The SMB Cybersecurity Problem
Can anything be done to help secure these organizations in 2024 and beyond?
This past week the SMB (small and medium-sized business) cybersecurity problem came to light once again with the announcement of the CMMC (Cybersecurity Maturity Model Certification) proposed rule dropping (CMMC Proposed Rule Site). The CMMC program is designed to protect the US Government’s sensitive information that is sent to businesses contracting work with the government. This sounds like a reasonable idea, but for the past 3+ years it feels like all that has been discussed surrounding CMMC is controversy and the issues this type of regulation will cause (unless you are trying to make money off of CMMC). It is worth noting that CMMC is not a designation a product can receive, like FedRAMP, but rather something an organization must obtain for the cybersecurity program it uses to protect CUI (Controlled Unclassified Information) and FCI (Federal Contract Information). The framework is mostly focused on the GRC (governance, risk, and compliance) capabilities of an organization and defines controls that are focused on baseline practices, things that decent cyber programs should already be doing (besides a few useless items that are just time sinks).
I’ve been pretty close to this issue over the course of those 3 years, and have consulted with 15+ SMBs looking to gain an understanding of how CMMC may impact their operations and workflows. Nothing I speak of in this blog is proprietary information or specific to any one organization; these are trends and themes that I have witnessed. So, let’s take a look at the main problems SMBs face when it comes to cybersecurity.
Problems
Lack of Skilled Personnel
While most organizations would consider retaining skilled personnel a problem, this may be the single largest issue an SMB must deal with when it comes to the state of its cybersecurity program (or lack of one). And the main reason for this lack of skilled personnel, in my opinion, comes from problems 2 – 4, so make sure to read the rest of the article.
The common walls SMBs face when it comes to attracting technical talent are brand, compensation, and work type. A lack of name recognition, lower compensation packages, and work that is not viewed as “cool” or “cutting-edge” are often the reasons SMBs are overlooked by job searchers. These things are by no means drawbacks to everyone, but it definitely makes recruiting easier when you can offer them, especially to younger kids that care a lot about “image” (a whole other problem). SMBs have been battling these challenges for years, and I do not think they totally hinder the ability to find strong cybersecurity talent.
Most often, an SMB has a focus area of business. They specialize in a product or service and do it well. They do not, however, perform all business processes very well, and the overlooked processes often include the IT and cybersecurity disciplines. Without a cybersecurity leader at the company, the “cyber” tasks often fall on one system administrator, or on an employee fulfilling that role on the side while also doing the work of their main paid position. No team, no proactive moves, no budget, merely a “keep the lights on” mentality. Of course, this strategy will not work against even the most average of adversaries, much less an APT keen on compromising a supply chain.
Without dedicated cyber personnel, less skilled and less trained personnel are in charge of protecting information at these organizations. There is no cybersecurity program in place, but there are requirements to maintain one in order to protect another party’s (the USG’s) information. This makes the entire CMMC program feel backwards, since the organization works to implement cyber controls intended to protect that information, but not the organization itself. Of course the controls could be applied across the entire organization, but it is much simpler to only apply them to the enclave or environment that stores said information.
A regulatory cyber framework requiring a cybersecurity program from organizations that have no program would seem futile at best, and a waste of money, effort, and time at worst. I can’t help but believe that organizations with no real cybersecurity talent have no shot at maintaining a decent or compliant cybersecurity program. This is not something that can be outsourced to an MSSP very well (they can’t accept risk for you, and will never really care to make your program good, only standardized and good “enough”). Some people are okay with good enough; I do not hold that opinion.
Lack of Funding
The next issue, which once again could be considered an issue for every organization, is funding. Most orgs will complain about funding, but it is one thing to not be allowed to spend by the C-Suite; it is quite another to not be able to spend (because there is simply no money). A lot can be done with a small budget in cybersecurity, but that requires talented cybersecurity practitioners (see point 1). There are many open source tools that provide the same or better capabilities than some paid ones, but these tools require configuration, tuning, and testing. Many overworked admins lean towards the “set it and forget it” options, which cost money and lack true value. In a future blog I may create an SMB cybersecurity resource list/plan that provides free or inexpensive tools for the needs of an SMB to maintain decent security capabilities and meet most standard compliance requirements.
The reality is that most SMBs have little to no budget for cybersecurity. If they do have a budget, it probably only covers antivirus and their Microsoft licenses. This quickly becomes a problem when it is expected to be costly for organizations to even get assessed for regulations such as CMMC, which they will need to pass to keep making money from a government contract. It is estimated to cost around $31,000 for small entities and $50,000 for “other than small entities” to obtain a CMMC Level 2 assessment (see page 89093 of the CMMC Proposed Rule). That cost does not include any implementation costs (as the DoD expects orgs to already have NIST SP 800-171 implemented). I’d guess 90% are not even close as of Jan 1 2024, even though there have been over 5 years of trying. Costs for assessments may drop after the early demand, but this does not negate the fact that a year’s worth of cybersecurity budget (30k) would need to be assigned every 3 years to the “CMMC assessment” line item.
Lack of funding equates to a lack of talented personnel, a lack of technology/tools, and a lack of options. No matter what vendors tell you, there are no perfect out-of-the-box products that will make you CMMC compliant or give you an effective cybersecurity program. Outside organizations cannot do it for you, and even if you pay a consulting company to help you pass the assessment, you still need to keep up the continuous monitoring and the changes that occur over the years due to changes in technology, operations, and staff. Having a legit cybersecurity program takes effort, time, and general care. Often, the last one is lacking the most.
No Well-Rounded Cybersecurity Programs
Let’s take a few minutes to discuss the idea of a cybersecurity program. NIST assigned five functions to its Cybersecurity Framework (NIST CSF 5 Functions): Identify, Protect, Detect, Respond, and Recover. (CSF 2.0, released in February 2024, adds a sixth, Govern, covering organizational context, risk strategy, policy, and oversight.) The link provides a good breakdown of each function. NIST explains that “these five Functions were selected because they represent the five primary pillars for a successful and holistic cybersecurity program.” While this list could be altered, we’ll stick with it since it is widely recognized. For all 5 of these functions to be successfully incorporated into an organization’s cybersecurity program, an organization must address GRC, security architecture and engineering, and security operations. A program that does not include all three of these cyber domains will not get the job done in 2024.
Many SMBs focus solely on the GRC domain, since that is what their cyber “requirements” hit on. This leads them to create administrative and physical controls, but they will be largely lacking in technical controls. The technical controls that are applied are rudimentary and done as cheaply as possible. And as I said earlier, frameworks such as NIST 800-171 (CMMC) only look at bare minimum controls that should be in place everywhere. Adversaries laugh at administrative and physical controls. Just take a look at some reports from The DFIR Report and let me know how many administrative or physical controls stopped the intrusions from happening.
A quick list of items that make up a well-rounded cybersecurity program was created by PurpleSec. Cool name, guys. You can find the full article here: PurpleSec Article
1. Conduct A Security Risk Assessment
2. Select A Cybersecurity Framework
3. Develop A Cybersecurity Strategy
4. Develop A Risk Management Plan
5. Create Security Policies and Controls
6. Secure Your Network
7. Secure Your Data
8. Secure Your Applications
9. Test Your Security Posture
10. Evaluate and Improve Program Effectiveness
Points 1-5 can be performed with GRC, but 6-9 require some decent engineering and security operations capabilities to ensure the best security possible. Everyone needs to start somewhere, but the goal needs to be a holistic approach. Another part of a successful security program is culture. There needs to be buy-in from management and support from coworkers. Security is not one person’s job, and it’s definitely not something to punish people with.
SMBs often believe a big misconception when the term “cyber” is mentioned. Whether they were told crap information by someone trying to sell something, see a regulation such as CMMC and assume that is cybersecurity, or think that AV is still enough to protect them, the FUD and lies are everywhere. So let me clear up those two lies quickly. First, AV only protects against malware running on a system. Most intrusions today, ransomware included, are carried out with legitimate accounts and credentials (phished, sprayed, or bought), and AV will do nothing to stop that. Second, CMMC (face palm): this is a framework to protect the government’s information. It cares about Confidentiality here, not Availability or Integrity. Effective cybersecurity programs should address the entire CIA Triad. You cannot make your entire cybersecurity program just a NIST 800-171 control set. Well, you can, but that isn’t going to solve many of the existing problems out there.
Honestly, I don’t believe that most SMBs intentionally ignore the engineering and security operations side of cyber; they lack the knowledge, talent, and funding to make them happen. Detection engineering, SIEM/SOAR, forensic analysis, threat hunting, threat intelligence, adversary emulation, and red teaming functions are almost always nonexistent at the SMB level (which I personally find a real shame, since threat-informed defense is one of the best ways to prioritize threats in a cost-effective manner). To address deficiencies in security operations, some orgs will hire an outside SOC service. This might seem like the best route, but I also haven’t seen what I would call an “effective” SOC, MDR, or MSSP in real life. I’d say Huntress and Black Hills Info Sec would be good bets, but otherwise the options are definitely limited. You could also choose to dive fully into the Microsoft security path, but that requires cloud and SecOps talent.
Lack of Useful Products / Outdated Tech and Processes
The last problem I’ll touch on in this blog is the big lack of useful SMB cybersecurity products and the use of outdated tech/processes. A considerable issue in cybersecurity is that 90% of paid products are not very useful. They exist to generate income and serve the vendor. Open-source tools are designed to actually serve a purpose, but they come with a lack of support and ease of use. There are not many security products designed to serve the needs of SMBs, since one deal with a Fortune 500 company would equate to 500 deals with SMBs. Money rules the vendor world, and SMBs get left out to dry. In the last couple of years many vendors have moved to pricing by the licenses actually in use, and this can help, but it’s clear that most products are designed to be used at wide scale and managed by dedicated staff.
If a product can’t be used quickly and efficiently, and learned by a team member who performs multiple roles, it won’t serve an SMB very well. Consider the large EDR, SIEM, and cloud providers. There is not one that can be properly utilized without dedicated staff who spend most, if not all, of their time using that product. Products that are geared towards SMBs typically sell false promises and attempt to profit off of ignorance. Never buy a product that claims to offer full compliance or guaranteed security. Products require tuning and configuration to an environment. Products may offer great features, but they will never work unless they are configured properly and keep changing along with the environment they are in.
We can talk about the issues with new products all day long, but many SMBs are using ones that are 10+ years old. In the cybersecurity space, it is fairly critical to keep up with the times. All the newest tools and methods aren’t necessary, but relying on Norton and single-factor passwords is not really going to cut it in the age of automation, cloud computing resources, and Metasploit/Cobalt Strike/Sliver. A single phish could lead to immediate domain compromise. Along with the outdated tools, outdated processes are often just as bad. Password sharing, weak passwords, no backups, no log collection, and no network or account monitoring are still very common practices. Regulations such as CMMC do attempt to address most of those particular items, so some credit can be given. I would be genuinely surprised if 20% of SMBs are not actively compromised right now. If an APT (or group of European teenagers) cared at all about an SMB, they would probably be in within a couple of days.
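To make the point about legitimate-account intrusions and account monitoring concrete, here is an added example (my illustration, not tooling from the original post or from any vendor named in it): a small Python detector that walks Windows Security event 4624 (successful logon) records, learns each account’s normal source IPs and logon types from a baseline week, and then flags a new source, a new logon type, off-hours activity, and one account touching several hosts within a short window. Everything in it is constructed for the demonstration: the events, the baseline, the 07:00–19:00 weekday business hours, the 10-minute window and the three-host threshold are all assumptions a shop would tune. None of these logons involves malware, which is exactly why AV sees nothing; the same logic would run over events shipped by a collector such as Wazuh or Elastic.

```python
"""Account-activity monitoring over Windows Security 4624 (successful logon) events.

Added example, not the post author's tooling. Every event below is constructed,
and the business hours, window and threshold are assumptions to be tuned per site.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed local business hours, Mon-Fri 07:00-19:00 (end hour exclusive).
BUSINESS_HOURS = (7, 19)

# Constructed 4624 records: (timestamp, account, target host, source IP, logon type).
# Logon type 2 = interactive at console, 3 = network (SMB/admin shares), 10 = RDP.
BASELINE = [
    ("2024-01-08T08:05:00", "jdoe", "WS01", "10.0.1.21", 2),
    ("2024-01-09T08:12:00", "jdoe", "WS01", "10.0.1.21", 2),
    ("2024-01-10T08:01:00", "jdoe", "WS01", "10.0.1.21", 2),
    ("2024-01-08T09:00:00", "svc-backup", "FS01", "10.0.2.10", 3),
    ("2024-01-09T09:00:00", "svc-backup", "FS01", "10.0.2.10", 3),
]
NEW_EVENTS = [
    ("2024-01-15T08:03:00", "jdoe", "WS01", "10.0.1.21", 2),        # normal workday logon
    ("2024-01-15T02:41:00", "jdoe", "DC01", "10.0.1.250", 10),      # 02:41 RDP to a DC from a new IP
    ("2024-01-15T02:42:00", "jdoe", "FS01", "10.0.1.250", 3),       # then network logons host to host
    ("2024-01-15T02:43:00", "jdoe", "WS07", "10.0.1.250", 3),
    ("2024-01-15T02:44:00", "jdoe", "WS12", "10.0.1.250", 3),
    ("2024-01-15T09:00:00", "svc-backup", "FS01", "10.0.2.10", 3),  # normal service logon
]


def build_baseline(events):
    """Learn, per account, which source IPs and logon types are normal."""
    ips, types = defaultdict(set), defaultdict(set)
    for _ts, acct, _host, ip, ltype in events:
        ips[acct].add(ip)
        types[acct].add(ltype)
    return {"ips": ips, "types": types}


def detect(events, baseline, window=timedelta(minutes=10), host_threshold=3):
    """Return a list of findings; each is a dict with rule, time, account, detail."""
    findings = []
    seen_ips = {a: set(s) for a, s in baseline["ips"].items()}
    seen_types = {a: set(s) for a, s in baseline["types"].items()}
    recent = defaultdict(deque)   # account -> deque of (time, host) inside the window
    spread_flagged = set()        # accounts already reported for lateral spread

    def hit(rule, ts, acct, detail):
        findings.append({"rule": rule, "time": ts, "account": acct, "detail": detail})

    # Sort by timestamp so the sliding window works regardless of ingest order.
    for ts, acct, host, ip, ltype in sorted(events):
        t = datetime.fromisoformat(ts)

        # A source IP this account has never used (unknown accounts trip this too).
        if ip not in seen_ips.setdefault(acct, set()):
            hit("new_source", ts, acct, f"{acct} never seen from {ip}")
            seen_ips[acct].add(ip)

        # A logon type this account has never used, e.g. first RDP for a console-only user.
        if ltype not in seen_types.setdefault(acct, set()):
            hit("new_logon_type", ts, acct, f"logon type {ltype} is new for {acct}")
            seen_types[acct].add(ltype)

        # Activity outside the assumed business hours or on a weekend.
        start, end = BUSINESS_HOURS
        if t.weekday() >= 5 or not (start <= t.hour < end):
            hit("off_hours", ts, acct, f"logon to {host} at {t:%a %H:%M}")

        # One account reaching several distinct hosts inside the window: lateral movement shape.
        dq = recent[acct]
        dq.append((t, host))
        while t - dq[0][0] > window:
            dq.popleft()
        hosts = {h for _, h in dq}
        if len(hosts) >= host_threshold and acct not in spread_flagged:
            spread_flagged.add(acct)
            hit("lateral_spread", ts, acct, f"{len(hosts)} hosts in {window}: {sorted(hosts)}")

    return findings


if __name__ == "__main__":
    for f in detect(NEW_EVENTS, build_baseline(BASELINE)):
        print(f"[{f['rule']:15}] {f['time']} {f['account']:11} {f['detail']}")
```

Run against the constructed data, the normal jdoe and svc-backup logons produce nothing, while the 02:41 RDP session fires three rules at once and the host hopping trips the spread rule two minutes later. The baseline is deliberately naive (a single learned set per account, no decay); the point is that four lines of stateful logic over logs an SMB already generates catch behaviour no endpoint AV will ever see.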
Solution?
Obviously, there’s been a lot of negatives in this blog. So, what do we do? What options exist for SMBs? Can SMBs better protect themselves?
Well, if that question could be answered quickly, I would be a millionaire and we would not be in this situation. There is no easy button or pathway, but rather a series of choices and decisions that must be made for improvement to occur. Some decisions will go against the grain of capitalism, but that is the cost of a country looking to have a secure supply chain. SMBs that work with the USG will need to acknowledge that security will cost them money, and that they will need to care about protecting their country. Vendors will need to find ways to better support SMBs and include security by design and by default. Security talent needs to be trained and ready to help out the little guy. And MSSPs/SOCs need to up their offerings and find ways to actually be useful and work with SMBs (the roasts of MSSPs may not be warranted, but my experiences have been pretty sad).
In my opinion, the biggest issue is the lack of talent in the SMB realm. Talented people make things happen. Honestly, a security team of 10 is not even required. Have one individual in charge of GRC, one security engineer, and one in security operations. The ones working in GRC and engineering could split time as system admins if needed. Start with those 3, and you will have a better security program than 95% of SMBs.
Once you have a few people, start building out defenses. Now I’m a pretty resourceful guy, but honestly anyone could do some research and identify great tools that have low costs. Things such as Wazuh and Elastic (log collection and detection), Zeek and Security Onion (network monitoring), Atomic Red Team (testing that your detections actually fire), and Microsoft E3 (identity, MFA, and device management) provide many of the necessary measures an SMB would need. Microsoft isn’t necessarily “cheap,” but unless you are running a full Linux environment, the MS cloud will be the cheapest route for an SMB. Throw in some configuration, account, and patch management and some type of phishing awareness. You don’t need to get crazy. Start somewhere, build a culture, and don’t pay someone to fix it in 4 weeks. This is the way.
If you can’t afford to hire anyone, first get a good list of company assets, identify your crown jewels, know where your data is, and protect it. Keep your scope as small as possible. Scope is a big deal both for protection and for assessments.
I will make a post about some great cheap tools/ideas for an SMB to utilize in the future. Definitely a space that needs more attention.
Update: Here is part two of this topic: SMB Cybersecurity Answers. I give a few options for improving SMB security in this blog.