Small to medium-sized businesses (SMBs) are starting to improve their security postures, thanks to more accessible security tools and platforms. By 2025, cybersecurity spending by SMBs is projected to hit $90 billion. Of course, whether or not these investments will yield positive results is yet to be seen.
Security leadership is still a major contributor to an organization's cybersecurity success. Unfortunately, hiring a full-time chief information security officer (CISO) is still a luxury many smaller firms cannot afford. Managed service providers (MSPs) and consulting firms are addressing this by offering virtual CISO services. With this model, SMBs now have cost-effective means to outsource high-level security tasks such as strategic security planning.
Virtual CISO platforms are also emerging to help these MSPs serve SMBs better, with some using artificial intelligence (AI) to automate CISO tasks like risk and compliance assessments and detailed remediation planning, allowing MSPs to provide comprehensive cybersecurity guidance to SMBs efficiently.
Such innovations should be a boon to CISOs, considering the pace at which cybersecurity threats are evolving. Some threats are more difficult to thwart than others. Take zero-day exploits, for instance. Here, hackers use system and software vulnerabilities that are otherwise unknown to the public to gain access to networks and launch cyberattacks.
A report by Mandiant revealed that a record 80 zero-day vulnerabilities were exploited in 2021, underscoring that hackers have been using such exploits actively. Larger organizations with better cybersecurity resources are already struggling to mitigate such threats, making them quite challenging for SMBs to address.
“Zero-day exploits” are called that because the public has zero days to prepare for them. These vulnerabilities can exist in various forms. They can be system and application bugs. They can be misconfigurations in machines, appliances, and servers. They can even be faulty interactions between apps and operating systems.
Through these exploits, hackers can breach systems and launch various other cyberattacks.
Some of the most famous cyberattacks sustained by large corporations were supposedly due to zero-day exploits. In 2014, Sony Pictures suffered from a massive data breach. Hackers used a vulnerability to gain a foothold inside Sony's network. Over several weeks, they were able to steal 100 terabytes of information, including business plans and emails. The attack remained undetected until the hackers leaked Sony's data online.
Another example of a worrying zero-day exploit involves Log4j, a popular logging framework deployed on many servers and used in applications. A bug in Log4j allowed hackers to execute code remotely on machines that use Log4j. Among the popular services that used Log4j were Apple iCloud and Minecraft. Although these services have since patched the vulnerability, all affected apps and their users were theoretically at risk.
SMBs should be particularly wary of the risks that zero-day exploits bring. Smaller companies’ networks usually comprise multiple devices that use different operating systems and applications, meaning vulnerabilities can always be present in the network. All it takes is just one fault in any of these components for the organization to become easily hackable.
What makes these vulnerabilities particularly worrying is that malicious actors often know about them before security companies and software developers become aware that they exist. While a vulnerability remains undiscovered, malicious actors can exploit it until it is fixed or patched. And, even in cases where the exploit has been uncovered and a fix is made available, hackers can continue using it against unpatched machines and apps.
Hackers look for infrastructures affected by these faults. Attacks today are also largely automated, so hackers can scan work devices and networks connected to the internet for vulnerable systems using bots and scripts. SMBs with fewer mitigation tools are inherently more exposed.
Falling victim to a cyberattack is costly. An attack can cause downtime and data loss. It also opens up the company to potential fines. Loss of customer trust is also possible. According to the Hiscox Group, the median cost of a cyberattack is around $19,000 in the US. For SMBs, this scale of damage can be fatal.
Through the guidance of CISOs, small businesses can minimize the risks associated with zero-day exploits. Using risk assessments, CISOs identify all weak areas of concern and create a clear picture of the company's security posture. CISOs can then create actionable remediation plans.
Essential tasks often include keeping machines and software up-to-date to help resolve existing faults. In addition, protection tools like anti-malware and firewalls can be deployed to prevent malicious files and traffic from entering the network. CISOs can also define policies that guide employees on the best security practices.
Monitoring crucial advisories and security bulletins for trending attack strategies is likewise key to the CISO’s purview. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), for example, offers a helpful feed of threat alerts.
With this approach to readiness, as soon as a zero-day vulnerability becomes known, CISOs can immediately tell whether their organizations are affected and even identify which infrastructure components are involved. Interventions can be made by applying fixes or temporarily taking down vulnerable endpoints until patches can be deployed.
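The readiness check described above can be sketched as a match between a software inventory and newly published advisories. This is an added example, not part of the original article; the record fields, product names, advisory IDs, hosts and versions are all constructed for illustration and do not reflect any real feed format.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(text):
    """Turn '3.4.1' into (3, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class Advisory:            # hypothetical record shape, not a real feed schema
    advisory_id: str
    product: str
    first_affected: str
    fixed_in: Optional[str]   # None means no patch has been released yet

@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool

def is_affected(asset, adv):
    """True if the asset runs the product in the vulnerable version range."""
    if asset.product.lower() != adv.product.lower():
        return False
    version = parse_version(asset.version)
    if version < parse_version(adv.first_affected):
        return False
    return adv.fixed_in is None or version < parse_version(adv.fixed_in)

def triage(inventory, advisories):
    """Return (host, advisory_id, action), internet-facing hosts first."""
    rows = []
    for adv in advisories:
        for asset in inventory:
            if is_affected(asset, adv):
                action = (f"patch to {adv.fixed_in}" if adv.fixed_in
                          else "take offline until a patch ships")
                rows.append((not asset.internet_facing, asset.host,
                             adv.advisory_id, action))
    rows.sort(key=lambda row: row[0])   # stable: exposed hosts sort first
    return [row[1:] for row in rows]

# Constructed sample data.
ADVISORIES = [Advisory("ADV-EXAMPLE-1", "example-logger", "3.2.0", "3.4.1"),
              Advisory("ADV-EXAMPLE-2", "example-vpn", "1.0.0", None)]
INVENTORY = [Asset("web01", "example-logger", "3.3.0", True),
             Asset("app02", "example-logger", "3.4.1", False),  # already fixed
             Asset("gw01", "example-vpn", "1.8.2", True),
             Asset("hr-pc", "example-logger", "3.2.5", False)]

if __name__ == "__main__":
    for host, advisory_id, action in triage(INVENTORY, ADVISORIES):
        print(f"{host}: {advisory_id} -> {action}")
```

The check is only as good as the inventory behind it: a library bundled inside an application will not be matched unless it is listed as its own entry.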
Platforms can also greatly enhance CISOs’ capabilities. By leveraging AI and automation, CISOs can continuously update their strategies based on emerging threats. Guided by up-to-date plans, security staff can immediately work on remediation efforts.
There is always a possibility that zero-day vulnerabilities are present in any company's infrastructure. It may be challenging to protect against the unknown, but measures can be taken to minimize any organization's cyberattack exposure.
SMBs are particularly vulnerable, so they should prioritize building their security strategies. Fortunately, CISOs and CISO services can bring the expertise needed by SMBs. This way, smaller organizations can minimize the risks brought about by zero-day exploits, even with limited budgets.