The number of cyberattacks and data breaches continues to increase each year. According to recent data, 2019 saw over 1,470 data breaches in the US, with over 164.68 million sensitive records exposed. And in the first half of 2020 alone, the US recorded over 540 data breaches.
October is Cybersecurity Awareness Month. Each year, we celebrate by sharing practical business-focused security tips for organizations to consider. Good security practices harden business systems against the ongoing threat of data breaches and cyberattacks, and never go out of style. Let’s use this month to take a look at your enterprise’s security policies and get hip to trends that keep coming back in style again and again — like your favorite nostalgic ’80s movie reboot.
Here are six cybersecurity tips to help keep your organization secure.
Take a Selfie
One of the most important steps to maintaining adequate security is to take a step back and evaluate your current posture. This is crucial any time you make real and significant changes to your security program. The goal is to think like a bad actor and look for areas where you can improve security.
Remember, bad actors will take the time to perform in-depth reconnaissance. They will identify where all the weak points are, where the most valuable data might be, and what countermeasures appear to be in place. You should do the same. Cybercriminals are more active than ever, as evidenced by several recent high-profile breaches at Twitter, Shopify, and UHS. To stay ahead, your organization must find security gaps before they do.
Keep Track of Your Data
Data is money in the bank for bad actors. Unfortunately, too many organizations don’t know what information is stored where — which makes knowing who accesses it even harder. Even organizations that think they know where their data resides can be wrong.
It’s common for employees to make copies, dump portions of a database, or create shadow IT systems to make their daily tasks easier. Shared drives — and even employee workstations — may contain sensitive information. Take the time to identify where your data is, including all of the spots it “shouldn’t be.” Invest in a solution that discovers shadow IT and be sure it integrates with your cloud environments. You can’t secure what you don’t know exists.
Leveraging the cloud is another way that data can be managed and secured. Shadow IT, such as database dumps to Excel or other large hand-made data stores, often comes about to ease the sharing of information internally. While the reasoning behind it makes sense to the end user, it is dangerous from a security perspective. Instead, consider providing safe and managed cloud sources of data that can easily be shared and monitored internally. This way, your organization can help remove the motivation for creating shadow IT.
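Finding the copies that "shouldn’t be" there is a scanning problem. The following is an added example, not code from the post or from Saviynt: a small discovery scanner that walks a file share, looks for runs of digits shaped like payment card numbers, and keeps only those that pass the Luhn checksum so that build logs and ticket numbers are not reported as findings. The sample share it builds (the `finance/exports/customers_dump.csv` export and the other files, including the well-known `4111 1111 1111 1111` test number) is constructed inline so the example runs offline; only the last four digits of a hit reach the report.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Spreadsheets (.xlsx) are zip archives and need a dedicated parser; this
# example only reads plain-text formats where a "database dump" usually lands.
TEXT_EXTENSIONS = (".csv", ".txt", ".log", ".json", ".sql")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Random digit runs fail it about 90% of the time,
    which is what keeps timestamps and ticket ids out of the report."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str   # report carries only the last four digits


def scan_file(path: str) -> List[Finding]:
    findings = []
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for line_no, line in enumerate(fh, start=1):
            for m in CARD_CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", m.group(0))
                if luhn_valid(digits):
                    masked = "*" * (len(digits) - 4) + digits[-4:]
                    findings.append(Finding(path, line_no, masked))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a share in a stable order and collect findings from text files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if name.lower().endswith(TEXT_EXTENSIONS):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_sample_share() -> str:
    """Constructed sample share: one shadow export with card data, plus files
    that contain long digit runs which are NOT card numbers."""
    root = tempfile.mkdtemp(prefix="share-")
    files = {
        "finance/exports/customers_dump.csv": (
            "name,card,email\n"
            "Alice Example,4111111111111111,alice@example.test\n"
            "Bob Example,4111 1111 1111 1111,bob@example.test\n"
        ),
        "helpdesk/notes.txt": "Ticket 4111111111111112 closed; no payment data here.\n",
        "ops/build.log": "job 20201015 finished in 12345 ms\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_share()):
        print(f"{f.path}:{f.line_no}: {f.masked}")
```

Run against a real share, the same scan is the inventory step the section describes: each hit is a location where card data lives that the data map probably does not list, and the masked output can be handed to the data owner without itself becoming another copy of the sensitive value.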
As the world begins to reopen and staff members migrate back to the physical workspace, don’t forget that digital security starts in the physical world. Physical security isn’t limited to office workspaces but includes anywhere employees work. Ensure that any device used outside the office has a screen lock in place, uses encrypted storage, and is never left unattended, so that corporate secrets don’t wander off.
While valuable for thieves on the resale market, company devices have an even greater value if left unlocked and unattended. Corporate data on these unsecured devices can easily be harvested and sold on dark web marketplaces for far more than the device is worth. By encrypting storage and automatically locking the screens, it is far more challenging for bad actors to access this data — which can make the difference between your organization experiencing a data breach or replacing stolen hardware.
Think Like a Bad Guy
Bad actors don’t approach your IT ecosystem attempting to use it as directed. They think of edge cases and look to circumvent normal behavior. This is a starting point to find holes in processes, procedures, and security in general. Using the systems in unexpected ways can help catch exceptions and identify gaps. This process may involve thinking “what happens if” and testing it. Thinking this way exposes hidden risks and unexpected application behavior.
In the last few years, many organizations have initiated bug bounty programs to expose these gaps. These programs offer security researchers a bounty for finding bugs and disclosing them privately to your organization. This lets security teams leverage the expertise of the “hacker community” in finding vulnerabilities, without directing significant internal resources at hunting for the more obscure ones. Not only does it help companies improve their security posture, but bug bounty programs are also considered a positive way to engage with the security community. They signal that your organization is serious about security and willing to crowdsource expertise to achieve it.
A Superuser is Not Superman
Reading comics growing up, we saw Superman as the guy who could do absolutely everything to stop bad guys. He was strong, fast, and always saved the day thanks to nearly unlimited power. Internal administrators can feel a lot like Superman. They can do anything across every system in your IT environment. On the surface, this power makes them the glue that holds the IT organization together. Admins can swoop in at a moment’s notice and fix what’s wrong. But what some organizations don’t understand is that this power is truly a double-edged sword — and if it is subverted — that great force for good can quickly become a force for evil.
This transition can happen when bad actors steal credentials or use malware and social engineering to take over accounts. Sometimes the superuser can even become a bad actor along the way. To combat this type of threat, move to a Zero Trust security model, where there are no superusers. Combine zero standing privilege with Just-In-Time (JIT) provisioning that allows individuals to get the rights they need exactly when they need them. Permissions then automatically disappear once a job is complete. This way, there is never a superuser to be subverted.
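What "zero standing privilege plus JIT" looks like as a mechanism, as an added example that is not code from the post or from Saviynt: a broker in which no account holds a role permanently. Every elevated right is a grant that must be requested with a justification, is capped at a maximum lifetime regardless of what was asked for, lapses on its own, can be released early when the job is done, and leaves an audit trail. The account names, role names, the `CR-EXAMPLE` change-request reference and the injectable clock are all constructed for the example; a real deployment would sit in front of the directory or cloud IAM that actually attaches the role.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Grant:
    user: str
    role: str
    justification: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and self.granted_at <= now < self.expires_at


class JitPrivilegeBroker:
    """Zero standing privilege: a role is never held, only borrowed.
    The broker is the single place where a right is granted, checked,
    released and expired, so every elevation is visible in one log."""

    def __init__(self, max_ttl: timedelta,
                 clock: Optional[Callable[[], datetime]] = None):
        self.max_ttl = max_ttl
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.grants: List[Grant] = []
        self.audit: List[str] = []

    def request_elevation(self, user: str, role: str,
                          justification: str, ttl: timedelta) -> Grant:
        if not justification.strip():
            raise ValueError("a justification is required for every elevation")
        ttl = min(ttl, self.max_ttl)   # nobody can ask for a de-facto standing right
        now = self.clock()
        grant = Grant(user, role, justification, now, now + ttl)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {user} {role} "
                          f"until {grant.expires_at.isoformat()}: {justification}")
        return grant

    def has_privilege(self, user: str, role: str) -> bool:
        """The check every privileged operation goes through. Expiry is
        enforced here, so a lapsed grant is useless even if never released."""
        now = self.clock()
        self._expire(now)
        return any(g.user == user and g.role == role and g.active(now)
                   for g in self.grants)

    def release(self, user: str, role: str) -> int:
        """Job finished: drop the right now instead of waiting for expiry."""
        now = self.clock()
        released = 0
        for g in self.grants:
            if g.user == user and g.role == role and g.active(now):
                g.revoked = True
                released += 1
                self.audit.append(f"{now.isoformat()} RELEASE {user} {role}")
        return released

    def _expire(self, now: datetime) -> None:
        for g in self.grants:
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                self.audit.append(f"{now.isoformat()} EXPIRE {g.user} {g.role}")


class FakeClock:
    """Constructed clock so the lifecycle can be walked deterministically."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def demo() -> Dict[str, object]:
    """Walk one elevation through request, cap, release, expiry and refusal."""
    clock = FakeClock(datetime(2020, 10, 1, 9, 0, tzinfo=timezone.utc))
    broker = JitPrivilegeBroker(max_ttl=timedelta(hours=1), clock=clock)
    out: Dict[str, object] = {}
    out["before"] = broker.has_privilege("mj", "db-admin")
    g = broker.request_elevation("mj", "db-admin",
                                 "CR-EXAMPLE restore prod backup", timedelta(hours=8))
    out["capped_ttl_hours"] = (g.expires_at - g.granted_at) / timedelta(hours=1)
    out["during"] = broker.has_privilege("mj", "db-admin")
    broker.request_elevation("mj", "kms-admin", "CR-EXAMPLE rotate key", timedelta(minutes=20))
    out["released"] = broker.release("mj", "kms-admin")
    out["after_release"] = broker.has_privilege("mj", "kms-admin")
    clock.advance(timedelta(minutes=61))
    out["after_expiry"] = broker.has_privilege("mj", "db-admin")
    try:
        broker.request_elevation("mj", "db-admin", "   ", timedelta(minutes=5))
        out["blank_justification_rejected"] = False
    except ValueError:
        out["blank_justification_rejected"] = True
    out["audit_events"] = [line.split()[1] for line in broker.audit]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that `has_privilege` is the only path to a privileged action and it enforces expiry itself; a grant that was never released is still harmless once its window closes, and an attacker who takes over the account inherits nothing unless they can also pass a justified, logged, time-boxed request.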
Arm Your Staff
Employees are either your greatest security risk or your cybersecurity front line. Training makes all the difference. Whether your security team builds in-house training or you hire an external company like SANS, arming your staff with security awareness training is crucial. Employees unfamiliar with common phishing, vishing, and social engineering attacks open a gaping hole in your security posture, which bad actors can crawl right through. Training employees in end-user security basics equips them to recognize common types of attacks, fend them off, and report suspicious events. Don’t let bad actors weaponize your employees’ good intentions.
Protecting your organization from a security event can be a daunting task — and Cybersecurity Awareness Month is a great reminder to brush up on new security protocols. However, if you keep these tips top-of-mind, your organization can remain protected all year long.
MJ Kaufmann is a Cyber Security Specialist at Saviynt.