Practicing the Basics Makes You Safer and More Secure
Every Cybersecurity Awareness Month, discussion turns to the most cutting edge tools, tactics and response strategies (as they should). But this annual ritual should also be used to shore up the most basic of defenses. Major cyber attacks often happen in the most mundane ways: The Colonial Pipeline ransomware attack came through an inactive account that didn’t use multifactor authentication; the attack on Kaseya in July came through a software vulnerability; and a recent attack on a Texas epilepsy foundation was due to a phishing email. They happened because somewhere along the way, a real person – not a technology – didn’t follow cybersecurity best practices. According to the latest Verizon Data Breach Investigations Report, about 85% of all attacks involve human error. An employee who innocently clicks on a phishing link or a third-party vendor using unpatched software can cause an attack that disables your entire network in a matter of minutes.
Over the past 12 months, we’ve seen widespread cyber attacks affecting critical infrastructure, retail, sports teams, farm cooperatives and our critical infrastructure, to name a few. If these attacks are not a wake-up call – particularly for C-Suite executives – they will soon be. NSA Director Paul Nakasone predicts the rate of ransomware attacks will skyrocket, with the U.S. experiencing an attack “every single day” in five years.
With these rising threats, cybersecurity spending is expected to exceed $150 billion this year, an increase of 12.4% over last year, according to Gartner. Much of that investment is warranted – without technologies that block malware and other viruses, businesses will potentially find themselves battling a never-ending stream of cyber breaches. But it often feels that in our rush to get equipped with the most cutting-edge technology we are overlooking our ability to perform basic steps that provide us with our initial lines of defense.
Businesses need to improve their cyber hygiene and maintenance by closing a few security gaps. This first starts by doing a thorough and accurate inventory of your assets and data, and asking yourself questions like, ‘What are my most important assets and how are they being protected?’ and ‘Where am I most vulnerable?’ A risk management strategy is critical, especially if you are working with legacy technology, as older systems are naturally more vulnerable. You need to identify the weakest link in your system and prioritize getting it upgraded or replaced.
That’s why many companies are now leaning towards a zero-trust framework, which centers on the idea that no device – whether inside or outside the perimeters of the company – should be trusted. Any person or entity wanting to connect to a company’s network must first be verified before they can get access. In this era of constant cyber attacks, it’s a smart company policy.
Consistent and regular employee awareness training, which is now offered by virtually all cybersecurity companies, should also be mandatory. Similarly, requiring your entire company to utilize two-step verification (or multi-factor authentication) is essential to boosting your defenses, as passwords no longer provide the strong protection they once did. This is especially important for high-profile CEOs and other executives, who are at high-risk for cyber attacks. These individuals should utilize Google’s Advanced Protection Program, which provides advanced security innovations like strong authentication and security keys to protect these individuals from targeted online attacks.
Finally, if businesses don’t want to become the next big headline, they must learn how to monitor and detect cyber breaches before they become a major incident. Implementing a strong network security monitoring service will not only help you detect incidents but will also give you an idea of the effectiveness of your protective measures.
As companies look to ramp up their defenses, there is increased collaboration happening between government and business to detect and defend against new threats. The need to advance cyber intelligence recently brought together technology leaders and experts at the White House, including Google, which pledged $10 billion to focus on mission critical areas like expanding zero-trust programs, securing open source and building a cyber savvy workforce. Cybersecurity Awareness Month is an annual reminder of the importance of collaboration among the public and private sector and the need for stronger defenses. Implementing a strong security-minded culture with some fundamental best practices is one of the most important steps business leaders can take in protecting themselves.