NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

Cyber Hygiene 101: Implementing Basics Can Go a Long Way

With so many data breaches and cyberattacks to date this year, damages resulting from those attacks are skyrocketing to unforeseen amounts. In the past few weeks alone, a wide array of attacks has wreaked havoc on organizations large and small, with one of these incidents impacting over 100 million individuals.

Will investing in more security technology solve the problem?

Since I’m asking this question, you’re probably already thinking ‘no!’. What we have seen is that a lot of organizations are actually investing in quite a few IT security products and services. The question not being asked is whether that money is being invested in the right places.

With tightening budgets elsewhere in your organization, I’m sure that investing additional money in security technology is something that you and your leadership are not entirely sold on. Much of the time there is no visible return on this investment, and it’s hard to tell whether you’re spending money on the right tools to keep your organization secure long term.

Rather than asking whether investing in technology will help solve our collective security problems now and in the future, the better question to ask is: am I spending money on security in the right places within the organization?

When we’ve evaluated data breach incidents and ransomware attacks post-mortem, what’s clear is that most of the organizations we work with and have analyzed have poor cyber hygiene, a problem that sits well below the level where investing additional money in expensive solutions would help.

Because of this, and because of what many of the defenders and network penetrators at one of the biggest cybersecurity conferences of the year (which happened a couple of weeks ago) have been pointing out for some time, I want to provide some clear steps every organization can take to shore up its network defenses before spending good money after bad on security solutions.

Please note that making your organization more cyber secure is not a simple task, but most of the challenge isn’t really with technology alone.

To start, consider making sure you have a baseline of cyber security practices (or hygiene). Just as you probably have personal hygiene standards you take relatively seriously (as in you don’t want to be singled out for bad breath, body odor, or wrinkled or torn clothing), you might want to consider having some hygiene in how you and your staff work in a connected world.

The objective of cyber hygiene is essentially to keep your organization healthy, just as personal hygiene keeps you healthy. And while many people in your organization might simply point the finger at IT as the party responsible for cyber hygiene, in today’s connected world each of us has too much ability to share something, or unknowingly do something, that could cause harm in the workplace.

Cyber hygiene—if used correctly—spans beyond departmental borders and is etched into our organization’s cultural beliefs.

 

So, what are some of the basics of cyber hygiene to focus your teams on?

 

Cyber Hygiene 101

Some of the most basic cyber security hygiene practices often go overlooked until it’s too late. The basic steps to get your team on track will likely depend on some frameworks instituted by the National Institute of Standards and Technology (also known as NIST). Here are some of the basics your office should aspire to:

Know What’s Out There: your organization should be able to identify what is on your network. That might include servers, network devices, printers, data, IoT devices (and many more). Your assets may be physically present at your facility or in the cloud. Make sure to take stock of what you have on your network, and classify what types of data each asset stores.

Educate Your Human Side: cyber security awareness goes a long way in keeping your office safe if executed correctly. We all may learn a bit differently, but one thing is certain: if we don’t practice, we’re not going to be very good at detecting a real threat. Since threats today change at a relatively rapid pace, it might be a good idea to encourage your team to refresh themselves with trainings (or, even more valuable, experience-based learning, alerts and storytelling) throughout the year rather than conducting an annual PowerPoint presentation. Social engineering and phishing were both major ways hackers have been successful in getting into networks over the past year.

Make Sure Your Data Is Really All There: back up your data regularly. Make sure that those backups are really working and that you are able to restore from a backup in the event of failure. Additionally, make sure your backups are NOT connected to your primary network (most hackers nowadays will search your network for backups, and over 70% of the time they are successful in completely erasing them).

Detect and Patch Vulnerabilities: make sure your vulnerabilities are getting found. Regularly patch your operating systems, software and device firmware.

Ultimately, keeping cyber hygiene a priority is a business problem, not just an IT problem. Having sound policies, procedures, plans and processes to address current cybersecurity threats will go a long way to keep your business resilient to changing threats. Having a strategy focused on gradual improvement will go a long way towards immunity from recent infections and can help minimize your future risk of falling victim to attacks.

 
