April 16, 2019 | Categories: Blog, CISO

Up Your Information Security Without Breaking the Bank

You know the drill. You spend days or weeks gathering data points, best-practice references, conference notes, and recommendations for reporting security to the board. You put a great information security plan together for your organization and ask for the budget, only to get about half of it approved. It's the familiar corporate paradox: do more with less.

When this happens (and it will), don’t get frustrated — get creative. Organizations have to run lean to survive and thrive, and when the financial allocation just isn’t there, we still have to get things done. It’s not always sophisticated. It’s not always fun. But, you can still make an impact and duct-tape your way to problem-solving that fits within the budget.

Here are five cost-effective information security solutions to get you started.

1. The Dusty Scanner

What You Want: A full vulnerability management solution such as Tenable or Digital Defense, Inc. (DDI), a monthly scanning schedule, and vulnerabilities tied to assets and appropriately scored.

What You Get: A single laptop and a single copy of Nessus (or the open-source OpenVAS).

The Upside: Even without enterprise-level vulnerability management tools and services, one scanner on one laptop will still find more vulnerabilities than you have time to fix. Vulnerability scanners probe your hosts for missing patches, insecure configurations, default or weak credentials, and known flaws in exposed services, and OpenVAS does this for free. Scan from a laptop that can reach the network segments you care about, keep the results from one month to the next, and triage by asset value rather than by raw score alone.

Takeaway: It’s better to fix some vulnerabilities than none.
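Once a single scanner is producing more findings than you can fix, the question becomes which ones to fix first. The Python below is an added example written for this article, not code from the original post or from any scanner vendor. It groups a constructed scanner export by finding, so that one fix closes the same issue on every affected host, weights CVSS by an assumed asset-criticality list and by whether a public exploit exists, and trims the ranked list to the hours you actually have. The column names, hosts, plugin ids, criticality values and hours-per-fix figure are all made up for the example; map them to your scanner's real export and your own asset list.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the one-row-per-host-and-finding CSV layout
# most scanners can produce. Hosts, plugin ids and names are made up.
SAMPLE_SCAN_CSV = """host,plugin_id,name,cvss,exploit_available
10.0.0.5,100001,Missing SMB Remote Code Execution Patch,9.3,true
10.0.0.5,100002,SSL Self-Signed Certificate,6.4,false
10.0.0.9,100001,Missing SMB Remote Code Execution Patch,9.3,true
10.0.0.9,100003,SMB Signing Not Required,5.3,false
10.0.0.20,100004,Outdated Web Server Version,7.5,false
10.0.0.20,100002,SSL Self-Signed Certificate,6.4,false
"""

# Assumed asset criticality (1 = lab box, 3 = crown jewel). In practice this
# comes from your asset inventory; hosts not on the list default to 2.
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.9": 2, "10.0.0.20": 1}


def parse_scan(csv_text):
    """Parse scanner CSV text into a list of findings with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append({
            "host": row["host"].strip(),
            "plugin_id": row["plugin_id"].strip(),
            "name": row["name"].strip(),
            "cvss": float(row["cvss"]),
            "exploit": row["exploit_available"].strip().lower() == "true",
        })
    return findings


def host_risk(finding, criticality=ASSET_CRITICALITY):
    """Risk of one finding on one host: CVSS weighted by how much the asset
    matters, doubled when a public exploit exists."""
    weight = criticality.get(finding["host"], 2)
    exploit_factor = 2.0 if finding["exploit"] else 1.0
    return finding["cvss"] * weight * exploit_factor


def prioritize(csv_text, criticality=ASSET_CRITICALITY):
    """Group findings by plugin id (one fix usually closes it everywhere) and
    rank the groups by total risk, highest first."""
    groups = defaultdict(lambda: {"name": "", "hosts": [], "risk": 0.0})
    for f in parse_scan(csv_text):
        g = groups[f["plugin_id"]]
        g["name"] = f["name"]
        g["hosts"].append(f["host"])
        g["risk"] += host_risk(f, criticality)
    ranked = sorted(groups.values(), key=lambda g: g["risk"], reverse=True)
    for g in ranked:
        g["hosts"].sort()
        g["risk"] = round(g["risk"], 1)
    return ranked


def fix_plan(csv_text, budget_hours, hours_per_fix=4.0):
    """Take the top-ranked findings that fit into the hours you actually have.
    hours_per_fix is a placeholder estimate; replace it with your own."""
    plan = []
    remaining = budget_hours
    for g in prioritize(csv_text):
        if remaining < hours_per_fix:
            break
        plan.append(g["name"])
        remaining -= hours_per_fix
    return plan


if __name__ == "__main__":
    for g in prioritize(SAMPLE_SCAN_CSV):
        print(f"{g['risk']:6.1f}  {g['name']}  ({len(g['hosts'])} hosts)")
    print("This month:", fix_plan(SAMPLE_SCAN_CSV, budget_hours=8))
```

With the sample data the missing SMB patch comes out on top (two hosts, exploit available, one of them a crown jewel), and an eight-hour budget covers it plus the self-signed certificate on the critical server; the lab web server waits. The point is the ordering, not the arithmetic: whatever weighting you choose, write it down and apply it consistently so the board sees a plan rather than a pile of scanner output.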

2. Stop the Phisher

What You Want: An enterprise-level email security solution like Mimecast or Proofpoint, with URL rewriting, impersonation detection, and attachment sanitization.

What You Get: A basic spam filter.

The Upside: You probably have a backlog of issues already, so step one is to run an open-source tool like URLCrazy (shipped in Kali Linux) to generate typo-squatting variants of your domain and block them at the mail filter. This stops impersonation emails sent from misspelled company domains and/or linking to misspelled URLs. (For example, an ACME employee gets an email from security@akme.com asking them to reset their password.) URLCrazy also resolves each variant, so you can see which ones are already registered by someone else; those deserve a closer look. Running an open-source tool is a bit more manual than an enterprise product, but it catches a whole class of phishing attacks for free.

Takeaway: Stop the obvious phishing attacks.
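To show what URLCrazy is doing under the hood, here is an added Python example written for this article; it is not code from the original post or from URLCrazy itself. It generates the common typo-squat classes for a domain (dropped, swapped, doubled and fat-fingered characters, look-alike substitutions such as akme for acme, and the unchanged name on other TLDs) and renders them as lines for a Postfix check_sender_access map. The keyboard-neighbour and look-alike tables are partial and assumed, the Postfix map format is an assumption about your mail setup, and unlike URLCrazy it does no DNS lookups, so it cannot tell you which variants are already registered.

```python
import sys

# Partial QWERTY adjacency table for the fat-finger class (assumed, not exhaustive).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Visual and phonetic look-alikes seen in impersonation domains (assumed, partial).
LOOK_ALIKES = {
    "a": ("4",), "c": ("k",), "e": ("3",), "i": ("l", "1"), "k": ("c",),
    "l": ("1", "i"), "m": ("rn",), "o": ("0",), "s": ("5",), "w": ("vv",),
}


def split_domain(domain):
    """'acme.com' -> ('acme', 'com'). Only the registrable label is mutated."""
    name, _, tld = domain.lower().strip().partition(".")
    if not name or not tld:
        raise ValueError(f"expected name.tld, got {domain!r}")
    return name, tld


def omissions(name):
    """One character dropped: acme -> cme, ame, ace, acm."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name):
    """Two adjacent characters swapped: acme -> came, amce, acem."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1)}


def repetitions(name):
    """One character doubled: acme -> aacme, accme, acmme, acmee."""
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def fat_fingers(name):
    """One character replaced by a keyboard neighbour: acme -> qcme, ..."""
    out = set()
    for i, ch in enumerate(name):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(name[:i] + neighbour + name[i + 1:])
    return out


def look_alikes(name):
    """Visual/phonetic substitutions: acme -> akme, 4cme, acrne, acm3."""
    out = set()
    for i, ch in enumerate(name):
        for sub in LOOK_ALIKES.get(ch, ()):
            out.add(name[:i] + sub + name[i + 1:])
    return out


MUTATORS = (omissions, transpositions, repetitions, fat_fingers, look_alikes)


def generate(domain, extra_tlds=("net", "org", "co")):
    """All candidate squat domains for `domain`, sorted, without the original."""
    name, tld = split_domain(domain)
    candidates = set()
    for mutate in MUTATORS:
        for variant in mutate(name):
            if len(variant) >= 2 and variant != name:
                candidates.add(f"{variant}.{tld}")
    # The unchanged name on a different TLD is the cheapest squat of all.
    for other in extra_tlds:
        if other != tld:
            candidates.add(f"{name}.{other}")
    candidates.discard(domain.lower().strip())
    return sorted(candidates)


def sender_access_map(domain):
    """Render candidates as Postfix check_sender_access lines (assumed target
    format: 'domain<TAB>REJECT optional text'); adapt to your own filter."""
    return "\n".join(f"{d}\tREJECT lookalike of {domain}"
                     for d in generate(domain))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "acme.com"
    print(sender_access_map(target))
```

Run it as python3 typosquat.py acme.com and review the list before loading it into your filter: a blocklist this size costs nothing, but check that none of the variants is a legitimate partner or subsidiary domain. Blocking inbound mail from these domains handles the sender side of the example above; the misspelled links inside a message still need a URL check or a user who has learned to hover before clicking.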

3. Patch Your Stuff

What You Want: Enterprise-grade patching tools, all software completely current, rigorous testing, and no outstanding vulnerabilities.

What You Get: Windows Server Update Service (WSUS) and auto-updates.

The Upside: You can still be proactive in protecting your company. Own the process if no one else will, and apply the monthly Microsoft security patches (Patch Tuesday, the second Tuesday of each month). Review what WSUS reports as not yet installed, test on a small pilot group before approving for everyone, and chase down the machines that never check in, since those are the ones that stay unpatched.

Takeaway: This is obvious — but many companies don’t do it. Don’t be one of them.

4. Pizza-Powered Security

What You Want: E-learning tools like Wombat, Proofpoint, and DDI; elaborate anti-phishing tools like Sophos, Proofpoint, or Mimecast; and the authority to force everyone to do security right.

What You Get: Pizza.

The Upside: First of all, any opportunity for pizza is a no-brainer. Order a couple of sheet pizzas and set up lunch-and-learns with your IT, human resources, finance, and other key departments to walk through basic information security, attack recognition, strong password practices, and other helpful cybersecurity lessons. Buy their time with pizza, and keep doing it as often as necessary.

Takeaway: You can build an army of human sensors one slice at a time.

5. Turn It Off

What You Want: Minimum security baselines, Tripwire or another file integrity monitoring system, and enterprise endpoint security tools such as CrowdStrike, Cylance, or Sophos Intercept X.

What You Get: Literally nothing.

The Upside: There are a few enterprise endpoint security tools that are priced low, but the easiest (and cheapest) way to reduce vulnerabilities is to turn off the stuff you have that you don't use. Get rid of legacy protocols, legacy services, and legacy systems that aren't doing your company any good and are security risks. Before you pull the plug, check what still talks to it (your scanner output and server logs will tell you), and disable rather than uninstall at first so you can turn it back on if something breaks.

Takeaway: Turning stuff off costs $0 in licences, only time. If it doesn't bring joy to your organization, Marie Kondo it!

The bottom line is, information security threats are too important to ignore. Even if the budget isn’t there to get the best program in place, there are steps you and your team can take to limit the risk for a major breach or incident.

Have questions or need help putting together a plan that fits within your budget? Contact the experts at MRK. We have extensive experience with security solutions, customizable to fit your needs. Fill out the form below and we’ll be in touch.