Is your sensitive data secure? Best cyber security practices and ways to protect data are becoming the focus of discussion among companies in 2017.
It takes only one look on the current headlines to understand why many companies are so concerned with IT security. Constant reports on state sponsored hacking attacks, denial of service attacks, ransomware and leaks by malicious insiders reflect the amount of cyber security threats that government organizations, as well as education and healthcare institutions, financial firms, banks, law firms, retail, non-profits, and many other companies are facing every-day.
However, the number of successful high profile attacks and data breaches are also indicative of the security weaknesses that many companies and organizations have. It is no wonder that in our age of quickly evolving threats and ever changing compliance regulations, companies struggle to keep their data protected at all times. Information security is all about hard work and persistency – you need to make sure that your security has a solid foundation, but also adapt to new challenges well.
The question then is – what can I as a business owner do to protect my data in 2017?
While there are some basic network security measures that everybody is aware off, such as physically protecting your infrastructure, using firewalls and anti-viruses, etc., there are also very effective policy and procedures that not every company employs.
So, without further ado, here is our list of 12 best cyber security best practices for 2017:
1. Employ risk-based approach to security
Here is the fact: the right approach is the key to effective cyber security. Unfortunately, many companies put too much focus on compliance, thinking that as long as they meet all regulations, their sensitive data is thoroughly protected. Such companies often take the approach of simply going down the checklist, crossing off requirements one at a time as soon as they are met, without putting too much thought into the risks that company faces and how they affect the bottom line.
A much better approach is to form your data security strategy by prioritizing certain measure by how much they will affect your bottom line. In order to do this, your best tool is a thorough risk-assessment.
Here’s what risk assessment allows you to do:
- Identify all valuable assets, including those you was not aware off
- Identify the current state of cyber security in your company
- Identify the most pressing threats your data faces and how they may affect your bottom line
Things like fines for failing to meet compliance, remediation costs for potential leaks and breaches, as well as costs of missing or inefficient processes are all heavily factor in the final results of your risk assessment. Taking all of this into account will allow you to correctly prioritize your security and make sure that your security strategy serves corporate bottom line the best way possible.
There is a great example of risk assessment worksheet and assessment report on Compliance Forge website. Take a look if you need more information on how to conduct risk assessment in your company.
2. Form a hierarchical cyber security policy
Why written cyber security policy is important? There are several reasons to that:
First, it serves as a centralized formal guide on all best practices for cybersecurity, as well as security measures used in your company. It also allows you to make sure that your security specialists and employees are on the same page and gives you a way to enforce rules that protect your data. However, workflow of each department can be very unique and it can easily be affected by needless cyber security measures.
This is why, while centralized security policy can be very effective as a base guideline for the whole company, it shouldn’t cover every process in every department. Instead, allow your departments to create their own security policies, all based on the central one.
There are many benefits - by staking your security policies in such a hierarchical manner, you’re making sure that needs of every department are accounted for and that their workflow, and your bottom line, will not be compromised in the name of security.
Illinois government website provides a great cyber security policy template that you can download here, and use it as a base for the hierarchical approach, discussed above.
3. Update your software
Cyber security updates – an old and tired topic that cyber security experts keep repeating year after year. However, despite the fact that people are already sick of hearing about it, 2017 with its rise of malware and zero day exploits seems like a particularly good year to reiterate it.
So why are software updates so important? The main reason is because the majority of malware out there doesn’t exactly target the new and unknown security vulnerabilities. Instead, it goes for the well-known exploits already fixed in the latest version in hopes that companies do not update.
So what keeps companies using the old software? There are several reasons:
- Removed or changed functionality may force staff to relearn or readjust certain established processes
- Update process may be too complex, and may disrupt existing workflow.
- Sometimes, updates may be too costly, and sometimes they aren’t even available, forcing a company to switch to more recent solution
There are no easy solution for these issues, particularly for legacy software. However, its worth noting that software vendors are also aware of this and these problems are mostly absent in newest solutions, available on the market.
What’s more important is that despite all the pain updating is usually well worth it in terms of bottom line, as it allows to prevent very costly breaches and leaks and helps keep your sensitive data protected.
If you still aren’t convinced, check out this memo on software updates from University of Illinois.
4. Backup your data
Data backup is another fairly basic security measure that gained increased relevance in latest years. With the advent of ransomware, malicious software designed to encrypt all your data, blocking your access to it until you pay a hefty sum for a decryption key, having a full current backup of all your data can prove to be a lifesaver.
How do you best handle backups? You need to make sure that your backups are thoroughly protected and encrypted, and that they are very frequently updated. It is also best to divide backup duty between several people in order to avoid insider threats.
United States Computer Emergency Readiness Team (US-CERT) website provides a great document detailing different data backup options. There is also a great write up on ransomware from FBI that you should read if you want more info on it.
5. Use principle of the least privilege
Be aware: having too much privileged users accessing your data is extremely dangerous.
Many companies, particularly smaller ones, tend to grant new employees all privileges by default. This allows them to access sensitive data even if they are not necessarily need to. Such an approach not only poses additional risk in terms of insider threats, but also allows external hackers to get access to sensitive data as soon as any of your employee accounts is compromised.
A much better solution is to use a principle of least privilege, i.e., to assign each new account with the least privileges possible and to escalate them if necessary. At the same time, when access to sensitive data is no longer necessary, all corresponding privileges should be immediately revoked.
We realize - constant privilege management can be hard and time consuming, particularly for large companies, but there are a lot of access management solutions on the market that can make it easier. Particularly, one-time password functionality can prove a life saver when it is necessary to grant additional privileges to a regular user.
You can find much more details on the principle of least privilege on the US-CERT website.
6. Use two-factor authentication
Want to know the best way to protect accounts of your employees in 2017? We got three words for you – two-factor authentication.
Two-factor authentication is an important security standard when it comes to account protection. It employs additional physical devise, such as a security token or a mobile device to confirm the identity of the person behind the screen. This authentication method provides a very reliable login procedure security, as long as the secondary device doesn’t get lost or stolen. As an added benefit, it also allows to clearly distinguish between users of shared accounts, making access control easier.
Two-factor authentication is so effective that FBI even promoted it as a part of National Cyber Security Awareness Month. The only problem with two-factor authentication solutions is that they are often quite expensive. However, as with all things security out there – there are affordable high quality alternatives available out there, as long as you look for them.
7. Handle passwords in a secure manner
While secondary authentication provides a great safety net in case a password gets compromised, it’s still not an excuse to not follow best practices regarding password handling.
The first thing you need to know is that password needs to be long, complex and fully unique.
Here are the main bullet points regarding password handling:
- It is better to use a longer easy-to-remember phrase as a password, than a short string of random characters.
- Each password needs to be fully unique – make sure to prohibit your employees from using their passwords on other accounts.
- Prohibit your employees from sharing credentials with each other. While it may be more convenient for them, it is extremely unsafe.
All passwords should also periodically be switched. Since you may not even know whether your password was compromised or not, it is very dangerous to keep using one for a long time. The best way to go about changing passwords is to automate it for the whole company, requiring employees to enter a new password after a set period of time.
US-CERT website has a great article on choosing and protecting passwords that you can find here.
8. Change default passwords for your IoT devices
This year continues the trend of 2016 – IoT devices keep gaining popularity.
While gains in convenience and productivity are undeniable, sadly, it’s not all well and good when it comes to security.
Many internet-enabled devices come with a set of default credentials hard-coded inside. Such credentials are usually freely available on the internet and widely known to perpetrators. Most malware targeting IoT devices looks for devices that keep using their default credentials in order to hijack them and add them to its army of bots, ready to conduct massive denial of service attacks at the push of the button.
What can you do about it? The only way to make sure that your devices are protected from being infected is to change all default credentials as soon as possible. Make sure that your new password is fully unique and complex. It is also a good practice to periodically change this password, although it is best to fully automate this process.
9. Keep an eye on privileged users
Here’s the problem - users with privileged accounts enjoy increased level of trust and are often considered to be one the biggest assets the company has. However, at the same time they are also pose the biggest threat to data security among all employees. Privilege users have all the means necessary to steal your sensitive data and go unnoticed, and no matter how much you trust your employees with privileged accounts, anything can happen.
The best way to minimize the risks of insider attack by privilege users is to limit their numbers. This is where the principle of least privilege comes in. You also need to makes sure that any privileged accounts immediately get disabled whenever a person using them is terminated. More often than not, disgruntled employee retains their access upon termination, allowing them to exact revenge for perceived wrongdoing.
However, if privilege user is already stealing your data, it can be very hard to detect it, considering that such malicious actions may be indistinguishable from their everyday work. In this case, your best weapon is user action monitoring solutions. At the same time, default logging capabilities of most business software and operating systems have their limitations, particularly when it comes to users with high level of privilege.
The simpler and better way to detect malicious actions by privileged users is to employ user action monitoring solutions that are specifically designed to record any actions taken by such employees. Provided recording allows you to quickly see all the actions taken by the user in its original context and thus determine whether they were malicious or not.
You can check out this great research report by Ponemon Intsitute to find out more on the role of privilege users in general insider threats landscape.
10. Keep an eye on third parties accessing your data
Nowadays, almost every company has a network of third parties working with it remotely. Remote employees, sub-contractors, business partners, suppliers, and vendors – this is only a short list of people and companies that may access your data remotely. This not only provides a greater risk of insider attack, but also opens the way to malware and malicious hackers into your system.
The best way to protect your sensitive data from any breaches via third-party access is to use temporary password. It allows to limit the scope of access that third-party user has and allows to make sure that you know who exactly connects to your network and why. User action monitoring should also be used in conjunction with one-time password in order to provide a full logging of all user actions, allowing you to detect malicious activity and conduct investigations when necessary.
11. Be wary of phishing
It’s worth noting that insider threats does not end with malicious employees. More often than not, regular well-meaning employees inadvertently help perpetrators by providing them with a way to get into your system. Perpetrators use phishing techniques, such as spam e-mails or phone calls in order to find out information about employee, receive credentials from them or infect your system with malware. Phishing received somewhat a resurgence in later years and today companies drowning in spam e-mails containing malicious links.
So, here’s what you need to do – get a properly configured spam filter and make sure that the most obvious spam is always blocked. Moreover, your employees need to be educated on the most popular phishing techniques and the best ways to deal with them, in order to better protect themselves and your company data.
You can find more information on phishing, including a form to report it at US-CERT website.
12. Raise employee awareness
It’s hard to believe, but the key to the protection of your data lies with your employees just as much as with your defenses.
Even if you have the best cyber security policies and procedures in place, your employees will ignore them in the name of convenience and productivity. Strict rule enforcement may make the situation better, but it doesn’t guarantee results, while at the same time stressing out your employees and costing you additional money.
The best way to deal with negligence and security mistakes by your employees is to educate them on why security matters. Raise their awareness about cyber threats your company faces and how they affect the bottom line.
Make sure your employees know why certain measure are in place and why they are important. Recruit them as part of your defenses, and you will see that the instances of negligence and mistakes will become less frequent. It is much better to get your employees the proper training then to deal with a data breach, caused by accidental actions.
How Ekran System can help you implement these practices
Cyber security practices, mentioned above, help you protect your data. However, implementing them is another challenge altogether.
We have a solution for you – an affordable user action monitoring system that covers many thing, mentioned above.
Ekran System is a user action monitoring solution targeted at both large companies and small enterprises. The main focus of Ekran System is insider threat detection and prevention, as well as compliance. However, with a broad functionality that includes extensive monitoring capabilities, response tools, and access control tools, Ekran System can help you company with many of the best practices for cyber security mentioned the list above.
Here is how Ekran System can help you:
- Privilege user monitoring – Ekran System monitors all user actions regardless of the level of privilege users have or application they use. It employs monitoring agent protected by a custom driver, which makes it impossible to pause or stop monitoring even for privileged user. Additional authentication functionality also allows Ekran System to clearly distinguish between users of share accounts, such as admin account.
- Third-party monitoring – Ekran System can monitor remote user sessions, making it a great tool to check on actions of third party providers. It is completely agnostic to applications and network protocols used. In addition to producing a full video recording of user desktop, Ekran System also records additional meta-data, such as keystrokes, opened applications, visited websites, and entered Linux commands.
- One-time password – Enterprise version of Ekran System provides an easy way to give users temporary access to sensitive data. It adds a special request form to regular Windows login screen, allowing users to request a one-time password, that needs to be manually approved by security personnel of system administrator. This guarantees that you will always know who has access to your sensitive data and why and that users will not retain their access after they no longer need it.
- Two-factor authentication – Ekran System also provides additional two-factor authentication solution using a secondary mobile device to generate additional password, which then needs to be entered on login. This essential security feature is also additionally available for free.
- Customized alerts and session blocking – Ekran System comes with a set of pre-defined alerts, designed to cover most common insider threat and data misuse use cases, as well as an ability to create your own alerts, tailored to particular needs of your organization. Upon receiving the notification about an alert, security personnel can connect to the ongoing session in question, watch it live, and block the user if malicious actions are taking place.
- Centralized reporting – Ekran System allows to generate a large variety of reports, giving you a detailed look at various data and user statistics. Such reports provide a great way to simplify compliance audit, proving that all user action logging capabilities are in place.
- Easy deployment and updates – Ekran System is an agent-based solution, thus providing an easy deployment that does not require any changes to your existing network infrastructure. It also features automatic agent updates, making installing new version very quick and completely hassle-free.
So, here you go – these are some simple ways in which Ekran System can help your company implement many best business practices in 2017. And the best part is that this solution is really affordable and cost-effective for SMB and large enterprises alike.
All you need to do is download the free trial version below, and you will be able to find out for yourself how useful Ekran System can be.