What steps should businesses take to assess and improve their security posture? What tools would you recommend for this purpose?
Awareness, awareness and awareness. The problem is the head.
True story: issues take place at the senior level (open USB ports, no clean desk policy, etc.).
Afterwards "we" (the working level) can talk about training and SW/HW solutions.
So the first point is that security means not only buying a SIEM or ISMS monitoring; it's a mindset.
Some sort of taking care of the company like taking care of your family :)
@Norman Freitag great advice!
You must perform a vulnerability assessment on all your devices, for example with Tenable Vulnerability Management. Then you must remedy the critical and high vulnerabilities.
Always evolving your technologies along with security threats and trends is needed; similarly, user awareness of security is key. As an IT person with the limited budget of an SMB organization, they should opt for a UTM (NGFW), better endpoints with EDR, ATP and email security. An enterprise should always be ready for any targeted or rogue attacks, hence a defence in layers is required: firewall, network-layer ATP (sandboxing), email with zero-day attack intelligence, device controls, EDR and EPP, WAF for web servers, and a honeypot to trap and know the threat vectors for their organization.
No matter what tool you use, we can't stop all the threats.
We need 360-degree visibility, need to categorise the risk factors, and need to work continuously on enhancing the security posture. There are any number of tools available depending on the risk factor.
1. People buy-in - very important - it's not the technology adopted but the mindset and willingness of the people.
2. Choose your technology based on actual need and available budget.
3. Ensure that all possible exposure points are covered in your defense mechanism - laptops, servers, firewalls, VPN - all are exposure points.
4. At the time of final design, consider the threat landscape you are in and which factors contribute to it: your industry type and the technology used, the endpoints involved, and the type of people who are using these endpoints.
The product and technology you finally choose AFTER you answer these basic questions will define your future defense mechanism, as this will be the starting point of your company's defense mechanism and its future evolution.
The question is very broad as it depends on what industry you are in and if you are B2B or B2C and how transactional your website is. Ideally, you should request a cyber security consultant to provide some advice.
My priority would be to request a comprehensive IT & Risk Assessment. Small MSPs can perform these at very affordable prices and sometimes credit the fee back if you subsequently buy other products and services from them.
A good IT & Risk Assessment will provide you with visibility of everything attached to your network(s) and a thorough analysis of each of them. One of the biggest threats to an organisation is leaving servers and applications on old versions of software - patching. That is what criminals are looking for as an easy route into your company. The second threat is poor password management. A good assessment will notify you about devices you didn't even know you had and their patch status. It will also notify you of users with passwords that need to be reset and their login history on all the systems they have access to. We sometimes find credentials of employees who left the company months ago are still being used to log in to critical systems - that is a big alarm bell!
If you are considering a penetration test (pen test) - great, but have a network assessment first and clean up all the easy stuff so that the pen testers have to work hard for their money.
The contributors to this article who talked about staff being the weakest link are correct. Email phish simulation and training can cost as little as $1.5 per person per week. Over a fairly short time, it makes a massive difference to the likelihood of an attack getting into your company. MSPs that provide assessments usually offer a staff awareness platform too. Staff benefit from vital cyber skills in their personal lives too.
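The stale-credential finding described in this answer (ex-employees' accounts still logging in to critical systems) is something an assessment team can check mechanically. The following is an added example, not part of the original post or of any MSP's tooling: it cross-references an HR leavers list against sshd-style authentication logs and flags successful logins dated after the user's last working day. All usernames, hosts, dates and log lines are constructed sample data.

```python
import re
from datetime import date, datetime

# Constructed sample HR leavers list (username -> last working day); not real data.
LEAVERS = {"jdoe": date(2023, 11, 30), "asmith": date(2024, 1, 15)}

# Constructed sample sshd-style authentication log lines; not real data.
AUTH_LOG = """\
2024-02-03T08:12:44 srv-db01 sshd[2011]: Accepted password for jdoe from 10.0.5.23 port 51022
2024-02-03T08:15:10 srv-db01 sshd[2015]: Failed password for bwilson from 10.0.5.40 port 51100
2024-01-10T17:02:01 srv-app02 sshd[877]: Accepted publickey for asmith from 10.0.7.9 port 40211
2024-02-04T22:41:37 srv-app02 sshd[901]: Accepted publickey for asmith from 10.0.7.9 port 40300
2024-02-04T09:00:05 srv-app02 sshd[905]: Accepted password for cgreen from 10.0.7.15 port 40333
"""

# Only successful logins matter here; "Failed password" lines do not match this pattern.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def find_stale_account_logins(log_text, leavers):
    """Return successful logins by accounts whose owner had already left.

    A login dated after the user's last working day means the account was
    never disabled (or was re-enabled) and should be investigated.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") not in leavers:
            continue
        user = m.group("user")
        when = datetime.fromisoformat(m.group("ts"))
        if when.date() > leavers[user]:
            findings.append({
                "user": user,
                "host": m.group("host"),
                "source": m.group("src"),
                "method": m.group("method"),
                "login_time": when,
                "days_after_leaving": (when.date() - leavers[user]).days,
            })
    return findings

if __name__ == "__main__":
    for f in find_stale_account_logins(AUTH_LOG, LEAVERS):
        print(f"ALERT: {f['user']} logged in to {f['host']} from {f['source']} "
              f"via {f['method']} {f['days_after_leaving']} days after leaving")
```

Logins that happened before the leaving date (asmith on 2024-01-10 in the sample) are legitimate and are not reported; only the two post-departure logins surface.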
People are the weakest link in security so frequent awareness training is a must.
The top management needs to understand the implications of data/security breaches and also understand that they also need to comply with security policies. Form a TI team for detailed information on what threats are most likely to affect the organization/industry, and indicators to help prevent and detect more attacks.
Training & awareness for the insider; understand the risks involved and have mitigation plans.
The recommended tools are APT Patch Management tools and Content filtering.
First of all, you need to know what you have inside your company: not only computers, but every device that is connected to the network. This will help you identify where the potential threats are. There are products focused on making an inventory of your network assets.
After that you can plan the best approach, based on your needs.
Surprisingly, the worst threats can come from places you don't even know exist.