Staying CyberSmart

Staying CyberSmart

Sue Olsen

Sue Olsen

Six Important Cybersecurity Questions for Your Company

Since October is Cybersecurity Awareness Month, I’d like to share some spooky statistics about cybercrime. According to a recent study

  • 60% of companies have experienced a cyber attack during the pandemic
  • 51% say that malware or exploits got past their defenses
  • 42% of companies report that they have no idea how to defend against attacks aimed at remote workers

The rise in remote workers has brought with it a corresponding weakening in security practices. After all, even the most security-conscious people tend to let their guard down when they’re at home. And because most threat actors are opportunistic, times of change are their happiest: it’s been more like Christmas to them than Halloween. The opportunities (and types of attacks) seem to have multiplied. Social engineering, ransomware, and phishing attacks are getting more sophisticated, even targeting social apps or — particularly despicable — sending COVID-themed emails. And this is to say nothing of the other big attack source: internal threats.

There’s a reason we take a month each year to focus on cybersecurity. So now, in the spirit of this week’s theme, “Do Your Part. Be CyberSmart”, here are some important questions to ask yourself about the cybersecurity practices at your company.

How’s Your Security Posture?

To maintain adequate security, it’s important to take an honest look at your current posture. This is crucial to making real and significant changes to your security program. Try to think like a bad actor and look for areas where you can improve security. 

Remember, bad actors will take the time to perform in-depth reconnaissance. They will identify all the weak points, where most valuable data resides, and what countermeasures appear to be in place. You should do the same. Cybercriminals are more active than ever, as evidenced by several recent high-profile breaches such as Facebook, Instagram, and LinkedIn. To stay ahead, your organization must find security gaps before they do. 

Take these steps to reduce your risk:

  • Implement password management, multi-factor authentication, or Single Sign-On solutions to keep employee credentials safe
  • Integrate endpoint security and identity management solutions
  • Consider role or identity-based access that is time-bound and well monitored to gain control and visibility into the utilization of privileged access

You can also enable identity security through the cloud to keep up with growing corporate applications and services. Scan your cloud environments for security misconfigurations such as users without MFA, misconfigured policies or networks allowing external access.

Do You Know Where Your Data Is?

Data is like money in the bank for bad actors. Unfortunately, too many organizations don’t know what information is stored where — which makes knowing who accesses it even harder. Even organizations that think they know where their data resides can be wrong.

It’s common for employees to make copies, dump portions of a database, or create shadow IT systems to make their daily tasks easier. Shared drives — and even employee workstations — may contain sensitive information. Take the time to identify where your data is, including all of the spots it “shouldn’t be.” Invest in a solution that discovers shadow IT and be sure it integrates with your cloud environments. You can’t secure what you don’t know exists.

Leveraging the cloud is another way in which data can be managed and secured. Shadow IT,  such as database dumps to Excel or other large hand-made data stores, are often created to make internal sharing of information easier. While the reasoning behind it makes sense to the end-user, it is dangerous from a security perspective. Instead, provide  safe (and managed) cloud sources of data that can easily be shared and monitored internally to eliminate the motivation to generate shadow IT. 

Take these steps to reduce your risk:

  • Implement a cloud privileged access management solution that will scan your cloud environments and highlight any misconfigurations that could lead to data exposure.
  • Implement data access governance, which helps discover and manage structured and unstructured data, which should be backed up by robust device inventory scanning to guarantee you know which devices are accessing sensitive data.

Are You Cyber-Aware When You’re Not at Work?

As offices reopen, don’t forget: digital security starts in the physical world. Physical security isn’t limited to office workspaces. It can include anywhere employees work. Ensuring that devices used at coffee shops have screen locks in place, encrypted hardware storage, and never left unattended helps prevent corporate secrets from wandering off. 

While valuable on the resale market for thieves, these devices have an even greater value if they are left unlocked and unattended. Corporate data on these unsecured devices can be easily harvested and sold on dark web marketplaces for far more than the device is worth. 

Take these steps to reduce your risk:

  • Encrypt storage and automatically lock screens to make it far more challenging for bad actors to get at this data. This can make the difference between organizations experiencing a data breach or replacing stolen hardware. 
  • Install mobile device management and device encryption software to wipe misplaced or stolen devices if they fall into the wrong hands.
  • Educate your employees about these threats. It’s easy to forget bad actors aren’t only online. They can be a risk in the physical world as well.

If You Were a Bad Actor, What Would You Do?

Bad actors don’t approach your IT ecosystem attempting to use it as directed. They think of edge cases and look to circumvent normal processes. This is a starting point to find holes in processes, procedures, and security in general. Using the systems in ways you don’t expect can help catch exceptions and identify gaps. This process may involve thinking “what happens if” and testing it. Thinking exposes hidden risks and unexpected application behavior. Knowing is half the battle when improving security.  

Take these steps to reduce your risk:

  • Institute a bug bounty program to offer attackers a bounty for finding and disclosing bugs privately to your organization. Leverage the power of the “hacker community,” which has expertise in finding vulnerabilities without having to direct significant internal resources to find them. 
  • Organizations can also run simulations to proactively measure and fine tune how they can respond to common attacks.

Are There Too Many Superusers in Your Organization?

Internal administrators can feel a lot like Superman. They often come into a problematic IT situation and save the day. On the surface, this power makes them the glue that holds the IT organization together. But what organizations often don’t understand is that this power is a double-edged sword. If it’s subverted that great force for good can become a force for evil. 

This transition can happen when bad actors steal superusers’ credentials or use malware and social engineering to take over accounts and make lateral movements across the IT environment. Sometimes the superuser can even become a bad actor along the way. 

Take these steps to reduce your risk:

  • Build your security perimeter at identity. In particular, reduce always-on privileges, add “right-sized” access for all human and machine identities
  • Use a zero standing privilege model: individuals can get the rights they need to do the job when they need it, with just-in-time privilege elevation and time-bound access. Use pre-built access roles to provide precision access that expires automatically – for all human or machine identities
  • Limit privilege creep and access threats by adopting a Zero Trust approach and use the least privilege model for access control
  • Incorporate contextual identity information (such as average peer usage or requestor’s role permissions) and device information, user behavior, and analytics into access request processes  

Are Your Employees Aware of the Risks?

Employees are either your greatest security risk or your cybersecurity front line. Training makes the difference. Whether your security team creates in-house training or hires an external company like Knowbe4, it’s crucial to arm your workforce with security awareness training. Employees unfamiliar with common phishing, vishing, and social engineering attacks open a gaping hole in your security posture. And bad actors can crawl right through. 

Take these steps to reduce your risk:

  • Train your employees in end-user security basics to equip them to recognize common types of attacks, fend them off, and report suspicious events. 
  • Simulate phishing attacks on your employees to train them not to click/open emails.
  • Remind employees not to let their guard down when working off-site.

Cybersecurity is a discipline. It works best when you treat it as an important part of your company’s culture. The threats are out there and they’re getting more sophisticated every day. Adopting a proactive stance against today’s ever-increasing threat landscape is the most effective way of mitigating cybersecurity risks and protecting your business, your employees, and your bottom line. 

For more information on how you can be CyberSmart, check out these resources:

Schedule a Demo

Ready to see our solution in action?
Sign up for your demo today.