As the rate of ransomware and other cyber incidents continues to climb, small and medium-sized businesses must take active, precautionary steps to protect their applications, assets and sensitive customer data from threat actors and opportunistic cybercriminals.
Today's small and medium-sized businesses are digitally sophisticated. Just about every process or business activity depends on some piece of software or on data being shared. Attackers can breach these systems through a menu of entry points. These 'attack vectors' include laptops and other computing devices, smartphones, on-premises systems, hosted cloud applications and your network infrastructure.
It is estimated that attackers can breach up to 93% of company environments and networks.
A useful approach that helps minimise the risk of a breach is threat modelling. This is a process in which you proactively identify potential threats and work out where your environment is weakest to a damaging attack.
The value of threat modelling is that it gives you a view of where your risks are, in order of priority, which in turn helps you choose appropriate mitigations. Your aim should always be to ask: 'How can I mitigate these risks? How can I implement best practice to protect my critical assets?'
We’ve devised a set of steps for small and medium-sized businesses to follow when performing a threat modelling exercise.
Categorise your assets by business criticality
Understand which of your assets are most critical to your operations. Review and catalogue your sensitive data, your applications and your core systems. Where are you most vulnerable? What would a threat actor be going after? Don't forget to review your email environment: business email compromise is among the fastest-growing attack vectors, and once an attacker controls a company mailbox they can impersonate staff, redirect payments and pivot to other systems.
Map out every possible threat
Think about the potential threats to your assets and your data. Phishing is one of the most common threats out there: it is inexpensive and easy for criminals to set up. Ransomware and social engineering are other threats that are just as pervasive and damaging.
Threats aren't always malicious. Basic human error accounts for an estimated 88% of all data breaches, so make sure you are aware of some of the more common mistakes that leave you exposed:
· Weak passwords, e.g. password123
· Limited or no password policy
· No security awareness training for employees
· No Bring-Your-Own-Device (BYOD) policy
Classify by likelihood and impact to your business activities
This is where you closely assess the likelihood and impact of each threat. Think about how likely it is to occur as well as its estimated impact on your operations, your reputation in the market and your financial health. This feeds into your risk management and risk mitigation playbooks.
Consider reaching out to a trusted IT provider, who will have more advanced tooling and a wider array of threat modelling techniques to plug the gaps you might miss.
Prioritise your risks and build mitigation strategies
Most businesses, especially SMBs, simply don't have the resources or time to address every risk. So it's imperative that you rank your risks, and the mitigations for them, by their impact on your security posture.
Below are some common best practices you can implement to give you a baseline level of protection:
1. Role-based access control, so that staff and services hold only the permissions they need
2. Firewalls and cloud security groups
3. Active Directory hardening
4. Endpoint protection and management, including patching
Think about which approach is most cost-effective and provides the most value for your budget.
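The four steps above, worked through as a small threat register. This is an added example, not code or data from the original article or from the authors' threat modelling service: the assets, threats, mitigations, the 1 to 5 likelihood and impact scales, the criticality weighting and the banding thresholds are all constructed for illustration, and a real exercise would replace them with your own catalogue and risk appetite.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    """Something the business depends on, with how critical it is (1 low .. 3 high)."""
    name: str
    criticality: int


@dataclass(frozen=True)
class Threat:
    """A way an asset could be harmed, scored on assumed 1..5 likelihood and impact scales."""
    name: str
    asset: Asset
    likelihood: int                 # 1 rare .. 5 almost certain
    impact: int                     # 1 negligible .. 5 severe (operations, reputation, finances)
    mitigations: Tuple[str, ...]    # candidate controls, cheapest or quickest first


# Step 1: categorise assets by business criticality (constructed sample data).
CUSTOMER_DB = Asset("customer database", 3)
EMAIL = Asset("company email", 3)
LAPTOPS = Asset("staff laptops", 2)
WEBSITE = Asset("marketing website", 2)

# Step 2: map threats to assets, including non-malicious human error such as weak passwords.
THREATS: List[Threat] = [
    Threat("Phishing leading to mailbox takeover", EMAIL, 5, 4,
           ("Enforce MFA on all mailboxes", "Phishing awareness training")),
    Threat("Weak or reused admin password on customer database", CUSTOMER_DB, 3, 5,
           ("Password policy plus MFA for admin accounts", "Role-based access control")),
    Threat("Ransomware via unpatched laptop", LAPTOPS, 4, 5,
           ("Endpoint protection with automatic patching", "Offline, tested backups")),
    Threat("Website defacement", WEBSITE, 2, 2,
           ("Web application firewall", "Regular CMS updates")),
]


def risk_score(t: Threat) -> int:
    """Step 3: likelihood x impact, weighted by criticality of the affected asset (max 75)."""
    return t.likelihood * t.impact * t.asset.criticality


def risk_band(score: int) -> str:
    """Assumed banding thresholds; adjust to your own risk appetite."""
    if score >= 45:
        return "critical"
    if score >= 20:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Step 4: highest score first; ties broken by asset criticality, then name."""
    return sorted(threats, key=lambda t: (-risk_score(t), -t.asset.criticality, t.name))


def mitigation_plan(threats: List[Threat], max_items: int) -> List[Tuple[str, str]]:
    """Pick the first-choice mitigation for the top `max_items` risks, since budget is finite."""
    ranked = rank_threats(threats)[:max_items]
    return [(t.name, t.mitigations[0]) for t in ranked]


def register(threats: List[Threat]) -> List[Tuple[str, str, int, str]]:
    """Flattened risk register rows: (threat, asset, score, band), highest risk first."""
    return [(t.name, t.asset.name, risk_score(t), risk_band(risk_score(t)))
            for t in rank_threats(threats)]


if __name__ == "__main__":
    for name, asset, score, band in register(THREATS):
        print(f"{band:8} {score:3}  {name} [{asset}]")
    print("\nPlan for the next quarter:")
    for threat, control in mitigation_plan(THREATS, 2):
        print(f" - {control}  (addresses: {threat})")
```

Weighting by asset criticality is what keeps a moderately likely attack on the customer database ranked above a more likely attack on a less important system; the banding is only there so that a non-technical owner can read the register. Re-running the register after each change is the cheap way to make the exercise continuous rather than a one-off.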
Threat modelling should never stop
Threat modelling should never be a one-time exercise. The threat landscape is continuously evolving, and cybercriminals are getting better at evading protective measures. SMBs must continuously review and update their threat models, for example whenever a new system is adopted or a new attack technique becomes common, to reduce the risk of being hit with devastating ransomware.
Get started with our easy-to-deploy threat modelling service
Want to learn more about how you can use threat modelling to protect your business? Our experts can help you implement a comprehensive end-to-end threat modelling programme.
Get in touch today and book a discussion.