Advising SMBs: The Game of Thrones Edition

I’m a sucker for a good pop culture reference, what can I say? However, it’s also something that becomes ubiquitous in the mainstream culture, which makes using it easier when trying to demystify cyber for small and mid-sized businesses. Recently, a company brought me on to help them navigate their current cybersecurity program. And really, for a lot of SMBs, winter is coming (even if you don’t live in the depths of frigid New England).

And yes, there’s gonna be Game of Thrones spoilers below. Only through the most recent HBO season, however. But if you want to remain spoiler free, I guess you need to skip the post.

Spoilers are coming.

You’ve been warned.

Winter is Coming - But How Cold Will It Be?

The entire first season of Game of Thrones had people uttering “winter is coming.” Basically, the concept was that the dark, long winter was inevitable and people needed to prepare. Moreover, if you didn’t prepare for the upcoming winter, you were pretty much a goner.

Clearly, statistics indicate that cyberattacks are the same level of inevitable. However, the question for SMBs is - How cold will it get? Do they need to be a Jon Snow covered in a gigantic faux-fur cape or can they be a Daenerys meandering around in a stylish coat and some gloves?

As I’ve said before, I don’t think it’s that c-suite members don’t understand the importance of information security; I think it’s that they get overwhelmed and don’t want to be wrong. Of course, a lot of small business owners may feel that the risks to their data are different than the risks to large organizations.

And, in fact, comparison reports indicate they’re not really wrong.

For example, the 2018 Verizon Data Breach Investigations Report listed the top four action varieties in breaches as:

  1. Use of stolen credentials (hacking)
  2. RAM scraper (malware)
  3. Phishing (social)
  4. Privilege abuse (misuse)

However, if you drill it down to the small and midsized business category, the threats look a tiny bit different according to the 2018 State of Cybersecurity in Small and Medium Size Business Ponemon Report:

  1. Phishing/Social Engineering
  2. Web-based attack
  3. General malware
  4. Compromised/Stolen Devices

On the surface, these look the same, right? But, for small businesses, the threats tend to be related to external malicious actors and, in the case of malware, less specific.

Beware the White Walkers - Malicious Actors

Basically, white walkers in the Game of Thrones universe are a bunch of horrible ice zombies who really don’t care who they hurt. They just want control. (Ok, at least in the HBO series so far… and I’ve tried the books and can’t make it through them. Yes, even audio and graphic novelization.)

Malicious actors do the same thing. They want to gain control of any information they can. So, they’re going to try to break into the North Wall in any way possible. It’s kind of that simple, really. But hey, I got to discuss ice zombies.

The North Wall Will Be Breached - A Firewall Isn’t Going to Save You

White Walkers marched their ice zombie selves to the Eastwatch and then used an ice zombie dragon breathing, well, ice to get through the Night’s Watch’s protections.

Let’s start with the first line of defense, right? You walk into an SMB, and their answer is, “we have a firewall. That’s going to protect us.” The problem is that they may not understand the variety of attacks.

Malicious actors are doing the same thing to web-application firewalls or unpatched firewalls. With more DDoS attacks, protocol downgrade attacks also put the firewalls at risk.

SMBs need to learn that their North Wall can be breached.

Bend the Knee - Hiring an IT Manager

When Jon Snow first met Daenerys Targaryen, he refused to accept her leadership. To bend the knee, or kneel, is a sign of respect within the Game of Thrones universe. The person bending the knee recognizes another person’s authority and offers them loyalty. Jon Snow not only accepted Daenerys as his ruler by bending the knee, but he also recognized her authority.

It’s hard to talk SMBs into hiring an internal person to manage their architecture. In fact, the biggest problem that the Ponemon SMB report found for SMBs was that 74% of respondents lacked personnel and 55% lacked a sufficient budget. Most SMBs outsource their IT security to a managed services provider or rely on their cloud service provider to protect their data. The worst part is that many MSP companies don’t really do much, know that SMBs have limited internal resources, and then find they can gouge them with insane fees. Meanwhile, SMBs think that if their cloud service provider is handling their data security, they’re all set.

SMBs need to hire IT managers who can control their data environments. By bending the knee, they can put the people with expertise and authority in a position to protect their information.

Everyone Needs a Dragon - Choosing a Suite of SaaS Solutions

First, let’s all admit right now: we all want flying, firebreathing beasts and no SaaS provider is going to really do that. But, we’re in Game of Thrones land at the moment. And I wanted to type “dragon” a bunch of times. For Daenerys, her trio of dragons offered power and protection. Even with the untimely zombie icing of poor Viserion, the Queen used her other two dragons to rescue the Night’s Watch and keep everyone safe. Even the Queen that Jon Snow respects can’t do it all alone.

A single IT manager can’t handle reviewing all of the reports and alerts alone either. In other words, an IT manager needs an army of dragons (ok, well, who doesn’t). Unfortunately, just like Viserion was the smallest and seemingly weakest of the dragons, not all security monitoring platforms are equal.

To protect against data threats, an IT manager needs not only the right tools but needs more than one. This need presents another hurdle for SMBs; after all, the research takes time and expertise. Besides, what happens when the product doesn’t work the way it says it does?

Giving SMBs and their IT managers directed questions to ask can help ease that strain.

  • How does your continuous monitoring program work?
  • Are you reviewing anything other than firewall threats?
  • How do you provide insights into unpatched software, network, and system security updates?
  • Does your tool monitor the Dark Web?
  • Does your tool help detect threats from social engineering?
  • Does your tool use machine learning?
    • Corollary 1: How do you collect data?
    • Corollary 2: How much data do you use for your modeling (hint: the more the merrier)
    • Corollary 3: Do you use raw data if you buy data from other places to enhance attribution and control?
  • How does your tool make password security and multi-factor authentication easier?
    • Corollary 1: Does your tool encrypt the password information?
    • Corollary 2: Who in your organization can recover my data (hint: the fewer the better, bonus points if the answer is “no one”)
    • Corollary 3: How does your tool help me monitor password security and strength?
  • How does your tool help manage vendor monitoring? (Hint: if it’s just a big ol’ database, think about the number of vendors you really need to collect data from before paying a huge sum of money)
  • How does your tool help perform a gap analysis if I need to add a new compliance requirement?
    • Corollary 1: Is any of that automated?
    • Corollary 2: How much data input do I need to do?
    • Corollary 3: Is there any control information migration from one standard/regulation to the next?

Basically, the issue here is that no single solution is going to be able to help with all of these things. That means that SMBs (and larger organizations as well, but specifically SMBs) need to be able to seek out a variety of providers who can bring together a total solution that helps them create an overarching program.

Can You Take the Iron Throne?

In full disclosure before you ask any questions, I work for a variety of solutions as a content writer, which means that I’ve looked at their products and their competitors’ products in depth as part of marketing campaigns. This means, no, I’m not going to be able to offer suggestions because a) if I offer a client it comes off as marketing for them or b) if I don’t offer one it comes off as bad marketing for them.

The reality is that different companies need different solutions. There’s no such thing as a “one size fits all” - what might work for one SMB won’t work for another. What one product offers might be too much for one SMB but not enough for another. The real answer is that there’s no Iron Throne that can control all of an SMB’s data security, but there’s a way to work towards finding something that at least allows you to create a stronger program and more robust cybersecurity stance.