Cyber security is a growing concern for every organization in every industry. Many experts already predict that cyber-attacks such as phishing schemes and ransomware will increase significantly in 2021. As devastating as these attacks can be, there are a number of safeguards you can implement to better protect your organization. Here are 10 of the most effective ones we recommend for organizations of all sizes.
Review your security solutions.
The cyber security threat landscape is always changing and becoming more complex. Performing a regular review of your cyber security solutions (e.g., tools, services, vendors) is important, because a solution that worked for you in the past may not be fully working for you now. This includes looking at new or updated solutions and how your existing ones compare. You should also review your services and vendors to make sure they continue to be effective at protecting your systems and data.
Perform a cyber security risk assessment of your critical systems.
You can’t address your risks if you don’t know what they are and how they can impact your organization, which is a *big* problem. If performed correctly, a cyber security risk assessment not only will show you the risks, but also provide a prioritized ranking of which ones should be addressed first and how to fix them. There are a number of people who will charge a lot of money to tell you about your risks, but then try to charge you again for providing the solutions. A true cyber security professional is going to tell you both.
Conduct a vulnerability scan where the results are interpreted for you.
A vulnerability scan of your systems will show you existing vulnerabilities and the likelihood and risk level of each one being exploited by hackers. These scans can be performed inside your network or from outside against your website and externally facing systems. They also take inventory of your systems and check for things such as patch levels and software versions, which can produce a lot of data.
You need someone knowledgeable to go through that information and separate the real risks from the junk. They should also prioritize the risks based on likelihood and impact, and work with you on how to fix them. That person should also be available to get their hands dirty and help fix the issues if you don’t have someone on staff who can. If vendors manage parts of your environment, they can also oversee those vendors to ensure the problems actually get fixed.
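The triage step above (drop the informational noise, then rank what is left by likelihood and impact rather than by the scanner's severity label alone) is easy to show in code. The following is an added example, not part of the original article or any particular scanner's output: the findings, the asset criticality values and the scoring weights are all constructed for illustration, and a real program would read them from the scanner export and your asset inventory.

```python
"""Triage constructed vulnerability-scan findings: drop informational noise,
score the rest by likelihood x impact, and return a prioritized work list."""
from dataclasses import dataclass


@dataclass(frozen=True)  # frozen so identical findings hash equal and can be de-duplicated
class Finding:
    host: str
    title: str
    cvss: float             # base score 0-10 as reported by the scanner
    severity: str           # scanner label: "Info", "Low", "Medium", "High", "Critical"
    exploit_public: bool    # scanner flag: a working public exploit is known
    internet_facing: bool   # from your asset inventory, not the scanner
    asset_criticality: int  # 1 (lab box) .. 5 (crown jewels), from the inventory
    fix: str                # remediation the scanner suggests


# Constructed sample findings (not real scan output). The second line is a
# duplicate of the first, as happens when two scans are merged.
FINDINGS = [
    Finding("web01", "Outdated TLS library", 7.5, "High", True, True, 4, "Upgrade package"),
    Finding("web01", "Outdated TLS library", 7.5, "High", True, True, 4, "Upgrade package"),
    Finding("web01", "Server banner reveals version", 0.0, "Info", False, True, 4, "Suppress banner"),
    Finding("db02", "Default admin credential", 9.8, "Critical", True, False, 5, "Change password"),
    Finding("lab07", "Missing OS patch", 8.8, "High", True, False, 1, "Apply patch"),
    Finding("hr03", "Weak cipher suite enabled", 5.3, "Medium", False, False, 3, "Disable cipher"),
    Finding("hr03", "ICMP timestamp response", 2.1, "Low", False, False, 3, "Filter ICMP"),
]


def is_noise(f: Finding) -> bool:
    """Informational and trivial findings are inventory data, not risks to fix first."""
    return f.severity == "Info" or f.cvss < 3.0


def likelihood(f: Finding) -> float:
    """0..1: how likely exploitation is. CVSS is the base; a public exploit and
    internet exposure each raise it (weights are an assumption of this example)."""
    score = f.cvss / 10
    if f.exploit_public:
        score = min(1.0, score + 0.25)
    if f.internet_facing:
        score = min(1.0, score + 0.25)
    return score


def impact(f: Finding) -> float:
    """0..1: business impact, taken from the asset's criticality in the inventory."""
    return f.asset_criticality / 5


def risk_score(f: Finding) -> float:
    """Likelihood x impact on a 0..100 scale."""
    return round(likelihood(f) * impact(f) * 100, 1)


def triage(findings):
    """Return (score, host, title, fix) tuples, highest risk first."""
    unique = list(dict.fromkeys(findings))          # de-duplicate, keep order
    real = [f for f in unique if not is_noise(f)]   # separate real risks from junk
    ranked = sorted(real, key=risk_score, reverse=True)
    return [(risk_score(f), f.host, f.title, f.fix) for f in ranked]


if __name__ == "__main__":
    for score, host, title, fix in triage(FINDINGS):
        print(f"{score:6.1f}  {host:6}  {title:32}  -> {fix}")
```

Note how the ranking differs from the scanner's own labels: the "High" patch finding on the lab machine ends up below the "Medium" cipher finding on the HR server because impact, not just severity, drives the order. That is exactly the judgement the article says a knowledgeable person must supply.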
Have a penetration test performed.
A penetration test (or pen test) can include vulnerability scanning, but it goes one step further by having a tester try to exploit the vulnerabilities they find to see how far they can get into the network. Never fear, experienced testers know how to test the controls of a network without breaking it and causing downtime or service issues. The biggest value of a penetration test is to have someone act just as a hacker would because, believe me when I say, there are hackers trying this against your network every second of every day.
Have a tabletop exercise simulating a data breach.
If you truly want to have a comfort level for how your organization can handle a cyber event (without throwing everyone into crisis), then perform a tabletop exercise. These exercises are discussion-based sessions where the team talks through their roles during an emergency and how they will respond.
They allow your team to think through how they would detect, identify, and respond to a cyber security incident, ultimately serving as a litmus test for the organization’s ability to handle such an event. Do they have the skills? Do they have the tools? Do they know how to interface with law enforcement, the media, or clients if there is a breach? What happens if your organization has to report the data breach to the authorities or regulators?
If the exercise is led by a qualified cyber or continuity planning professional, they will know how to structure it so that it identifies not only opportunities for improvement, but also which capabilities in your organization are already working to protect everyone.
Get low-cost cyber security training for employees, contractors, and vendors.
The No. 1 way that attackers get into an environment is by getting unsuspecting employees, contractors, or vendors to provide access to the network – either through clicking on links in emails (phishing) or accidentally sharing passwords and other credentials. Hackers have become so advanced at phishing schemes that it is hard to tell if an email, text message, or other communication is legitimate.
Good cyber security training can be timely, engaging, and inexpensive. Many training tools can integrate with your company’s email so that if a person accidentally clicks on a link, not only can it be blocked, but then targeted training and awareness messages can be sent to the user to educate them on how to avoid these risks in the future. There are even training modules that use cartoons and games. Who doesn’t love that?
Make sure your security patches are all up to date.
This is one of the simplest ways for your IT team to prevent attacks. However, you’d be surprised at how many times we find that servers, databases, and other applications have not been appropriately patched. If your organization does not have a process for testing and applying patches, this is a low-cost *and critical* practice to protect your systems and data that you can start on today.
Invest in cyber security monitoring for your systems and endpoints.
Cyber security monitoring is not the same as network monitoring, but the two complement each other. Cyber security monitoring is your first line of defense: it alerts you to unusual behavior in the environment, unauthorized access, and indicators of compromise left by hackers, which saves your staff a lot of time and stress.
A word of caution: the system admins who run the network should not be the same ones doing the security monitoring. This is a widely held best practice. System admins are commonly too close to the network to adequately identify risks, not to mention overwhelmed with keeping the network up.
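To make the three kinds of alert named above concrete (unusual behavior, unauthorized access, and indicator-of-compromise matches), here is a small detection routine run over constructed log lines. It is an added example, not part of the original article or of any monitoring product: the log format loosely imitates sshd syslog output, the IP addresses come from the documentation ranges, and the indicator list and approved-account list are placeholders that a real deployment would feed from a threat-intel source and an identity directory.

```python
"""Run simple detections over constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines modelled loosely on sshd syslog output (not real data).
LOG_LINES = """\
2021-03-02T02:14:01 sshd[1011]: Accepted publickey for backup from 10.0.0.5 port 40111
2021-03-02T02:14:07 sshd[1012]: Failed password for alice from 203.0.113.9 port 50122
2021-03-02T02:14:09 sshd[1013]: Failed password for alice from 203.0.113.9 port 50123
2021-03-02T02:14:12 sshd[1014]: Failed password for admin from 203.0.113.9 port 50124
2021-03-02T02:14:15 sshd[1015]: Failed password for root from 203.0.113.9 port 50125
2021-03-02T02:14:18 sshd[1016]: Failed password for alice from 203.0.113.9 port 50126
2021-03-02T02:14:40 sshd[1017]: Accepted password for alice from 203.0.113.9 port 50130
2021-03-02T09:02:11 sshd[1101]: Accepted password for bob from 10.0.0.22 port 51001
2021-03-02T11:30:45 sshd[1150]: Accepted publickey for svc-deploy from 198.51.100.77 port 42000
2021-03-02T11:31:02 sshd[1151]: Failed password for carol from 10.0.0.31 port 53000
"""

# Placeholder indicator list (would come from a threat-intel feed) and the
# accounts that are allowed to log in (would come from your directory).
IOC_IPS = {"198.51.100.77"}
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "backup"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines: str):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events, burst_threshold=5, window=timedelta(minutes=1)):
    """Return (alert_type, source_ip, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for e in events:
        # Indicator of compromise: any activity from a known-bad address.
        if e["ip"] in IOC_IPS:
            alerts.append(("ioc_match", e["ip"], e["user"]))
        # Unauthorized access: a successful login by an account we do not know.
        if e["ok"] and e["user"] not in KNOWN_ACCOUNTS:
            alerts.append(("unknown_account", e["ip"], e["user"]))
        if not e["ok"]:
            # Unusual behavior: many failures from one source inside the window.
            recent = failures[e["ip"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) == burst_threshold:
                alerts.append(("failed_login_burst", e["ip"], str(len(recent))))
        elif failures[e["ip"]] and e["ts"] - failures[e["ip"]][-1] <= window:
            # A success right after a run of failures suggests a guessed password.
            alerts.append(("success_after_failures", e["ip"], e["user"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(parse(LOG_LINES)):
        print(f"{kind:24} {ip:16} {detail}")
```

The thresholds and the one-minute window are deliberately simple; a production tool tunes them per environment and correlates across hosts. The point the article makes still holds: the people reviewing these alerts should not be the same administrators whose activity they describe.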
Refresh and refine (or, for some, create) policies and procedures for your cyber security program.
Many organizations have homegrown cyber security programs and capabilities, which can lead to gaps in cyber coverage – not only from a tool’s standpoint, but from a security management perspective as well. Having a set of policies and procedures that align with your industry (or your regulatory requirements) ensures that your cyber security efforts and resources are strategically supporting your organization’s needs. No more Whack-A-Mole with managing security risks!
It’s also a great tool for people coming into the organization to educate themselves on how cyber security management activities are performed. If you already have policies and procedures, then make sure they are reviewed at least annually and approved by the executive in charge of cyber security or the head of the organization.
Implement Multi-Factor Authentication (a.k.a. MFA).
This software prevents attackers, many of whom have obtained or guessed a user’s credentials, from accessing your environment by requiring a second authentication from a device or application that the user possesses (e.g., a cell phone or the DUO app). According to Google, MFA prevents more than 96% of bulk phishing attempts and more than 76% of targeted attacks. While DUO is widely recognized as one of the best MFA solutions on the market, there are others that work just as well. Talking to a cyber security engineer can help you determine what solution is best for your organization.
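The "something the user possesses" factor that most authenticator apps implement is a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from the article or from any MFA vendor: it generates and verifies such codes using only the Python standard library, with the shared secret taken from the RFC's published test vector so the outputs can be checked against the standard. The one-step clock skew allowance and the constant-time comparison are the two details a verifier most often gets wrong.

```python
"""TOTP generation and verification (RFC 6238 / RFC 4226) with stdlib only."""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226/6238 test vectors; a real deployment
# generates a random secret per user and enrolls it in the authenticator app.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24            # clear the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of time steps since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time=None,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift),
    comparing in constant time so timing does not leak which digits matched."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    print("code for the current 30-second step:", totp(RFC_TEST_SECRET))
```

Two things a real server adds on top of this: it records the last counter value it accepted for each user so the same code cannot be replayed within the skew window, and it rate-limits attempts, since a six-digit code only has a million possible values.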
Starting with any of these can go a long way toward improving your organization’s cyber security posture. Making steady, incremental improvements over time is better than doing nothing at all simply because it sounds overwhelming or confusing. If you need help figuring out where to start or how to implement one of these steps, let us know. We believe effective cyber security should be available for every organization, no matter their size or budget.