Executive Summary
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security and requires coordinated efforts throughout an information system. Elements of cybersecurity include:
- Application security
- Information security
- Network security
- Disaster recovery
- Operational security
- End-user education
One of the most problematic elements of cybersecurity is the quickly and constantly evolving nature of security risks. The traditional approach has been to focus resources on the crucial system components and protect against the biggest known threats, which necessitated leaving some less important system components undefended and some less dangerous risks taken for granted. Such an approach is insufficient in the current environment.
Adam Vincent, CTO-public sector at Layer-7 Technologies, describes the problem:
“The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It is no longer possible to write a large white paper about the risk to a system. You would be rewriting the white paper constantly...”
To deal with the current environment, organizations are promoting a more proactive and adaptive approach of continuous monitoring and real-time assessments.
12 Cybersecurity Best Practices
Is your sensitive data secure? Best cybersecurity practices and ways to protect data are becoming the focus of discussion among companies during the COVID-19 pandemic.
Constant reports on state-sponsored hacking attacks, denial of service attacks, ransomware, and leaks by malicious insiders reflect the number of cybersecurity threats that government organizations and top IT organizations, education and healthcare institutions, financial firms, banks, law firms, retail, non-profits, and many other companies have been facing since March 2020. The increased number of successful high-profile attacks and data breaches is also indicative of the security weaknesses in the work-at-home policies being adopted due to the pandemic. Companies are struggling to keep their data protected due to the quickly evolving threats and ever-changing compliance regulations since the pandemic.
The question then is what can I, as a business owner, do to protect my data?
While there are basic network security measures that everybody deploys, here is a list of 12 very effective policies and procedures that not every company employs.
1. Employ a risk-based approach to security
The right approach is the key to effective cybersecurity. Unfortunately, many companies put too much focus on compliance, thinking that if they meet all regulations, their sensitive data is secure. Such companies often take the approach of simply going down the checklist, without putting too much thought into the risks that the company faces and how they affect the bottom line.
A much better approach is to form your data security strategy through risk assessment. Here is what risk assessment identifies:
- All valuable assets
- The current state of cybersecurity
- The most pressing threats your data faces and how they may affect your bottom line
Things like fines for failing to meet compliance, remediation costs for potential leaks and breaches, costs of missing or inefficient processes are all important factors. Taking all the above into account will allow you to correctly prioritize the risk assessment.
2. Form a hierarchical cybersecurity policy
Why is a written cybersecurity policy important? There are several reasons. First, it serves as a centralized formal guide on all best practices for cybersecurity and security measures used in the company. It also allows you to make sure that your security specialists and employees are on the same page and enforces rules that protect your data. However, the workflows of each department can be unique and easily affected by needless cybersecurity measures. This is why, while a centralized security policy can be very effective as a base guideline for the whole company, it should not cover every process in every department. Instead, departments should be allowed to create their own security policies, based on the central policy. There are many benefits of making sure your security policies are hierarchical: every department is accountable for its workflow, and your bottom line will not be compromised in the name of security.
3. Update your software
Cybersecurity updates – an old and tired topic that cybersecurity experts keep repeating year after year. However, with the rise of malware and zero-day exploits, this seems like a particularly good time to reiterate it. So why are software updates so important? The main reason is that the majority of malware out there does not target new and unknown security vulnerabilities. Instead, it goes for the well-known exploits already fixed in the latest version, in the hope that companies do not update. Some of the reasons that companies use old software and do not update are:
- Removed or changed functionality may force staff to relearn or readjust certain established processes
- The update process may be too complex and may disrupt existing workflow
- Sometimes, updates may be too costly, and sometimes they aren’t even available, forcing a company to switch to a recent solution
There is no easy solution for these issues, particularly for legacy software. However, it is worth noting that software vendors are also aware of this, and these problems are mostly absent in the newest solutions available on the market.
What’s more important is that, despite all the pain, updating is usually well worth it, as it helps prevent very costly breaches and leaks and helps keep your sensitive data protected.
4. Back up your data
Data backup is another basic security measure that has gained increased relevance in recent years. With the advent of ransomware, malicious software designed to encrypt all your data, blocking your access to it until you pay a hefty sum for a decryption key, having a full current backup of all your data can prove to be a lifesaver.
How do you best handle backups? You need to make sure that your backups are protected and encrypted, and that they are updated frequently. It is also best to divide backup duty between several people in order to avoid insider threats.
5. Use the principle of least privilege
Be aware: having too many privileged users accessing your data is extremely dangerous.
Many companies, particularly smaller ones, tend to grant new employees all privileges by default. Such an approach not only poses an additional risk in terms of insider threats but also allows external hackers to get access to sensitive data as soon as any of your employee accounts is compromised.
A much better solution is to use the principle of least privilege and revoke the corresponding privileges to sensitive data when they are no longer necessary.
We realize constant privilege management can be hard and time-consuming, particularly for large companies, but many access management solutions on the market can make it easier. In particular, one-time password functionality can prove to be a lifesaver when it is necessary to grant additional privileges to a regular user.
6. Use two-factor authentication
Do you want to know the best way to protect the accounts of your employees? Two-factor authentication.
Two-factor authentication is an important security standard when it comes to account protection and makes the login procedure very reliable as long as the secondary device is not lost or stolen. As an added benefit, it also allows distinguishing between users of shared accounts, making access control easier.
7. Handle passwords in a secure manner
While secondary authentication provides a great safety net in case of a compromised password, it is still not an excuse to ignore best practices regarding password handling. The first thing you need to know is that a password needs to be long, complex and unique.
Here are the main bullet points regarding password handling:
- It is better to use a longer easy-to-remember phrase as a password than a short string of random characters.
- Each password needs to be unique—make sure to prohibit your employees from using their passwords on other accounts.
- Prohibit your employees from sharing credentials with each other. While it may be more convenient for them, it is extremely unsafe.
- All passwords should be switched periodically. Since you may not even know whether your password was compromised or not, it is very dangerous to keep using one for a long time. The best way to go about changing passwords is to automate it for the whole company.
8. Change default passwords for your IoT devices
Many internet-enabled devices come with a set of default credentials hard-coded inside. Such credentials are usually freely available on the internet and widely known to perpetrators. Most malware targeting IoT devices looks for devices that keep using their default credentials in order to hijack them and add them to its army of bots, ready to conduct massive denial of service attacks at the push of a button.
What can you do about it? The only way to make sure that your devices are safe from being infected is to change all default credentials as soon as possible and make sure that your new password is unique and complex. It is also a good practice to change this password periodically, although it is best to automate this process completely.
9. Keep an eye on privileged users
Here is the problem: users with privileged accounts enjoy an increased level of trust and are often considered one of the biggest assets for the company. However, at the same time, they also pose the biggest threat to data security among all employees. The best way to minimize the risks of an insider attack by privileged users is to limit their numbers. This is where the principle of least privilege comes in. You also need to make sure that a privileged account is immediately disabled whenever a person is terminated. More often than not, the disgruntled employee retains their access upon termination, allowing them to exact revenge for perceived wrongdoing.
However, if a privileged user is already stealing your data, it can be very hard to detect it, considering that such malicious actions may be indistinguishable from their everyday work. In this case, your best weapon is a user action monitoring solution. At the same time, the default logging capabilities of most business software and operating systems have their limitations, particularly when it comes to users with a high level of privilege.
The simpler and better way to detect malicious actions by privileged users is to employ a user activity monitoring solution that is specifically designed to record any actions taken by such employees. The recording it provides allows you to quickly see all the actions taken by the user in their original context and thus determine whether they were malicious or not.
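A minimal version of the privileged-account checks described in sections 5 and 9, as an added example that is not part of the original article: it flags privileged accounts that are still enabled after their owner was terminated, and privileges that have gone unused long enough to be revoked. The field names, sample records, the 90-day idle threshold and the "no HR owner" check are assumptions constructed for illustration.

```python
from datetime import date

AUDIT_DATE = date(2021, 3, 15)  # constructed "today" so the result is reproducible

# Constructed HR export: user -> termination date (None = still employed).
HR_RECORDS = {
    "alice": {"terminated_on": None},
    "bob": {"terminated_on": date(2021, 3, 1)},
    "carol": {"terminated_on": None},
    "dave": {"terminated_on": date(2021, 2, 10)},
}

# Constructed account export; field names are assumptions, not a product schema.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "privileged": True, "last_privileged_use": date(2021, 3, 10)},
    {"user": "bob", "enabled": True, "privileged": True, "last_privileged_use": date(2021, 2, 27)},
    {"user": "carol", "enabled": True, "privileged": True, "last_privileged_use": date(2020, 10, 1)},
    {"user": "dave", "enabled": False, "privileged": True, "last_privileged_use": date(2021, 2, 9)},
    {"user": "svc-backup", "enabled": True, "privileged": True, "last_privileged_use": None},
]


def audit_privileged_accounts(accounts, hr_records, today, max_idle_days=90):
    """Return (user, reason) findings for enabled privileged accounts."""
    findings = []
    for acct in accounts:
        if not (acct["privileged"] and acct["enabled"]):
            continue  # disabled or unprivileged accounts are out of scope here
        user = acct["user"]
        hr = hr_records.get(user)
        if hr is None:
            # Privileged account nobody in HR answers for (e.g. a service account).
            findings.append((user, "no HR owner on record"))
            continue
        terminated_on = hr["terminated_on"]
        if terminated_on is not None and terminated_on <= today:
            findings.append((user, "owner terminated, account still enabled"))
            continue
        last_use = acct["last_privileged_use"]
        if last_use is None or (today - last_use).days > max_idle_days:
            findings.append((user, "privilege unused, candidate for revocation"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_privileged_accounts(ACCOUNTS, HR_RECORDS, AUDIT_DATE):
        print(f"{user}: {reason}")
```
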
10. Keep an eye on third parties accessing your data
Today, due to the pandemic, almost every company has a network of third parties working remotely with it. Remote employees, sub-contractors, business partners, suppliers, and vendors: this is only a short list of people and companies that may access your data remotely. This not only provides a greater risk of an insider attack but also opens the way for malware and malicious hackers to get into your system.
The best way to protect your sensitive data from any breaches via third-party access is to use a temporary password. It allows you to limit the scope of access and to make sure that you know who connects to your network and why. User action monitoring should be used in conjunction with one-time passwords in order to provide full logging of all user actions, allowing you to detect malicious activity and conduct investigations when necessary.
11. Be wary of phishing
It is worth noting that insider threats do not end with malicious employees. More often than not, regular well-meaning employees inadvertently help perpetrators by providing them with a way to get into your system. Today, phishing is a big problem for everyone; companies are drowning in spam e-mails containing malicious links.
So, here is what you need to do—get a properly configured spam filter and make sure that the most obvious spam is always blocked. Moreover, your employees need to be educated on the most popular phishing techniques and the best ways to deal with them, to protect themselves and your company data.
12. Raise employee awareness
It is hard to believe, but the key to the protection of your data lies with your employees just as much as with your defenses. Even if you have the best cybersecurity policies and procedures in place, your employees will ignore them in the name of convenience and productivity. Strict rule enforcement may make the situation better, but it does not guarantee results, while at the same time stressing out your employees and costing you additional money.
The best way to deal with negligence and security mistakes by your employees is to educate them on why security matters. Raise their awareness about cyber threats your company faces and how they affect the bottom line.
Make sure your employees know why certain measures are in place and why they are important. Recruit them as part of your defenses, and you will see that the instances of negligence and mistakes will become less frequent. It is much better to get your employees the proper training than to deal with a data breach caused by accidental actions.