Cybersecurity is important, but it’s not always easy to find more room in the budget. That’s why we’ve broken down the top security to-dos, so you can keep your organization safe without breaking the bank.
1. Educate your staff. Education is one of the most important pieces to the cybersecurity puzzle, and knowledge can be a better asset than any tool on the market. You’ll need to make sure your employees understand what MFA is, why it’s important and how to use it. But MFA isn’t the only thing you’ll need to provide education on. Since 95% of cyberattacks are due to human error, your employees need to know what they’re watching out for. The burden isn’t all on your shoulders; it’s not possible to implement technical solutions that can catch every potential threat.
Formal cybersecurity training should be conducted yearly at a minimum. We recommend conducting quarterly trainings as well as additional training for new hires. We often say that security is a journey, not a destination, but there are things you can do to make that journey a smooth one. Good education includes:
Despite your best efforts, incidents will happen. And while this is obviously frustrating, staff need to feel that it’s a positive interaction, because if they’re reprimanded, they and others will be less likely to report future issues. When someone reports an incident, thank them for the information, reassure them that they aren’t in trouble, and work together to gather all the information surrounding the incident. Disciplining employees for clicking a phishing link or being fooled by a social engineering scheme will do a lot more harm than good.
Cybersecurity is everybody’s business.
2. Invest in a cyber insurance policy. Cybersecurity threats are inevitable, and cyber insurance can help you better position your business to mitigate the financial impacts of an incident. But don’t just buy a cyber insurance policy and file it away; make sure to come back to it yearly to examine and review.
3. Tighten up your configurations. Cybersecurity isn’t just about buying the right software, hardware and protection plans. Tightening up your configurations to eliminate unnecessary access is a simple yet often overlooked way to reduce your organization’s vulnerability.
Harden your system and reduce the potential for compromise by periodically:
Cybersecurity professionals can also conduct penetration testing exercises to give you a full picture of any gaps that may be subject to exploitation. This testing can highlight weaknesses in your network configurations that could allow unauthorized or unexpected access. While this may seem like an extra step, the benefit remains clear: would you rather have an expert find and flag these vulnerabilities, or realize too late that a cybercriminal has exploited them?
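To make the periodic review of access described above concrete, here is an added example in Python (not code from the original article or from Eide Bailly). It runs a simple access review over a constructed account inventory and flags the kinds of unnecessary access that tend to accumulate: accounts nobody has used in a long time, disabled accounts that still sit in a privileged group, and service accounts holding admin rights. The account data, the 90-day staleness threshold, the group name `admins` and the `svc-` naming convention are all assumptions made for the demo; in practice you would feed it an export from your directory or application admin console.

```python
from datetime import date

# Constructed sample account inventory (not real data). Each entry is one
# account as it might be exported from a directory or an admin console.
SAMPLE_ACCOUNTS = [
    {"user": "alice",       "enabled": True,  "groups": ["staff"],           "last_login": date(2024, 5, 2)},
    {"user": "bob",         "enabled": True,  "groups": ["staff", "admins"], "last_login": date(2023, 11, 20)},
    {"user": "contractor1", "enabled": True,  "groups": ["staff"],           "last_login": date(2023, 12, 1)},
    {"user": "carol",       "enabled": False, "groups": ["admins"],          "last_login": date(2024, 1, 15)},
    {"user": "svc-backup",  "enabled": True,  "groups": ["admins"],          "last_login": None},
]

PRIVILEGED_GROUPS = {"admins"}   # assumption: the group names that grant admin rights
STALE_DAYS = 90                  # assumption: unused this long -> candidate for removal
SERVICE_PREFIX = "svc-"          # assumption: naming convention for service accounts


def review_access(accounts, as_of, stale_days=STALE_DAYS,
                  privileged=PRIVILEGED_GROUPS, service_prefix=SERVICE_PREFIX):
    """Return a list of findings, each {"user", "issue", "detail"}.

    Issues raised:
      stale                      enabled account with no login for more than stale_days
      never-used                 enabled account that has never logged in
      disabled-still-privileged  disabled account still in a privileged group
      privileged-service-account service account holding privileged group membership
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        priv = sorted(set(acct["groups"]) & privileged)

        if acct["enabled"]:
            if acct["last_login"] is None:
                findings.append({"user": user, "issue": "never-used",
                                 "detail": "enabled but has never logged in"})
            else:
                idle = (as_of - acct["last_login"]).days
                if idle > stale_days:
                    findings.append({"user": user, "issue": "stale",
                                     "detail": f"no login for {idle} days"
                                               + (f"; privileged via {priv}" if priv else "")})
            if priv and user.startswith(service_prefix):
                findings.append({"user": user, "issue": "privileged-service-account",
                                 "detail": f"service account in {priv}"})
        elif priv:
            findings.append({"user": user, "issue": "disabled-still-privileged",
                             "detail": f"disabled but still in {priv}"})

    # Privileged problems first so they are handled before the rest of the list.
    findings.sort(key=lambda f: ("privileged" not in f["detail"] and
                                 "disabled" not in f["detail"], f["user"]))
    return findings


def summarize(findings):
    """Count findings per issue type, for a quick dashboard-style summary."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS, as_of=date(2024, 5, 10)):
        print(f"{f['user']:<12} {f['issue']:<28} {f['detail']}")
    print(summarize(review_access(SAMPLE_ACCOUNTS, as_of=date(2024, 5, 10))))
```

The review is deliberately deterministic (the `as_of` date is a parameter) so the same export always yields the same findings and can be diffed against last quarter's run; the point of running it periodically is that each finding becomes a ticket to remove or justify the access, not a report that is filed away.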
4. Enable MFA. Multi-factor authentication (MFA) should be standard these days, but if you haven’t enabled it for email, intranet and other business logins, you’re missing a crucial security step. According to Microsoft engineers, 99.9% of account compromise attacks could have been prevented with MFA.
MFA combines factors from different categories: something you have, something you know and something you are (e.g. a biometric like a fingerprint or facial recognition), so that a second factor from a separate trusted source is required alongside the password. When MFA is enabled, if (and when) a user’s password is stolen, the password alone is not enough; the other authentication method is still needed.
While it can seem inconvenient for users to have to provide their fingerprint or type in the six-digit text code that never seems to arrive quickly enough, the difficult truth is that passwords alone just don’t cut it anymore. MFA adds that necessary second layer that a threat actor can’t know ahead of time, and it is a simple step that can go a long way.
If you’ve tried to find a middle ground by enabling MFA for certain privileged users, we’ll have to burst your bubble: that’s not enough, either. MFA should be enabled for all employees, not just admin users. Business email compromise is the second most common threat behind ransomware, and there’s a lot of tempting personal information in people’s inboxes, so your best bet is MFA for all.
What else could you be missing?
5. Practice, practice, practice. A good incident response plan isn’t just a “one-and-done” kind of thing. Good plans are built, practiced, reviewed and improved on an ongoing basis. Practicing your organization’s plan can help you account for things that may be missed on paper.
In tabletop exercises, cybersecurity professionals meet with business leaders, attorneys, IT professionals and others in the organization to ask “what if” questions. It’s also incredibly helpful to include your insurance policy details and team in these exercises, so you can shed light on what’s covered and what’s not, and so you know the specifics of contacting them when an incident occurs.
Typically, the process of a tabletop exercise involves identifying a scenario, walking through how it could play out and examining any questions or curveballs that may arise. These exercises can help identify gaps and inform recommendations to strengthen your plan against future threats. Just make sure that plan is stored somewhere separate and secure — not just on a hard drive — so it isn’t lost if your systems are compromised.
Your practice exercises should also include testing your backups. Think about incident response like running a marathon. You won’t be able to wake up one morning and run 26 miles; you need to train. Tabletop exercises are one way to work on that training, but you also need to make sure that your backups, like good running shoes, are in good shape. Failing to test your backups before an incident is like never taking your shoes out of the box before the marathon: you’ll have no idea if they fit, and it’s probably going to end up being really painful.
Backup issues are one of the main reasons businesses end up paying when hit with ransomware. They may think that their backups are safe, complete and ready to use, but that may not be the case when it comes time to reinstate them. It’s also important to understand how long it takes to reinstate your backups: it could be weeks or even months before your systems are ready to use again. Many businesses just don’t have that kind of time, which makes paying the ransom all that more enticing.
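The backup test the two paragraphs above call for can be automated. Here is an added example in Python (not code from the original article or from Eide Bailly): it writes a constructed backup set with a manifest of SHA-256 digests taken at backup time, restores it into a separate directory, checks every restored file against the manifest, and records how long the restore took against a recovery time objective. A `simulate_damage` helper shows what the drill reports when a file is lost and another is silently corrupted. The sample files, the manifest format and the RTO value are all assumptions made for the demo.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample "backup set" (paths and contents are made up for the demo).
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100.00\n",
    "hr/roster.txt": b"alice\nbob\ncarol\n",
    "db/dump.sql": b"CREATE TABLE invoices (id INT, total DECIMAL);\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(backup_root: Path, files: dict) -> dict:
    """Write the backup set plus MANIFEST.json holding each file's digest at backup time."""
    manifest = {}
    for rel, data in files.items():
        dest = backup_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        manifest[rel] = sha256_of(dest)
    (backup_root / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup_root: Path, restore_root: Path) -> float:
    """Copy the backup into the restore location; return wall-clock seconds taken."""
    start = time.perf_counter()
    for src in backup_root.rglob("*"):
        if src.is_file() and src.name != "MANIFEST.json":
            dest = restore_root / src.relative_to(backup_root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)
    return time.perf_counter() - start


def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare every restored file against the manifest: missing, corrupt or ok."""
    report = {"missing": [], "corrupt": [], "ok": []}
    for rel, expected in sorted(manifest.items()):
        path = restore_root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def backup_drill(files: dict, rto_seconds: float, tamper=None) -> dict:
    """End-to-end restore test in temporary directories. `tamper`, if given, is
    applied to the backup before restoring, to simulate a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_root = Path(tmp) / "backup"
        restore_root = Path(tmp) / "restore"
        backup_root.mkdir()
        restore_root.mkdir()
        manifest = write_backup(backup_root, files)
        if tamper is not None:
            tamper(backup_root)
        seconds = restore(backup_root, restore_root)
        report = verify_restore(restore_root, manifest)
    report["restore_seconds"] = seconds
    report["within_rto"] = seconds <= rto_seconds
    report["usable"] = (not report["missing"] and not report["corrupt"]
                        and report["within_rto"])
    return report


def simulate_damage(backup_root: Path) -> None:
    """Constructed failure for the drill: one file lost, one silently corrupted."""
    (backup_root / "hr/roster.txt").unlink()
    (backup_root / "db/dump.sql").write_bytes(b"\x00" * 16)


if __name__ == "__main__":
    print("intact backup:", backup_drill(SAMPLE_FILES, rto_seconds=60))
    print("damaged backup:", backup_drill(SAMPLE_FILES, rto_seconds=60, tamper=simulate_damage))
```

The manifest must be captured when the backup is made and kept with it (ideally also somewhere the production systems cannot write to), because a digest computed after the fact only proves the restore matches whatever the backup currently contains. Measuring `restore_seconds` on a realistic data volume is what turns "it could be weeks or even months" into a number you can plan around.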
If Ransomware Happens, Should We Pay the Ransom?
The short answer is: no. But when it comes down to it, each organization has to decide what is best for them moving forward. And paying the ransom doesn’t always mean recovery; it’s rarely that simple. That’s why it’s important to work with law enforcement and cybersecurity professionals who deal with these incidents every day, because they know which threat actors are likely to keep their word after a payment and which ones aren’t.
If you can quickly implement your well-practiced plan and utilize your backups, you may be able to recover effectively without paying the ransom. Unfortunately, there are a lot of factors to consider in each specific situation, so there isn’t a simple yes-or-no answer. That said, there are certain entities you absolutely should not pay: paying certain countries and organizations is illegal because of terrorism connections or conflicts with the United States. Partnering with a trusted advisor as soon as possible will help prevent you from making any wrong moves.
If (and when) an incident does occur, it’s important to have a PR person, not an IT person, in charge of the communication piece. Incident communication is a delicate dance; you want to be honest and not hide anything, but you don’t want to overcommunicate, either. Many organizations communicate too much too early and have to go back to try and clarify inaccuracies. Unfortunately, you can’t put the toothpaste back in the tube, so to speak — once information is out there, reputational damage is hard to undo. Having an advisor on your side can help you pause and know what needs to be communicated and when.
We often hear clients say: “I’m just a small business, I’m not big enough for cybercriminals to go after.” Unfortunately, this isn’t true. Cybercriminals aren’t looking at business sizes or locations; they’re looking at opportunities and scanning any computer that they can see. To them, you’re just an IP address. They don’t see whether you’re a Fortune 500 company or a mom-and-pop business; if the vulnerability is there, they’re going to exploit it to steal your sensitive data. If anything, smaller businesses should care more, because they likely don’t have the cashflow to survive a serious incident, and the results can be business-ending.
Remember: Threat actors often try to make an incident as inconvenient as possible. That means, statistically speaking, their favorite time to strike is when most people are gone — for example, on a holiday or in the middle of the night. Make sure you’re prepared for anything! And when disaster strikes, our 24/7 Data Breach Hotline is always open.
It may seem impossible to keep up with new technology and new threats, but cybersecurity incidents are often crimes of opportunity. The more you work to prevent those opportunities, the better off you’ll be. A trusted advisor can help you cover the gaps and take the burden off your team.
At Eide Bailly, three sections make up our cybersecurity programs: advising, integration and threat management. This holistic approach is paired with our incident recovery and remediation teams to help clients determine their current state of cybersecurity and build a strategy for reaching a target state with a stronger security posture.
Advising: Understanding where you are and where you want to be from a cybersecurity perspective. This first step involves taking in what data streams you have, how your data sits, your access management, etc. and then aligning it with frameworks and best practices in the cybersecurity industry. This helps drive a strategy for improvement in your cybersecurity program.
Integration: Acting upon the advised plan. Integration involves examining what we identified in our assessments of your cybersecurity program and determining how to implement the recommendations. This includes examining secure configurations, determining whether you need firewalls or next-gen antivirus, considering potential policies, procedures and plans, identifying the gaps and determining how to cover those gaps.
Threat Management: Ensuring visibility into your network. Threat management includes managed services such as penetration testing, application security consulting, and other tactics to dive deeper into the technical assessments. This can also include tabletop exercises like those mentioned above to help you determine what to do when facing an incident.
For more information or to schedule an assessment on your environment, reach out here.
Start building a culture of cybersecurity today with our in-depth guide.