With the number of data breaches skyrocketing in recent years, global cybercrime-related damages are expected to surge in the years ahead. In the last two months alone, we have seen a wave of ransomware attacks wreak havoc and another mega breach that impacted more than 100 million individuals whose credit application information was stolen.
The initial impulse at most organizations is to ask for additional funding for new security technology. According to IDC, organizations are expected to spend $134 billion on IT security products and services in 2022 alone. However, is that money being spent in the right places? Post-mortem analysis of data breaches repeatedly shows that a lack of basic cyber hygiene was a contributing factor: the attacker got in through an unpatched system, a reused password, or an account with far more privilege than its job required. Given this, let's consider what steps organizations can take to shore up their defenses without breaking the bank.
Strengthening an organization’s cyber security posture is complex, but just tackling the challenge with technology isn’t enough. Instead, the process should start with implementing baseline cyber security practices, also known as “cyber hygiene”. Like personal hygiene, cyber hygiene’s objective is to start with basic actions that are most likely to support good health. Despite the popular belief that cyber hygiene is the IT department’s job, cyber hygiene goes beyond departmental borders and should be etched into the organization’s culture.
Meanwhile, threats go beyond technology and external hackers. Human fallibility is often the root cause of breaches. Cyber-attackers are no longer breaking in: they are logging in with weak, default, or previously compromised passwords. Once they hold a valid credential, adversaries move laterally across the network, seeking privileged access to critical infrastructure and to sensitive, potentially valuable data. The IT department alone cannot mitigate identity-based attacks. Ultimately, it is a responsibility shared by all employees, from the C-suite to summer interns, as well as partners and contractors.
Cyber hygiene must become ingrained in an organization's daily routine to be effective. For example, this goes beyond enforcing password policies on paper: it requires that users actually choose strong, unique passwords, keep them secret, and report suspected compromise. When applied properly, cyber hygiene protects against the most common cyber threats.
Cyber Hygiene 101
Unfortunately, basic cyber hygiene practices are often overlooked. So, what basic steps can organizations take to get back to cyber hygiene 101? The National Institute of Standards and Technology (NIST) publishes a set of baseline practices that every organization should apply. These include:
• Know What You Have: An organization should be able to identify all of its assets (servers, network devices, workstations, data, etc.), whether on-premises or in the cloud. You cannot patch, monitor, or restrict access to a system you do not know exists. In addition, organizations should classify the data they store. Under regulations like GDPR, personal data is not only an asset but also a liability that must be identified, tracked, and protected.
• Educate the Human Element: Implement a cyber security awareness and training program. Because end users are targets, employees and other network users should be aware of common threats, such as phishing and credential theft, and how they are delivered.
• Assure Data Integrity: Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it actually works before it is needed. In addition, keep backups offline or otherwise isolated from the computers and networks they protect, so that ransomware or an attacker with domain-wide access cannot encrypt or delete the backups along with the production data.
• Limit the Social Element: Ensure anti-virus and anti-malware solutions update automatically and that regular scans are conducted. Enable strong spam filters to keep phishing emails from reaching end users, and authenticate inbound email using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent email spoofing. Publishing these records for your own domains matters as much as checking them on inbound mail, and a DMARC policy of p=none only reports spoofing; it does not block it.
• Detect and Patch Vulnerabilities: Conduct an annual penetration test and monthly vulnerability assessments. Based on these findings, regularly patch operating systems, software, and firmware on devices, prioritizing flaws that are exposed to the internet or already being exploited.
• Apply Least Privilege: Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, that user should not have write access to those files, directories, or shares. Because compromised accounts are the common entry point, Gartner identified Privileged Access Management as one of its Top 10 information security projects in 2018 and again in 2019, since it is an area where organizations can achieve the greatest return on IT security investment.
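The email-authentication bullet above names three DNS records but does not show what a weak or a correct one looks like. The script below is an added example, not code from the original article: it applies static checks to SPF, DKIM and DMARC TXT records and flags the settings that make them ineffective (a `+all` SPF mechanism, a DMARC policy of `p=none`, a DKIM key in testing mode or shorter than 2048 bits). The sample records and domain names are constructed inline so it runs offline; in practice the strings come from `dig TXT <domain>`, `dig TXT <selector>._domainkey.<domain>` and `dig TXT _dmarc.<domain>`, and the DKIM `p=` values are same-length placeholders rather than real keys.

```python
"""Offline checks for SPF, DKIM and DMARC DNS TXT records (added example)."""
import base64
import binascii
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 limits a record to 10.
_SPF_LOOKUP = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)")


def _parse_tags(record):
    """Split 'k=v; k2=v2' tag lists (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return findings for an SPF TXT record (empty list means nothing flagged)."""
    if record is None:
        return ["SPF: no record published, so forged envelope senders cannot be rejected"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, unlisted senders are not flagged")
    lookups = sum(1 for t in terms[1:] if _SPF_LOOKUP.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dkim(record):
    """Return findings for the key record at <selector>._domainkey.<domain>."""
    if record is None:
        return ["DKIM: no key record for this selector, so signed mail cannot be verified"]
    tags = _parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v= tag, when present, must be DKIM1")
    pubkey = tags.get("p", "")
    if pubkey == "":
        findings.append("DKIM: empty p= means the key is revoked, every signature from this selector fails")
    else:
        try:
            key_len = len(base64.b64decode(pubkey, validate=True))
        except (ValueError, binascii.Error):
            key_len = None
        # Heuristic: DER-encoded RSA public keys are 162 bytes at 1024 bits, 294 at 2048.
        if key_len is None:
            findings.append("DKIM: p= is not valid base64")
        elif tags.get("k", "rsa") == "rsa" and key_len < 250:
            findings.append("DKIM: RSA key looks shorter than the 2048 bits RFC 8301 recommends")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag tells verifiers to treat failures like unsigned mail")
    return findings


def check_dmarc(record):
    """Return findings for the TXT record at _dmarc.<domain>."""
    if record is None:
        return ["DMARC: no record, so SPF/DKIM failures carry no enforced policy"]
    tags = _parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required p= tag is missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown policy p={policy}")
    elif tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} enforces the policy on only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


# Constructed sample records for a fictional domain. The p= values are
# placeholders of the right base64 length (216 chars -> 162 bytes, 392 -> 294), not real keys.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=" + "A" * 216,
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 mx include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,
    "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}


def audit(records):
    """Run all three checks over a {'spf':..., 'dkim':..., 'dmarc':...} dict."""
    return (check_spf(records.get("spf")) + check_dkim(records.get("dkim"))
            + check_dmarc(records.get("dmarc")))


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}:")
        for finding in audit(recs) or ["no findings"]:
            print("  " + finding)
```

The weak set produces five findings and the hardened set none. The DKIM length test is deliberately a heuristic on the DER size rather than a full key parse; if you need the exact modulus size, load the key with a crypto library instead.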
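The least-privilege bullet above says a user who only needs to read a file should not be able to write it, which is easy to state and rarely verified. The following is an added example, not code from the original article: it audits regular files under a directory against a simple policy (which of read, write and execute each of owner, group and other may have), reports every grant beyond that policy, and optionally tightens the mode to exactly what the policy allows. The policy dictionary format and the demo tree it builds in a temporary directory are this example's own assumptions, not anything from NIST or the article.

```python
"""Least-privilege audit of POSIX file permissions (added example)."""
import os
import stat
import tempfile

# (policy key, read bit, write bit, execute bit) for each permission class.
_CLASSES = (
    ("owner", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("other", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def excess_from_mode(mode, allowed):
    """Grants in `mode` not permitted by a policy like {"owner": "rw", "group": "r", "other": ""}."""
    excess = []
    for name, r, w, x in _CLASSES:
        permitted = allowed.get(name, "")
        for letter, bit in (("r", r), ("w", w), ("x", x)):
            if mode & bit and letter not in permitted:
                excess.append(f"{name}:{letter}")
    # setuid/setgid are never part of a read/write/execute policy, so always flag them.
    if mode & stat.S_ISUID:
        excess.append("setuid")
    if mode & stat.S_ISGID:
        excess.append("setgid")
    return excess


def mode_from_policy(allowed):
    """Numeric mode granting exactly what the policy allows and nothing else."""
    mode = 0
    for name, r, w, x in _CLASSES:
        permitted = allowed.get(name, "")
        for letter, bit in (("r", r), ("w", w), ("x", x)):
            if letter in permitted:
                mode |= bit
    return mode


def audit_tree(root, allowed, fix=False):
    """Map relative path -> excess grants for regular files under root; chmod them when fix=True."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            excess = excess_from_mode(stat.S_IMODE(st.st_mode), allowed)
            if excess:
                findings[os.path.relpath(path, root)] = excess
                if fix:
                    os.chmod(path, mode_from_policy(allowed))
    return findings


def run_demo(fix=False):
    """Build a constructed tree, audit it with a group-read-only policy, return (before, after)."""
    policy = {"owner": "rw", "group": "r", "other": ""}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "reports"))
        samples = (
            ("reports/q3.csv", 0o664),  # group may write: excess
            ("reports/q4.csv", 0o640),  # exactly the policy
            ("payroll.db", 0o666),      # world-writable: excess
            ("deploy.sh", 0o755),       # executable and world-readable: excess under this policy
        )
        for rel, mode in samples:
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        before = audit_tree(root, policy, fix=fix)
        after = audit_tree(root, policy)
    return before, after


if __name__ == "__main__":
    before, after = run_demo(fix=True)
    for rel, excess in sorted(before.items()):
        print(f"{rel}: {', '.join(excess)}")
    print("remaining after fix:", after or "none")
```

On a real share you would run `audit_tree` without `fix=True` first and review the report, since a file like `deploy.sh` may legitimately need `owner:x`; the point is that every grant outside the policy is visible and has to be justified rather than inherited by default.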
Ultimately, organizations should keep in mind that maintaining cyber hygiene is a business problem, not an IT problem. As such, organizations should embed the recommendations listed above in their policies, plans, processes, and procedures, and measure whether they are actually followed. No organization is immune, but steady improvement in cyber hygiene goes a long way toward minimizing the risk of falling victim to a cyber-attack and limiting the damage when one succeeds.