Good hygiene habits are drilled into us from a young age, and for good reason! Neglect to wash your hands, take a shower, use deodorant, or brush your teeth, and you could find yourself friendless, dateless, and quite possibly sick.
While they probably won’t stop you getting a date, bad cyber hygiene habits can be just as harmful to your company’s health. They leave you, your clients, and your customers vulnerable to a host of threats, including hackers, viruses, data theft, and data loss. Ultimately, they can damage your reputation beyond repair and even land you in serious financial and legal trouble.
What is Good Cyber Hygiene?
You’ve presumably mastered the art of personal hygiene by now! But what does good cyber hygiene look like? First, let’s look at exactly why it’s necessary. There are two key reasons: performance and security.
Just like brushing and flossing every day keeps your teeth in optimum condition, good cyber hygiene keeps your IT systems working at peak performance. When your systems are functioning at their best, you’ll save valuable resources and deliver a great customer/client experience to boot. And more importantly, regular maintenance will help you to spot and close security gaps before they can be exploited.
Security threats like hacking, viruses, malware, spyware, and data theft are becoming more sophisticated by the day, and they have the potential to bring your business to its knees. Just as you can ward off illness and stay healthy with good personal hygiene, you can stay ahead of threats and minimize their impact on your business with solid cyber hygiene routines.
Now let’s talk about what these cyber hygiene routines look like in practice…
The 12-Step Program
At CyberSheath, we recommend a thorough 12-step routine for impeccable cyber hygiene. To be truly effective, this routine should be:
• Part of an official company security policy.
• Built into your organizational culture.
• Universally adopted across your business.
Why is this necessary? Well, you’re only as strong as your weakest link. It only takes one careless employee to leave your entire business vulnerable to malfunction or attack. By formalizing your routine, promoting a ‘security first’ culture, and encouraging widespread compliance, you’re sending a clear message that lapses are not an option.
The program begins with a fundamental step…
1. Take an inventory
In order to properly protect your assets, you first need to document them. The most efficient way to do this is to group them into three categories:
• Hardware, such as computers, printers, scanners, smartphones, and tablets.
• Software programs installed on your devices, such as web browsers or messaging systems.
• Remotely hosted applications like cloud-based storage drives or smartphone apps.
Next, create an inventory of your assets under each of these categories and make a record of details like installation date, license expiry date, version number, date last used, and authorized users. This information will help you to identify security vulnerabilities, such as outdated software or unrestricted equipment usage.
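The inventory check described above, as an added example that is not part of the original article: it audits records carrying the details listed in step 1 and flags expired licenses, outdated versions, unused assets, and assets with no recorded authorized users. The asset names, the `LATEST` version table, and the 180-day threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory; fields follow the details listed in step 1.
INVENTORY = [
    {"name": "laptop-014", "category": "hardware", "installed": date(2017, 3, 1),
     "license_expiry": None, "version": "n/a", "last_used": date(2024, 5, 30),
     "authorized_users": ["alice"]},
    {"name": "ExampleBrowser", "category": "software", "installed": date(2022, 1, 10),
     "license_expiry": None, "version": "98.0.2", "last_used": date(2024, 6, 1),
     "authorized_users": ["alice", "bob"]},
    {"name": "ExampleCRM", "category": "remote", "installed": date(2021, 6, 5),
     "license_expiry": date(2024, 1, 31), "version": "4.1", "last_used": date(2023, 9, 12),
     "authorized_users": []},
]

# Assumption: newest released version per product, maintained by the IT team.
LATEST = {"ExampleBrowser": "101.0.0", "ExampleCRM": "4.1"}

def parse_version(text):
    """Turn '98.0.2' into (98, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit(asset, today, stale_days=180):
    """Return the list of hygiene findings for one inventory record."""
    findings = []
    expiry = asset["license_expiry"]
    if expiry is not None and expiry < today:
        findings.append("license expired")
    latest = LATEST.get(asset["name"])
    if latest and parse_version(asset["version"]) < parse_version(latest):
        findings.append("outdated version")
    if (today - asset["last_used"]).days > stale_days:
        findings.append("unused")
    if not asset["authorized_users"]:
        findings.append("no authorized users recorded")
    return findings

def audit_inventory(inventory, today):
    """Map asset name -> findings, keeping only assets with at least one finding."""
    report = {a["name"]: audit(a, today) for a in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2024, 6, 15)).items():
        print(f"{name}: {', '.join(findings)}")
```

Comparing versions as plain strings would rank "98.0.2" above "101.0.0", which is why the records are parsed into numeric tuples first.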
2. Implement secure password practices
Password security is one of the easiest ways to practice cyber hygiene, but it’s also one of the most neglected. You’d be amazed just how much sensitive data is ‘protected’ with weak passwords such as… well, ‘password’!
Today’s computers, smartphones, and tablets come with security options ranging from simple text passwords to bio-recognition (think fingerprint and iris scanners), so there’s simply no excuse not to have your devices protected. The same applies to software and online applications, particularly those that are mission-critical or contain highly sensitive data.
The best text passwords are a complex mix of numbers, letters, and symbols, with no link to identifiable information like names, birthdays, or employee numbers. It’s important that they’re memorized, rather than written down, and they should never be shared. In fact, it’s good practice to incorporate a ‘no-sharing’ rule into your company’s formal code of conduct.
A final note on password security: encourage your team to log out of software, apps, and devices when not in use, especially if they’re leaving their desks.
3. Use multi-factor authentication
For particularly sensitive devices, programs, or applications, such as email accounts or mission-critical hardware, multi-factor (AKA two-step) authentication adds an extra layer of security.
After the user has entered their password, they’re typically required to enter another passcode, answer a question, or submit biometric information like a fingerprint in order to gain access. That means that, even if somebody does manage to obtain the user’s password, they still can’t access their accounts.
If you’re using a passcode, it’s good practice not to request the full code. Instead, ask for specific characters from the code at random. This reduces the risk of a malicious party obtaining the full code and gaining unauthorized access to your systems.
4. Keep up with software updates
We’re all guilty of ignoring those software update notifications when we’re in the middle of an important task. However, it’s essential to pay attention to these updates for several reasons.
Not only do updates increase the performance, functionality, and efficiency of your software, they usually include ‘fixes’ for security issues that have been identified after launch. If you fail to keep your software updated, you might find yourself missing out on great new features at best, and exposing yourself to serious security breaches at worst.
Another problem is that software developers often phase out support for previous versions of their software. In the same way that Apple will no longer help you with an iPhone 5, you may find that your developer will no longer be able to fix issues in software that’s five versions behind the most current one. If your essential software packs up and the developer can’t help you, where does that leave your business?
For peace of mind, resist the urge to snooze your software update notifications, or better still, set your updates to install automatically. Note that some malware can disable your automatic updates, so check back periodically just in case.
5. Patch up security holes regularly
Security vulnerabilities are often picked up by software developers between versions. Rather than leave their users exposed until the next update, developers will release ‘patches’ to protect them in the meantime.
Like software updates, patches are often neglected, but unpatched software is one of the biggest security risks for your business. Think about it: if you know there’s a security hole, so do hackers. They then actively look for unpatched software that they can exploit.
Patching can be a tedious process, especially in larger organizations, but it really is worth taking the time to keep your software protected. That applies to the software on connected devices like printers, too.
6. Replace outdated hardware
Just like software, hardware is continually being updated and improved. And like software, falling behind on your hardware updates will leave you vulnerable to poor performance and avoidable security threats.
If you’ve identified outdated hardware in your inventory, update it now to maintain peak performance and full security compliance. If the hardware is no longer being used, disconnect it from your network and properly remove any sensitive data within it.
7. Control installations
Software downloads can be used as a vehicle to implant viruses, malware, and spyware on your systems. For that reason, it’s essential that users are not given free rein to install software on their company devices.
Develop a policy that governs which employees can install which software on which devices. You might decide that only certain groups of users are allowed to install software, or you might allow installations from trusted sources, or you might require that all installations are approved first. Whatever your specific policy looks like, it should be controlled centrally by you or your IT team, and not on an individual basis.
8. Limit users
In order to minimize the potential damage from a hacking or malware attack, it’s important to carefully control the level of access your employees have to devices and programs.
For example, if 200 of your employees can access a system, that’s 200 routes by which a hacker can enter that system. If only 100 of them actually need to use that system, you can cut your risk in half by restricting access to an ‘as-required’ basis.
If all 100 of those users have admin rights, that’s 100 opportunities for a hacker to inflict damage on your system. If you restrict admin rights to the 10 employees that need it, you’ve cut your risk again by 90%. You get the idea!
For each item in your inventory (hardware, software, and applications), evaluate which of your employees need access, and what privileges they need within the system in order to do their job. Everybody else should be restricted accordingly.
9. Back up data
Even with the very strictest of security, life still happens. Loss, damage, technical malfunction, sabotage, and theft can never be fully prevented, so make sure you have a reliable system for backing up your data — both yours and that of your clients and customers.
Ideally, you’ll have back-ups of your data in multiple formats and locations. Copies of digital data should be stored on an encrypted, cloud-based server, while copies of physical data and documents should be stored in a secure off-site location.
Build regular data back-ups into your security plan. If possible, automate the process to save time and money, and of course, to eliminate the risk of forgetting.
10. Invest in training and awareness
When it comes to keeping your business safe, knowledge truly is power, so take the time to identify knowledge gaps within your team and provide training as necessary. This will fortify your business from top to bottom, teaching everything from password etiquette and best-practice software usage to threat identification and crisis management.
11. Develop an incident response plan
Despite your best efforts, the worst has happened — you’ve been hacked. What do you do?
If you don’t have an answer to that question, then now’s the time to find one! The best incident response is the one that’s planned, rehearsed, and perfected ahead of time, ready to be rolled out seamlessly if and when disaster strikes.
Work with your IT team on developing responses to all possible threats you might face. Consider what actions will be needed, who will take responsibility for them, and whether they have the skills and knowledge necessary to do so. Make sure everyone understands their role and hold regular drills to keep the procedure fresh in everybody’s minds.
12. Employ a cybersecurity framework
For organizations that deal with particularly sensitive data (think government or defense suppliers, for example), it may be wise to consider adopting a more advanced security framework. Industry-standard protocols like the NIST Framework and the CIS Benchmark offer you standards, guidelines, and best practices to manage cybersecurity risks in critical environments, protecting both your business and your clients from threats.
And finally, the Golden Rule…
If in Doubt, Leave It to the Experts
When it comes to cybersecurity, you can’t just wing it! If you don’t have the resources or the expertise to properly manage your security in-house, then don’t take the risk — outsource it to professionals. A Managed Security Services Provider (MSSP) like CyberSheath can take all of the work and the worry out of cybersecurity. We already have the infrastructure and the experts in place, so we can quickly set up a bulletproof, fully staffed security system with minimal effort on your part.
CyberSheath’s MSSP is also one of the most cost-effective security options available to businesses like yours. We keep your costs consistent and predictable, which gives you much more control over your budget, and you benefit from the latest in security technology without having to invest in research and development.
To learn more about cyber hygiene and discuss how your business could benefit from the cost-effective, comprehensive protection of an MSSP, contact us now for a no-obligation discussion.
The threat posed by someone inside an organization is often overlooked and poses the highest risk. A survey from SANS found nearly a third of organizations have no capability to prevent or mitigate an insider attack or incident, while over a third estimated the potential loss from an insider threat to be over $1 million, before including the immeasurable damage to brand and reputation. Overall, the survey identified a positive trend: organizations are starting to recognize the risks posed by insider threats, but they are struggling to deal with them.
Recognizing the Risks
The SANS survey focused on threats posed by insiders because people inside the organization “may have unfettered access to sensitive data, as well as the means, methods, and motives to access information, virtually undetected.” The survey found a pattern of organizations correctly voicing concern for risks posed by negligent or malicious employees, but too often failing to focus on solutions.
Following that same trend, the survey determined prevention is currently more a state of mind than a reality. More than 68% of organizations surveyed considered themselves able to prevent or mitigate an insider attack; yet over a third of organizations indicated they have still suffered actual insider incidents or attacks. The costs of these types of attacks are very often immeasurable damage to brand and reputation.
Identifying Types of Insider Threats
Threats from an insider often go unprevented because they go undefined. The first step towards an effective solution to the problem posed by insiders is to identify and understand the types of insider threats. CyberArk offers excellent solutions for insider threats and recently published an eBook that helps to identify these types of threats:
The Exploited Insider
- 49% of accidental insider breaches are caused by phishing. (Source)
- Attackers gain access to the user’s machine and capture all privileged credentials available.
- Can also be an insider acting in response to external coercion.
The External “Insider”
- Most organizations allow third-party vendors access to their internal networks.
- Just like employees, these external “insiders” are also a target exploited by cyber attackers.
- In 70% of cyber attacks with a known motive, there is a secondary victim, targeted due to their trusted access. (Source)
- Most leading institutions have 200-300 high-risk third-party relationships. (Source)
The Malicious Insider
- Usually the most difficult to detect. (Source)
- Commonly have the highest potential costs. (Source)
- 50% are current employees and 50% are former employees. (Source)
The Unintentional Insider
- 56% of internal incidents in 2015 were attributed to the inadvertent misuse of data or an accident. (Source)
- Do not intend to jeopardize sensitive data.
- Risks are often introduced in attempts to increase productivity or efficiency.
Detecting and Mitigating the Threats
Excellent privileged access management practices are at the heart of detecting, preventing, and containing threats posed by insiders. Least privilege access and monitoring solutions are more crucial today than ever before, for organizations of all types and sizes.
Important solutions for securing against insider threats:
- Privileged user access control & credential management
- Privileged session monitoring
- Session isolation and control
- Granular, on-demand privileged access control
- Behavioral analytics and threat detection
Implementing effective solutions to reduce and eliminate risk from insider threats requires detailed knowledge of the solutions available as well as how they can be most effectively applied to your unique organization. Get a free risk assessment from CyberSheath’s innovative Privileged Access Management team by clicking below, and start securing your organization from the inside out.