate that it takes about 15-30 minutes per device per month to do. Ensure that whoever is tasked with IT functions at your organization is allotted sufficient time to do this right.
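Tracking the patch race described above across every device is easier with a simple inventory check. The script below is an added example for this lesson, not code from the original page: it takes a list of devices with their installed software versions and a list of vendor advisories, reports which devices still run a version below the fixed one, and ranks them by severity and by how many days they have been exposed since disclosure. All hostnames, product names, versions and advisory dates are constructed sample data; they do not refer to real products or real advisories.

```python
"""Patch-exposure report for a small inventory (constructed sample data)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: hostname -> {software name: installed version}.
INVENTORY = {
    "FRONTDESK-PC": {"Example Browser": "118.0.2", "Example PDF Reader": "2023.1.9"},
    "ACCOUNTING-PC": {"Example Browser": "117.0.10", "Example PDF Reader": "2023.1.10"},
    "FILE-SERVER": {"Example Browser": "118.0.2", "Example Remote Tool": "6.1.4"},
}


@dataclass(frozen=True)
class Advisory:
    """A vendor notice: versions below `fixed_in` are affected (constructed data)."""
    software: str
    fixed_in: str
    disclosed: date
    severity: str  # "critical", "high", "medium" or "low"


ADVISORIES = [
    Advisory("Example Browser", "118.0.1", date(2024, 3, 5), "high"),
    Advisory("Example PDF Reader", "2023.1.10", date(2024, 2, 20), "critical"),
    Advisory("Example Remote Tool", "6.2.0", date(2024, 1, 15), "critical"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _parts(version: str) -> list[int]:
    """Extract the numeric components of a dotted version string."""
    return [int(p) for p in re.findall(r"\d+", version)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing version a to version b numerically.

    Comparing versions as plain text is the classic bug in home-grown patch
    checks: as strings, "1.10" < "1.9" and "2023.1.10" < "2023.1.9".
    Missing trailing components count as zero, so "1.2" equals "1.2.0".
    """
    pa, pb = _parts(a), _parts(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass(frozen=True)
class Exposure:
    host: str
    software: str
    installed: str
    fixed_in: str
    severity: str
    days_exposed: int  # days since the fix was published, i.e. the patch gap


def exposure_report(inventory: dict[str, dict[str, str]],
                    advisories: list[Advisory], today: date) -> list[Exposure]:
    """List every (host, software) pair still below the fixed version."""
    findings: list[Exposure] = []
    for host, apps in inventory.items():
        for adv in advisories:
            installed = apps.get(adv.software)
            if installed is None:
                continue  # software not present on this host: nothing to patch
            if compare_versions(installed, adv.fixed_in) < 0:
                findings.append(Exposure(host, adv.software, installed, adv.fixed_in,
                                         adv.severity, (today - adv.disclosed).days))
    # Most urgent first: highest severity, then the longest open patch gap.
    findings.sort(key=lambda e: (SEVERITY_RANK.get(e.severity, 4), -e.days_exposed))
    return findings


def demo(today_iso: str = "2024-03-12") -> list[Exposure]:
    """Run the report against the constructed sample data for a given date."""
    return exposure_report(INVENTORY, ADVISORIES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for e in demo():
        print(f"{e.severity:8} {e.host:14} {e.software}: {e.installed} < {e.fixed_in}"
              f" ({e.days_exposed} days since the fix was published)")
```

Run on the sample data for 12 March 2024, the report puts the file server's remote-access tool first (critical, 57 days unpatched), then the front desk PDF reader (critical, 21 days), then the accounting browser (high, 7 days). The accounting PC's PDF reader at 2023.1.10 is correctly reported as patched, which a text comparison against 2023.1.9 would have flagged as vulnerable. The same structure works for a real inventory exported from your management tooling, as long as the installed-version strings are numeric and dotted.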