The introduction of a Cornell University study said, “Small and Medium Enterprises (SMEs) are pivotal in the global economy, accounting for over 90% of businesses and 60% of employment worldwide. Despite their significance, SMEs have been disregarded from cybersecurity initiatives”.
This is not just a reality for SMEs; it is also true when you look at what cybersecurity companies provide. Most focus on medium to large customers, solving problems only corporations with complex IT landscapes have. And if that isn’t the focus, they solve largely non-existent or hypothetical problems (but that is another story for another day).
The study went on to say, “The existing research indicates that the main challenges to attaining cybersecurity resilience of SMEs are a lack of awareness of the cybersecurity risks, limited cybersecurity literacy and constrained financial resources.”
That second point — security awareness — is a founding issue for Cyber Protection Magazine. And ever since we started, we have been looking for a partner who could take care of the rest: providing a toolset for those cybersecurity risks that really matter and raising awareness through training.
Finally, we have found that partner: Lupasafe. Their target customers are either SMEs directly – or MSPs (who usually serve SMEs). Lupasafe essentially brings two things to the table: a tool which gives an overview of the security status for the most important topics, and a cybersecurity training module, including phishing tests. If you know how Cyber Protection Magazine works, you will know that we don’t fall for marketing speak. In this case we’ve actually tried and tested (and will keep) the Lupasafe solution for ourselves, as it gives us just the amount of insight we need, without trying to scare us with hypothetical risks which we actually don’t have.
Here’s our honest review of Lupasafe and what it does for us.
A little background: The team behind Cyber Protection Magazine is small, but nevertheless scattered across the globe. It’s also not one company, but a joint venture of two companies. Which means we have different e-mail addresses, different websites (besides our main website at cyberprotection-magazine.com), quite a few cloud services for collaborating and file storage. So far, so common for SMEs. The one thing we don’t have is our own internal network, but then our two companies do have their own networks, too.
How does Lupasafe secure us then? The first thing we did was enter the assets we have – our websites, domains and e-mail addresses. And within a few minutes we had the first report on potential risks of these assets, shown in a dashboard-like overview.
For the domains and websites, Lupasafe shows all relevant information, which is:

- Open ports
- Security headers
- DKIM/DMARC/SPF Scan
- SSL/TLS Scan
- Vulnerabilities
- DMARC reports

If you don’t know what all of these mean – don’t worry, your admin should know. And if they don’t, Lupasafe has really helpful documentation. I, at least, as a half-nerd, was able to quickly grasp what’s behind those terms I didn’t know previously. Also, that list pretty much represents the most common risks you can have at the domain and website level.

For each topic, you can then drill further down and see the risk level (high, medium or low), a more detailed list and explanation where applicable.
Similarly, Lupasafe will look at cloud instances. Currently, they support Microsoft Office 365 and Microsoft Entra ID – since at CPM we have neither, we couldn’t verify how these assets are handled. What we could do was scan our internal network. That was a little tricky, since our network(s) are so small that we don’t have a real server – the network scanner Lupasafe provides, though, can only run on Linux and Windows machines. Luckily, there is a virtual Windows machine which is hardly ever needed and which we could use for this purpose. Hence, we installed the network scanner and, after a bit of crawling through our network, it also presented us with the results. “Unfortunately”, the risk within our small network seems to be comparatively small: none of the devices in the network returned a risk.

Domains, cloud services and the network scanner covered the technology side of things – more interesting is what Lupasafe refers to as “people”. This section covers two topics: leaked data and the actual Lupasafe cybersecurity training.
The leaked data section shows – based on the e-mail addresses of your employees – whether those were “pwned” in any known data leaks which occurred in the past few years. It even shows you the first and last letter of your password, so that each employee can verify whether that password might still be in use and whether that leak was actually linked to an employee. It also gives you the name of the breach and the year of occurrence. Again – pretty much all the information you need in this context. However, those more technology-related topics, which essentially require scanning the web and the different company assets, are reactive, not proactive.

Enter the main part of the “people” section: phishing – divided into regular phishing and spear phishing – and the e-learning program. Phishing is one of the techniques cyber criminals most commonly use to retrieve credentials. Usually, they will send an e-mail which sounds like it’s an official e-mail from your bank, insurance company or other provider, asking you to click a link. The linked website looks almost identical to the actual website of the provider, so you might be inclined to enter your credentials there. In the past, both the phishing e-mail and the fake website were often easy to identify. These days, with AI and other tools, they are almost indistinguishable from their real counterparts.
The phishing module in Lupasafe will send a fake e-mail to your employees to see whether they’ll fall for that technique. Lupasafe also offers spear phishing – same thing as phishing, just personalized. If your employees fall for the phishing, they will be directed to the e-learning module. As an administrator, you can plan phishing campaigns for your company or start an “instant” campaign – after running this, you will also see the results of these campaigns.

Last, but not least, is the e-learning module of Lupasafe. This, however, as well as our conclusion for their solution will be covered in the second part of this article.
Since the Lupasafe solution covers all of our needs and we can imagine that it will also cover the needs of most SMEs, we partnered with Lupasafe, providing you, our readers, with the possibility to secure your assets and people just like we are doing. If you want to sign up for Lupasafe, sign up here:
For more information on Lupasafe visit https://lupasafe.com/
Patrick Boch has been working in the IT industry since 1999. He has been dealing with the topic of cybersecurity for several years now, with a focus on SAP and ERP security.
In recent years, Patrick Boch has published various books and articles as an expert, especially on the subject of SAP security. With his extensive knowledge and experience in the areas of SAP compliance and security, Patrick Boch has served as product manager for several companies in the IT security sector since 2013. Patrick is Co-Founder and Editor of Cyber Protection Magazine.