Good hygiene habits are drilled into us from a young age, and for good reason! Neglect to wash your hands, take a shower, use deodorant, or brush your teeth, and you could find yourself friendless, dateless, and quite possibly sick.
While they probably won’t stop you from getting a date, bad cyber hygiene habits can be just as harmful to your company’s health. They leave you, your clients, and your customers vulnerable to a host of threats, including hackers, viruses, data theft, and data loss. Ultimately, they can damage your reputation beyond repair and even land you in serious financial and legal trouble.
What is Good Cyber Hygiene?
You’ve presumably mastered the art of personal hygiene by now! But what does good cyber hygiene look like? First, let’s look at exactly why it’s necessary. There are two key reasons: performance and security.
Just like brushing and flossing every day keeps your teeth in optimum condition, good cyber hygiene keeps your IT systems working at peak performance. When your systems are functioning at their best, you’ll save valuable resources and deliver a great customer/client experience to boot. And more importantly, regular maintenance will help you to spot and close security gaps before they can be exploited.
Security threats like hacking, viruses, malware, spyware, and data theft are becoming more sophisticated by the day, and they have the potential to bring your business to its knees. Just as you can ward off illness and stay healthy with good personal hygiene, you can stay ahead of threats and minimize their impact on your business with solid cyber hygiene routines.
Now let’s talk about what these cyber hygiene routines look like in practice…
The 12-Step Program
At CyberSheath, we recommend a thorough 12-step routine for impeccable cyber hygiene. To be truly effective, this routine should be:
• Part of an official company security policy.
• Built into your organizational culture.
• Universally adopted across your business.
Why is this necessary? Well, you’re only as strong as your weakest link. It only takes one careless employee to leave your entire business vulnerable to malfunction or attack. By formalizing your routine, promoting a ‘security first’ culture, and encouraging widespread compliance, you’re sending a clear message that lapses are not an option.
The program begins with a fundamental step…
1. Take an inventory
In order to properly protect your assets, you first need to document them. The most efficient way to do this is to group them into three categories:
• Hardware, such as computers, printers, scanners, smartphones, and tablets.
• Software programs installed on your devices, such as web browsers or messaging systems.
• Remotely hosted applications like cloud-based storage drives or smartphone apps.
Next, create an inventory of your assets under each of these categories and make a record of details like installation date, license expiry date, version number, date last used, and authorized users. This information will help you to identify security vulnerabilities, such as outdated software or unrestricted equipment usage.
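As an added example (not CyberSheath’s own tooling), here is a small Python review of such an inventory that flags the signals this step names: outdated versions, expired licenses, assets unused for months, and entries with no access restriction recorded. The inventory records, the current-version table and the 180-day idle threshold are constructed assumptions.

```python
"""Review an asset inventory for the risk signals step 1 calls out:
outdated software, expired licenses, unused assets and unrestricted use.
Added example, not CyberSheath's tooling; every record below is constructed."""
from datetime import date

REVIEW_DATE = date(2016, 6, 1)   # fixed "today" so the run is reproducible
STALE_DAYS = 180                 # assumption: six months idle means review or disconnect
# Assumed table of current software versions an admin keeps (constructed values)
CURRENT_VERSIONS = {"Web browser": "50.0", "Accounting suite": "9.1"}

# Constructed inventory, one record per asset, across the three categories the text names
INVENTORY = [
    {"name": "Finance laptop 07", "category": "hardware", "version": None,
     "license_expiry": None, "last_used": "2016-05-20", "authorized_users": ["j.doe"]},
    {"name": "Reception printer", "category": "hardware", "version": None,
     "license_expiry": None, "last_used": "2015-11-02", "authorized_users": []},
    {"name": "Web browser", "category": "software", "version": "48.0",
     "license_expiry": None, "last_used": "2016-05-31", "authorized_users": ["all"]},
    {"name": "Accounting suite", "category": "software", "version": "9.1",
     "license_expiry": "2016-04-30", "last_used": "2016-05-30", "authorized_users": ["a.lee"]},
    {"name": "Cloud file share", "category": "remote application", "version": None,
     "license_expiry": "2017-09-09", "last_used": "2016-05-31", "authorized_users": ["a.lee", "j.doe"]},
]


def version_tuple(v):
    """'48.0' -> (48, 0), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def review_asset(asset, today):
    """Return the findings for one record; an empty list means nothing was flagged."""
    findings = []
    current = CURRENT_VERSIONS.get(asset["name"])
    if asset["version"] and current and version_tuple(asset["version"]) < version_tuple(current):
        findings.append(f"outdated: {asset['version']} < current {current}")
    if asset["license_expiry"] and date.fromisoformat(asset["license_expiry"]) < today:
        findings.append(f"license expired {asset['license_expiry']}")
    idle = (today - date.fromisoformat(asset["last_used"])).days
    if idle > STALE_DAYS:
        findings.append(f"unused for {idle} days; disconnect and wipe if retired")
    if not asset["authorized_users"] or "all" in asset["authorized_users"]:
        findings.append("no access restriction recorded")
    return findings


def review_inventory(inventory, today=REVIEW_DATE):
    """Map asset name -> findings, keeping only assets with at least one finding."""
    return {a["name"]: f for a in inventory if (f := review_asset(a, today))}


if __name__ == "__main__":
    for name, issues in review_inventory(INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```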
2. Implement secure password practices
Password security is one of the easiest ways to practice cyber hygiene, but it’s also one of the most neglected. You’d be amazed just how much sensitive data is ‘protected’ with weak passwords such as… well, ‘password’!
Today’s computers, smartphones, and tablets come with security options ranging from simple text passwords to bio-recognition (think fingerprint and iris scanners), so there’s simply no excuse not to have your devices protected. The same applies to software and online applications, particularly those that are mission-critical or contain highly sensitive data.
The best text passwords are a complex mix of numbers, letters, and symbols, with no link to identifiable information like names, birthdays, or employee numbers. It’s important that they’re memorized, rather than written down, and they should never be shared. In fact, it’s good practice to incorporate a ‘no-sharing’ rule into your company’s formal code of conduct.
A final note on password security: encourage your team to log out of software, apps, and devices when not in use, especially if they’re leaving their desks.
3. Use multi-factor authentication
For particularly sensitive devices, programs, or applications, such as email accounts or mission-critical hardware, multi-factor (AKA two-step) authentication adds an extra layer of security.
After the user has entered their password, they’re typically required to enter another passcode, answer a question, or submit biometric information like a fingerprint in order to gain access. That means that, even if somebody does manage to obtain the user’s password, they still can’t access their accounts.
If you’re using a passcode, it’s good practice not to request the full code. Instead, ask for specific characters from the code at random. This reduces the risk of a malicious party obtaining the full code and gaining unauthorized access to your systems.
4. Keep up with software updates
We’re all guilty of ignoring those software update notifications when we’re in the middle of an important task. However, it’s essential to pay attention to these updates for several reasons.
Not only do updates increase the performance, functionality, and efficiency of your software, they usually include ‘fixes’ for security issues that have been identified after launch. If you fail to keep your software updated, you might find yourself missing out on great new features at best, and exposing yourself to serious security breaches at worst.
Another problem is that software developers often phase out support for previous versions of their software. In the same way that Apple will no longer help you with an iPhone 5, you may find that your developer will no longer be able to fix issues in software that’s five versions behind the most current one. If your essential software packs up and the developer can’t help you, where does that leave your business?
For peace of mind, resist the urge to snooze your update notifications, or better still, set updates to install automatically. Note that some malware can disable automatic updates, so check back periodically to confirm they are still running.
5. Patch up security holes regularly
Security vulnerabilities are often picked up by software developers between versions. Rather than leave their users exposed until the next update, developers will release ‘patches’ to protect them in the meantime.
Like software updates, patches are often neglected, but they’re one of the biggest security risks for your business. Think about it — if you know there’s a security hole, so do hackers. They then actively look for unpatched software that they can exploit.
Patching can be a tedious process, especially in larger organizations, but it really is worth taking the time to keep your software protected. That applies to the software on connected devices like printers, too.
6. Replace outdated hardware
Just like software, hardware is continually being updated and improved. And like software, falling behind on your hardware updates will leave you vulnerable to poor performance and avoidable security threats.
If you’ve identified outdated hardware in your inventory, replace it now to maintain peak performance and full security compliance. If a device is no longer being used, disconnect it from your network and securely erase any sensitive data stored on it.
7. Control installations
Software downloads can be used as a vehicle to implant viruses, malware, and spyware on your systems. For that reason, it’s essential that users are not given free rein to install software on their company devices.
Develop a policy that governs which employees can install which software on which devices. You might decide that only certain groups of users are allowed to install software, or you might allow installations from trusted sources, or you might require that all installations are approved first. Whatever your specific policy looks like, it should be controlled centrally by you or your IT team, and not on an individual basis.
8. Limit users
In order to minimize the potential damage from a hacking or malware attack, it’s important to carefully control the level of access your employees have to devices and programs.
For example, if 200 of your employees can access a system, that’s 200 routes by which a hacker can enter that system. If only 100 of them actually need to use that system, you can cut your risk in half by restricting access to an ‘as-required’ basis.
If all 100 of those users have admin rights, that’s 100 opportunities for a hacker to inflict damage on your system. If you restrict admin rights to the 10 employees that need it, you’ve cut your risk again by 90%. You get the idea!
For each item in your inventory (hardware, software, and applications), evaluate which of your employees need access, and what privileges they need within the system in order to do their job. Everybody else should be restricted accordingly.
9. Back up data
Even with the very strictest of security, life still happens. Loss, damage, technical malfunction, sabotage, and theft can never be fully prevented, so make sure you have a reliable system for backing up your data — both yours and that of your clients and customers.
Ideally, you’ll have back-ups of your data in multiple formats and locations. Copies of digital data should be stored on an encrypted, cloud-based server, while copies of physical data and documents should be stored in a secure off-site location.
Build regular data back-ups into your security plan. If possible, automate the process to save time and money, and of course, to eliminate the risk of forgetting.
10. Invest in training and awareness
When it comes to keeping your business safe, knowledge truly is power, so take the time to identify knowledge gaps within your team and provide training as necessary. This will fortify your business from top to bottom, teaching everything from password etiquette and best-practice software usage to threat identification and crisis management.
11. Develop an incident response plan
Despite your best efforts, the worst has happened — you’ve been hacked. What do you do?
If you don’t have an answer to that question, then now’s the time to find one! The best incident response is the one that’s planned, rehearsed, and perfected ahead of time, ready to be rolled out seamlessly if and when disaster strikes.
Work with your IT team on developing responses to all possible threats you might face. Consider what actions will be needed, who will take responsibility for them, and whether they have the skills and knowledge necessary to do so. Make sure everyone understands their role and hold regular drills to keep the procedure fresh in everybody’s minds.
12. Employ a cybersecurity framework
For organizations that deal with particularly sensitive data — think government or defense suppliers, for example — it may be wise to consider adopting a more advanced security framework. Industry-standard protocols like the NIST Framework and the CIS Benchmark offer you standards, guidelines, and best practices to manage cybersecurity risks in critical environments, protecting both your business and your clients from threats.
And finally, the Golden Rule…
If in Doubt, Leave It to the Experts
When it comes to cybersecurity, you can’t just wing it! If you don’t have the resources or the expertise to properly manage your security in-house, then don’t take the risk — outsource it to professionals. A Managed Security Services Provider (MSSP) like CyberSheath can take all of the work and the worry out of cybersecurity. We already have the infrastructure and the experts in place, so we can quickly set up a bulletproof, fully staffed security system with minimal effort on your part.
CyberSheath’s MSSP is also one of the most cost-effective security options available to businesses like yours. We keep your costs consistent and predictable, which gives you much more control over your budget, and you benefit from the latest in security technology without having to invest in research and development.
To learn more about cyber hygiene and discuss how your business could benefit from the cost-effective, comprehensive protection of an MSSP, contact us now for a no-obligation discussion.
Recently, Verizon released its 2016 Data Breach Report, which has served to assist the security community in managing risk and avoiding security incidents since 2008. In the report, one can find data on almost all aspects of the current cybersecurity risk landscape. With that being said, I was most intrigued by the findings related to phishing attacks, a form of social engineering that seeks to exploit an organization’s greatest risk – humans.
The motivation behind phishing attacks is no different than any other information security incident. Generally, attackers will be looking to trick the target user into divulging credentials on a pharming website. These sites look and feel like they are genuine websites for banks, enterprise applications, etc. Another common tactic in phishing attacks is having the targeted user click an attached file containing some sort of malware, thus granting the attacker access to the machine and by association, whatever network it connects to. These attacks are troubling because they allow an attacker to simply avoid many of the technical controls an organization may have in place.
The Data Breach Report has included metrics on phishing cases for years; this year it stated that 30% of users open phishing emails. While opening an email may not be harmful in itself, 13% of users will go on to click on the malicious attachment or navigate to the phony website where credentials are collected. These numbers are somewhat higher than last year’s, which reported a 23% open rate and an 11% click-through on the attachments. It is also important to note how quickly this all happens: the report states that it often takes less than five minutes to see a targeted user click on the attachment or link.
Social engineering attacks, and phishing specifically, are on the rise because they are much easier to execute than technical attacks against an organization’s vulnerable assets. They enable an attacker to compromise a network with much less effort than would normally be required, and often in much less time.
The good news is that phishing attacks can be defeated in multiple ways. First, two-factor authentication would nearly eliminate the risk associated with credential-stealing activities: even if an attacker did acquire an employee’s main credentials, they would still lack the secondary credentials that are required. Second, and probably the most direct way to decrease human risk, is a mature security awareness program. While awareness and training programs have been given more attention as of late, several organizations still do not take them seriously. Without training your employees on simple, human-targeted attacks like phishing, they cannot be expected to protect your critical assets and data when they become the targets.
Curious how your organization stacks up? CyberSheath can help; contact us today.
Many of us travel for work, and as such, we must connect to a number of untrusted networks in order to stay on top of things. These public networks, while seemingly non-threatening, can be a hostile environment with malicious users seeking to extract any sensitive data they can, such as credit card information, personal information, and passwords. Some may say that this is unlikely and that, if there were a malicious user on a public network, they would be protected by the use of encrypted services. However, I would argue that this is not the case at all. Often adverse agents will use “passive” monitoring techniques to intercept data being sent over the network. This can be accomplished with any packet-sniffing tool, but it will only allow an attacker to see traffic that is “in the clear,” or unencrypted. If an attacker intends to intercept data transported via TLS, SSL, HTTPS, or from encrypted services like Gmail, Slack, or Dropbox, they need a way to subvert the in-transit data protection mechanisms.
One of the most common methods an attacker can use to defeat transport encryption is a Man-in-the-Middle (MIM) attack. At a high level, the attacker sits between a target user and the secure service they are communicating with, breaks the established secure connection between the user and the service, and forces the information back to the victim over an unencrypted, clear-text connection, where it can be easily captured. This all happens in the background, almost seamlessly to the user. In such an attack, the only noticeable difference is likely to be “http” rather than “https” in the browser’s address bar, or a missing lock icon, which is unlikely to be enough of a warning to alert the user to what is happening unless they have been trained to detect such an event.
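The visible footprint the paragraph describes (a site that was https now loading over http) can also be caught from the network side. This added Python example, not part of the original post, scans constructed proxy log lines in an assumed “time client method url” layout and alerts when a client that reached a host over HTTPS later sends it plain-HTTP requests.

```python
"""Detect the HTTPS-to-HTTP downgrade described above in web proxy logs.
Added example, not CyberSheath's tooling; the log lines are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log in an assumed "<time> <client> <method> <url>" layout
PROXY_LOG = """\
09:01:02 10.0.0.5 GET https://mail.example.com/inbox
09:01:09 10.0.0.5 GET https://files.example.com/home
09:14:30 10.0.0.5 GET http://mail.example.com/login
09:14:41 10.0.0.5 POST http://mail.example.com/login
09:15:03 10.0.0.8 GET http://news.example.org/
09:15:20 10.0.0.8 GET https://files.example.com/home
"""


def parse_log(text):
    """Yield (time, client, method, scheme, host, path) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time, client, method, url = line.split()
        parts = urlsplit(url)
        yield time, client, method, parts.scheme, parts.hostname, parts.path


def find_downgrades(text):
    """Alert on every plain-HTTP request to a host the same client already reached
    over HTTPS: that is the visible footprint of the attack (https turning into http).
    A POST in that state is rated high, since it has the shape of a captured login.
    Blind spot: a host the client never used over HTTPS cannot be flagged this way."""
    seen_https = defaultdict(set)    # client -> hosts it has used over TLS so far
    alerts = []
    for time, client, method, scheme, host, path in parse_log(text):
        if scheme == "https":
            seen_https[client].add(host)
        elif scheme == "http" and host in seen_https[client]:
            alerts.append({"time": time, "client": client, "host": host, "method": method,
                           "path": path, "severity": "high" if method == "POST" else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_downgrades(PROXY_LOG):
        print(f"{alert['time']} {alert['client']} {alert['severity'].upper()}: "
              f"{alert['method']} http://{alert['host']}{alert['path']} after HTTPS use")
```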
If users do not understand the basic attacks that can deceive them into letting attackers through the front door, such a compromise is bound to happen, and it remains a legitimate concern for their organization. Human risk is difficult to mitigate, even though it is one of the easiest and most common weaknesses for an attacker to exploit. Organizations are realizing this and rethinking how they provide security awareness training to their employees. Security awareness has long been a compliance-based necessity, but more and more organizations are reaching beyond compliance and trying to achieve best-practice standards.
Educating your employees on common cyber threats like SSL spoofing, phishing attacks, and social engineering can reduce your organization’s human risk level. According to Forbes magazine, in 2015 companies spent $1 billion annually on security awareness training in an attempt to reduce human risk. When combined with testing procedures to collect relevant metrics, a security awareness program can have very real, tangible effects on your organization’s overall risk. However, building out an effective, mature security awareness program is not a small undertaking. Understanding what training to provide to particular employees, and how to then test them to ensure they are able to apply the information, can be difficult and time-consuming. As organizations begin to recognize the value in addressing human risk, the need to implement security awareness capabilities programmatically and strategically becomes ever more pressing. Approximately 70% of cyber attacks use a combination of phishing and hacking techniques; with the increase in technical security and hardened defenses, end users are proving to be easy targets for attackers.
If your organization is struggling to control human risk and to implement an effective security awareness program, CyberSheath can assist you in constructing a program that trains your employees on a variety of security topics, enables a broad security mindset, addresses behavioral risks as they relate to security, and ultimately reduces the number of security events due to human risk. We provide services that assist clients in building and maintaining security awareness programs that not only meet compliance requirements but go above and beyond to impact an organization’s human risk level through effective policy/program design, implementation, and a proven metrics framework.