14 March 2017
We all know it should be a top priority, yet even the biggest corporations struggle to keep up the standards: is there always something you will miss? Some might think: “If the big companies with all their specialists can’t stop mysterious hackers from stealing their data, and I’m not Batman, what can I do?”
But they might be mistaken. Think about the following 9 topics in your business and fight cyberattacks more effectively.
1. You are as strong as your weakest link
Executives and security teams usually pay the most attention to securing the critical assets, including high-profile employees, which is essential but definitely not enough. Ultimately, all a potential attacker needs is a single entry point into the organization’s network; from there it’s practically “game over.” Securing the regular employees is a top priority, because they are usually less aware of cyber security and of the potential consequences of a breach. Otherwise, it’s like closing the door but leaving the window open. Build a culture of cyber security awareness!
2. GDPR (General Data Protection Regulation) — pay attention to regulations, be prepared so you won’t be surprised
The new European Union regulation is due to apply from May 2018. Although it looks like a great initiative that intends to give citizens back control of their personal data and to simplify the regulatory environment, it has many implications for organizations that take time and are hard to implement; some are even practically impossible, such as the 72-hour breach notification rule. How can a company do that, if the average breach discovery time is more than 200 days? Fines for not following the regulation are enormous. Organizations must start preparing today in order to be ready on time. Ask any third-party vendor you work with whether they meet the requirements, and demand that they do whatever is needed for that matter.
3. Business process
When did you last review the company’s business process with your IT team to discuss possible risks? Despite all your efforts, you can’t make all of your cyber security bulletproof. Give priority to the risks that might affect and harm the business flow, and make sure the IT team clearly understands the business process. In today’s world a bank, for instance, must secure its website and mobile application no less than its vault. The impact of a defaced website and the resulting loss of reputation translates directly into huge amounts of money. In many cases it’s the CEO’s responsibility to make sure the technical team understands that.
4. Backup, Backup, Backup
You can’t overstate the importance of a solid backup and the ability to recover all your data quickly. The rise of ransomware, malicious software designed to block access to a computer system until a sum of money is paid, will most likely continue significantly in 2017. You can’t assume that paying the money will always release your assets and data, so you must have a good backup mechanism that restores all your data when it is needed. Make sure your data is backed up on a regular basis, and that there is a clear recovery procedure which has been practiced.
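A backup that has never been restored is only a hope. The following is an added example, not code from the original article: it records a manifest of file hashes at backup time, restores the archive into a scratch directory and compares every file against the manifest, which is the "practiced recovery procedure" the paragraph asks for. The directory layout, file names and archive format are assumptions constructed for the demo.

```python
"""Added example, not from the original article: a backup-and-restore drill.

Assumed setup (constructed for this demo): files live in a directory tree,
backups are tar.gz archives, and a backup only counts as good once a test
restore reproduces every file byte for byte against a manifest recorded at
backup time.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_tree(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive the tree and return the manifest taken at backup time.

    The manifest is what a later restore drill is checked against."""
    manifest = fingerprint_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_drill(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and compare it with the manifest.

    Returns the relative paths that are missing or differ; an empty list means
    the drill passed. The scratch directory is discarded afterwards."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter (Python 3.12+, backported to maintenance
                # releases) refuses absolute paths, '..' traversal and special
                # files inside the archive.
                tar.extractall(target, filter="data")
            except TypeError:  # interpreter without extraction filters
                tar.extractall(target)
        restored = fingerprint_tree(target)
    return sorted(rel for rel, digest in manifest.items() if restored.get(rel) != digest)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: back up a small tree and drill it, then create a
    file after the backup and drill the same archive against the current tree."""
    with tempfile.TemporaryDirectory() as workdir:
        work = Path(workdir)
        source = work / "data"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "contract.txt").write_text("signed 2017-03-14\n")
        (source / "ledger.csv").write_text("id,amount\n1,100\n")
        archive = work / "backup.tar.gz"

        manifest = create_backup(source, archive)
        fresh_result = restore_drill(archive, manifest)  # nothing missing

        # A file created after the backup is not in the archive: drilling
        # against today's tree flags it, which is why backups must be regular.
        (source / "new_report.txt").write_text("created after the backup\n")
        stale_result = restore_drill(archive, fingerprint_tree(source))
        return fresh_result, stale_result


if __name__ == "__main__":
    print(demo())
```

The second drill in `demo` is the important one: it compares the archive against the data as it is today, not as it was at backup time, so it surfaces exactly the files a restore would lose. Running that comparison on a schedule turns "we have backups" into a measured recovery point.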
5. 123456 — if you allow these types of passwords in your organization don’t be surprised when a breach happens
“123456” and “password” were the most used passwords in 2016. In general, it’s much easier and cheaper for an attacker to break into your system than for you to protect it. Don’t make it too easy and trivial. Make sure people change their passwords and don’t use default passwords. Enforce a password policy; there are plenty of good tools for that. Encourage long and strong passwords, and two-factor authentication wherever possible.
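What "enforce a password policy" can look like in code: this is an added example, not from the original article or any particular tool. It rejects the passwords the paragraph names even when they are dressed up with trailing digits or character substitutions, and also refuses default passwords, passwords containing the username, keyboard walks and repeated characters. The word lists are short constructed stand-ins for the full breached-password lists a real deployment would use; the minimum length and violation names are assumptions.

```python
"""Added example, not from the original article: a password policy check that
rejects the kind of passwords the article names. The common and default
password lists are constructed stand-ins for real breached-password lists.
"""
from __future__ import annotations

import re

MIN_LENGTH = 12  # assumed policy value

# Constructed stand-ins for a breached/common-password list and vendor defaults.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein", "football"}
DEFAULT_PASSWORDS = {"admin", "changeme", "welcome", "default"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Substitutions people use to dress up a weak word ("P@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the word underneath: lower-case, drop trailing
    digits/symbols ('Password2016!' -> 'password'), undo leet substitutions."""
    core = password.strip().lower()
    core = re.sub(r"[\d\W_]+$", "", core)
    return core.translate(LEET)


def has_sequence(password: str, run: int = 5) -> bool:
    """True if the password contains a run of consecutive characters ('abcde',
    '12345') or a keyboard-row walk ('qwert'), forwards or backwards."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy violations for a candidate password; empty means accepted."""
    problems: list[str] = []
    lowered = password.lower()
    core = normalize(password)

    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common_password")
    if lowered in DEFAULT_PASSWORDS or core in DEFAULT_PASSWORDS:
        problems.append("default_password")
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains_username")
    if has_sequence(password):
        problems.append("sequential")
    if re.search(r"(.)\1{3,}", lowered):  # same character four or more times in a row
        problems.append("repeated_character")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2016", "Welcome1", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, username="welcome"))
```

The normalization step is what makes the check worth having: without it, "P@ssw0rd2016" passes a naive blocklist lookup while being one of the first guesses any attacker tries. Two-factor authentication, which the paragraph also recommends, is the compensating control for the passwords that still slip through.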
6. Limit access — Should Snowden have had access to all that data?
Implement and enforce a very strict access control policy. Everyone should have as few permissions as possible. For an IT team, it’s easy and natural to give everyone full access by default. It makes life easier: no need to control and manage permissions, no service calls for granting additional permissions, no technical service faults for denied access. From a cyber security point of view, it’s a catastrophe. Not only are you giving uncontrolled and unlimited power to the “enemy within,” a potentially malicious, frustrated or just bored employee, you also make an attacker’s life ridiculously easy: once a single account on your system is compromised, the attacker has access to everything they could have been longing for. Everyone should get access to the minimum they need for their daily job.
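To make the "minimum they need" concrete, here is an added example that is not from the original article: a default-deny role model in which every permission must be listed explicitly, plus two review functions, one that shows how far a single compromised account reaches and one that lists grants nobody has used during a review period. The roles, users, resources and access log are all constructed for the demo.

```python
"""Added example, not from the original article: a default-deny permission
model and a least-privilege review. Roles, users and the access log are
constructed for the demo; actions and resources are plain strings.
"""
from __future__ import annotations

# Each role is an explicit allow-list of (action, resource). Anything not
# listed is denied; there is no "full access" role at all.
ROLES: dict[str, set[tuple[str, str]]] = {
    "accountant": {("read", "ledger"), ("write", "ledger")},
    "developer": {("read", "source"), ("write", "source"), ("read", "ci-logs")},
    "helpdesk": {("read", "user-directory"), ("reset-password", "user-directory")},
}

# Constructed staff list. Carol was given a second role "for convenience".
USERS: dict[str, set[str]] = {
    "alice": {"accountant"},
    "bob": {"developer"},
    "carol": {"developer", "accountant"},
    "dave": {"helpdesk"},
}

# Constructed access log of (user, action, resource) for one review period.
ACCESS_LOG = [
    ("alice", "read", "ledger"), ("alice", "write", "ledger"),
    ("bob", "read", "source"), ("bob", "write", "source"), ("bob", "read", "ci-logs"),
    ("carol", "read", "source"), ("carol", "write", "source"),
    ("dave", "read", "user-directory"),
]


def permissions_of(user: str) -> set[tuple[str, str]]:
    """Union of the user's role allow-lists; unknown users get nothing."""
    grants: set[tuple[str, str]] = set()
    for role in USERS.get(user, set()):
        grants |= ROLES.get(role, set())
    return grants


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Default deny: allowed only if some role of the user lists the exact pair."""
    return (action, resource) in permissions_of(user)


def blast_radius(user: str) -> set[str]:
    """Resources reachable through this one account if it is compromised."""
    return {resource for _action, resource in permissions_of(user)}


def unused_grants(log: list[tuple[str, str, str]]) -> dict[str, set[tuple[str, str]]]:
    """Grants a user never exercised during the review period: candidates to revoke."""
    used: dict[str, set[tuple[str, str]]] = {}
    for user, action, resource in log:
        used.setdefault(user, set()).add((action, resource))
    report: dict[str, set[tuple[str, str]]] = {}
    for user in USERS:
        unused = permissions_of(user) - used.get(user, set())
        if unused:
            report[user] = unused
    return report


if __name__ == "__main__":
    print("alice reads ledger:", is_allowed("alice", "read", "ledger"))
    print("alice reads source:", is_allowed("alice", "read", "source"))
    for user in USERS:
        print(user, "blast radius:", sorted(blast_radius(user)))
    for user, grants in unused_grants(ACCESS_LOG).items():
        print(user, "never used:", sorted(grants))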
7. Cyber security budget
What’s your cyber security budget? Is it up to date and does it fit your needs? The landscape of cyber threats and attackers is evolving at an astounding pace. You must keep up and understand the threats.
Hold semi-annual talks with the IT team, understand their needs and make sure you do everything possible to give them the resources they need.
8. Be ready for the next breach
You can always hope it won’t happen, but be ready as if it’s going to happen tomorrow. Hackers love to attack at the worst times. They know when you can’t afford downtime, when the whole IT department is on vacation, and when you must install a new version on your biggest client’s network. Every part of the company should be prepared for the worst. Businesses need to practice their security operations by simulating emergencies, and they should have a public relations strategy for reporting incidents to employees, customers and the media.
9. Tactic vs. Strategy
Are you just trying to meet compliance requirements and regulations with the minimum security needed? Then you will most likely find yourself putting out fires very often, instead of dealing with the problem for the long term. A secure organization is something you implement, inspect and enforce. It’s not a sprint, it’s a marathon. You should build security awareness and a secure culture, very much like any other culture you want to have in the organization: step by step, with policies, simulations, information assurance training, and so on.
Are you still thinking about how much easier cyber security life would be if you were Batman? It’s ok, we understand. But implementing the tips above in your business will be a start!
Anna Kletzmayr contributed to this text, which originally appeared on Medium.