Since the beginning of the pandemic, ransomware and other cyber attacks have spiked. Meanwhile, millions of people have shifted from working in offices to working remotely. Organizations are increasingly relying on video conferencing, virtual private networks (VPNs) and remote desktop protocol admin tools.
Many employers believe that, to cut down on these risks, they should invest in new and bigger solutions. However, it’s also important that they review common best practices like password policies, least privilege access, patching and more.
Let’s look at some of those best practices you can use to assess and control today’s risks.
Adopt the Zero Trust Model
It’s time to change the way you think about and approach emerging cybersecurity issues. Many people believe their defenses are so strong that they can overlook small issues and focus only on major holes that could be easy targets for attackers. But today, this mindset will keep you one step behind the attackers. Instead, change the approach by adding the zero trust security model.
Rather than assuming everything is safe behind the corporate firewall, the zero trust model assumes breaches happen and verifies every request as if it came from an unsafe network. The zero trust attitude is ‘never trust, always verify.’
Under the zero trust model, you can authenticate and authorize every access request. It also makes it easier for you to detect and respond to any odd behavior or attacks, blocking them before granting access to the network. On top of this, apply the principle of least privileged access to reduce the risks.
The Insider Threat
The biggest cyber threat to any group is its employees. An IBM report found that insiders were behind 60% of cyber attacks, whether on purpose or by accident. Lots of people make simple mistakes: visiting malicious websites, using compromised USB drives or other personal devices at work or sharing sensitive information and credentials with another person. Then there are malicious insiders who intend to do damage.
Here are a few measures that you can implement to cut down on the risk from insider threats:
- Set up a policy of least privilege: Limit employees’ access to only the resources they need. Don’t allow people to access the crown jewels data off-network or from a personal device with only user credentials. Provide appropriate identity access and assurance to enable remote access if it is needed, but also put strong authentication in place to grant access to the critical data.
- Unsecured device policy: In the pandemic, a mobile workforce makes a lot of sense, but security is the main concern here. There are many ways attackers can breach unsecured devices, like losing the devices or having them stolen. Employees might fail to adhere to the company BYOD policies or use guidelines, or use an unsecured Wi-Fi network. A strong device policy is vital to ensure proper security, such as application installation control, updating the antivirus software, proper maintenance/updates of patches, data wipe procedures and encryption of data at rest and in transit.
- Providing cybersecurity risk training to employees: Everyone can pitch in to promote digital safety, and training helps in reducing the threat from potential scams and phishing attacks. Regular trainings can do a lot to prevent employees from falling for scams.
Third-Party Risk Management
Third-party vendors have access to their clients’ critical systems and sensitive data. But many vendors do not match the level of cybersecurity measures and precautions that large organizations implement. This is a major reason malicious attackers have shifted their focus to third-party service providers: they use them as a ladder to climb to bigger targets.
There are few common threats from third-party vendors:
- Misuse of privileges: Third-party vendors may misuse their access privileges. They may be able to access data they are not supposed to access. To counter this, use proper access control while providing access to vendors.
- Data theft: There’s a huge risk of data theft by third parties. If there is no proper third-party management policy in place, there’s a chance critical business data might be stolen.
- Human error: Alongside intentional data leakage, employees of third parties may make mistakes, like sharing or deleting important business information or misconfiguring systems. These common mistakes may lead to losses, both in terms of money and your company’s good name.
Limit Third-Party Risks
A proper third-party risk management strategy can help reduce the threats coming from third parties. For example:
- Establish cybersecurity policies: Set clear rules for both third-party vendors and the first-party employees dealing with them. Both parties should sign a service level agreement (SLA) detailing the controls third parties need to have.
- Limit access to information: Put a privileged access management system in place to make sure only authorized users have access to the resources they require to do their jobs. To add an extra layer of defense, add two-factor authentication. Use VPNs and one-time passwords, which will help prevent breaches from third-party attacks.
- Perform regular audits and ongoing monitoring: Audit vendors often to make sure they match the agreed-upon requirements and policies. Monitor and audit them to keep an eye on potential weaknesses and flaws in their approaches.
- Plan third-party incident response: A dedicated incident response solution must be in place to ensure timely detection of suspicious and malicious incidents. Real-time threat intelligence is required that can cue up due diligence when needed.
Missing Security Patches
Missing or delayed patches seem like a small issue, but they are important. Patches are published to protect assets from known attacks. Delays in installing these patches may put data and systems at risk.
While people are working at home, patching VPNs, antivirus software, endpoint protection systems and operating systems should be a high priority. Any out-of-date software should be updated to the latest version to minimize the risk of a data breach.
You can scale up multi-factor authentication (MFA), too. MFA should be required to access sensitive data. If applying patches or new solutions to your network, it is important to apply them to the entire potential attack surface. If any one asset present in the network is not protected, it could become the attack vector for the whole network.
Awareness Training for Employees
Cybersecurity training and awareness, creating ‘human firewalls,’ are critical for employees. Security awareness programs should include an ongoing process of training employees to combat threats.
The main point of these programs is to teach them how to respond when they face a problem. Some employees do not understand data privacy best practices or that cybersecurity is part of their job.
When an attack comes, security is everyone’s job. Awareness programs and training help keep everyone on the same page. Employees shouldn’t be the weakest link in the chain. In reality, they can be the greatest resource.
Real-Time Incident Management and Response
All of this comes together under the umbrella of incident management, the ongoing process of recognizing, recording and hunting down threats in real-time. It gives a comprehensive view of threats and incidents. With a combination of software and human work, your employees can recognize and neutralize threats. ISO/IEC Standard 27035 provides a five-step process for managing security incidents:
- Prepare for handling threats and incidents.
- Identify potential incidents and risks. Report all incidents for further analysis.
- Assess the known threats and incidents to determine the right next steps to mitigate the risk.
- Start responding to the incident by containing, researching and resolving it (based on outcome of step 3).
- Learn and document key takeaways from incidents and use them as case studies for tackling any future problems.
These best practices will help you implement the incident management process.
To start with, develop an incident response team with defined roles and responsibilities. From there, conduct a comprehensive training program for every role and responsibility. If an incident does happen, run a post-incident analysis to learn from the successes and failures, then make adjustments in the program.
To reduce the damage and recovery costs, you need a strong incident management process. That means choosing the right tools for the job. As attackers find new ways to exploit loopholes and vulnerabilities, the good guys need to adapt these methods to be one step ahead.
Senior Security Consultant, IBM
Abhishek Sengar is an experienced Information Security professional with 7 years of demonstrated history of working in the Information Technology and Service...