With spring in full swing, organizations should definitely dedicate some time to scrubbing and sprucing up their security. While for many households clearing clutter is an annual ritual that marks the end of the winter and the beginning of the spring, digital spring cleaning is key for companies to avoid data breaches.
Over 4.5 billion records were compromised in the first quarter of 2019, reported IT Governance. Last year, the global average cost of a data breach was $3.86 million and the average cost for each lost or stolen record containing sensitive and confidential information was $148, according to a Ponemon Institute study.
While many CISOs still consider zero-day threats one of their chief concerns, they are actually being employed much less frequently. Most cyberattacks are surprisingly unsophisticated – so simple, in fact, that the NSA reports 93% of them could be prevented just by incorporating some basic best practices.
It’s important to highlight that hackers no longer need to put in the time-consuming effort necessary to elaborate new attacks, because they know they can sneak through companies’ defenses just by taking advantage of poor IT hygiene.
This is the very reason for this article. To kick off the new season, XM Cyber has pulled together a few wise steps to improve your IT hygiene and reduce the risks of your company joining the year’s feared list of breach victims:
1. Polish your password management
Using a different password for each of your online accounts seems tough for most people. After all, remembering them all can be nearly impossible, particularly if you want to use strong logins that are difficult to crack. The solution to both of these problems is a secure password manager, which will generate strong passwords for you using a combination of letters, numbers and special characters, and store them all in an encrypted vault. My tip: cloud-based password managers can get hacked. Oh, yes, any online-based solution may itself a target. Use an offline password manager with multi-layer encryption, like a private key together with a strong but memorable unique password.
2. Eliminate login risk with multi-factor authentication
Using multi-factor authentication is currently the best way to add an extra layer of security to your online accounts for services like Google, Facebook, Twitter, Dropbox, and many others. Usually, it involves sending a unique code sent to your smartphone that you enter along with your password. Or you can generate an individual code, using your phone using apps like Google Authenticator or Microsoft’s Authenticator app. It’s also done using something you have like a special USB key with a unique token or using biometric data from an iris scan or fingerprint. It’s important to say multi-factor authentication is relevant only during the login phase. It doesn’t help protect your device in other attack phases.
3. Sweep out unauthorized applications
Applying application whitelisting in your organization and only authorized software will be allowed to run. This way, unknown executable files, malware or ransomware will just not be able to run. Whitelisting is a very good practice that I strongly recommend to most IT administrators to prevent unauthorized executable files or programs from running on their system. Home users too can take advantage of whitelisting.
4. Clear out employees’ doubts by educating them
One of the biggest vulnerabilities in organizations’ IT is their people. Protecting your systems from online threats starts with educating your employees, it’s the best way to prevent high-profile breaches. Ironically, one aspect of IT security that is often overlooked is the easiest – and usually cheapest – to implement: employee education. Training and educating your employees, no matter what size of your business, should be one of your top priorities. That may include internal campaigns against phishing attacks (e.g. sending reminders about suspicious links and attachments) and several other topics. Be creative and overall communicative.
Email is one of the main delivery vehicles for phishing attacks, along with malware campaigns such as ransomware attacks. Bad actors are using increasingly complex psychology techniques to send credible emails, getting even the most trained and sophisticated users to click on links and attachments. Phishing simulator tools monitor millions of emails, URLs, files, and other data points each day for the latest threats. This tip is supplementary to educating your employees. Help them understand how to spot an advanced attack and prevent future breaches.
5. Wipe out admin privilege to users who don’t need them
That means you must revoke the rights of those who don’t need them. When more people have access to company data but are not knowledgeable about information security, this means a higher risk of data and security breaches for your business. Limit the number of users with administrative privileges. The rule is: don’t be generous, ask the real need for the user’s everyday work. Don’t give security shortcuts.
6. Eliminate joint WiFi connections for employees and guests
Companies should provide a guest WiFi network that is separate from their private network infrastructure. Hackers can penetrate a victim’s computer without their knowledge and then pivot to other information systems. Ensuring that only computers and devices approved by a company’s information security personnel have access to the private network will make it more difficult for attackers to penetrate that barrier.
7. Cleanse (or at least limit) BYOD
While a large majority of companies now permit employees to use their own devices for work, they have concerns over security and privacy. What can be scarier is that some organizations are extending the BYOD (bring your own device) practice to contractors, partners, customers, and even suppliers. Security concerns are the main barrier to BYOD. The main worry is data leakage, followed by unauthorized access to data and an inability to control uploads and downloads.
8. Clean out public connection risks with VPN
Many employees work remotely through network access points or “hotspots” that are outside of the company’s IT team’s control. What they are all too often unaware of is the fact that bad actors can spoof what may look like legitimate hotspots to lure victims to send traffic such as emails, passwords and documents through their equipment, and thereby steal data. Mitigate this risk by offering users a virtual private network (VPN) that provides end-to-end encryption for the data the employee is transmitting so that it is much more difficult for the adversary to exploit the data.
9. Clear exposed sensitive data by enabling full-disk encryption
Ensure your organization’s computers have full disk encryption enabled. This will protect information by converting it into unreadable junk that cannot be deciphered easily by unauthorized people. Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. Nearly everything including the swap space and the temporary files is encrypted. With full disk encryption, the decision of which individual files to encrypt is not left up to users’ discretion.
10. Shine your crown jewels with an automated purple team
Simulate, validate and remediate attack paths to your critical assets with a fully automated breach and attack simulation (BAS) platform. XM Cyber’s HaXM continuously exposes attack vectors, above and below the surface, from breach point to any organizational critical asset. This continuous loop of automated red teaming is completed by ongoing and prioritized actionable remediation of organizations’ security gaps. In effect, HaXM by XM Cyber operates as an automated purple team that fluidly combines red team and blue team processes to ensure that organizations are always one step ahead of the cyber-attackers.