Synopsys
SMEs should consider these security aspects
Cybersecurity affects everyone - including small and medium-sized enterprises. Synopsys summarizes the most important security aspects that SMEs should consider.
Only recently, the German Federal Office for Information Security (BSI) called for increased vigilance and preparedness in connection with the Russia-Ukraine conflict. In this context, it also warned against the use of anti-virus software from the Russian manufacturer Kaspersky. However, regardless of the conflict and the increased threat situation, companies should be aware of the risk of falling victim to a cyber attack and take appropriate measures.
Synopsys has summarized the security gaps that small and medium-sized companies should close as quickly as possible, and the security aspects they should pay particular attention to.
Caution with cloud service providers
The low fees typical of cloud services are easy on the budget, but security costs money. Anyone who entrusts employee or customer data to a cloud service provider should check what security concept the provider has in place, in particular how it detects and responds to cyber incidents. A few basic questions to put to the provider:
- On average, how long does it take you to fix vulnerabilities?
- Is the elimination of vulnerabilities a continuous process or is it carried out in maintenance windows?
- How often do you validate your protection measures against new threats?
No automatic updates or patches for open source software
Open source software is generally associated with being free to use. This freedom has a cost: there is no vendor that pushes updates to users automatically. Users receive updates and patches only if they actively subscribe to the project's release or security announcements. A second circumstance complicates the update process: unlike commercial software, the same open source component is often distributed by several parties (the upstream project, Linux distributions, commercial vendors), and each distributor ships its own build, with patches and version numbering that may differ from upstream. If you do not know where a component came from, a patch from a different distributor is unlikely to apply cleanly and may introduce new problems. Open source patch management is therefore highly complex; a Software Composition Analysis (SCA) solution should ideally be able to scan both binaries and source code, notify the IT team when it finds known vulnerabilities in the inventory, and link to the relevant patch.
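The matching step an SCA tool performs, shown here as an added example that is not code from the article or from any Synopsys product: a pinned dependency list is compared against advisory version ranges. The lockfile, the package versions, the advisory IDs and the affected ranges are all constructed for illustration and are not real advisories.

```python
"""Minimal SCA-style check: pinned dependencies vs. advisory version ranges.

Added example, not code from the article or from a Synopsys product.
The lockfile, versions, advisory IDs and ranges below are constructed.
"""
import re

# Constructed pip-style pinned requirements (not a real project).
LOCKFILE = """\
# constructed sample lockfile
requests==2.25.0
pyyaml==5.3.1
cryptography==41.0.5
"""

# Constructed advisories: (package, introduced, fixed, advisory id).
# A version is affected when introduced <= version < fixed.
# The IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    ("requests", "2.3.0", "2.31.0", "EXAMPLE-2023-0001"),
    ("pyyaml", "0.0.0", "5.4", "EXAMPLE-2021-0002"),
    ("cryptography", "3.1", "41.0.4", "EXAMPLE-2023-0003"),
]


def parse_version(text):
    """'5.4.0' -> (5, 4). Keeps the leading numeric components, stops at the
    first non-numeric suffix and drops trailing zeros so that 5.4 == 5.4.0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):   # e.g. '3-2+deb11u1' -> keep 3, stop here
            break
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed (tuple comparison)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def parse_lockfile(text):
    """Return {normalized package name: pinned version} from name==version lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def find_affected(pins, advisories):
    """Return (package, pinned version, advisory id, first fixed version) per hit."""
    hits = []
    for pkg, introduced, fixed, adv_id in advisories:
        pinned = pins.get(pkg)
        if pinned is not None and version_in_range(pinned, introduced, fixed):
            hits.append((pkg, pinned, adv_id, fixed))
    return hits


if __name__ == "__main__":
    for pkg, pinned, adv_id, fixed in find_affected(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{pkg}=={pinned} is affected by {adv_id}; upgrade to >= {fixed}")
```

The caveat from the text shows up directly in the version parser: a distributor build such as a Debian-style `1.2.3-2+deb11u1` is parsed as plain `1.2.3`, so a backported fix in the distributor's build would still be reported as vulnerable, and conversely an upstream "fixed in" version says nothing about whether a particular distributor's package carries that fix. A tool that does not know the source of each component cannot resolve this, which is why the SCA inventory has to record where a component came from, not just its version string.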
Train for potential outages
Business outages are all but inevitable and, while always disruptive, their impact is far greater without proper planning. Such planning is based on a threat model and on exercises run by the IT teams, with the aim of finding out how the affected systems will behave in disruption scenarios before a disruption actually occurs. In the course of these exercises, processes are put in place that define individual responsibilities, regulate communication with authorities and customers, and determine which data must be retained for forensic analysis. It is not uncommon for important gaps to be uncovered, such as how the business can keep running if an identity service such as the one behind Office 365 is unavailable, or what the outage of a service provider means in practice, for example when shipping costs can no longer be calculated. The main aim of such exercises is to train teams to respond proactively and efficiently to incidents.
Consider security aspects when investing in technology
New technologies are rightly seen as enablers of business agility, but if security is not considered from the start, the risk grows with them. The migration to cloud-hosted container and microservice-based applications, for example, can protect critical applications from downtime by providing additional capacity to scale. Suppose existing security policies dictate that management agents must be running at all times across the virtual infrastructure. Read literally, this policy means the same agents must run in every container and microservice. But microservices are often short-lived, so managing agents in each of them becomes increasingly complex, and the agents and their configuration enlarge the attack surface. It is better to have the container management platform monitor the state of the containers and to apply updates to the golden images; unpatched containers are then automatically removed and replaced by the platform.
Recognize risky business practices
Those who deal directly with processes and applications on a daily basis are best placed to recognize risky activities. They know if a password reset process sends the actual password to a user, if a security check can be bypassed or if a report contains potentially sensitive information. These employees are not necessarily security professionals, but they are experts at their job and have contextual knowledge that a security specialist may lack. If a company succeeds in establishing a security culture in which employees themselves identify potential risks, this is far more effective than relying on annual training alone.
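The password-reset flaw mentioned above, placed beside a token-based alternative, as an added example that is not code from the article or from Synopsys. The two account stores, the mail callback and the injectable clock are stand-ins constructed for the example, and the domain example.invalid is a placeholder.

```python
"""A password reset that mails the stored password, beside a token-based one.

Added example, not code from the article or from Synopsys. The account
stores, the mail callback and the injectable clock are constructed stand-ins.
"""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000  # kept low for the example; use a higher count in production


class InsecureAccounts:
    """The risky practice from the text: the reset mail contains the password.
    This only works because passwords are kept in recoverable form, so a leaked
    mailbox or a database dump exposes every password in the clear."""

    def __init__(self):
        self.passwords = {}  # email -> plaintext password

    def register(self, email, password):
        self.passwords[email] = password

    def request_reset(self, email, send_mail):
        if email in self.passwords:
            send_mail(email, f"Your password is: {self.passwords[email]}")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class HardenedAccounts:
    """Passwords are stored only as salted hashes; a reset issues a random,
    short-lived, single-use token and only the token's hash is stored server-side."""

    def __init__(self, now=time.time):
        self.now = now                # injectable clock, so expiry can be tested
        self.credentials = {}         # email -> (salt, digest)
        self.pending_resets = {}      # email -> (sha256(token), expiry)

    def register(self, email, password):
        self.credentials[email] = hash_password(password)

    def verify_password(self, email, password):
        entry = self.credentials.get(email)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def request_reset(self, email, send_mail):
        # Same reply whether or not the address exists, to avoid account enumeration.
        if email in self.credentials:
            token = secrets.token_urlsafe(32)
            token_hash = hashlib.sha256(token.encode()).digest()
            self.pending_resets[email] = (token_hash, self.now() + RESET_TTL_SECONDS)
            send_mail(email, f"Reset link: https://example.invalid/reset?token={token}")
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, email, token, new_password):
        entry = self.pending_resets.get(email)
        if entry is None:
            return False
        token_hash, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if self.now() > expiry or not hmac.compare_digest(token_hash, presented):
            return False
        del self.pending_resets[email]          # single use
        self.credentials[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    outbox = []
    insecure = InsecureAccounts()
    insecure.register("alice@example.invalid", "hunter2")
    insecure.request_reset("alice@example.invalid", lambda to, body: outbox.append(body))
    print("insecure flow mailed:", outbox[-1])

    hardened = HardenedAccounts()
    hardened.register("alice@example.invalid", "hunter2")
    hardened.request_reset("alice@example.invalid", lambda to, body: outbox.append(body))
    token = outbox[-1].split("token=")[1]
    print("hardened flow mailed a token; reset succeeded:",
          hardened.complete_reset("alice@example.invalid", token, "new-secret"))
```

The hardened flow stores only a hash of the reset token, so a read of the database does not yield usable tokens; it compares with `hmac.compare_digest` to avoid timing leaks, enforces a time limit, invalidates the token on first use, and answers every reset request identically so the endpoint cannot be used to enumerate accounts. An employee who sees the first kind of mail arrive in their own inbox is exactly the non-specialist the text describes: they do not need to know any of this to recognize that the company can read their password.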
Reduce the risk of shadow IT
If security practices and policies are so rigid that they impair employee productivity, the likelihood of shadow IT increases. Such solutions bypass company controls, but they are usually an attempt by employees to do their jobs more efficiently, and they point to a disconnect between management and technical staff. Reducing the potential for shadow IT requires both a risk-based approach to security and an understanding, on the part of IT and security teams, of how the practices and technologies they choose affect the people who have to work with them. Shadow IT by definition bypasses threat modeling and risk analysis, because it is driven by productivity. When a shadow IT solution is discovered, it pays to subject it to a threat analysis: this can reveal gaps in the current process, test assumptions and make clear what the specialist staff actually need to get done and how they measure success.