Strengthen your security posture: 20 steps your company should take now to combat cyber threats
What’s your worst fear?
Forget the creepy clowns, the hulking beasts, the vicious dogs of your childhood nightmares. That’s all in the past. What matters today is what kept you up last night.
If you’re in a decision-making role in an organization of any size, chances are good that one of the many things keeping you up at night is the ever-evolving cyber threat landscape.
In point of fact, this “thing” is really a constellation of loosely related terrors, all of which have the power to waylay your company, cripple its resiliency, and devastate its reputation.
It’s critical to invest in a comprehensive suite of cyber protection resources, the benefits of which we’ll discuss later on. But top-of-the-line cyber protection only works insofar as it’s buttressed by knowledge and awareness of the threat landscape — not just at the very top of your organization, but all the way down to the most junior users as well. Your organization is only as strong as its weakest link.
With that in mind, let’s talk about how to buttress your company’s security posture at every level of the organization. While there’s no such thing as 100% guaranteed cybersecurity — not in the current threat environment, at least — these 20 tips and tricks will reduce your exposure to common cyber threats to which your peers and competitors fall victim every day.
Live By the Principle of Least Privilege
Your organization must live by the principle of least privilege. Put another way, your users must have the bare minimum permissions necessary to perform within the four corners of their defined roles. There’s no reason to give a junior employee the keys to the kingdom, and even senior- or C-level employees have no business mucking around in areas outside their direct purview.
How should you implement your principle of least privilege? Dynamic user groups based around role-specific permissions are a start; you can swap users in and out of these groups (leveling up and down) as appropriate. Team members collaborating on a particular project should all have the same capabilities with regards to that project, absent any mission-critical or eyes-only information to which the team lead might need sole access.
Strengthen Digital Credentialing and Access Control
Think beyond the password. At minimum, your organization should use across-the-board two-factor authentication for all internal apps, systems, and processes, as well as any sensitive third-party programs (such as cloud-based services) that require gatekeeping. Consider even stronger security measures, like biometrics, for the most sensitive situations.
Strengthen Physical Access Controls to Key Infrastructure
Speaking of biometrics: Your company’s physical access controls should extend well beyond traditional lock-and-key (or keypad) mechanisms. Keycards are old hat, but no less useful for it; consider retinal scans and fingerprint scanners at key chokepoints on your premises, the better to protect against keycard theft and coercion. You’ll also want to invest in a comprehensive network of security cameras and motion detectors; your workforce will get over the creepiness factor sooner than you think.
Be Quick to Revoke Access When It’s No Longer Needed
Anything you give, you must be prepared to take away.
Your team won’t remain as it is indefinitely. Members will come and go, on good terms and bad, and you’ll be left to clean up after them. It’s absolutely crucial that these cleanup efforts include speedy and thorough revocation of employee or contractor permissions and access — no matter how much goodwill the departee retains. You simply can’t risk orphaned credentials; even if the original user never turns them to malicious ends, the malefactor who gains access to their BYOD device just might.
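The group-based least-privilege model from the earlier section and the one-step revocation described here, as an added example that is not part of the original article; the group, user and resource names (proj-atlas, alice, atlas/budget, and so on) are constructed sample data:

```python
# Added example, not from the original article: a group-based access directory
# showing least privilege, a lead-only resource and one-step revocation.
from collections import defaultdict


class AccessDirectory:
    def __init__(self):
        self.group_perms = {}            # group -> {(resource, action), ...}
        self.members = defaultdict(set)  # group -> {user, ...}

    def define_group(self, group, perms):
        self.group_perms[group] = set(perms)

    def add_member(self, group, user):
        if group not in self.group_perms:
            raise KeyError(f"unknown group {group!r}")  # no ungoverned groups
        self.members[group].add(user)

    def groups_of(self, user):
        return sorted(g for g, m in self.members.items() if user in m)

    def permissions(self, user):
        # Effective rights are the union of the user's groups; no group, no rights.
        return set().union(*(self.group_perms[g] for g in self.groups_of(user)))

    def allowed(self, user, resource, action):
        return (resource, action) in self.permissions(user)

    def offboard(self, user):
        # Revoke every membership at once so no orphaned access survives.
        revoked = self.groups_of(user)
        for g in revoked:
            self.members[g].discard(user)
        return revoked


def demo():
    d = AccessDirectory()
    d.define_group("proj-atlas", [("atlas/repo", "read"), ("atlas/repo", "write")])
    d.define_group("proj-atlas-lead", [("atlas/budget", "read")])  # eyes-only
    d.define_group("finance", [("ledger", "read")])
    for user in ("alice", "bob"):
        d.add_member("proj-atlas", user)
    d.add_member("proj-atlas-lead", "alice")  # alice leads the project
    checks = {
        "bob_writes_repo": d.allowed("bob", "atlas/repo", "write"),
        "bob_reads_budget": d.allowed("bob", "atlas/budget", "read"),
        "alice_reads_budget": d.allowed("alice", "atlas/budget", "read"),
        "alice_reads_ledger": d.allowed("alice", "ledger", "read"),
    }
    revoked = d.offboard("alice")  # alice leaves; every membership is dropped
    return checks, revoked, d.permissions("alice")
```

Rights are never attached to individuals, so "leveling up" a user is a group membership change and offboarding is a single call that leaves nothing behind.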
Set a Clear, Transparent BYOD Policy
On the matter of BYOD: It’s probably futile to resist, and may be cheaper than issuing company devices to every Joe and Jane contractor on your team. But that’s not to invite a hands-off BYOD policy that lets anyone do anything with any device they cart in off the street. Your BYOD employees and contractors should know exactly what’s expected of them and their devices. For ideas and a free template, check out this BYOD policy outline from IT Manager Daily.
Manage and Restrict Corporate BYOD Apps Rather Than Entire Devices
One particularly controversial aspect of any BYOD policy is usage prioritization. Should users have more or less free rein over their BYOD machinery, on the principle that these are indeed their own devices? Or should the needs of the user remain subordinate to the greater good of the organization and its priorities?
It’s a thorny question, to be sure, and philosophical besides. But an emerging and persuasive strain of thought posits that BYOD device restrictions should focus primarily on corporate apps, not entire devices. Usage monitoring should follow suit; workers who feel as if their every move is on display when they’re not on the clock are apt to burn out faster than those satisfied by their work-life balance.
Fully Encrypt All Devices Running Corporate Apps
One aspect of BYOD that shouldn’t be up for debate is encryption: If an employee or contractor insists upon bringing their own device to work (and plugging into your network), that device had better have top-of-the-line encryption. This applies to corporate devices, too; proximity is no excuse for sloppiness.
Use Portable Encryption
Extra protection never hurt anyone. Encrypting all corporate devices is a start, but additional layers of security can make the difference between decent and first-rate protection. Require employees to run virtual private networks on all devices connected to the public Internet, and don’t be afraid to mandate encrypted email suites as well.
Invest in Comprehensive Cloud Backup Solutions
Your organization must have a comprehensive cloud backup solution standing ready to aid your recovery from data loss or interruption. And it must actually use this solution — that is, regularly backing up critical files and programs to the cloud, preferably on a timetable that’s not subject to the whims of individual process owners or decision makers.
Cloud backup is one component of comprehensive cyber protection. Look for a solution that also offers full control over your protection (meaning complete access to your data, file authenticity, storage, and more) and adapts to your changing needs, whatever endpoints you happen to be using at any given time.
Set a Ransomware Policy
Complement your BYOD policy with a more specific, but no less important, set of ground rules around ransomware: specifically, what individual users and teams should do if they fall victim to a ransomware attack. A comprehensive data backup solution should reduce your exposure to actual data loss in the wake of a ransomware attack, but you’ll also need to think about recovery protocols, device disposal, and other logistical considerations.
Understand Esoteric Threats (And More Common Ones, Too)
Remember how your organization is only as strong as its weakest link? Employees and contractors — links — who don’t understand the nature of the cyber threats they’re likely to encounter in the wild are vulnerable to exploitation. Take the time to educate your senior leadership team about the different types of malware and threat vectors, then disseminate top-level conclusions to your rank-and-file. Consider a quarterly report or standing meeting around cybersecurity issues, with forward-looking warnings and takeaways as needed to keep your team in the loop.
Assign an Email Security Lead Within Your Infosec Team
Email security is a big job, not least because email itself is among the most common threat vectors for malware attacks and credential theft. Your information security team should have a dedicated email security lead whose entire role revolves around anticipating, mitigating, and informing the rest of the team about specific email-based threats facing your organization. Among other capabilities, this lead should be capable of clearly and effectively communicating details of email-based threats to your team in plain English; this is not the ideal position for a wonk more comfortable cloaked in layers of code.
Upgrade to a Secure, Feature-Rich Email Suite
Give your email security team a leg up by upgrading to a secure, feature-rich email suite that helps users help themselves avoid email-vectored threats. There’s an argument for using a fully encrypted email suite; while email encryption in itself isn’t a panacea, and won’t necessarily protect against sophisticated phishing and spearphishing attacks, it does provide peace of mind for decision-makers kept awake by data security worries.
Educate Users on Basic Email Hygiene and Security
Complement your secure email suite with basic education about email hygiene and security. This is where your email security lead can really shine; it’s their job to ensure that your employees and contractors handle external messages and potential insider threats with the caution and care they require.
Apply System Patches As and When They’re Available
Don’t sleep on system patches. Maintenance is no one’s idea of a good time, particularly when it involves system downtime, but the alternative — compulsory, open-ended downtime coupled with potential data loss — is far worse. Read communications from manufacturers and authorized dealers promptly and thoroughly, lest you miss notifications.
Always Watch the Watchers
The insider threat is among the most pernicious and difficult-to-defend vectors. The U.S. government defines “insider” as “any person with authorized access to an organization’s resources to include personnel, facilities, information, equipment, networks, or systems,” and an “insider threat” as “the risk an insider will use their authorized access, wittingly or unwittingly, to do harm to their organization. This can include theft of proprietary information and technology; damage to company facilities, systems or equipment; actual or threatened harm to employees; or other actions that would prevent the company from carrying out its normal business practice.”
Needless to say, it’s absolutely crucial that you bar the door against trusted employees and contractors who may wish you ill. Your insider threat mitigation protocols should resemble a panopticon, where no insider can be totally sure that they’re not being watched at all times.
Hold Vendors and Other Third Parties to Rigorous Security Standards
Even if they’re not technically part of your organization, your company’s vendors should adhere to the same rigorous cybersecurity standards as the employees and contractors who do report through your chain of command. Many of the most devastating cyberattacks in recent memory originated with insecure third-party vendors, often in esoteric, non-core functions. Remember — you can always find someone else to do the work, and if a vendor isn’t willing to play ball, they’re not worth the trouble.
Always Use Secure Tools for Internal Collaboration
It’s tempting to use unencrypted messaging and email apps for internal collaboration. Unfortunately, it’s also needlessly risky, for all the reasons mentioned above. Invest in secure collaboration tools that keep files and communications hidden from prying eyes, whether they belong to malicious insiders or outsiders.
Keep Your Ear to the Ground
If there’s one certainty in the ever-uncertain world of digital security, it’s this: The threat landscape can change in the blink of an eye.
Indeed, the most urgent cyber threats facing your company today probably won’t be the threats that keep you up at night a year or two hence. The threats over which you fretted and lost sleep two years back are, mercifully, a distant memory.
That’s not to say that history can’t or won’t repeat itself. Although the worms and viruses of today are far more sophisticated than their brethren from decades past, the basic structure and lifecycle of these malicious bits of code haven’t changed much in the intervening years. Nor have the vectors along which they’re transmitted — email remains frustratingly insecure, the bane of many a CISO.
What will the future bring? Will, as prominent cybersecurity wonk Bruce Schneier predicts, AI and machine learning revolutionize digital threat interception, giving defenders a decisive upper hand? Or will the next crop of malicious attackers leverage the awesome power of AI to wreak havoc on even the best-defended systems and machines?
We simply don’t know the answers to these questions. We don’t even know if we’re posing the right queries. Even digital security legends like Schneier don’t know for sure what’s coming around the bend, even if their informed guesses are far better than layfolks’.
Perhaps it’s best for corporate decision-makers to live by the old Scouts adage: Always be prepared. To that, we might offer an addendum for our digital age: …for whatever comes next.