Is your sensitive data secure? Cyber security best practices and ways to protect data are becoming the focus of discussion within companies in 2017.
It takes only one look at the current headlines to understand why companies are so concerned with IT security. Constant reports of state-sponsored hacking attacks, denial of service attacks, ransomware, and leaks by malicious insiders reflect the cyber security threats that government organizations, education and healthcare institutions, financial firms, banks, law firms, retailers, nonprofits, and many other organizations are facing every day.
The number of successful high-profile attacks and data breaches is also indicative of the security weaknesses that many companies and organizations have. It’s no wonder that in our age of quickly evolving threats and ever-changing regulations, companies struggle to keep their data protected at all times. Information security is all about hard work and persistence – you need to make sure that your security has a solid foundation, but also adapts well to new challenges.
The question, then, is the following – What can I do as a business owner to protect my data in 2017?
While there are some basic network security measures that everybody is aware of, such as physically protecting your infrastructure, using firewalls and antivirus software, and so on, there are also very effective policies and procedures that not every company employs.
Here’s our list of the twelve cyber security best practices for 2017:
1. Employ a risk-based approach to security
The right approach is the key to effective cyber security. Unfortunately, many companies put too much focus on compliance, thinking that as long as they meet all regulations their sensitive data will be thoroughly protected. Such companies often take the approach of simply going down a checklist, crossing off requirements as soon as they’re met, and not putting too much thought into the risks that the company faces and how they affect the bottom line.
A much better approach is to form your data security strategy by prioritizing measures based on how much they will affect your bottom line. In order to do this, your best tool is a thorough risk assessment.
Here’s what a risk assessment allows you to do:
- Identify all valuable assets, including those you were not aware of
- Identify the current state of cyber security in your company
- Identify the most pressing threats your data faces and how those threats may affect your bottom line
Things like fines for failing to comply with regulations, remediation costs for potential leaks and breaches, and the costs of missing or inefficient processes will all factor heavily into the final results of your risk assessment. Taking all of this into account will allow you to correctly prioritize your security and make sure that your security strategy serves the corporate bottom line in the best way possible.
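To make the "prioritize by bottom line" idea concrete, here is an added example (not from the original post, and not a Compliance Forge worksheet) that scores a small, constructed risk register with the annualized loss expectancy model and ranks candidate controls by the loss they avoid minus what they cost. Every asset, threat, control, dollar figure and reduction percentage is invented for illustration; the point is the ranking logic, not the numbers.

```python
"""Risk-based prioritisation of controls (added example, not from the post).

Uses the annualised loss expectancy (ALE) model: ALE = SLE * ARO, where SLE
is the cost of a single occurrence (fines, remediation, lost business) and
ARO the expected number of occurrences per year. Each control is scored by
the annual loss it avoids minus what it costs to run. All assets, threats,
controls and dollar figures below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    asset: str      # what is at stake
    threat: str     # how it could be harmed
    sle: float      # single-loss expectancy in dollars
    aro: float      # annualised rate of occurrence

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction by which the control reduces the ARO of each (asset, threat)
    reductions: dict = field(default_factory=dict)


def net_benefit(control: Control, risks: list) -> float:
    """Annual loss avoided by the control minus its annual cost."""
    avoided = sum(
        r.ale * control.reductions.get((r.asset, r.threat), 0.0) for r in risks
    )
    return avoided - control.annual_cost


def rank_controls(controls: list, risks: list) -> list:
    """Return (control name, net benefit) pairs, best investment first."""
    scored = [(c.name, net_benefit(c, risks)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed risk register for a small company.
RISKS = [
    Risk("customer database", "ransomware", sle=200_000, aro=0.5),
    Risk("customer database", "insider exfiltration", sle=500_000, aro=0.1),
    Risk("public web server", "defacement", sle=20_000, aro=1.0),
]

# Constructed candidate controls and the ARO reduction each is assumed to give.
CONTROLS = [
    Control("offline backups", 15_000, {("customer database", "ransomware"): 0.8}),
    Control("privileged user monitoring", 20_000,
            {("customer database", "insider exfiltration"): 0.6}),
    Control("web application firewall", 25_000,
            {("public web server", "defacement"): 0.9}),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset} / {r.threat}: ALE ${r.ale:,.0f}")
    for name, benefit in rank_controls(CONTROLS, RISKS):
        print(f"{name}: net benefit ${benefit:,.0f} per year")
```

Run as written, the register says offline backups pay for themselves several times over, privileged user monitoring is a modest net positive, and the web application firewall costs more than the defacement risk it addresses. A compliance checklist would treat all three as equally mandatory; the risk-based view tells you which to fund first.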
You can find a great example of a risk assessment worksheet and assessment report on the Compliance Forge website. Take a look at it if you need more information on how to conduct a risk assessment in your company.
2. Form a hierarchical cyber security policy
Why is a written cyber security policy important?
First, a written policy serves as a centralized, formal guide to all best practices for cybersecurity as well as all security measures used in your company. It also allows you to make sure that your security specialists and employees are on the same page, and gives you a way to enforce rules that protect your data. However, the workflow of each department can be unique and can easily be affected by needless cyber security measures.
This is why, while a centralized security policy can be very effective as a basic guideline for the whole company, it shouldn’t cover every process in every department. Instead, allow your departments to create their own security policies based on the central policy.
There are many benefits to staking out your security policies in such a hierarchical manner. By doing so, you make sure that the needs of every department are accounted for and that their workflows, and your bottom line, will not be compromised in the name of security.
The Illinois state government website provides a great cyber security policy template that you can download here and use as a base for your hierarchical approach.
3. Update your software
Cyber security updates are an old and tired topic that cyber security experts keep repeating year after year. Although people are already sick of hearing about it, 2017, with its rise of malware and zero-day exploits, seems like a particularly good year to reiterate this message.
Why are software updates so important? The main reason is that the majority of malware out there doesn’t exactly target new and unknown security vulnerabilities. Instead, it goes for well-known exploits that have already been fixed in the latest versions, in the hope that companies haven’t updated.
So what keeps companies using old software? There are several reasons:
- Removed or altered functionality in newer versions may force staff to relearn or readjust established processes.
- Update processes may be too complex and may disrupt existing workflows.
- Updates may be too costly or even unavailable, forcing a company to switch to a more modern solution.
There are no easy solutions to these issues, particularly for legacy software. However, it's worth noting that software vendors are also aware of this and that these problems are mostly absent in the newest software available on the market.
What’s more important is that despite all the pain, updating is usually well worth it in terms of your bottom line, as it allows you to prevent very costly breaches and leaks and helps keep your sensitive data protected.
If you still aren’t convinced, check out this memo on software updates from the University of Illinois.
4. Backup your data
Data backup is another fairly basic security measure that has gained increased relevance in recent years. With the advent of ransomware – malicious software designed to encrypt all your data and block access to it until you pay a hefty sum for a decryption key – having a full current backup of all your data can be a lifesaver.
How can you best handle backups? You need to make sure that your backups are thoroughly protected and encrypted and that they are very frequently updated. It’s also best to divide backup duty among several people in order to avoid insider threats.
The United States Computer Emergency Readiness Team (US-CERT) website provides a great document detailing different data backup options. There’s also a great write-up from the FBI on ransomware that you should read if you want more information on this topic.
5. Use the principle of least privilege
Beware: having too many privileged users accessing your data is extremely dangerous.
Many companies, particularly smaller ones, tend to grant new employees all privileges by default. This allows employees to access sensitive data even if they don’t necessarily need to. Such an approach not only poses an additional risk in terms of insider threats, but also allows external hackers to get access to sensitive data as soon as any of your employee accounts is compromised.
A much better solution is to use the principle of least privilege, in other words to assign each new account the fewest privileges possible and to escalate privileges as necessary. At the same time, when access to sensitive data is no longer needed, all corresponding privileges should be immediately revoked.
We realize that constant privilege management can be difficult and time-consuming, particularly for large companies, but there are a lot of access management solutions on the market that can make it easier. In particular, one-time password functionality can be a lifesaver when it’s necessary to grant additional privileges to a regular user.
You can find many more details on the principle of least privilege on the US-CERT website.
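As an added example (our own illustration, not code from the post or from any access management product), the model below shows the two halves of the principle in working code: accounts start with only their role's baseline permissions, and any escalation is granted for a bounded time and lapses on its own, so nobody has to remember to revoke it. The roles, permissions, user names and epoch timestamps are constructed. The same expiring-grant mechanism is what temporary access for third parties (section 10) relies on.

```python
"""Least-privilege account model with time-bound escalation.

Added example, not code from the original post. Roles, permissions, user
names and times are constructed. Default-deny: anything not in the user's
role or in an unexpired grant is refused.
"""

# Baseline permissions per role. A new account gets only its role's set.
ROLE_PERMISSIONS = {
    "employee": {"wiki:read", "mail:use"},
    "finance": {"wiki:read", "mail:use", "ledger:read"},
    "dba": {"wiki:read", "mail:use", "customer_db:read", "customer_db:write"},
}


class AccessManager:
    def __init__(self):
        self._role = {}         # user -> role name
        self._grants = {}       # user -> {permission: expiry (epoch seconds)}

    def create_user(self, user: str, role: str = "employee") -> None:
        """New accounts default to the least privileged role."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._role[user] = role
        self._grants[user] = {}

    def grant_temporary(self, user, permission, seconds, now) -> None:
        """Escalate one permission for a bounded period; it lapses by itself."""
        self._grants[user][permission] = now + seconds

    def revoke(self, user, permission) -> None:
        """Explicit revocation as soon as the need for access ends."""
        self._grants[user].pop(permission, None)

    def offboard(self, user) -> None:
        """Terminated staff lose every permission at once."""
        self._role.pop(user, None)
        self._grants.pop(user, None)

    def is_allowed(self, user, permission, now) -> bool:
        if user not in self._role:
            return False
        if permission in ROLE_PERMISSIONS[self._role[user]]:
            return True
        expiry = self._grants[user].get(permission)
        if expiry is None:
            return False
        if now >= expiry:
            del self._grants[user][permission]   # lazy clean-up of lapsed grants
            return False
        return True

    def holders(self, permission, now) -> list:
        """Everyone who can currently use a permission; review this list often."""
        return sorted(u for u in list(self._role) if self.is_allowed(u, permission, now))
```

The `holders` query is the one to run regularly: it answers "who can read the customer database right now?", which is exactly the list section 9 asks you to keep short.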
6. Use two-factor authentication
Want to know the best way to protect your employees’ accounts in 2017? We have three words for you: two-factor authentication.
Two-factor authentication is an important security standard when it comes to account protection. It employs an additional physical device, such as a security token or a mobile device, to confirm the identity of the person behind the screen. This authentication method provides a very reliable login procedure as long as the secondary device doesn’t get lost or stolen. As an added benefit, it also allows you to clearly distinguish among users of shared accounts, making access control easier.
Two-factor authentication is so effective that the FBI even promoted it as part of National Cyber Security Awareness Month. The only problem with two-factor authentication solutions is that they’re often quite expensive. However, as with all things security, there are affordable high-quality alternatives available if you look for them.
7. Handle passwords securely
While two-factor authentication provides a great safety net in case a password is compromised, it’s still not an excuse to not follow best practices regarding password handling.
The first thing you need to know is that passwords need to be long, complex, and fully unique.
Here are the main things you should consider regarding password handling:
- It’s better to use a longer, easy-to-remember phrase as a password than a short string of random characters.
- Each password needs to be fully unique – make sure to prohibit your employees from using their passwords on other accounts.
- Prohibit your employees from sharing credentials with each other. While it may be more convenient for them, it is extremely unsafe.
All passwords should also periodically be changed. Since you may not even know if your password has been compromised, it’s very dangerous to keep using the same one for a long time. The best way to go about changing passwords is to automate password changes for the whole company, requiring employees to enter a new password after a set period of time.
The US-CERT website has a great article on choosing and protecting passwords, which you can find here.
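The following is an added example (not from the post or from US-CERT) of the server side of these rules in working code: a policy check that favors long passphrases, salted PBKDF2 storage so the password itself is never kept, constant-time verification, and a short hash history so the periodic rotation the post recommends cannot just cycle back to an old password. The length threshold, the tiny common-password list and the sample passwords are constructed for illustration.

```python
"""Password policy, storage and rotation (added example, not from the post).

Thresholds and sample passwords are constructed. Storage uses salted
PBKDF2-HMAC-SHA256 from the standard library; verification is
constant-time; a small hash history blocks reuse on rotation.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 14          # favour long passphrases over short random strings
MIN_DISTINCT = 6         # crude guard against "aaaaaaaaaaaaaa"
PBKDF2_ROUNDS = 100_000  # tune upward as hardware allows
HISTORY_DEPTH = 5

# Constructed stand-in for a real breached-password list.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_policy(password: str) -> list:
    """Return the list of policy violations (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT:
        problems.append("too few distinct characters")
    if password.lower() in COMMON:
        problems.append("on the common-password list")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest); a fresh random salt per password defeats rainbow tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # no early exit on mismatch


class Account:
    """Stores only salted hashes and remembers recent ones to block reuse."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.history = []   # list of (salt, digest), newest last
        self._set(password)

    def _set(self, password: str) -> None:
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]

    def authenticate(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return verify_password(password, salt, digest)

    def rotate(self, new_password: str) -> list:
        """Periodic change: must pass policy and differ from recent passwords."""
        problems = check_policy(new_password)
        if any(verify_password(new_password, s, d) for s, d in self.history):
            problems.append("reused a recent password")
        if problems:
            return problems
        self._set(new_password)
        return []
```

Note that the history stores hashes, not passwords, so checking for reuse costs one PBKDF2 computation per remembered entry; that is the price of never holding the old passwords themselves.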
8. Change default passwords for your IoT devices
This year continues 2016’s trend – IoT devices keep gaining popularity.
While gains in convenience and productivity are undeniable, sadly, it’s not all well and good when it comes to security.
Many internet-enabled devices come with a set of default credentials hard-coded inside. Such credentials are usually freely available on the internet and widely known to perpetrators. Most malware targeting IoT devices looks for devices that keep using their default credentials in order to hijack them and add them to an army of bots that are ready to conduct massive denial of service attacks at the push of a button.
What can you do about this? The only way to make sure that your devices are protected from being infected is to change all default credentials as soon as possible. Make sure that your new passwords are fully unique and complex. It’s also a good practice to periodically change the passwords for IoT devices, although it’s best to fully automate this process.
9. Keep an eye on privileged users
Here’s the problem – users with privileged accounts enjoy an increased level of trust and are often considered one of the biggest assets a company has. At the same time, they also pose the biggest threat to data security among all employees. Privileged users have all the means necessary to steal your sensitive data and go unnoticed, and no matter how much you trust your employees with privileged accounts, anything can happen.
The best way to minimize the risks of an insider attack by privileged users is to limit their numbers. This is where the principle of least privilege comes in. You also need to make sure that any privileged accounts immediately get disabled whenever a person using them is terminated. More often than not, disgruntled employees retain access upon termination, allowing them to exact revenge for perceived wrongdoing.
If a privileged user is already stealing your data, however, it can be very hard to detect, considering that such malicious actions may be indistinguishable from everyday work. In this case, your best weapon is a user action monitoring solution. The default logging capabilities of most business software and operating systems have their limitations, particularly when it comes to users with a high level of privileges.
The simpler and better way to detect malicious actions by privileged users is to employ user action monitoring solutions that are specifically designed to record any actions taken by such employees. Recordings allow you to quickly see all actions taken by a user in the original context, and thus determine whether these actions were malicious.
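To show what "seeing actions in context" buys you over a bare log line, here is an added example (ours, not from the post and not Ekran System code) that runs three simple detection rules over a few constructed sudo log lines: privileged commands outside business hours, privileged access to a sensitive path, and the sequence that matters most, an archive of sensitive data followed shortly by a transfer off the host by the same user. The host name, user names, paths, the 203.0.113.9 address and the assumed year 2017 are all constructed; the sensitive-path list is a placeholder you would replace with your own.

```python
"""Rule-based review of privileged (sudo) activity. Added example, not from the post.

Log lines, users, paths and the remote address are constructed. Syslog
lines carry no year, so 2017 is assumed when parsing.
"""
import re
from datetime import datetime

SUDO_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$"
)
ASSUMED_YEAR = 2017
BUSINESS_HOURS = range(8, 18)
SENSITIVE_PATHS = ("/var/lib/pgsql", "/etc/shadow", "/srv/finance")   # placeholder list
ARCHIVERS = ("/bin/tar", "/usr/bin/zip")
TRANSFER_TOOLS = ("/usr/bin/scp", "/usr/bin/curl", "/usr/bin/rsync")
STAGING_WINDOW_SECONDS = 3600

# Constructed sample log: one admin restarts a service during the day; the
# same admin also archives the database directory at 2 a.m. and copies it out.
SAMPLE_LOG = [
    "Mar  1 02:13:44 db01 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; "
    "COMMAND=/bin/tar czf /tmp/cust.tgz /var/lib/pgsql/data",
    "Mar  1 10:05:12 db01 sudo:   carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; "
    "COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar  1 02:20:01 db01 sudo:   carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/bin/scp /tmp/cust.tgz carol@203.0.113.9:/tmp/",
    "Mar  1 11:30:07 db01 sudo:    dave : TTY=pts/1 ; PWD=/home/dave ; USER=root ; "
    "COMMAND=/usr/bin/apt-get upgrade",
]


def parse_sudo_line(line: str):
    """Return {ts, host, user, cmd} for a sudo line, or None for anything else."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    stamp = f"{ASSUMED_YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}"
    return {
        "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "user": m.group("user"),
        "cmd": m.group("cmd"),
    }


def analyse(lines: list) -> list:
    """Apply the rules in time order; returns findings as dicts."""
    events = [e for e in map(parse_sudo_line, lines) if e]
    findings = []
    staged = {}   # user -> time of the last archive of a sensitive path

    def flag(event, rule):
        findings.append({"user": event["user"], "time": event["ts"], "rule": rule, "cmd": event["cmd"]})

    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ts"].hour not in BUSINESS_HOURS:
            flag(e, "privileged command outside business hours")
        if any(p in e["cmd"] for p in SENSITIVE_PATHS):
            flag(e, "privileged access to sensitive path")
            if e["cmd"].startswith(ARCHIVERS):
                staged[e["user"]] = e["ts"]
        if e["cmd"].startswith(TRANSFER_TOOLS):
            last = staged.get(e["user"])
            if last and (e["ts"] - last).total_seconds() <= STAGING_WINDOW_SECONDS:
                flag(e, "sensitive data archived then transferred off host")
    return findings


def findings_by_user(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["time"], f["user"], f["rule"], "::", f["cmd"])
```

Each of carol's two night-time commands is unremarkable by itself (admins do run tar and scp); it is the combination, in sequence, that produces a high-confidence finding, which is the context a session recording gives an investigator directly.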
You can check out this great research report by the Ponemon Institute to find out more about the role of privileged users in the general insider threat landscape.
10. Keep an eye on third parties accessing your data
Nowadays, almost every company has a network of third parties working with it remotely. Remote employees, subcontractors, business partners, suppliers, and vendors – this is only a short list of people and companies that may access your data remotely. Third-party access not only provides a greater risk of insider attacks, but also opens the way for malware and malicious hackers to enter your system.
The best way to protect your sensitive data from any breaches via third-party access is to use temporary passwords. Temporary passwords allow you to limit the scope of access that third-party users have and allow you to make sure that you know who exactly connects to your network and why. User action monitoring should also be used in conjunction with one-time passwords in order to provide full logging of all user actions, allowing you to detect malicious activity and conduct investigations when necessary.
11. Be wary of phishing
It’s worth noting that insider threats don’t end with malicious employees. More often than not, well-meaning employees inadvertently help perpetrators by providing them with a way to get into your system. Perpetrators use phishing techniques such as spam emails and phone calls in order to find out information about employees, receive credentials from them, or infect systems with malware. Phishing has seen somewhat of a resurgence in recent years, and today companies are drowning in spam emails containing malicious links.
So here’s what you need to do: get a properly configured spam filter and make sure that the most obvious spam is always blocked. Moreover, your employees need to be educated on the most popular phishing techniques and the best ways to deal with them in order to better protect themselves and your company’s data.
You can find more information on phishing, including a form to report it, on the US-CERT website.
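As an added example (ours, not from the post, US-CERT or any spam filter product), the scorer below checks a raw email for the indicators that phishing awareness training usually teaches and that a filter can also test mechanically: a sender domain that is a near-miss for your own, a Reply-To pointing somewhere else, urgency wording in the subject, link text that shows one address while the href goes to another, and a link to a bare IP address. Both messages, the internal domain `example-corp.com`, the weights and the threshold are constructed; the 203.0.113.77 address is from a documentation range.

```python
"""Phishing indicator scoring for a raw email. Added example, not from the post.

Sample messages, internal domain, weights and threshold are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-corp.com"}          # constructed: your own mail domains
URGENCY_WORDS = ("urgent", "immediately", "suspended", "expires", "verify now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WEIGHTS = {
    "lookalike sender domain": 3,
    "reply-to domain differs from sender": 1,
    "urgency language in subject": 1,
    "link text points to a different host than its href": 3,
    "link target is a raw IP address": 2,
}
THRESHOLD = 3

SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
Reply-To: support@mail-verify.example.net
To: alice@example-corp.com
Subject: URGENT: your password expires today
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Verify immediately:</p>
<a href="http://203.0.113.77/login">https://sso.example-corp.com/login</a>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Bob" <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch on Friday?
Content-Type: text/plain

See the menu at https://cafe.example.net/menu
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower() if "@" in address else ""


def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw: str) -> list:
    """Return the distinct indicators present in the message, in check order."""
    msg = message_from_string(raw)
    found = []
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        if any(levenshtein(from_domain, d) <= 2 for d in INTERNAL_DOMAINS):
            found.append("lookalike sender domain")
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to domain differs from sender")
    if any(w in (msg.get("Subject") or "").lower() for w in URGENCY_WORDS):
        found.append("urgency language in subject")
    for href, text in ANCHOR_RE.findall(_body_text(msg)):
        href_host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.lower().startswith(("http://", "https://")):
            text_host = (urlparse(text).hostname or "").lower()
            if text_host and text_host != href_host:
                found.append("link text points to a different host than its href")
        if IP_RE.match(href_host):
            found.append("link target is a raw IP address")
    return list(dict.fromkeys(found))   # de-duplicate, keep order


def phishing_score(raw: str) -> int:
    return sum(WEIGHTS[i] for i in phishing_indicators(raw))


def is_suspicious(raw: str) -> bool:
    return phishing_score(raw) >= THRESHOLD
```

The weights deliberately make the two content indicators (lookalike domain, mismatched link) sufficient on their own, while the softer signals only add up to a flag in combination; that is also the order in which to teach them to employees.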
12. Raise employee awareness
It’s hard to believe, but the key to protecting your data lies with your employees just as much as with your defenses.
Even if you have the best cyber security policies and procedures in place, your employees will ignore them in the name of convenience and productivity. Strict rule enforcement may make the situation better, but it doesn’t guarantee results and may even stress out your employees, costing you additional money.
The best way to deal with negligence and security mistakes by your employees is to educate them on why security matters. Raise awareness about cyber threats your company faces and how they affect the bottom line.
Make sure your employees know why certain measures are in place and why they’re important. Recruit them as part of your defenses, and you will see that instances of negligence and mistakes become less frequent. It’s much better to get your employees the proper training than to deal with a data breach caused by accidental actions.
How Ekran System can help you implement cyber security best practices
The cyber security practices mentioned above help you protect your data. However, implementing them is another challenge altogether.
We have a solution for you – an affordable security monitoring and protection solution that covers many of the things mentioned above.
Ekran System is a user action monitoring solution targeted at both large companies and small enterprises. The main focuses of Ekran System are insider threat detection and prevention as well as compliance. However, with a broad functionality that includes extensive monitoring capabilities, response tools, and access control tools, Ekran System can help your company with many of the cyber security best practices mentioned above.
Here is how Ekran System can help you:
- Privileged user monitoring
- Third-party contractor monitoring
- One-time passwords
- Two-factor authentication (free module available)
- Customized alerts and session blocking
- Centralized reporting
So, there you go – these are some simple ways in which Ekran System can help your company implement many of the best business practices in 2017. And the best part is that this solution is truly affordable and cost-effective for small and medium-sized businesses and large enterprises alike.