Digital Global Hub (https://digitalglhub.com)

Top 10 tips to get cyber security work effortlessly for your business
https://digitalglhub.com/top-10-tips-to-get-cyber-security-work-effortlessly-for-your-business/
Mon, 03 May 2021 12:57:38 +0000

Cyber security is everyone’s responsibility.

With this article, our aim is to provide actionable advice to small businesses on how best to improve and maintain their cybersecurity posture so that they are prepared against common cyber attacks. If you wish, treat it as an internal checklist and ensure you have ticked off these items before shopping for security products or questioning your existing service providers. Where your business is already showing cyber security maturity, you should opt for a cyber health check (or IT security health check) to assess the risk. This independent exercise should detail gaps around the people, processes and technology in use.

0. Less is More

There is no point in investing in products unless you have done the homework well. Your functional requirements should drive the security investments, not what you feel would add value.

The fewer products you have, the less data chaos and complexity you have. Start small.

1. Endpoint Protection

Any end-user system, such as a laptop or desktop/workstation, is known as an endpoint. Endpoints are the first point of entry into an organisation and are often targeted by attackers. An entry into an endpoint means a stepping stone to an internal network of an organisation. For example, an employee working on a company laptop who falls victim to a spear-phishing attack would mean direct internal network access for an attacker.

● Secure your endpoints (entry points) using anti-malware solutions that detect, block and deter any malicious attempts.

2. Network Segmentation

Network segmentation refers to multiple segments of a network that work in line with specific access requirements. This is one of the most effective measures to deter an attacker or to limit an attacker in case of an attack.

● Utilise your current equipment and establish various network segments with access controls such as VLANs, IP filtering and internal firewalling.

3. Principle of Least Privilege

Follow the Principle of Least Privilege (PoLP). This means privileges must be allocated on a need-to-know basis.

To turn your organisation into a fortress, the following tools and tactics are likely the best bit of this article.

● Privileged Access Management

● Network segmentation

● Separation of Privilege

● Systems Hardening

Although implementation may face some upstream resistance from internal departments, you must protect the most prized assets by interacting positively with all parties. A good cybersecurity implementation involves a balance of usability and security. You can’t deploy any tools or controls without users by your side.

4. Secure Internet Access

Due to the rise of remote working, securing remote workers is one of the major concerns for businesses.

● Ensure that a restricted internet use policy is in effect, both in practice and on paper.

● Web and email traffic must be checked for malicious content, both ways – incoming and outgoing.

5. Passwords

Ensure that all default passwords are changed on all network, security and other computing equipment.

Implement and mandate the use of password managers. Where supported by the services, opt for passwordless authentication.

By implementing simple to use password managers, an organisation is adding multiple benefits in the long run, namely:

● Positive change towards security education and training

● Offering a secure alternative that takes away the onus of remembering passwords and the password reuse that often leads to credential stuffing and password spraying attacks. This way, users don’t have to remember passwords or use weak passwords.

● Password managers help users select random and complex passwords each time, avoiding password reuse.

6. Multi-factor Authentication

Ensure that multi-factor authentication is enabled on all internet-facing portals and devices.

7. Secure Configuration

Secure configuration is important for all systems used within or outside the organisation. It ensures technical security baselines are followed before assets join the production environment, thereby reducing the attack surface and network footprint. It includes areas such as patch management, secure hardening of operating systems, secure configuration of third-party software in use, and security measures via group policy and local restrictions. If your business has never validated its security posture, it is time for a penetration test that would identify gaps and help you with analysis and risk remediation steps. This would help you decide on future IT investments and security strategy.

8. Secure and Regular Backups

Ensure regular and secure backups. Try using an automatic cloud-based backup solution where possible. More importantly, test backup restores to ensure you are ready when you require backups in case of an incident.

9. Phishing

Employees could be your strongest or the weakest link, based on your cyber security approach.

● Ensure regular user education is delivered for all employees. This should be without exceptions. Threat actors won’t let you know who is picked and chosen as an attack target, and your business doesn’t want to be caught out on the exceptions.

● Ensure separation of privileges for staff when working in corporate and production environments.

● Ensure that internet access is disabled on servers or other business-critical assets where no internet connectivity is needed except patching updates. In that case, firewall rules should be defined to allow the required traffic only.

This will restrict users browsing the internet from servers and other critical assets, reducing the impact of an attack in case of an incident.

10. Secure Wireless Networks

● Separate corporate and guest wireless networks, however small your business is.

● For corporate networks, implement certificate-based authentication to ensure verification of identity for both users and machines.

● Use captive portals for guest networks to ensure accountability and separation for staff and visitors.

Logging and monitoring, secure communications and in-depth Active Directory security are further areas that should be considered by a business in the long run.

Always remember that the cyber security approach for an organisation can never be a done-for-you service.

Remember…

● Don’t buy a product unless functional requirements and analysis are done at ground level.

● Don’t rely on your IT service providers to solve your security concerns.

● Don’t trust a single security vendor to provide you solutions, services and all advisory – it’s a clear conflict of interest.

● Review the usability and security balance regularly to ensure security is an enabler for growth.

5 Cloud Migration Strategies
https://digitalglhub.com/5-cloud-migration-strategies/
Mon, 03 May 2021 12:54:18 +0000

THE LIFT-AND-SHIFT MIGRATION MODEL

The lift-and-shift model, also sometimes referred to as rehosting, is simply taking the applications from the onsite data centers and moving them into the cloud without changing anything. This is usually the starting point for larger cloud migrations.

Pros: For one, the lift-and-shift approach is probably the easiest migration approach, because you don’t have to change anything within the application. It’s also faster and cheaper than refactoring or re-platforming. If you have a small time frame where you have to get applications moved onto the cloud, the lift-and-shift approach can help you do that and still allows you to reformat or optimize the app later.

Cons: Because you aren’t actually changing anything within the application, you won’t be able to get most of the benefits of cloud migration, including automated recovery or monitoring systems. For applications that are integral to your business, this is more of a short-term solution than a long-term option.

This method is best suited for companies who just need to get their applications onto the cloud as quickly as possible. While it won’t be sustainable in the long run, lift-and-shift gets you on the cloud in the shortest amount of time and can be a great option when you’re facing, say, a spike in remote work due to an international pandemic. 

Lift-and-shift is also a good option for companies who are working strictly with data and want it to be backed up on the cloud but don’t actually need to access it often. With companies in highly-regulated industries, it’s usually just important that the data is available, not that it’s perfectly optimized for its environment.

RE-PLATFORMING

Re-platforming is similar to the lift-and-shift model in that you’re not completely changing or remaking the software you’re migrating. With this approach, your IT team will make some optimizations to the operating system and APIs during the move, so you can take advantage of cloud benefits and avoid doing extra work after the migration is over.

Pros: With re-platforming, you get more cloud functionality from your software than you would with a simple lift-and-shift. Additionally, by optimizing before the migration, you can avoid doing extra work after the move.

Cons: Because the codebase of the application will be changed, you’ll need to test and retest it with each change before you migrate it to the cloud. This process can be expensive and time consuming. You’ll also need to work with either your internal IT staff or a cloud migration specialist to ensure the applications are being formatted correctly.

While this takes slightly longer than lift-and-shift migrations, it’s still a good option for companies who need to make the move to cloud quickly. The changes are minimal, just the bare necessities to make operating the application in the cloud possible and beneficial.

REFACTORING

Refactoring applications is really only going to be necessary when you have apps that were custom built. With this approach, you’ll have to completely re-engineer your application from scratch in order to create a completely cloud-native version. With out-of-the-box applications, many companies also offer a cloud version, so you wouldn’t have to refactor the software in that case.

Pros: Refactored applications have full access to cloud-native benefits, like disaster recovery. Due to these benefits, refactoring can also be more cost-effective in the long run. Additionally, cloud-native applications are more scalable and responsive than their on-premises counterparts.

Cons: Refactoring applications takes a lot of additional time and resources, meaning your upfront costs are going to be much higher. It also means your entire cloud migration will take a lot longer than it would with some other approaches, especially if you decide to refactor everything.

Refactoring is a good choice for enterprise companies who have the IT resources needed to reconfigure a custom application. Generally, small businesses stick with out-of-the-box applications, so refactoring won’t come up as often.

REPURCHASING

Sometimes, you have a commercial software license that has already expired or is about to. In this case, you could simply let that license expire and opt for a cloud-based version if one exists. If one doesn’t exist, there are many competing software products out there that may offer the functionality you need with a cloud-based option.

Pros: Your team won’t have to make any adjustments to the application’s code because the new version will already be configured for the cloud. Plus, repurchasing is often cheaper than refactoring.

Cons: If a cloud-based version for the software you’re currently using does not exist, you’ll have to look into other options. So, you’ll either have to learn a new already-available version or look into having software engineers create what you need from scratch, which can be extremely expensive. Repurchasing isn’t really an option if you’ve had software custom built for your organization. You’ll have to refactor those applications.

Repurchasing (or purchasing for the first time) is a great option for new businesses. If you’ve never had on-premise software and moving to the cloud is something you think you’ll want to do eventually, choosing cloud-based software from the get-go is a solid choice. 

Repurchasing might also be a good option if you’re not 100% set on the software you currently use. If you don’t love your current platform, consider looking at new, cloud-based options that will better fit your needs. Even if you do love your current software, the provider might be willing to switch your license to the cloud-based version for no extra cost.

RETAINING/RETIRING

Not all of your applications will need to be migrated to the cloud. As you’re taking inventory of your data centers and planning your cloud migration, you may find that there are applications your business doesn’t even use anymore or can stop using because other apps offer the same functionality. In this case, you can simply retire those apps. 

Alternatively, you may decide that certain apps need to remain in your on-premises data centers. Whether that’s for security issues or to comply with regulatory requirements, you can keep those applications onsite and create APIs to work with your migrated applications if necessary.

Pros: You don’t have to pay to migrate these applications to the cloud, and, in the case of retiring, you’ll free up some extra space on your onsite servers and maybe save money in the process. Retiring software can also help you reduce your infrastructure.

Cons: When retaining applications on your on-premises servers, you’ll likely have to set up APIs so those applications can continue to communicate with cloud-based apps without disruptions. Depending on the complexity, this can be an expensive and time consuming process.

If you find that a piece of software isn’t necessary for your business anymore, there’s no need to migrate it. Just retire the software and focus on moving the applications you do use. Alternatively, there may be applications that you use, but your business has major regulations surrounding them. If that’s the case, consider keeping them on on-premises servers to ensure you retain control over them.

PLAN YOUR CLOUD MIGRATION HOLISTICALLY

Because there are so many different approaches to cloud migration, it’s important to plan your cloud migration holistically. By looking at your migration as a whole, you can determine which applications need to be migrated with each different approach to help better anticipate your timeline and budget, and which applications should be migrated together to avoid latency and interoperability issues and unnecessary data transfer charges. If you’re thinking about migrating to the cloud, now’s the time to start planning.
