There is a new data breach in the news every day. Today’s report comes via security awareness training firm KnowBe4 but is attributable to an FBI Alert released on Sept 18, 2018. They say, “Cybercriminals target employees through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account in order to change their bank account information. Rules are added by the cybercriminal to the employee’s account, preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card.”
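The alert's detail that attackers add rules to suppress direct-deposit notifications gives defenders something concrete to look for. The following added example (not from the FBI alert or from CTaccess) reviews an export of mailbox rules and flags any that delete or bury payroll-related mail; the record fields, keyword list, folder list, and sample data are assumptions constructed for illustration.

```python
# Added example: flag mailbox rules that hide payroll / direct-deposit alerts.
# The record layout, keywords and folder names are assumptions, not a vendor schema.
import re

PAYROLL_TERMS = re.compile(r"direct\s*deposit|payroll|bank\s+account", re.IGNORECASE)
# Folders users rarely open; mail moved here is effectively hidden.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}


def hides_mail(rule):
    """True if the rule's action keeps a message out of the user's view."""
    folder = (rule.get("move_to_folder") or "").strip().lower()
    return bool(rule.get("delete") or folder in HIDING_FOLDERS)


def matches_payroll(rule):
    """True if any match condition mentions payroll-related wording."""
    conditions = (rule.get("subject_contains", [])
                  + rule.get("body_contains", [])
                  + rule.get("from_contains", []))
    return any(PAYROLL_TERMS.search(c) for c in conditions)


def suspicious_rules(rules):
    """Return (mailbox, rule name, action) for enabled rules that suppress payroll alerts."""
    findings = []
    for rule in rules:
        if rule.get("enabled", True) and hides_mail(rule) and matches_payroll(rule):
            action = "delete" if rule.get("delete") else f"move to {rule['move_to_folder']}"
            findings.append((rule["mailbox"], rule["name"], action))
    return findings


# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"mailbox": "a.lee@example.com", "name": ".",
     "subject_contains": ["Direct Deposit"], "delete": True},
    {"mailbox": "b.kim@example.com", "name": "Newsletters",
     "from_contains": ["news@example.org"], "move_to_folder": "Reading"},
    {"mailbox": "c.roy@example.com", "name": "hr",
     "body_contains": ["payroll change"], "move_to_folder": "RSS Feeds"},
    {"mailbox": "d.ong@example.com", "name": "Payroll",
     "subject_contains": ["Payroll"], "move_to_folder": "Finance"},
]

if __name__ == "__main__":
    for mailbox, name, action in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} -> {action}")
```

A rule that merely files payroll mail into a visible folder (the last sample record) is not flagged; only rules that delete the message or move it somewhere the user is unlikely to look are reported for review.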
In this ever-changing world of cybersecurity, the criminals are getting craftier and more aggressive. All it takes is one slip-up and access to bank accounts, our internal network, and other privileged data is at risk. How do we know if we are secure and doing the right things to protect our organization?
Here are 7 Keys to Keeping your Organization Cyber-Secure:
1. People Awareness – This is the often-assumed area of cybersecurity. We say, “My people know better than to do that. They have been told. We send an email periodically reminding them.” While these things are good, they do not comprise a real cybersecurity awareness campaign. Is this how we approach training our teams about other things? Hopefully not! It is proven that people need solid training and regular reinforcement to truly be aware. We recommend quarterly video-based training that addresses actionable information on avoiding the latest scams. We also recommend a follow-up real-life test with an email that tests them with a little temptation to click. Let’s face it, even some of us who should know better have clicked. The only way to increase safety is to keep the issue front and center.
2. Perimeter Security – Almost everyone has perimeter security these days, but not everyone has good perimeter security. Perimeter security is most often represented by a firewall, but could also include your wireless solution. It is the device/software at the edge of your network. The firewall stands between you and the Internet. It allows and disallows traffic based on how it views that traffic. We sometimes liken it to a traffic cop at an intersection. He blocks and directs and keeps the good stuff coming in and the bad stuff turning away. Wireless has to have the smarts to direct traffic a little differently. It should only allow the right people access to the internal corporate network. If you have old devices or cheap devices, they could be likened to a traffic cop whose eyesight has failed, and he can’t tell what he is letting through the intersection.
3. The New Anti-Virus/Anti-Spyware/Anti-Spam – These tools and technologies have been around forever. We all have them, and it often seems they don’t do much. At one point the word in the industry was, “Anti-Virus is dead”. Others have said the free stuff is just fine. I strongly recommend the best commercial paid-for protection you can get. Things are evolving with these technologies. Most commercial Anti-Virus, Anti-Spyware, and even Anti-Spam packages have also released a new “next generation” package of some sort and these new features have credibility. Many automatically open a suspicious attachment in a web-hosted sandbox before allowing you to open it. Some new versions of Anti-Spam will scan and block URLs that are not good and force them to be analyzed before you can follow them. The key is to ensure that you have one of these new products. The old standby is not the best way to go anymore.
4. Data Protection – Knowing where your data is and what is at risk is a huge part of staying safe. Most companies have employee information that must be secured along with their own banking and financial information. Some have trade secrets, formulas, or proprietary information they would not want leaked. And then, there is customer information, which is what we hear the most about when there is a leak. All of these are huge risks. Over time, we tend to lose track of where this data exists. When we do PII (Personally Identifiable Information) scans during Security Assessments, we find PII scattered all over different servers and machines. Once you know where the information is that you need to protect, using a method of encryption is important. Encryption locks the data with a passcode, so that there is an extra level of protection on it. This sounds intrusive, but modern systems make it as simple as possible. It is a necessity and gives you some security should you have a breach or theft of equipment. Keep in mind, we are protecting the data, but sometimes more importantly, your reputation as a company. Nobody wants their organization to be in the news for a data breach.
5. Systematic Updates – It is such a simple thing, but many companies fail here. Every organization needs a method for pushing patches to endpoints (PCs and laptops). Without these updates, your systems are vulnerable to attack. The only way to ensure this happens is to use an automated tool, either Microsoft’s WSUS or a commercial tool that also allows you to push third-party updates. Or better yet, an IT service provider who manages these updates for you. In addition to these pushed updates, many devices like switches, firewalls, wireless units, cameras, and others, need manual firmware updates to stay secure. Make sure your organization is doing these in a systematic way.
6. Network Policy – Every organization should have a network security policy in place that enforces certain criteria on the users of the network. The most common of these policies is a password complexity and change policy. There are many more that are important: controlling use of USB drives, rogue devices, use of file-sharing utilities, and more. Having these policies defined and enforced is an absolute necessity. The most resisted in companies under 200 users is a password change policy. The resistance is understandable. It creates extra work for everyone to change and remember passwords. This policy is an absolute must. Without it, accounts that are no longer in use can become an entry point, simple password cracking utilities can get a hacker in, and a breach becomes likely.
7. Behavioral Policy – Policy about how our users use the technology infrastructure is important. We can’t control everything with a network policy. Specific policy should be in place about sending files, using public WiFi, using public or shared computers for access to company systems, sharing of accounts and passwords, and more.
October is Cybersecurity Awareness Month and a good time to re-assess your level of security. It may be time to take a closer look at where you stand.
CTaccess, Inc. now offers complete Cybersecurity and Vulnerability Assessments using our three-step process to Assess your vulnerability, Remediate the problems, and keep you secure. This new offering includes an advanced security dashboard, an actionable remediation plan, systematic security awareness training, and even policy development. Please help us spread the word!