Midsize is the right size

You’ve been at this a while. You’re not tiny, but you’re not quite at the enterprise level just yet. You have been working diligently at maturing your processes in both IT operations and in information security. You have put in place the Controls in IG1 and are now eyeing IG2 to take your company to the next level of protection.

With that in mind, let’s take a look at the IG2 controls that cover the Social Engineering pattern, which is the second largest threat for SMBs. The first two controls are the same main categories as they were for System Intrusion, Control 5 (100%) and Control 14 (100%). However, the third control is different for this pattern:

• Control 17 – Incident Response Management Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training and communications) to prepare, detect and quickly respond to an attack.

An Incident Response Management plan is key to all areas of security but perhaps especially so when it comes to Social Engineering attacks for a few reasons. Many of these attacks, such as pretexting, tend to escalate quickly and can have a high impact. Perhaps just as importantly, employees need to feel secure in the knowledge that they have a place they can report these incidents to when they occur because the sooner they report them, the more quickly you can address them.

“You get a resource! You get a resource! Everybody gets a resource!”

Now let’s pivot to look at the larger organizations in the SMB area. To clarify, we are still writing with regard to SMBs, we simply mean the larger companies that still fall into that category (<1,000 employees). When your company reaches this point, there are more resources available to throw at problems, whether in the form of more people, more technology options or just plain more cash,56 and bringing those resources to bear can yield substantial benefits. At this level you have already tackled IG1 and IG2 and are ready for IG3 controls.

These Controls mature along with your organization. Therefore, let us examine the IG3 Controls with regard to the third most common pattern for SMB: Basic Web Application Attacks. The first, Control 17 (100%), we talked about in the section above, but Controls 16 (100%) and 18 (100%) we have not yet discussed.

• Control 16 – Application Software Security Manage the security life cycle of in-house developed, hosted or acquired software to prevent, detect and remediate security weaknesses before they can impact the enterprise.
• Control 18 – Penetration Testing Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes and technology), and simulating the objectives and actions of an attacker.

Control 16 is certainly timely, considering the SolarWinds case from last year’s report and the Log4j impact discussed in this year’s report, so we should have no problem seeing the relevance of this Control. Sub-Controls 16.2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities, 16.4: Establish and Manage an Inventory of Third-Party Software Components, and 16.5: Use Up-to-Date and Trusted Third-Party Software Components would have gone a long way to defending against both of those cases.

Once an entity has reached the larger end of the SMB scale, Control 18 also comes into play. Establishing penetration testing capabilities and incorporating their findings into the security processes can only improve the information security posture of a larger SMB. This is basically real-world testing of your controls to make sure they are performing how you expect them to. Like backups, only controls that have been tested and verified should be trusted.

Now that you’ve already looked at the Controls and prioritized them, you know what you’re most likely to be hit with and you’re working your way through to the end—your ducks are almost all in a row. You have balanced preventive and detective capabilities and are on your way to being able to not only detect when something bad has happened but also respond quickly and appropriately. You have moved from the basics of putting your plan together to implementing a road map.

A few final things to consider at this point: Are you looking at aligning with a particular compliance framework? Do you track metrics around security in your environment? Do your efforts result in ongoing improvements to your security posture, or do they just provide a point-in-time snapshot that says, “I was good at this moment, but then things changed”? There is quite a bit you can do when you use good information about what is happening in your organization to steer your security strategy.