I've been spearheading a security overhaul for a small business that still relies on an on-prem Windows setup, and we're two months into this initiative. The environment is set up with a local domain controller, on-prem file shares, and a mix of laptops and desktops—no cloud identity management like Intune or Azure AD in place yet, but we're planning to activate Purview soon.
My aim is to bring us closer to compliance with HIPAA, CMMC, and NIST 800-171 standards. I'd love to share what we've achieved so far and hear insights from others who have tackled similar projects. What have you found effective? Are there any blind spots you've learned to recognize in the process?
Here's what we've implemented till now:
- **Identity and Access**: We're using YubiKeys for all users to enforce PIV/FIDO2 logins, dramatically reducing the risk of phishing attacks.
- **Endpoint Encryption and USB Control**: BitLocker is enforced with recovery keys stored in Active Directory. USB access is strictly controlled using Bitdefender GravityZone, allowing only designated devices while globally blocking write access.
- **Antivirus and EDR**: We have Bitdefender GravityZone deployed, and in July alone, we recorded 2,562 threat events, mostly related to web and email—about 94.5% were stopped in real time.
- **Patching and Management**: NinjaRMM manages OS and app patching effectively, but reboot compliance remains a challenge, particularly after third-party updates.
- **Documentation and Visibility**: We are utilizing Hudu for centralizing SOPs and policy tracking.
- **Backups**: We're using NinjaOne for file-level backups on workstations, and full image backups for servers. We've successfully tested recovery already.
- **Future Plans**: We're considering SpamTitan and PhishTitan for enhanced email filtering and phishing simulations, along with Teramind for monitoring insider threats.
By the end of July, we had managed 2,562 threats with zero successful infections and successful patch rollouts. If you've undertaken similar security hardening measures or have tips on DLP, USB controls, or reboot management with RMMs, I'd love to learn from your experiences. What tools or strategies have confirmed your encryption coverage or helped with identifying insider risks?
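The original post asks what confirms encryption coverage and how others handle reboot compliance with an RMM. The following PowerShell script is an added example, not code from the post or from any of the products it names: it walks the workstation OU, confirms on each reachable host that the OS volume is fully encrypted with protectors on, counts the recovery passwords escrowed under the computer object in AD (class msFVE-RecoveryInformation), and reads the standard registry signals for a pending reboot. The OU path is a constructed placeholder; it assumes the RSAT ActiveDirectory module on the admin host, PowerShell Remoting on the endpoints, and an account permitted to read the escrowed key objects.

```powershell
# Added example (not from the original post): audit BitLocker coverage, confirm the
# recovery password is escrowed in AD, and flag pending reboots on domain workstations.
# Assumes: RSAT ActiveDirectory module on the admin host, PowerShell Remoting enabled on
# targets, and an account allowed to read msFVE-RecoveryInformation objects.
#Requires -Modules ActiveDirectory

param(
    # Constructed example OU; replace with the OU that holds your workstations.
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example'
)

Import-Module ActiveDirectory

# Runs on each endpoint: reboot-pending signals written by CBS, Windows Update and installers,
# plus the OS drive's BitLocker state as reported by the BitLocker module.
$endpointCheck = {
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfr = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    [pscustomobject]@{
        PendingReboot = ($cbs -or $wu -or ($null -ne $pfr -and $pfr.Count -gt 0))
        OSDrive       = Get-BitLockerVolume -MountPoint $env:SystemDrive |
                            Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
    }
}

$report = foreach ($computer in Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase) {
    # Recovery passwords are child objects of the computer object (class msFVE-RecoveryInformation).
    $escrowed = @(Get-ADObject -Filter { objectClass -eq "msFVE-RecoveryInformation" } `
                    -SearchBase $computer.DistinguishedName -SearchScope OneLevel).Count

    $remote = try {
        Invoke-Command -ComputerName $computer.DNSHostName -ScriptBlock $endpointCheck -ErrorAction Stop
    } catch { $null }   # offline or unreachable hosts are reported, not skipped silently

    [pscustomobject]@{
        Computer         = $computer.Name
        Reachable        = $null -ne $remote
        VolumeStatus     = $remote.OSDrive.VolumeStatus
        ProtectionOn     = $remote.OSDrive.ProtectionStatus -eq 'On'
        EncryptedPercent = $remote.OSDrive.EncryptionPercentage
        KeysInAD         = $escrowed
        PendingReboot    = $remote.PendingReboot
        # Compliant only when fully encrypted, protectors active, and at least one key escrowed
        Compliant        = ($remote.OSDrive.VolumeStatus -eq 'FullyEncrypted') -and
                           ($remote.OSDrive.ProtectionStatus -eq 'On') -and ($escrowed -gt 0)
    }
}

$report | Sort-Object Compliant, Computer | Format-Table -AutoSize
# Non-compliant or unreachable hosts become the follow-up list for the RMM.
$report | Where-Object { -not $_.Compliant } | Export-Csv -NoTypeInformation -Path .\bitlocker-gaps.csv
```

Run it from a management host on a schedule and diff the CSV between runs: a machine that is encrypted but has zero escrowed keys is the case an RMM dashboard tends not to show, and it is exactly the one that turns a recovery prompt into data loss. The pending-reboot flag uses the same three registry locations most RMM agents check, so a host that stays flagged across several runs is a candidate for a forced maintenance-window restart rather than another reminder.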
5 Answers
Setting up this security framework can vary in cost based on your chosen tools. For example, Teramind for DLP logging costs about $25–$30 per user per month. Overall, expect monthly fees for backup solutions and monitoring tools to build up. It really depends on the scale of your security needs and how many devices you’re backing up.
A few enhanced security measures you might consider:
1. Make sure your backups are immutable; ransomware can easily hit non-immutable backups.
2. Set up AD tiering for better control over administrative access, reducing the risk of lateral movement in case of a breach.
3. Consider implementing network segmentation and strict traffic control with VLANs.
4. Limit local admin access for end users and keep the Windows Defender Firewall tightly controlled.
These strategies can bolster your security significantly.
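Two of the items in the list above (limiting local admin access and keeping Windows Defender Firewall tightly controlled) are cheap to verify continuously. The PowerShell below is an added example, not code from this answer or the original post: it fans out to the workstation OU, reports any member of the local Administrators group outside an approved set, and flags any firewall profile that is disabled or does not block inbound traffic by default. The OU path and the approved group names are constructed placeholders; it assumes PowerShell Remoting, the ActiveDirectory module, and the built-in LocalAccounts and NetSecurity modules on the endpoints.

```powershell
# Added example (not from the answer above): on each domain workstation, list local
# Administrators beyond an approved set and find firewall profiles that are off or
# do not block inbound by default. Assumes PowerShell Remoting and the ActiveDirectory module.
#Requires -Modules ActiveDirectory

param(
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',   # constructed example OU
    # Constructed allow-list: the domain admin group and a tiered workstation-admin group
    [string[]]$ApprovedAdmins = @('CORP\Domain Admins', 'CORP\Tier2-WorkstationAdmins')
)

$check = {
    param($approved)
    # Members of the local Administrators group, minus the built-in account and approved principals.
    # Note: Get-LocalGroupMember can fail on orphaned SIDs from deleted domain accounts; those
    # hosts surface as errors and need a manual look.
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $builtIn = "$env:COMPUTERNAME\Administrator"
    $extra   = $members | Where-Object { $_ -ne $builtIn -and $_ -notin $approved }

    # A profile only protects if it is enabled and drops unsolicited inbound traffic
    $weakProfiles = Get-NetFirewallProfile | Where-Object {
        -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block'
    } | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ExtraAdmins  = @($extra)
        WeakProfiles = @($weakProfiles)
    }
}

$computers = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase |
             Select-Object -ExpandProperty DNSHostName

# One fan-out; unreachable hosts are collected in $unreachable instead of aborting the run
$results = Invoke-Command -ComputerName $computers -ScriptBlock $check -ArgumentList (,$ApprovedAdmins) `
               -ErrorAction SilentlyContinue -ErrorVariable unreachable

foreach ($r in $results) {
    [pscustomobject]@{
        Computer     = $r.PSComputerName
        ExtraAdmins  = ($r.ExtraAdmins -join '; ')
        WeakProfiles = ($r.WeakProfiles -join '; ')
        Compliant    = ($r.ExtraAdmins.Count -eq 0) -and ($r.WeakProfiles.Count -eq 0)
    }
}
$unreachable | ForEach-Object { Write-Warning "Unreachable: $($_.TargetObject)" }
```

The approved list is where AD tiering shows up in practice: only the tier-appropriate admin group should appear on a workstation, and a domain user or a helpdesk account that was added "temporarily" is exactly what this report is meant to catch. Treating a disabled profile and a non-blocking inbound default as the same finding keeps the check aligned with the lateral-movement concern in the list rather than with the firewall's mere presence.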
Pointing out AD tiering is crucial. It seems like a lot to manage, but having multiple accounts can really help in reducing risks by isolating access to sensitive systems.
NinjaOne is a great tool! You should also think about airgapped or immutable backups to fulfill your business continuity requirements. If the business is still entirely on-premises, having offsite copies is absolutely critical.
Absolutely! It's crucial to balance the need for on-site flexibility while securing against significant risks like ransomware.
2,562 threat events for a small business sounds high. Are these from actual incidents triggered by users? Since implementing your current measures, have you seen a noticeable drop in events? It might highlight where the weak spots are in your security approach.
These figures include threats detected and blocked. Many are duplicates where users attempted to open risky links or websites, indicating a lack of user training which could certainly be a key area to address.
Backing up user machines seems unnecessary if you can quickly restore via zero touch installs. If there's an infection, restoring from a backup might bring back the same issue. I'm inclined to think that data should be kept in OneDrive or SharePoint for easy recovery.
I actually find comfort in having 7-day file backups. My file backup takes roughly 7 minutes after hours, while image backups can take about 2 hours. The flexibility and quick restoration options help me avoid complications from infections.
It sounds like costs can stack quickly! If a small business wants to enhance security, following CIS IG1 guidelines might help. Many measures are low-cost and primarily require time investment.