Just as you can't just show up to the dentist one time in your life and expect to prevent cavities forever, the same is true for cybersecurity. It should be a continuous process, not a one-time gap assessment or penetration test. Because new threats are emerging every day, businesses must continually hone their defences while maintaining best practices.
For example, ransomware is a prevalent threat and could result in an irretrievable loss of important data. But with the right “cyber hygiene” — in this case, daily data backups — its harm can be greatly mitigated. By implementing the right defence, businesses can stave off the most easily preventable attacks, allowing them to focus on developing more sophisticated measures to protect against the cleverest new threats.
Six cybersecurity hygiene steps to keep systems safe
Of course, cybersecurity hygiene goes far beyond just backing up one’s data. There are a number of key approaches every business should implement. Let’s take a look at six of the best ones to have in place right away to ensure your best chance at preventing a breach.
1. Establish and communicate your cybersecurity standards.
When we think of cybersecurity, we tend to imagine high-tech solutions. But all security must start with good governance. Even the most sophisticated system cannot be fine-tuned for maximum protection until its use is made consistent. The only way to accomplish that is to use robust methodologies, ones that are clearly communicated to relevant team members.
To illustrate this point, imagine a DevOps engineer who deploys changes through the trusted integration pipeline, while another group in the company has found a “back door” for pushing changes outside it. Without a clear set of procedures in place, it's difficult for a company to resolve such discrepancies. One could rely on “tribal knowledge,” but that is prone to misapplication — a problem that only worsens when scaled to a large, complex enterprise.
Whether a company is a tiny startup or Fortune 100 behemoth, the need for sensible cybersecurity policies and procedures is the same. These should be carefully documented and revised regularly to reflect current cybersecurity best practices. It’s also critical to inculcate these standards into the culture as part of a training program because they are worthless if they are not communicated or understood.
2. Define accountability and executive buy-in for cybersecurity ownership.
Given that cybersecurity starts with culture — not technical controls — if leadership doesn't buy in, the mission to protect the company is greatly compromised. Buy-in means not only tacit support, but also active designation of point people to oversee cybersecurity. They also shoulder responsibility for compliance with standards and proper responses to cybercrime events.
Despite the importance of this role, companies too often make the mistake of performing security gap assessments but then failing to assign ownership or provide the necessary budget and resources. In fact, a PwC survey found that many companies lack the role of chief security officer or an equivalent. Even when companies have this role, the person is often not provided with what he or she needs to carry it out effectively.
But holding this person accountable without providing the authority to do his or her job is a recipe for failure. And given that the survey also reported that 51 per cent of data breaches are due to the action of insiders, that authority must include the ability to assess threats and “bad actors” from within the company.
3. Use multifactor identity management.
Once your team and leadership are on board, it’s important to pick the low-hanging fruit. The first issue you should address is identity management for logins.
It turns out that 81 per cent of hacking-related breaches were the result of stolen or weak passwords, according to the 2017 "Verizon Data Breach Investigations Report." This is exacerbated by the effectiveness of phishing at acquiring login credentials: attackers use fake emails or websites to entice unsuspecting users into providing usernames and passwords. Verizon reported that 4 per cent of users will fall for phishing attempts.
The solution is multifactor authentication. This prevents hackers from breaching your system by requiring a password and a one-time code that's sent to the user’s device (or another means of identifying legitimate users). If your system is in a cloud environment with access from the public internet, MFA should be mandatory.
If MFA is so effective, why isn’t it employed more commonly? Some fear that users will be annoyed by the extra hassle at logins, but that can be mitigated by enabling the system to remember the computer so the additional login step is only required occasionally.
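As an added illustration that is not part of the original article, here is a minimal Python model of the flow described above: an RFC 6238 time-based one-time code checked alongside the password, plus a “remembered device” token that lets a trusted computer skip the second step for a while. The 30-day trust window, the six-digit code length and the `login` helper are assumptions for this example.

```python
import hmac, hashlib, struct, secrets

STEP = 30           # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6          # code length (assumed)
REMEMBER_DAYS = 30  # how long a trusted device may skip the second factor (assumed)

def totp(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, submitted: str, now: int, skew: int = 1) -> bool:
    """Accept the code for the current step or +/- `skew` steps to tolerate clock drift."""
    for i in range(-skew, skew + 1):
        expected = totp(secret, now + i * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False

class RememberedDevices:
    """Server-side store of trusted-device tokens; only a hash of each token is kept."""
    def __init__(self):
        self._store = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._store[digest] = (username, now + REMEMBER_DAYS * 86400)
        return token  # handed to the browser, e.g. as a secure cookie

    def is_trusted(self, username: str, token: str, now: int) -> bool:
        entry = self._store.get(hashlib.sha256(token.encode()).hexdigest())
        return entry is not None and entry[0] == username and now < entry[1]

def login(devices, username, password_ok, secret, code, device_token, now):
    """Return 'denied', 'need_code' or 'ok'. The code is skipped only for a still-trusted device."""
    if not password_ok:
        return "denied"
    if device_token and devices.is_trusted(username, device_token, now):
        return "ok"               # remembered computer: no second step this time
    if code is None:
        return "need_code"        # password accepted, prompt for the one-time code
    return "ok" if verify_totp(secret, code, now) else "denied"
```

Once the trust window expires, `login` falls back to demanding the one-time code again, which is the “only required occasionally” behaviour the paragraph describes.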
4. Keep systems patched and up-to-date.
Essentially all software is shipped with vulnerabilities — and it’s just a matter of time before they get exploited. That applies to operating systems, browsers, and specialised software, all of which become easier to exploit as attacks grow more sophisticated and the software falls further behind those threats. Despite this reality, a survey conducted by Macro 4 revealed that 87 per cent of IT chiefs found that their systems were vulnerable because they were old and had out-of-date protections.
Fortunately, there is a simple and effective solution: automate patching and upgrades as much as possible. Where a system cannot be patched, establish a mechanism to review the unpatched environments regularly, and segment your network so that a compromise of one system cannot spread to the rest of your environment.
5. Schedule regular penetration testing and vulnerability assessments.
Maintaining good cybersecurity practices from day to day is fine, but it is the equivalent of merely brushing your teeth and never visiting a dentist. It’s not sufficient. Vulnerabilities can creep in during production and over time; these need to be rooted out by a friendly hacker hired for the purpose.
This kind of testing can and should be conducted as part of a general practice of sharing information between development and security teams. SmartBear reported in 2018 that code review was praised by 73 per cent of respondents as promoting this kind of sharing across teams.
6. Encryption, encryption, encryption.
One of the cheapest and simplest cyber hygiene practices is encrypting your data. Once out of reach of many companies, today encryption is inexpensive and readily done — often at merely the click of a button. There is no excuse to leave it out of your workflows. Data itself is a pricey commodity these days, so encrypting it is a tiny insurance premium that protects a key asset.
Another benefit of encryption is regulatory protection. For example, in the healthcare industry, a HIPAA breach of patient records might be mitigated by proving that the stolen data was rendered unreadable through strong encryption safeguards. Similarly, new standards for protecting personal information, such as the EU’s General Data Protection Regulation, are being designed, legislated, and enforced all the time. Encrypting data could save you money in fines while protecting your brand's reputation.
These six basic steps go a long way in protecting your business and brand from the growing threat of cybercrime. Don’t wait until your business needs a “root canal” from a devastating attack to begin implementing them. Start today, and soon you will be up to standards, allowing your operations to focus on revenue and innovation.
Brad Thies, founder and president, BARR Advisory, P.A.