Daunting, isn’t it?
You read all these headlines about the latest data breaches, and you worry your organization could be next.
After all, if TalkTalk, Target, and Equifax can’t keep their data safe, what chance do you have?
Well, thankfully, most organizations aren’t quite as high profile as those household names, and probably don’t receive quite so much attention from cybercriminals. At the same time, though, no organization is so small or insignificant that it can afford to neglect to take sensible security measures.
If you’re just starting to take cybersecurity seriously, here are five steps you can take to secure your organization more effectively than 99 percent of your competitors.
1. Don’t be Reactive
First things first, if you’re serious about securing your organization, it’s vital that you avoid becoming distracted but the latest industry buzzwords marketing hype.
And that can be difficult to do. Go to any high profile security conference and at every stand you’ll hear about how you can’t possibly go on without the latest cutting edge technologies. If you’re not careful, you’ll walk away thinking you absolutely need to invest in a next-generation firewall, a threat intelligence capability, and an outsourced security operations center right this minute.
In reality, though, trying to run before you can walk is a surefire way to get yourself into trouble.
2. Start with the Basics
So if not with the latest marketing hype, where should you start?
No matter what industry you’re in, there are some basic measures that are an essential starting point for any security-conscious organization. And right at the top of that list is good vulnerability management.
Did you know, for instance, that the vast majority of technical cyber attacks exploit vulnerabilities that could easily have been patched? In fact, in most historic cases where an organization has been breached, the relevant patch had been available for months prior to the attack taking place.
And the sad thing is, for the average small-to-medium sized organization, vulnerability management is a very simple process. With a reputable vulnerability scanner (e.g., Qualys or Rapid7) and a solid monthly patching process, you can dramatically reduce your chances of being affected by typical low-level cyber attacks.
And here’s another simple measure you can take: Spam and content filters.
Did you know that, as of March 2018, spam accounts for over 48 percent of all email volume worldwide? And naturally, a small but highly significant proportion of spam emails contain malicious content. As a result, every single organization in the world receives a huge volume of potentially dangerous emails each day.
Now to be clear, no filter is powerful enough to block all of this malicious email content. But by putting high-quality filters in place you can block at least 90 percent of that malicious content, which is a huge step forward.
Other important aspects of basic cybersecurity include:
- Having strong, well-written security policies in place
- Controlling user access levels tightly, and deactivating accounts promptly when employees leave
- Implementing sensible authentication protocols, e.g., setting strong password requirements
3. Gauge Cyber Risk
Once you have the basics in place, it’s time to consider your organization’s specific threat profile. And how do you do that? By taking a risk-based approach to cybersecurity.
You should start by trying to identify the most significant cyber risks to your organization. For example, which threat vectors are most commonly used in your industry? How do most data breaches occur? Do you really need to worry about hacktivists and state-sponsored hackers… or are you more likely to be targeted by petty cybercriminals?
Each industry and geographic location has its own specific set of threats, and it’s important to understand where your threats lie so that you can maximize the return on your security investments.
This type of information is quite easily (and freely) available online, so take some time to find out where and how you’re most likely to be attacked before you start allocating your resources.
4. Apply Technical Solutions Where Possible
When you start doing your research, you’ll discover something very early on: People are responsible for nearly all data breaches in one way or another.
People lose their work laptops and mobiles. They set bad passwords, and write them down on sticky notes attached to their monitors. They send confidential emails to the wrong recipients. They click on malicious links in emails, fall for obvious scams, and generally make life difficult for security professionals.
The natural response to this knowledge is to try to make it impossible for your users to compromise the organization. And, to some extent, that’s a good idea.
Once you understand where your threats lie, it makes perfect sense to try to plug those gaps with technical solutions. For example, since lost and stolen devices are a common cause of data breach, it’s sensible to encrypt all business laptops and devices. That way, if they are ever lost or stolen, the confidential information held on those devices will remain secure.
And there are plenty of cases where this type of preventative action can make sense. For example:
- Locking down account privileges so users can’t install software without IT support
- Controlling access to non-business-related websites
- Proactively blocking browser-based ad content
5. Take User Training (Very) Seriously
Ultimately, though, no matter how hard you try, you can’t completely protect your users from the dangers of cyberattacks. Whether it’s by email, phone, SMS message, or social media, your users will be targeted directly, and there’s nothing you can do it stop it.
“But wait,” you might be thinking, “What about my spam filter? Won’t that prevent phishing emails from reaching my users?”
Think again. Even the very best spam filters available cannot prevent 100 percent of incoming phishing attacks. In fact, a typical mid-sized organization can expect one or more malicious phishing emails to reach user inboxes every single day. And that doesn’t even take into consideration social engineering attacks that come via phone, SMS message, or social media.
To put it simply, phishing and social engineering attacks are the #1 threat to modern businesses. Don’t believe that? Well, maybe you’ll believe Verizon when they say that, according to their research, almost half of all data breaches worldwide contain a phishing or social engineering component.
And that’s why, no matter what else you do, you must take end user security training seriously. Your users will be targeted, and if they aren’t ready, your organization will fall prey to cyber attacks.
Here’s a final piece of advice for you: No matter where your security currently stands, don’t rest on your laurels.
Cyberattack volume is at an all-time high, and even very small organizations are at significant risk of being targeted by common threats such as ransomware, malware, and targeted social engineering attacks.
The measures suggested above, while simple, will be sufficient to mitigate the vast majority of possible attacks… but only if you complete them before an attack takes place.
So whatever you do, don’t wait.
About the Author
This article was submitted to us by a third-party writer. The views and opinions expressed in this article are those of the author and do not reflect the views and opinions of ThisHosting.Rocks. If you want to write for ThisHosting.Rocks, go here.