Every year in October, the Department of Homeland Security (DHS) promotes National Cybersecurity Awareness Month – a time when organizations are asked to take stock of the state of their network security. However, as we head into the holiday season, with Cyber Monday and other online sales and promotions abounding, cybersecurity for both businesses and consumers is an issue everyone should pay attention to year-round.
The fact is, businesses are struggling with data breaches and slowdowns caused by hackers and malware entering the network. In many cases, employee error is to blame: people open malicious emails or click on phony links, unwittingly letting malware into the network. According to a recent article in Dark Reading, “If organizations are going to mitigate the human factor among their general user base, they need to create a culture of security.”
After all, the DHS writes, “Cybersecurity is our shared responsibility and we all must work together to improve our Nation’s cybersecurity – from the average smartphone user to a corporate CEO.”
1. The Continuous Training Approach
Training employees to recognize malware and malicious links is a strategic, preventative approach to mitigating security breaches. However, as awareness of cybersecurity has spread and employees have been on the lookout for spam and malware, so too have hackers improved their tactics.
eSecurity Planet writes that many hackers have moved beyond Trojans, viruses and other malware to phishing and spear phishing, targeting users with administrative rights with the goal of distributing executable files containing malware or obtaining credentials or sensitive personal or corporate data.
Therefore, training must be a continuous process of updating employees and making sure everyone in your organization is well equipped with the facts about network security. Training can come from a variety of sources, from internal IT teams to hiring an IT security firm or MSP (managed service provider).
According to a recent study by IRONSCALES, three in four organizations say they train their employees to spot phishing emails; however, fewer than half of those organizations report drops in phishing click rates as a result of that training. This means your training may be ineffective, and we see that often when companies try to DIY their own cybersecurity awareness training.
2. Developing a Holistic Cybersecurity and Risk Management Plan
According to eSecurity Planet, “…organizations (need to) have fully documented and implemented procedures for all activities that may create cybersecurity risks…Before setting up a cybersecurity risk management system, the enterprise needs to determine what assets it needs to protect and place a priority on.”
As such, experts recommend using new technologies that can find and map data across the organization. Once data is mapped, organizations can make better decisions on how that data is governed.
Deloitte also recommends doing a risk/reward calculation, then prioritizing those network security enhancements that will provide the greatest improvements at the lowest cost.
Among the cybersecurity precautions to consider:
- Installing network access controls
- Limiting the number of people with administrator credentials and the control rights granted to each administrator
- Deploying automated patches for operating systems
- Restricting older operating systems (i.e., devices running Windows XP or another OS that is no longer supported)
- Deploying next-generation firewalls
- Installing anti-virus programs and endpoint security with breach detection
- Requiring two-factor authentication to gain access to certain files and systems
3. Testing Your Cybersecurity:
Does your organization know how well its cybersecurity tactics and practices are working? According to eSecurity Planet, in the past organizations had very few ways to test their security. Today, however, there are tools such as vulnerability assessments and penetration testing.
Tools can be run to simulate attacks and measure the effectiveness of a company’s prevention, detection and mitigation capabilities – for example, a simulated phishing attack against a company’s email system.
Security experts agree that today encryption must be implemented in a more strategic and systematic way to protect company data from cyber threats. “This includes granular role-based access, standards-based cryptography, advanced key management, granular separation of duties, and state-of-art algorithms that drastically decrease exposure,” reports eSecurity Planet.
That said, encryption cannot protect an organization from internal threats, such as an employee with access to sensitive information copying it to a thumb drive or stealing it by other means.
5. Resources for Developing/Testing Cyber-Security in Your Organization:
It’s one thing to want a good cybersecurity and risk management program but another to implement one that is effective. These resources can help:
- Department of Homeland Security: Developing a Cybersecurity Framework
- DiamondIT: Cybersecurity Handbook
- CSO Online: 4 steps to creating a winning cybersecurity strategy in 2018
- CSO Online: Building a cybersecurity strategic plan
It is important to be vigilant in developing plans and guidelines to secure your organization. Contact DiamondIT at 877-716-8324 to learn more about security training, assessment and implementation services to build out your lines of defense and prevent cybercrime.