In the past two decades, it has been pretty popular for small and medium-sized businesses (SMBs) to outsource all things cybersecurity to a third-party managed security services provider (MSSP). But the tradeoff has often been giving up strategic thinking.

In today’s operational environment, infused with SaaS sprawl and multi-cloud hosting, the risks are everywhere and could blindside companies that don’t take a closer look at their cyber defenses. Once a company has grown to about 50 or so employees, it’s time to move beyond cookie-cutter solutions and dedicate some time to reviewing security posture. What follows are some concrete ideas for SMB IT and security personnel to examine to ensure they are effectively building a multi-faceted defense at the right level of maturity.

Beyond layered defense

The traditional approach to cybersecurity has been the layered defense model, which focuses on setting up protections at the various system layers (i.e. data, server, network and application). These layers were often compared to a series of moats and castle walls that shielded sensitive data from outside attacks.

But this model needs an update to account for the fact that not all assets are inside the castle anymore, and that not all attacks come from the outside.

For example, most small or medium-sized businesses today rely on popular solutions like Microsoft Office 365, Google Workspace, Slack and other software for everything from email communication to sales support and financial accounting.

Guess what? Most competitive software products in these categories have one thing in common: They all run in the cloud. That means they are no longer behind moat and castle walls. And if an employee is careless about their passwords, an attacker could easily pose as an insider and take control of sensitive data.

For this reason, the traditional layered defense model needs to be expanded to include less-technical protections related to people and processes, such as awareness training, password policies and software compliance standards. But it’s not enough to have the bare minimum security in each layer. SMBs need to examine the maturity of each layer of defense, and then reinforce these controls to defend their company.

“Layer up” 

This is done by increasing the level of sophistication of each layer through a mix of people, process and technology controls. The effectiveness of a layered security strategy will depend on an appropriate investment in technology, solid repeatable processes and appropriately trained and risk-aware staff. The below graphic depicts how these layers reinforce each other to guard company data against various threats.

Passwords and phishing prevention

People can be a company’s best asset, or its weakest link. They are also typically the first layer of defense. To play that key defensive role, employees need to possess general risk and security awareness as well as a level of vigilance that can only be gained through effective training. And most may not be aware of how simple changes in their behavior can significantly improve the company’s overall security posture.

The first mission is to ensure people choose unique and long (16 character) passwords for all their cloud services. The password should not have been used elsewhere, either for business or on personal websites. 

Why? There are two facts today regarding passwords. First, cheap and lightning-fast computing power makes password cracking, security key cracking, etc., a pretty competitive sport. There is a lot of potential benefit for attackers if they get lucky enough to guess a password, and not a lot of reason to stop trying.

Second, because of a series of breaches of popular websites, most people have had at least one password compromised at one time or another. 

While including numbers and special characters in passwords helps somewhat, it’s really the length of the password that makes it harder to guess with a computer. Once employees have established a long unique password, make it so they never have to change it. Advise users to pick a memorable yet unique password and then stick with it. 

The second easy but mandatory step is to give users some basic phishing education. According to Deloitte, 91% of breaches start with an email.

Threats that can enter an organization through an email include everything from ransomware to financial scams to password theft, and today’s phishing emails have become much more sophisticated in enticing employees to click on links or fill out forms that give away sensitive data. To the untrained eye, it can be difficult to separate scams from legitimate business emails.

Compliance frameworks and device standards

Most SMBs will end up needing probably a dozen cloud software solutions. In fact, by 2025, enterprises will spend more on public cloud services than traditional IT solutions, according to Gartner. And with everything provided “as-a-service,” SMB managers should demand more out of this service. Specifically, they should be asking their cloud service providers what standards and compliance frameworks they follow.

By choosing cloud service providers with solid data processing controls in place, SMBs can often “inherit” some parts of these controls, or leverage them in a way that helps them ensure their own compliance. But it’s important to note that an SMB cannot truly outsource their compliance. Security leaders are still accountable for ensuring compliance end to end.

Another important security control is to set some standards for computing and mobile equipment. Imagine a 50-person company that has grown over time that may have issued employees three different brands of computing devices depending on their start date, even allowing some employees to use their own device for business purposes. While it’s tempting to let employees bring their own devices, especially mobile devices, and then let them access corporate data on these devices, this increases the threat surface and can be a costly mistake if not properly managed.

Personal mobile devices are often a source of business email or sensitive data compromise, as users may unknowingly install malicious apps on their phones and accidentally grant these apps access to the phones’ contact list, email client or even corporate document repositories! And when an employee leaves, due to the authentication protocols used by some mail clients, it can be difficult to ensure they no longer have access to corporate email.

A good solution, if feasible, is to issue corporate-owned mobile devices to employees who need roaming access to any company data. If that’s not possible, then another good choice would be a policy management software that installs a small profile on the device and lets security leaders delete any of their company data with a single click. These solutions also have a side benefit of allowing security leaders to understand if devices are running the latest security-patched version of the operating system, and are available for both laptops and phones. Setting the right minimum patch levels and system standards for devices accessing sensitive data can be a great process layer control that reduces risk of compromised data.

The “Layer up” model is more of an approach than a prescription. Companies should perform a gap analysis to see where their biggest deficiencies are and how to level up each layer.