What Are the Minimum Standards for a Defensible Cybersecurity Program?

The Top 10 Security Controls for SMEs

Startups and small and medium-sized enterprises (SMEs) face unique challenges in securing their assets from evolving cyber threats. Cyber risk is hard to ignore because it can lead to severe business disruption and financial losses. However, limited budgets and a lack of specialized knowledge often hinder these smaller organizations from implementing robust cybersecurity measures.

That’s why we created the Defensible Cybersecurity Framework to help SMEs navigate the complex threat landscape and secure their critical assets and operations.

As part of our framework, there are foundational security controls which are non-negotiable in building a defensible cybersecurity program. In this post, we’d like to discuss these controls and why they’re essential in protecting against a wide range of cyber threats. 

1. Security Awareness Training

Human error remains one of the leading causes of security incidents. In fact, Verizon’s 2024 data breach investigations report found that 68% of all breaches in 2023 involved a non-malicious human element.

Technical controls cannot fully mitigate this risk on their own. To effectively address the human factor, organizations must implement regular security awareness training, phishing simulations, and foster a culture of security vigilance among all employees.

2. Access Control and Identity Management

Compromised accounts are another significant attack vector. There are milions of compromised credentials available for sale on the Dark Web. Access control measures like using strong passwords and enabling multi-factor authentication (MFA) will significantly boost the security of company accounts. Here are some best practices for creating strong passwords:

  • Passwords should be at least 12 characters long
  • Use a combination of letters, numbers, and special characters
  • Avoid using common words and phrases
  • Include upper and lower-case letters

MFA adds an extra layer of security by requiring additional verification steps beyond just entering a password, such as a code sent to a mobile device or biometric verification. 

When it comes to identity management, it’s best to use the principle of least privilege, which means that employees should have the minimum access necessary to do their job. A good way to implement the principle of least privilege is via role-based access controls (RBAC) which ensure that employees have access only to the information necessary for their roles.

3. Data Protection and Encryption

Protecting data is ultimately the main goal of a strong cybersecurity program. There are two main aspects of data protection: backups and encryption.

Data backups involve creating duplicate copies of critical information stored on-site and off-site. Backups protect your organizations from unforeseen events, including hardware failures and ransomware attacks.

Encryption secures data by converting it into a format that can only be read or understood by those with the proper decryption key. It ensures that even if unauthorized individuals access the data, they cannot interpret or use it. Data should be encrypted both in transit (such as during communication over networks) and at rest (when stored on devices or servers).

4. Endpoint Protection

Endpoints like computers, laptops, smartphones, printers, and other devices within a network are all potential entry points for an attack. Ensuring the security of these endpoints is critical to protecting the entire network from threats such as malware, ransomware, and unauthorized access. Effective endpoint protection involves deploying comprehensive security solutions such as advanced antivirus software, endpoint detection and response (EDR) tools, and firewalls.

Additionally, regular updates and patch management are essential to fix vulnerabilities and enhance security measures. Users should be provided with strict policies regarding endpoint use, which include the company’s guidelines for accessing sensitive data, acceptable use of devices, and protocols for reporting suspicious activities or potential security incidents.

5. Managed Detection and Response

Organizations need technical controls in place to detect and respond to cybersecurity incidents. This can be arranged in two key steps:

  • Log retention capabilities

Logs are tiny but powerful pieces of information that track user activities, system events, and network traffic. Proper log retention allows organizations to maintain a comprehensive record of these activities, which is crucial for identifying suspicious behavior, investigating incidents, and complying with regulatory requirements. 

  • 24x7x365 monitoring

Beyond simply retaining logs, organizations must actively monitor and analyze this data in real-time to detect potential threats. These capabilities can be costly to arrange in-house. Managed Detection and Response (MDR) services offer advanced tools and expertise to continuously monitor network activity, identify anomalies, and respond to incidents swiftly. They provide round-the-clock protection and monitoring to ensure that any potential threats are detected and mitigated as quickly as possible.

6. Incident Response and Recovery

Regardless of the maturity of your cybersecurity program, incidents can and will happen. In such a scenario, it’s critical to have a roadmap that outlines clear procedures and responsibilities for identifying, responding to, and recovering from security incidents.

According to the National Institute of Standards and Technology (NIST), handling an incident consists of four stages:

1. Preparation

Establish and train an incident response team, create and distribute incident response policies, and set up the necessary tools and resources to handle incidents effectively.

2. Detection and analysis

Identify and confirm the occurrence of an incident through monitoring and alerting mechanisms. Analyze the incident to understand its nature, scope, and impact on the organization.

3. Containment, eradication, and recovery

Implement measures to contain the incident and prevent further damage. Eradicate the root cause of the incident, remove malicious components, and recover affected systems to restore normal operations.

4. Post-incident activity

Every incident is an opportunity to learn and bolster your defenses. Conduct a thorough review and analysis of the incident to understand what happened, why it happened, and how it was handled. Document lessons learned and make necessary improvements to the incident response plan and overall security posture to prevent future incidents.

7. Regular Security Assessments and Penetration Testing

Identifying vulnerabilities before they’re exploited by malicious actors is a major component of a strong security program. Regular security assessments will uncover potential weaknesses in your systems, applications, and network. These assessments help organizations proactively address security gaps, prioritize remediation efforts, and ensure that security controls are effective. 

Penetration testing simulates real-world attacks against your network in a controlled environment. By mimicking the tactics, techniques, and procedures (TTPs) of actual attackers, penetration testing provides valuable insights into how an adversary could exploit vulnerabilities and how effective your defenses are in detecting and mitigating these threats. 

The findings from penetration testing enable organizations to strengthen their security posture, fix identified weaknesses, and enhance their overall resilience against cyberattacks. Regularly conducting these tests ensures that security measures remain robust and effective as threats evolve.

8. Third-Party Risk Management

Aside from worrying about security threats from within your organization, you must also consider the risks brought about by your various third-party relationships, including vendors and partners. Third-party-related breaches regularly make headlines and account for nearly one-third (29%) of all cybersecurity incidents. 

Before you embark on a relationship with a third party, you should consider their security posture. Have they had any significant incidents in the past? What are they doing to protect their data? 

Contracts with third-party providers should include clauses about safe data use and adherence to specific security requirements. If a third party is incapable of adhering to these requirements, you should seek an alternative.

9. Regulatory Compliance

Compliance regulations are coming out regularly in an effort to control the surge of cyber threats and protect sensitive customer data. All organizations, regardless of size, must follow these regulations. Non-compliance can lead to hefty fines and loss of business, as potential clients increasingly rely on on compliance as a benchmark for trust and reliability.

Popular security regulations include:

  • GDPR - applicable to all organizations that have customers in the EU.
  • PCI DSS - which applies to organizations that handle credit card information to ensure secure transactions and data protection.
  • HIPAA - sets the standard for protecting sensitive patient data in the healthcare industry.

SMEs must invest in security leadership to guide them toward achieving and maintaining compliance. Working with compliance experts will streamline the development of the necessary security policies and practices to reach compliance with all necessary regulations.

10. Cyber Insurance

In a world where the likelihood of a cyberattack is growing each year, having cyber insurance to protect against such an event is an attractive option. In some industries, cyber insurance is not only advisable but mandatory. 

Cybersecurity insurance provides a safety net for organizations against the potentially crippling costs of data breaches, ransomware attacks, and other security incidents. It will cover expenses related to incident response, data recovery, legal fees, and regulatory fines.

As with any form of insurance, it’s very important to clearly understand what your cyber insurance policy does and doesn’t cover. It’s easy to overlook key details or assumptions that could lead to gaps in coverage during a cyber incident. Having the guidance of a seasoned cybersecurity professional and policy expert can help you get the best coverage possible for your business.

Become #Defensible

Founded in 2019, Defensible Technology is a New York-based, client-centric managed services and cybersecurity provider. 

We work with clients of all sizes and industries to kick-start or enhance their cybersecurity programs, achieve compliance with increasingly rigorous regulations, and select the best policies to insure and protect their digital assets.

Our approach is centered around providing a personal service, with a dedicated team that understands the unique needs and challenges of each client. We prioritize building strong relationships, ensuring that our solutions are not only effective but also aligned with the strategic goals of our clients. 

We would love to hear how we can help your organization strengthen its cybersecurity posture. Contact us today at info@defensible.tech or call 646-949-4980.