October is Cybersecurity Awareness Month. For most organizations, maybe yours, cybersecurity is not their primary business or area of expertise. And for organizations who don’t live and breathe cybersecurity, the whole idea of trying to protect your assets, your intellectual property, and your customers’ private information can seem daunting. There is a lot to cybersecurity, and much of it can be very specialized.
There is good news though.
There are some smart and relatively easy things you can do to protect your organization – a few fundamental steps can put you ahead of the game in terms of preparedness and protection. Some of these precautionary measures don’t require any technical tools at all, and others are relatively simple to employ using modern tools.
First, take care of the basics: Passwords, Patches, and Proven Plans for data backup and restoration. Second, make sure your IT policies and practices have been updated to account for remote access, even if your organization doesn’t support work from home (WFH) per se. Finally, support your employees with the right information to make good decisions, both at work and on social media, to avoid a data breach or other cyber compromise.
Basic Security Policies Reap Huge Benefits
A few basic security policies will put your organization ahead of the curve in terms of avoiding a cyber intrusion. Enforcing something as simple as a proper password policy is one of those basics. A decent password policy on endpoints can be enforced directly by the OS in most cases. In addition, you should investigate utilizing a company-wide password manager to prevent password reuse, which is what so-called credential stuffing attacks rely on. Finally, you should implement multi-factor authentication (also called MFA), specifically two-factor authentication (2FA) – this is really not optional anymore, as evidenced by Google’s previously announced push to enforce their 2-step verification (2SV) process by default by the end of 2021. Oh, and consider signing up for domain monitoring with Have I Been Pwned (free) or SpyCloud (enterprise).
The next basic security policy you want to have in place is keeping up-to-date on patching the operating systems and applications in your organization. Your vulnerability or patch management process should be centrally managed by IT – don’t leave it up to your end-users to upgrade on their schedule.
Another basic security policy you want to have in place is an exercised and proven data backup and restoration process. This is a key part of a business continuity plan for disasters, both natural and manmade. Make sure you understand the time needed to recover, and how that fits into an overall business continuity plan. And make sure you test your backup and disaster recovery process regularly.
Remote Workers Have Your Data
Remote access to your network is a fact of life these days. Even if your organization does not support remote work, the odds are that one or more of your vendors, or their vendors, does – which could expose you to the so-called supply-chain attacks that have been in the news lately.
For your own remote work force, from traveling salespeople to WFH employees, make sure that security considerations are taken seriously in the practical implementation of supporting them. Be sure that the organization’s needs and expectations are understood (and not just what, but why), that you have provided them with the proper tools and training during onboarding (and regularly thereafter), and that your security team has adapted appropriately to the realities of expanded remote access to your systems.
In addition, if any of your outside vendors have remote access to your systems or customer data, you should meet with them to understand what their remote access and remote worker security policies are. Be sure that your security policies, compliance requirements, and liability transfer concerns are covered in your contracts – to ensure that there is a good mutual understanding of the necessary security foundations, and that you and your customers are covered legally.
People Need More Information
The most common vector of compromise is, and has long been, through people. Cyber Security Awareness Month is a great time to train your people to recognize something suspicious when they see it. Help them learn to recognize phishing attempts and other efforts at social engineering. And don’t neglect physical security, like shredding paper documents and password protecting access to laptops & computers. Finally, help them to appreciate the dangers of social media – sure, sharing is caring in some instances, but oversharing can lead to an expensive cybersecurity misadventure.
Take These Simple Steps Today
If you are a small or mid-sized organization, you probably don’t need a team of IT security professionals on staff. Remember, successfully implementing even these cybersecurity basics significantly increases the effort required to breach your network. Password policies, up-to-date patching of OSes and applications, and a truly viable data backup and recovery plan will all help in a big way.
Remote access is here to stay, and requires a new mindset to protect your endpoints, network and data. Make sure your remote workers are educated and set up for success. Also, make sure you know which of your vendors have remote workers, and how your data is being handled by them.
Finally, make sure your employees are aware of phishing techniques and other forms of social engineering, know what over-sharing on social media looks like, can shred sensitive documents at home, and so on.
Cyber Security Awareness Month is a great time to identify resources available to you, to help get started on – or indeed continue on – your cybersecurity program. Here are some useful links:
- In the EU, ENISA and the EC have put together the European Cyber Security Month website for resources, activities, education plans, and campaign tools.
- Various European National campaigns can be found by selecting the country from the map on the EU site.
- In the US, Cybersecurity Awareness Month resources and campaign efforts are hosted by the Cybersecurity & Infrastructure Security Agency (CISA).
- Business executives may find the CISA Cyber Essentials Starter Kit [PDF] a good next step.