Analyzing Your Cybersecurity Plan
It’s October, which means it’s Cybersecurity Awareness Month! That may not be the first thing you associate with October, but it’s something we get excited about here at VC3.
Cybersecurity Awareness Month was created by the Department of Homeland Security and the National Cyber Security Alliance to promote cybersecurity education and help Americans stay safe online. As sobering cyber-attacks surface in the news with alarming regularity, now is a great time for you and your organization to spend time analyzing your cybersecurity preparedness for the first time or the 100th time.
This year’s Cybersecurity Awareness Month theme focuses on three areas: Own IT. Secure IT. Protect IT.
Let’s break these three pieces down in reverse order as we think through prioritizing your cybersecurity investment.
- Protect IT – The Basics of Prevention
- Secure IT – Building on a Strong Foundation
- Own IT – The Importance of Employee Cybersecurity Awareness Training
Protect IT – The Basics of Prevention
For many organizations, cybersecurity is a new investment. As a result, many organizations struggle to identify a workable, cost-effective solution. How can you prioritize investment in cybersecurity and come up with a plan that meets your organization’s needs?
The basics are a good place to start. At a minimum, it’s a good idea to do the following:
- Run endpoint detection and response (EDR) software;
- Practice good user controls and avoid giving all users full administrative access to their workstations;
- Apply security patches regularly;
- Run firewalls at all locations with an Internet connection; and
- Leverage some form of anti-spam technology.
Does this sound familiar? I hope so. If not, make it a priority to talk to your IT department or IT provider. These items are the foundation of your security practice.
Secure IT – Building on a Strong Foundation
A cybersecurity plan without the practices mentioned above is a lot like building a house without a front door. No matter what other security measures you put in place, you are left with a significant vulnerability. But once the foundation is set, where do we go from here?
This is a big question, so we’ll focus on three activities that yield big returns.
Data Backups
Organizations with properly configured backups enjoy huge benefits when recovering from any disaster, including a cyberattack. Your data backups must be properly configured. Check that all important data is being backed up and that the backup copies are stored in a remote location, separate from the systems they protect. Backups should also be regularly monitored and reviewed, including periodic test restores, so you know they will work when you need them.
Multi-Factor Authentication
If multi-factor authentication is a new term for you, then you’re not alone. This strategy is becoming increasingly common because it layers additional protection on top of a password. As a result, it will often prevent an attacker from gaining entry to a critical system even if a username and password have been compromised. Microsoft has even reported that multi-factor authentication stopped 99.9% of automated attacks.
Policies and Procedures Review
This one is interesting because it’s not inherently technology related. You must ensure your organizational policies and procedures are in alignment with cybersecurity best practices. A recent example that highlights the need for policy and procedure review is an attack that focuses on redirecting an employee’s direct deposit. It starts with an email to Human Resources that looks like it’s from an employee requesting an account change for his or her direct deposit. If you don’t have a proper procedure in place for verifying such requests, this malicious activity can succeed. This example is particularly scary because it impacts not only the organization but also an employee’s wallet.
These three activities are a good place to start. However, it’s important to understand that there are many more technologies and processes to consider. Some examples include cyber liability insurance, an incident response plan, penetration tests, and regular security scans.
Own IT – The Importance of Employee Cybersecurity Awareness Training
It may be a surprise, but a strong cybersecurity plan requires more than your IT department or IT provider. Most successful attacks in the past year started with an email to an employee. These emails often trick employees into sharing their credentials, initiating fraudulent wire transfers, or unwittingly launching ransomware attacks. You must protect your employees in addition to your hardware and systems.
Your employees are often the first line of defense in preventing cyber incidents. Regular training is critical, and employees need to become capable of spotting fraudulent email messages. Here are two examples of good, low-cost ways to support and train your employees.
External Email Tagging
Identifying an email message as coming from outside your organization is a simple way to raise awareness and increase caution. A note that appears to be from a coworker asking for sensitive information, but carries a banner across the top identifying it as coming from an external source, should immediately raise a red flag. Almost every email system can support this feature at no additional cost.
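As an added illustration of what this looks like in practice (this is not VC3’s own configuration), the following creates an external-sender banner in Exchange Online with a mail flow rule. It assumes you have already connected with Connect-ExchangeOnline from the ExchangeOnlineManagement module; the rule name and banner wording are placeholders to adjust for your organization.

```powershell
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).
# Rule name and banner text below are hypothetical; change them to suit your organization.
$banner = '<div style="background:#FFEB9C;border:1px solid #9C6500;padding:6px;font-family:sans-serif;">' +
          '<b>CAUTION:</b> This email originated from outside the organization. ' +
          'Do not click links or open attachments unless you recognize the sender and know the content is safe.' +
          '</div><br>'

# Match mail sent from outside the organization to internal recipients,
# tag the subject and prepend the HTML banner to the body.
New-TransportRule -Name 'External Sender Banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Confirm the rule exists, is enabled, and has the intended scope.
Get-TransportRule -Identity 'External Sender Banner' |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```

After the rule is in place, send a test message from a personal mailbox to an internal address and confirm both the subject tag and the banner appear before rolling it out company-wide.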
Phishing Simulation Platforms
These tools allow you to identify employees who click on suspicious links and provide targeted training to those individuals. When used repeatedly, these training platforms shift the culture of the organization toward caution. Employees stop clicking on every link and replying to every message. They start questioning the request in the email. We like to say employees should become “Click Cautious” instead of “Click Curious”.
Let's Talk Cybersecurity
If you’d like to continue this cybersecurity conversation or ask us any additional questions, we’d love to connect with you. Fill out the form below and we’ll schedule a 30-minute call with you to discuss your cybersecurity goals and how you can make sure your organization is prepared.