Crypto-mining, ransomware, and third-party and supply chain attacks – oh my!
Phishing, malware exploits, and DDoS attacks – oh no!
“An unprotected business today is a sitting duck. There is always someone attempting to penetrate your cyber firewalls to steal anything they can access,” says Melissa DeDonder, technology advisor for K·Coe ISG.
With the list of IT concerns ever growing and becoming more sophisticated with each day, it’s vital that all organizations, regardless of size or industry, practice basic cyber ‘hygiene’ and implement and follow best practices – your employees, customers, and business longevity all depend upon it.
A Profitable Return on IT Investment
“You don’t need to understand every cyber threat out there to protect your business. The first step is awareness that your organization is vulnerable,” says DeDonder.
“For those businesses who don’t have the IT resources or bandwidth to handle a comprehensive cybersecurity evaluation, making the small investment in a third party to evaluate, guide, and implement best practices is a drop in the bucket when compared to the amount of crippling losses we are seeing across the country due to cyberattacks.”
4 Critical Security Steps
There are four primary areas that every business should address and reevaluate at least annually. The cycle to follow includes: identification, protection, detection, and response.
- Identify risk. A company should identify and quantify the level of risk associated with information technology and their IT assets by completing and maintaining a written risk assessment.
Considerations that may be on the assessment include: web-based interfaces, third-party risk, and physical security. A data flow diagram should also be in place so there is a clear understanding of how all assets are connected to the network and each other, segregated, and protected.
Organizations also need a comprehensive group of policies and procedures to govern the IT assets. These items are a roadmap and set expectations for the enterprise assets. Employees and owners cannot be expected to understand all relevant and critical expectations if they are not laid out in a clear, concise, written, and professional manner.
- Protect with controls. Upon identification of risks, a plan to mitigate and protect against those risks must be implemented.
Technical controls: Protective action incorporates the use of technical controls, including content filtering, anti-spam, anti-malware, endpoint protection, reputation services, quarantine/sandboxing services, and email filters, which will help to stop hackers from getting into your organization.
Education: No matter the technical controls, some phishing and social engineering will likely make it past your defenses. This is why it is important to educate and test employees so they can spot and respond to phishing and other forms of social engineering before they become damaging.
Testing: Ensure all critical patches are tested and applied in a timely manner. Patches may need to be applied to operating systems, browsers, browser add-ons, web server software, database software, and remote management software.
Enforcement: Ensure written password guidelines are current and enforced. This could include password length, complexity, and allowable attempts. Another best practice is to configure account lockout so that an account is locked after a set number of failed logon attempts.
- Detect and monitor activity. Next the organization should establish a baseline for normal operations. This will allow for early warning when the inevitable occurs.
Detection controls could include intrusion detection systems, endpoint detection, network traffic analysis, or honeypots. An individual with the correct capabilities, either within the company or through a managed service provider, should be monitoring these systems on a daily, weekly, and monthly basis.
It is becoming more common for a hacker to have access to a system months before an exploit. This extra time allows the criminal to infiltrate your systems, explore your network and learn your habits, and understand what is important to you and the company. An early detection system could help discover these threats and shut them down (response) before a crisis strikes.
- Respond immediately. Breaches are common, and even with the best defenses the worst can happen. If your data and credentials are stolen (and data encrypted), you will need to stop the damage as best you can, find out how the hackers got in, shut off continued access, and develop a recovery plan.
It is important to have an incident response management plan in place to address these items. The plan should address how to best protect and defend your organization, customers, and employees and should be updated regularly to include the ever evolving threats.
And finally, once the threat is contained, a business continuity management plan would need to be enacted quickly to get operations running and back to normal.
Behavior plays a key role in combating cybercrime, and prevention is the best defense. The worst thing any business can do is put it off until later – a lack of attention to cyber prevention and security in this day and age becomes a matter of not if, but when.
K·Coe ISG is an affiliate of K·Coe Isom that provides technology advisory and risk assessment for businesses. Our advisors can evaluate the efficiency of your system, and recommend and implement best practices and controls for prevention. In addition, we can provide the level of education and guidance that your organization needs.
Contact a K·Coe ISG advisor to learn more about protecting your business and how to lower the risk of cyberattacks.