Sadly, there’s no such thing as a completely watertight IT infrastructure. And even more regretfully, there’s no such thing as an empirically correct or complete list of actions that a company can carry out to avoid being hacked.
But, as we’ve said before – in cyber security, forewarned is forearmed. So, check out these 5 steps below to improve your cyber-preparedness today, developed in conjunction with our pals at Just Firewalls.
1: Know Your Internal Risks
Every single organisation out there has a completely different risk profile – even organisations that are remarkably similar. So, before we look around us at the risks out there in the world, we need to look inward first.
We’d advise any organisation to adopt good IT Asset Management (ITAM) – taking stock of what tech they have and use. However, there is much more to understanding internal risks than a simple list of hardware and software.
Investigate and eradicate your shadow IT
Shadow IT can be a cyber security “silent killer”. In short, shadow IT is any hardware or software that sits within your tech infrastructure that hasn’t been vetted by your management or IT teams.
This can be as innocent as a team member logging into work emails on a personal device or using a free SaaS tool to fill a functional void within your approved IT stack. Yet shadow IT can also be used to cause intentional harm, like keylogging malware or a secret access point that provides backdoor access into your network.
Needless to say, both benign-seeming and malicious shadow IT can leave you vulnerable. Using non-vetted hardware or software may solve an issue in the short term, but what happens if that tool suffers a breach? Employee-owned devices can really run the gamut in terms of security, and you as the employer have no real input into the security measures used.
Our colleagues at Just Firewalls discussed shadow IT in depth over on their blog and even explained how investigating your own shadow IT can help you to make your network better and stronger.
Talk to – and test – your team
However, the tech is only part of your internal risk equation. Your broadest and most vulnerable attack surface is by far your team themselves. With phishing and social engineering attacks conning individuals out of sensitive passwords and information every single day, your team need to know how to spot phony requests.
Cyber-awareness training is essential, but before you call everyone in for a day-long training session, you could test their existing cyber-acumen. How? With phishing testing and training platforms like PhishAware. PhishAware lets you send completely safe phishing-style emails to your team and it gauges their response. You can see who took the bait, who simply ignored the message, and who reported or escalated the message according to protocol.
Armed with this information, you can send training materials to those who fail the test or flag them for in-person training.
2: Know your third-party risks
Take the Okta breach of early 2022 as an example. The attackers gained access to a device used by an employee of Sitel, one of Okta’s subcontractors, which appeared to have suffered a breach of its own back in January.
When you contract with a supplier, new or old, be aware that you aren’t just taking on their risk – you’re indirectly taking on the risk of all of their suppliers and subcontractors too. This is unavoidable. However, some smaller suppliers may be willing to discuss their security measures with you, especially if you already have a good relationship with them.
If you’re on particularly good terms, they may even be open to you speaking to their suppliers as well. There will always be more of these threads than you have time to chase, so prioritise the suppliers who hold your most sensitive data or can reach your systems, and map your “upstream” supply chain as far as you reasonably can.
Larger organisations may only be accessible through their support teams, but even they can sometimes be surprisingly helpful. The buck tends to stop when you reach the big dogs like AWS or Microsoft though, so draw what you can from their published security and compliance documentation – shared responsibility models, audit reports, privacy policies and the like.
But how else can you get a handle on your level of third-party risk?
- Take Stock of All Third-Party Access to Your Systems – Whether it’s your contractors, virtual assistants, temporary workers, technicians, even your MSP – keep an up-to-date record of every third party who can connect to your systems, what they can reach and how they authenticate, no matter how seemingly secure or low-level that access may appear.
- Apply Stringent “Principle of Least Privilege” Rules – Once you know who has access to what, when, and why, check that these suppliers aren’t being given god-like access credentials to carry out simple, minor tasks. Give them just enough access to do their job, and no more. Similarly, disable or remove third-party credentials whenever they aren’t going to be used – a dormant vendor account is exactly what an attacker hopes to find.
- Carry Out Regular Vendor Assessments – Properly audit all third parties who have access to your tech. Take the time to digest and investigate their security practices, and document the risks you are likely exposed to in working with them. Have a plan to regularly check in with each supplier’s security documentation so you’re working with the latest info.
- Enforce Robust Authentication Practices – Phishing attacks have proven that simple “email and password” credentials are no longer enough. Enforce strong authentication across your entire IT estate (including third parties): MFA – ideally phishing-resistant methods such as FIDO2 security keys rather than SMS codes, which can be relayed by a real-time phishing proxy – passwordless authentication, and session timeouts that log idle users out.
- Enact Stringent Third-Party Exit Policies – Revoke access credentials from outgoing suppliers as soon as your time together is done, and rotate any shared accounts or keys they knew about.
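The three checks above – who has access, whether it is more than they need, and whether it should have been switched off already – are easy to automate once you have an export of external accounts. The script below is an added example written for this article, not code from the original post or from any product it mentions. The CSV layout mimics an access export from an identity provider or VPN appliance; the column names, role names and the 90-day dormancy threshold are assumptions, and the rows are constructed.

```python
"""Flag third-party accounts that break least privilege or outlive their contract.

Added example, not code from the original post. The CSV layout below mimics
an access export from an identity provider or VPN appliance; the column names,
role names and 90-day threshold are assumptions."""
import csv
import io
from datetime import date

# Constructed sample export: one row per external identity that can reach us.
SAMPLE_EXPORT = """\
account,organisation,role,last_login,contract_end,enabled
j.smith@acme-msp.example,Acme MSP,domain_admin,2022-03-28,2023-12-31,true
temp.va01@contractor.example,Virtual Assistant,helpdesk,2021-11-02,2022-06-30,true
tech@hvac-vendor.example,HVAC Vendor,domain_admin,2021-09-14,2021-12-31,true
audit@accounts-firm.example,Accounts Firm,read_only,2022-03-30,2022-12-31,true
old.supplier@gone.example,Old Supplier,vpn_user,2020-05-01,2021-03-31,false
"""

PRIVILEGED_ROLES = {"domain_admin", "global_admin", "root"}
STALE_AFTER_DAYS = 90


def audit_third_party_access(export_csv: str, today: date) -> dict[str, list[str]]:
    """Return accounts grouped by finding. Every list is sorted for stable output."""
    findings: dict[str, list[str]] = {"privileged": [], "stale": [], "expired_contract": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing left to revoke
        account = row["account"]
        last_login = date.fromisoformat(row["last_login"])
        contract_end = date.fromisoformat(row["contract_end"])
        # Least privilege: a vendor holding an admin role needs justifying, every time.
        if row["role"] in PRIVILEGED_ROLES:
            findings["privileged"].append(account)
        # Dormant access: unused for longer than the threshold, so disable it.
        if (today - last_login).days > STALE_AFTER_DAYS:
            findings["stale"].append(account)
        # Exit policy: the engagement has ended but the account is still live.
        if contract_end < today:
            findings["expired_contract"].append(account)
    return {k: sorted(v) for k, v in findings.items()}


def audit_sample(today_iso: str = "2022-04-01") -> dict[str, list[str]]:
    """Run the audit over the constructed export as of the given date."""
    return audit_third_party_access(SAMPLE_EXPORT, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding, accounts in audit_sample().items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

Run as of 1 April 2022, the HVAC vendor’s account trips all three rules: it is a domain admin, nobody has used it since September, and the contract ended in December. That is the account to disable first. The already-disabled supplier is skipped on purpose; the point of the exit-policy check is to catch access that should have been removed and wasn’t.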
3: Protect those passwords
Access credentials, eh? Can’t live with ‘em, can’t live without them – not completely, not just yet. Hackers are always on the lookout for new, evil ways to compromise passwords, perhaps most notably through phishing and social engineering.
Here are seven of our most useful tips to keep your passwords out of the hands of cyber rapscallions:
- Rethink Forced Password Changes – Making everyone change every password every few weeks used to be standard advice, but both the UK’s NCSC and NIST (SP 800-63B) now recommend against routine expiry: people respond with small, predictable tweaks or by reusing the same password everywhere, which leaves you worse off than a strong password left alone. Instead, require a change when there’s a reason to – a suspected compromise, a credential turning up in a breach dump, or someone with access to a shared account leaving – and put the effort saved into the tips below. Password reuse is still a major no-no!
- Don’t Allow Weak Passwords – Did you know that “password” and “123456” are among the most popular passwords on the internet? Any password-protected system should demand long, unique passwords and refuse any that appear on lists of commonly used or previously breached passwords. If you have passwords that are little more than a word and a number, change them immediately! The NCSC’s “three random words” approach is a good starting point for creating strong, memorable passwords.
- Use Password Management Tools – Or don’t worry about remembering passwords at all! Leave it to password managers like 1Password or Dashlane to do the remembering for you. They can even generate totally randomised, nigh on unguessable passwords and store them safely; the only password you have to remember is your master password, so make it long and unique and protect the account with MFA.
- Use Multi Factor and Passwordless Authentication – Multi-factor authentication helps to ensure that the person logging in is truly who they claim to be. MFA adds a second factor so that a stolen password alone isn’t enough, which scuppers the bulk of credential-harvesting phishing attacks. Bear in mind that codes sent by SMS or generated by an app can still be relayed by a real-time phishing proxy, so where you can, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys. Passwordless authentication sidesteps the problem of password theft altogether, though the Okta incident shows that authentication providers are still third-party suppliers with their own levels of risk you’ll have to consider.
- Invest in Phishing Awareness Training – Phishing and vishing scams are getting ever more believable and ever more devastating. Invest in cyber-awareness training for your entire team, even those who don’t use IT; in fact, especially for those who aren’t as au fait with traditional IT!
- Enforce Conditional Access – Do your team only need to log in to certain tools at certain times and from certain locations? Great! For extra security, some systems let you restrict logins to a set network location (an IP address or range, such as your office’s fixed address) and/or to set hours. For example, if your team only ever log in between 9am and 5pm from the office in Bradford, conditional access would automatically refuse anyone attempting to log in from anywhere else in the world or at any other time. Bear in mind that an IP address is a proxy for location, not proof of it, so treat this as one layer alongside MFA rather than a replacement for it.
- Set Up Employee IT Exit Policies – This is a crucial step in credential security. If someone has left your organisation, destroy their access credentials immediately. Disgruntled outgoing team members or subcontractors may feel they have nothing to lose and may destroy or steal valuable data on their way out, so work with your HR department to come up with exit policies that are fair but protective.
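Two of the tips above – refusing weak passwords and enforcing conditional access – boil down to rules a system can evaluate at the login boundary. The script below is an added example written for this article, not code from the original post or from any product it mentions. The tiny deny-list, the office network range (203.0.113.0/24, a documentation range), the 9-to-5 hours and the Europe/London timezone are all assumptions; a real deployment would check against a full breached-password corpus and your identity provider’s own policy engine.

```python
"""Two checks at the login boundary: is the chosen password acceptable, and is
this login attempt allowed from here, now?

Added example, not code from the original post or from any product it
mentions. The deny-list, the office network range (203.0.113.0/24, a
documentation range) and the 9-to-5 Europe/London hours are assumptions."""
import ipaddress
import re
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Constructed stand-in for a real common/breached-password list. In production
# compare against a full corpus (e.g. the Have I Been Pwned password list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12
# The pattern the post warns about: "little more than a word and a number".
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+[0-9]{1,4}[!?.]?$")


def password_problems(candidate: str, username: str = "") -> list[str]:
    """Return the reasons a proposed password is unacceptable (empty list = OK)."""
    problems = []
    lowered = candidate.lower()
    # Strip trailing digits/punctuation so "Password1!" still hits the deny-list.
    stem = lowered.rstrip("0123456789!?.")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears on the common/breached password list")
    if WORD_PLUS_DIGITS.match(candidate):
        problems.append("is just a word followed by a number")
    if username and username.split("@")[0].lower() in lowered:
        problems.append("contains the username")
    return problems


OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office egress range
BUSINESS_HOURS = (time(9, 0), time(17, 0))                    # local office time
OFFICE_TZ = ZoneInfo("Europe/London")


def conditional_access(source_ip: str, attempt_utc_iso: str) -> tuple[bool, str]:
    """Allow a login only from an office network, on a weekday, during office hours.

    attempt_utc_iso is an ISO-8601 timestamp with a UTC offset (as an IdP log
    would record it). It is converted to office local time, so the rule keeps
    meaning "9 to 5 in Bradford" on both sides of the BST clock change."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in OFFICE_NETWORKS):
        return False, f"{source_ip} is outside the permitted networks"
    local = datetime.fromisoformat(attempt_utc_iso).astimezone(OFFICE_TZ)
    if local.weekday() >= 5:
        return False, f"{local:%A} is not a working day"
    if not BUSINESS_HOURS[0] <= local.time() < BUSINESS_HOURS[1]:
        return False, f"{local:%H:%M %Z} is outside business hours"
    return True, "allowed"


if __name__ == "__main__":
    for pw in ("Password1", "correct-horse-battery-staple"):
        print(pw, "->", password_problems(pw, "j.smith@example.com") or "OK")
    # Same clock time in UTC, different answer in winter and summer:
    print(conditional_access("203.0.113.42", "2022-01-12T16:30:00+00:00"))  # GMT: 16:30, allowed
    print(conditional_access("203.0.113.42", "2022-06-15T16:30:00+00:00"))  # BST: 17:30, refused
    print(conditional_access("198.51.100.7", "2022-06-15T08:30:00+00:00"))  # wrong network
```

The timezone handling is the part people get wrong: a “9 to 5” rule evaluated in UTC quietly shifts by an hour every spring and autumn, so either locks staff out or opens a window you didn’t intend. Converting each attempt to office local time keeps the rule honest.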
4: Follow the cyber security news
Most business owners and operators are au fait with business-related news relating to the economy, taxation, and any legislation that is relevant to their industry. However, regardless of what it is they do, we feel that they should follow the cyber security news cycle too.
Just like those other factors, not having the right information, at the right time, and implementing it in the right way, can have a devastating impact on any organisation.
If you’re totally new to cyber news, it’s a good idea to familiarise yourself with the kinds of threats doing the rounds at any given time. Like fashions, threat trends come and go, and our colleagues at Just Firewalls have covered the top 5 threat trends to watch this year, as well as providing some insightful cybersecurity predictions too.
There are countless resources available online with up to the minute cyber security reporting, but we personally approve of these resources:
- Threatpost – an independent source of IT and business security news.
- The Hacker News – an excellent source of computer security info and cyber attack news.
- Infosecurity Magazine – A magazine dedicated to information security (hence the name).
- CSO Online – This publication shares the info enterprise security decision-makers need to stay ahead.
- The Register’s Security News – Sometimes snarky, always enlightening.
- Krebs on Security – News and Insights from the mind of renowned security investigator Brian Krebs.
- Graham Cluley – Reporting from the independent cyber security analyst and public speaker.
- Seytonic YouTube Channel – Great for digestible snippets of cyber security news.
There is also plenty of quality cyber security reporting going on over social platforms like LinkedIn and Twitter.
5: Have a plan for disaster
With all of this information, you should have a very clear idea of your potential risk factors. Your next task is to put together a plan of action should each eventuality transpire.
Alas, risk and disaster planning isn’t something we can give you a blow-by-blow “how to” about because different companies use IT in myriad different ways. However, there are a few general things that we can advise.
Firstly, there’s no time like the present to establish a good backup strategy. We personally swear by the 3-2-1 backup strategy: keep three copies of all business-critical data, on two different kinds of storage media, with one copy kept off-site. Make sure at least one copy is offline or otherwise immutable when not in use, so ransomware that reaches your network can’t encrypt the backups along with everything else, and test restoring from each copy regularly – a backup you’ve never restored from is a hope, not a plan.
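Whichever media you choose, a copy is only useful if you can prove it restores intact, and the cheapest way to prove that is to hash everything at backup time and check each copy against the result. The script below is an added example written for this article, not code from the original post or from any backup product; the files and directories it uses are constructed in a temporary folder so it runs anywhere offline.

```python
"""Prove a backup copy is restorable: hash everything at backup time, then
check each copy against that manifest.

Added example, not code from the original post. The files and directories are
constructed in a temporary directory so it runs anywhere offline."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(manifest: dict[str, str], copy_root: Path) -> dict[str, list[str]]:
    """Compare a copy against the manifest taken from the live data.

    'missing'    - in the manifest but not in the copy
    'corrupt'    - present but the content hash differs (bit rot, ransomware, partial write)
    'unexpected' - in the copy but not in the manifest"""
    found = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "corrupt": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: one faithful copy and one that lost a file and had
    another overwritten (what a failing disk or ransomware leaves behind)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "docs").mkdir(parents=True)
        (live / "accounts.csv").write_bytes(b"id,amount\n1,100\n")
        (live / "docs" / "contract.txt").write_bytes(b"signed 2022-01-01\n")
        manifest = build_manifest(live)  # take this when the backup is made

        good = Path(tmp, "copy_a")
        shutil.copytree(live, good)

        bad = Path(tmp, "copy_b")
        shutil.copytree(live, bad)
        (bad / "accounts.csv").unlink()                              # silently lost
        (bad / "docs" / "contract.txt").write_bytes(b"ENCRYPTED\n")  # overwritten

        return {"good": verify_copy(manifest, good), "bad": verify_copy(manifest, bad)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Store the manifest with the backup but also somewhere the backup process can’t overwrite it; otherwise anything that tampers with the copy can tamper with the evidence too.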
Think of all of the software you use on a daily basis and keep an alternative tool in the wings, just in case one of them becomes compromised. Ideally, it needs to be an alternative that you have documented and tested ahead of time, so you’re not left scrambling to set everything up from scratch should the worst happen!
Just as you likely have contingency plans for property, assets, and other areas of your business, create a documented contingency plan for each IT emergency that could realistically hit your biz – ransomware, a lost laptop, a hijacked email account, a key supplier going offline – and rehearse it before you need it.
Remember that not all cyber security is fully cyber – physical security plays an essential role in digital security, so check out our guide about how physical security and cyber security interact.
You can even have a “Break Glass”, “In Case of Emergency (ICE)” sheet kept in your safe – with relevant phone numbers, emergency credentials, tested alternative tools, lockdown procedures, and so on. Treat any emergency credentials on that sheet as highly privileged: keep them unique to that purpose, alert on any use of them, and change them as soon as the emergency is over.
Need cyber security experts on speed-dial? Why not add another phone number to that emergency sheet? Whenever you have a cyber-quandary, the Just Cyber Security team are here to help on 0161 5183341. Want help planning for the worst? Book a discovery session with our management team today!