Does Your Security Posture Measure Up?
The National Convergence Technology Center (CTC) recently attended a special virtual “Cybersecurity Is Everyone’s Business” conference hosted by Florida State College at Jacksonville, one of the CTC’s grant partners. Among the presentations delivered was a talk on “Ten Things That Business Can Do to Improve Their Security Posture.” Aaron Weiss, owner of Forensic Recovery LLC, provided practical, real-world lessons for enterprise cybersecurity. Students may find this sort of business-oriented overview useful. In fact, Aaron believes these are the kinds of things new IT workers should keep in mind as they begin their careers. He also provided two figures about security incidents: 27% of malware in 2020 was ransomware (and that percentage is increasing) and 58% of 2020 data breaches included personal data.
1. Multifactor Authentication – Aaron considered this the most important thing a business can do to better protect administrator accounts, email, bank accounts, and remote access. It’s important to make these systems easy for the user, because so many people still resist even using passwords properly, let alone a second factor. He also stressed the need to maintain an emergency fallback method so that account recovery isn’t left entirely in the hands of one IT technician.
2. Backups – Too many don’t think about regular backups until there’s an incident, but by then it’s too late. Aaron noted three mistakes to avoid: not backing up, not regularly testing the backups, and connecting the backup to an infected system (which will likely infect and ruin the backup data). He also noted the need to make this system automated, rather than relying on an employee to do it every afternoon.
3. Encryption – Aaron noted that encryption requires the cooperation of both the sender and the receiver, and he acknowledged the pressure that can come from a recipient who is struggling with his or her end of it and demands the material be sent unencrypted. Encryption applies to all three “states” of data: at rest, in transit, and in use. Aaron urged businesses never to send the encryption key through the same channel as the encrypted file; a key that travels alongside the file it protects gives an interceptor both at once and makes the encryption worthless.
4. Endpoints – A company’s security is only as strong as its weakest endpoint. Aaron explained that securing endpoints includes anti-virus protection, patching (including security updates for browsers), encryption, secure access, and strong passwords. He also suggested that employees’ kids never use work computers, given their propensity to explore insecure websites and download risky apps.
5. Personnel training and awareness – This doesn’t just mean teaching people about security technology, but also explaining social engineering threats. For example, don’t be the person who holds a door open and mistakenly lets a bad actor into a secure facility. Aaron said people sometimes need to be reminded that it’s okay not to be helpful and nice. He also talked about the need for employee phishing tests both before and after awareness training, so the before-and-after results can serve as metrics of whether the lessons were learned. It’s also important to encourage self-reporting: employees can’t be afraid of reprisals if they admit to an accidental security breach.
6. Processes – Have an incident plan worked out in advance. Those first 48 hours after an incident will be hectic enough as it is; don’t add to the stress by not knowing what to do or who to call.
7. Assessment – Whether it’s an annual in-depth assessment or a monthly assessment of individual IT functions, a company cannot protect what it doesn’t know about. Aaron noted that it’s important that these assessments, which will be looking for vulnerabilities and possible threats, take into account the overall business process of the company. Context is important. Don’t bring in a third-party IT specialist who runs tests without ever asking about how the business functions.
8. Logging – Aaron said this will be the first thing an incident response technician asks about. Things to consider when it comes to logging: what logging is required by law, what role logging will play in any incident response, the scope of the logging (what to log, how to log it, and how long to keep the logs), and the cost of the logging (some logging is free, but even free logging must be configured).
9. Cyberinsurance and lawyers – Aside from niche insurers and attorneys that specialize in cybersecurity and data privacy, there are also “all in one” firms that offer hotlines, attorneys, and incident responders all under one roof, so a company only has to make one call. Again, it’s important to work all of the details out in advance. Don’t wait until there is a real problem.
10. “Next level” – This is a scenario in which the business is booming (expansion, IPOs, a new large-scale vendor) and the level of security may need to be ramped up. Hard questions about the current security posture will be asked. Extra security help with additional tools and processes, like penetration tests or tabletop exercises, could be needed.