00:01 In part 1 we covered awareness and maturity levels. In part 2 we focused on the 4 priority controls.
00:09 In part 3 we look at how small businesses can implement these changes in a structured way.
00:21 Small businesses understand the risks but struggle with execution.
00:26 Security implementation often becomes reactive instead of proactive.
00:32 Limited IT resources, competing business priorities, lack of structure and planning.
00:39 So these can be some of the things we are lacking.
00:42 And then you have MSPs and other providers just trying to make a quick buck off these businesses.
00:53 Security should be approached as a maturity-level journey.
00:57 Realistically, the first goal for small businesses is Essential 8, maturity level 1.
01:08 Small starts, small gradual improvements.
01:12 Progressing, making sure that you use MFA wherever possible.
01:17 If you have a domain, make sure that you use Azure logins and SAML wherever possible,
01:31 so using the domain credentials, or email credentials as users would say.
01:38 Step 1, assess your environment.
01:43 Understanding your environment is the foundation.
01:46 You cannot protect systems that you do not fully understand.
01:50 Users, devices, administrative accounts, data storage locations.
01:55 So you need to know how many devices you have, how many users you have, how many administrative accounts, and where the data is stored.
02:04 Things people might overlook: how many people have access to the admin accounts.
02:09 Usually in small businesses you leave passwords as default, or you share accounts, which is not a good practice.
02:18 As well as that, in case someone has a grudge or some kind of issue with you, or you fired them, and they still have the details,
02:28 they would be able to access it with the same username and password.
02:32 They could just change the password, or they could delete stuff and do things.
02:37 Even if you find them, this will cost you some kind of a loss.
02:43 So step 2, identify immediate risks.
02:47 Shared admin accounts. This is what we are talking about: don't have shared accounts, especially admin accounts.
02:54 Missing MFA. MFA might be annoying, having to type a code or get an SMS or an email code just to log in,
03:03 but it's for your safety, so that others don't get in.
03:07 Unpatched systems: not running Windows updates and other updates, phone updates, iPhone updates and Android updates. A lot of these things.
03:20 Taking backups, and making sure you test the backups so that they actually work.
03:25 So these might look like little things, but when it's all said and done, it adds up.
03:34 So the four priority controls provide the highest-impact risk reduction.
03:40 Step 3. Implementation of the priority controls.
03:43 Enable MFA.
03:46 Create patch management processes.
03:49 You can get free tools that do patch management, or you could just buy one.
03:57 There's a few others, a lot more patching tools; you can find open source patching tools.
04:15 Make sure that critical and security updates are installed first, and then the other updates follow.
04:22 Restrict administrative access. Make sure that financial and other IP access is only given to those people that need to have that access.
04:34 So make sure that you give the least access to the person that requires it.
04:42 Establish backup strategies. Make sure you take backups and ensure that you test the backups, maybe monthly, every two or three months, or six-monthly, depending on your organization's needs.
04:52 Make sure that happens.
04:58 Step 4. Document processes: patch schedules, backup procedures, access policies.
05:06 So these are some of the things that need to be done.
05:09 Make sure that you run your patches. So essentially, if you follow this, you need to have your updates run, especially the critical updates, within the 48 hours,
05:28 and the other updates can be installed fortnightly.
05:33 Backup procedures: this depends on the severity for your company. Make sure that you test your backups weekly or monthly.
05:47 Scheduling access control policies: make sure you have processes for how people get access to things.
05:54 It's not just that someone says "this". Why? Do they need access to it? Do they need access to do their job?
06:02 How? What kind of access have you given to them? And do they need that level of access, or do they just need to be able to do something? Do they need an added level of access?
06:12 Make sure that you understand the needs, rather than just giving them access, which might cost you and the business later on.
06:23 User awareness is a significant improvement in security measures. So step 5: training users.
06:29 Phishing awareness: there's a lot of phishing, spam phishing; ensuring that users know which emails and SMSs are fake, and what fake calls are.
06:42 Password hygiene: don't stick passwords on your laptop or your desktop or the back of your phone; don't use passwords that can be gathered, like your kids' names or your spouse's, your birthdays, your home address, things that people can find out about you. Try to use phrases for your passwords.
07:04 Incident reporting: making sure that if there is an incident where your password was leaked, or someone used their privilege to do some malicious activity, there is a process for how they can report it and what steps they need to take.
07:27 And so review the security controls that are there; make sure you do this monthly or fortnightly, because there are always changes in the field.
07:46 Backup testing: make sure you have documented the testing of your backups, when they were last tested, and that the backups are running correctly.
07:58 Access audits: try to audit your systems every three months, two months, six months, depending on your team and your onboarding and offboarding, to ensure that it's aligned.
08:19 Example of an implementation plan: month one, MFA and patching; month two, administration review; month three, backup and testing.
08:28 So MFA should be enabled, forcing the MFA, so two-factor authentication; ensuring that the updates are running, the critical updates; reviewing the privileges, making sure that people that just need access have access to only what they need, they do not need admin access;
08:55 backing up, making sure backups are running properly, ensuring that the backups can work,
09:02 coming up with a test report which you can keep in case something happens.
09:10 So, key implementation principles. The goal is continuous improvement rather than perfection:
09:17 progress over perfection. There will always be things that you can improve and focus on. So focus on risk reduction,
09:27 reducing the surface area where attacks can happen. Consistency matters: make sure that you're consistent, you're paying attention to all the things that you have, you know the details, it's fully documented, what the passwords are, where they are used, using a password management tool and things like that.
09:55 In the end, I hope this helped you. If you want more detailed instructions: part one was awareness,
10:07 part two was security controls, part three was implementation. Thank you for watching.