You’d think that in 2016 no one would need to be told how serious a threat cybercrime is, yet we still hear about major data breaches on a regular basis, from Target to eBay to LinkedIn. Are you sure that your cybersecurity and data protection policies are where they need to be to prevent the easiest exploits?
The areas below are the most important to focus on for your first line of defense. For 99 percent of organizations, these general IT security areas are all they may be able to strengthen with their existing resources, so optimizing all of them is absolutely crucial.
1. Passwords
In many ways, passwords are the weakest security method to protect sensitive data and accounts. It’s not enough to just require a password, because users will just choose the easiest ones to remember, like “123456” or “password.” Password policies that reflect the importance of strong passwords must be in place for any organization and should require:
- Complexity: Passwords should include numbers, capital letters, special characters, etc.
- Regular updates: A new, unique password should be required (at minimum) every quarter.
- Secure storage: If passwords are stored, they must be properly secured by hashing, salting or encryption so that they will be of no use to attackers who may obtain them.
Finally, while this is a difficult requirement to enforce, you should emphasize to your team that their passwords should be different from those they use for any other account. A strong password that is fiercely protected on your end will do no good if a hacker obtains it from a user’s Facebook account, for example, then uses it to access your systems.
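As an added example (not code from the original article), here are the password-policy rules above expressed in code: a complexity check that also rejects the throwaway passwords the article names, and salted PBKDF2 hashing with constant-time verification for secure storage. The common-password list, minimum length and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed list of throwaway passwords (the article names the first two);
# a real deployment would check against a much larger breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}

PBKDF2_ITERATIONS = 600_000  # assumed value; raise it as hardware gets faster


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """Length, plus at least one digit, upper-case letter, lower-case letter
    and special character, and not on the common-password list."""
    if len(password) < min_length or password.lower() in COMMON_PASSWORDS:
        return False
    checks = (r"\d", r"[A-Z]", r"[a-z]", r"[^A-Za-z0-9]")
    return all(re.search(pattern, password) for pattern in checks)


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. Returns a self-describing record so the
    iteration count can be raised later without breaking stored hashes."""
    salt = os.urandom(16)  # unique per user, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record, bad hex, or non-integer count
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3-correct")
    print(record)
    print(verify_password("Tr0ub4dor&3-correct", record))  # True
    print(verify_password("password", record))             # False
```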
2. Updates and Patches
Another simple first line of defense is to ensure that all the systems and applications you use are up to date. Software patches are frequently released to provide not just performance and application improvements, but also fixes for the latest identified security vulnerabilities. This includes updates for:
- Computer operating systems (OS)
- Applications installed on the OS
- Antivirus software
3. Firewalls
Firewalls are another basic but crucial line of cybersecurity defense. By implementing a firewall and establishing proper inbound/outbound rules, you can automatically prevent a great deal of unauthorized traffic. Firewalls come in two different (but equally important) forms:
- Hardware: Usually part of your main router/gateway/access point for the network
- Software: Usually already installed on your computer (e.g. Windows Firewall)
4. Encryption
Encryption isn’t just for data at rest; full disk encryption and on-the-fly encryption are both important to a comprehensive encryption plan. Strong and up-to-date encryption methodology should be applied to the following:
- Entire computers
- Removable devices
- Websites/data in transit (check for HTTPS when accessing sensitive sites or submitting sensitive information)
5. Security Training
If your people don’t understand what malware is and how to respond appropriately, it’s really just a matter of time until a data breach. An effective security training program for all employees should include:
- Commonly exploited attack vectors
- What malware does and doesn’t look like
- How to recognize a phishing attack
- How to handle a suspected malware intrusion
Above and Beyond
The remaining 1 percent (major enterprises) has more serious security needs and usually hires a team of professional penetration testers (or “pen testers”) to audit their systems/networks in a real-world hacking “simulation.” While this is not a malicious attack, these experts are actually hacking into business systems. These essential services can be divided into two groups:
1. Vulnerability Scanning
This is a more passive approach that only checks your network and systems against security issues that are publicly documented. A vulnerability team will try to hack their way in and gain more and more access to see what is actually possible in a real-world scenario, but will not actually develop new hacks. This will protect you from automated hacking attempts that use existing exploits and automatically target systems they detect as vulnerable, but it offers no protection against a targeted code attack. Vulnerability scanning may also be provided in the form of scanning software that does not involve an intelligent human team auditing your security. Frankly, this kind of service is useless at best, as without actual people behind the wheel it can give the misleading notion that security is stronger than it actually is.
2. Active Pen Testing
This is a more aggressive approach in which a team coordinates and collaborates to systematically hack into your network and systems. They will hack everything they can find, gain as much access as possible, actively evade detection by your security systems, and provide you with a full report which should contain action items and recommendations for guarding against each identified attack vector. In addition to passive scanning explained above, this type of team will try to develop new exploits and will tailor their tactics to your organization, which helps to protect against threats that have not yet been discovered or publicly disclosed, as well as those that may be very specific to your industry or the technology you use.