[BreachExchange] 8 cyber preparedness best practices for businesses

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 30 19:30:18 EDT 2017


http://www.propertycasualty360.com/2017/10/24/8-cyber-preparedness-best-practices-for-businesses?slreturn=1508858556

Cyberattacks may be the greatest threat to organizations in the
21st century.

All businesses may be vulnerable, regardless of size or sector, public or
private. Cybercriminals won’t ignore a company with a smaller market cap or
fewer employees. They cast a wide net, and they don’t discriminate.

Your business clients are likely aware of the landscape — cyber
extortion/ransomware attacks like WannaCry and Petya/NotPetya are just a
couple of high-profile cyberattacks. But, awareness may not be enough for a
client that doesn’t truly know how to protect their company’s assets.

Are your business clients absolutely certain they’re protected against a
cyberattack? Will their people, processes and technologies protect their
brand, without exception? If so, read no further.

For all those "imperfect" organizations out there, we have some advice:
They can increase their cyber risk resilience with proper preparation.

Here, then, are eight best practices to help clients truly prepare for and
protect against a cyberattack.

Tip 1: Inventory systems. Do your clients know what software and hardware
are connected to their network? Is anything out of date or out of service
and no longer receiving updates? If found, these systems can be a way in
for cybercriminals; they will likely know exactly what to do, and that
their target can’t fix it. Businesses should regularly take inventory of
every asset, application and piece of software connected to their
infrastructure. Anything out of date or unused should be removed
immediately.

Tip 2: Maintain and manage software. Generally, when a software company
sends out a patch, it means there is a vulnerability in its product — one
that, without the patch, cybercriminals might exploit. Depending on how
many assets a business has, updating and testing can take anywhere from
hours to months; during that time, the system remains vulnerable.
Businesses must define a process, then, to ensure patches are applied
promptly. This is part of limiting software’s attack surface — the areas
where vulnerabilities lie — or "hardening" the business’ systems.

Tip 3: Regularly scan the environment. Cybercriminals constantly scan the
internet to find potential targets, and businesses should do the same. By
scanning their infrastructure, they can identify and eliminate previously
unknown exposures. Large organizations in particular may not be able to
inventory the countless assets that connect to their main infrastructures.
Regular scans can uncover a new web server or different software even at
remote sites.
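Tips 1 and 3 together amount to a simple reconciliation: compare what the inventory says is on the network with what a scan actually finds, and flag the differences. The following is an added example, not code from the article or its author; the inventory, scan results, product names and end-of-life dates are all constructed.

```python
from datetime import date

# Constructed sample data (not from the article): the asset inventory a
# business maintains, keyed by address, and the result of a scan of the
# same network range. Names, versions and end-of-life dates are made up.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "software": "webserver 2.4", "eol": date(2020, 1, 1)},
    "10.0.1.11": {"name": "db-01", "software": "dbserver 9.6", "eol": date(2019, 6, 1)},
    "10.0.1.12": {"name": "legacy-01", "software": "oldos 2003", "eol": date(2015, 7, 14)},
    "10.0.1.13": {"name": "print-01", "software": "printsrv 1.0", "eol": date(2021, 1, 1)},
}
SCAN = [
    {"ip": "10.0.1.10", "banner": "webserver 2.4"},
    {"ip": "10.0.1.11", "banner": "dbserver 9.4"},   # older than the inventory says
    {"ip": "10.0.1.12", "banner": "oldos 2003"},
    {"ip": "10.0.1.50", "banner": "webserver 2.2"},  # nobody recorded this host
]
ARTICLE_DATE = date(2017, 10, 30)  # the "today" used when checking end-of-life dates


def reconcile(inventory, scan, today):
    """Compare a scan against the inventory and group the assets that need
    attention: hosts nobody recorded, software past its end-of-life date,
    inventory records the scan did not see (possibly stale), and hosts whose
    observed software differs from the record."""
    findings = {"unknown": [], "end_of_life": [], "missing": [], "drift": []}
    seen = {}
    for result in scan:
        seen[result["ip"]] = result["banner"]
        if result["ip"] not in inventory:
            findings["unknown"].append(result["ip"])
    for ip, asset in sorted(inventory.items()):
        if asset["eol"] <= today:
            findings["end_of_life"].append(ip)
        if ip not in seen:
            findings["missing"].append(ip)
        elif seen[ip] != asset["software"]:
            findings["drift"].append((ip, asset["software"], seen[ip]))
    return findings


if __name__ == "__main__":
    for reason, items in reconcile(INVENTORY, SCAN, ARTICLE_DATE).items():
        print(f"{reason}: {items}")
```

Each finding maps back to an action in the article: unknown hosts get inventoried or removed, end-of-life systems get retired, missing records get verified, and drift means the record (or the patch level) needs correcting.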

Tip 4: Implement a user security policy. Employees are, arguably, a
company’s best asset. But they can also be its weakest link. Employees are
the ones, after all, who share passwords over social channels, click on
shady or suspect links and visit unauthorized sites. Their poor choices
will render even multimillion-dollar security technology ineffective. And
criminals know this, targeting employees through phishing and other scams.
To help reduce the vulnerabilities introduced by human error, companies
should manage endpoints like laptops and smartphones, and leverage
antivirus software and a secure configuration policy that eliminates
high-risk actions.

Tip 5: Follow the principle of "least privilege." It’s convenient to
provide access to everything by everyone in an organization, but businesses
can’t do that without exposing themselves to risk. To follow the principle
of least privilege, businesses would grant employees just enough user
rights to do their jobs. To gain more access, employees would be required
to authenticate themselves. Here, an identity and access management system
can help, ensuring that the right individuals have access to the right
resources at the right times and for the right reasons.

Tip 6: Implement network security solutions. Antivirus software is like a
flu shot: It’s not 100 percent effective (not all attack signatures are
known), but something is better than nothing. In addition to antivirus,
businesses should consider monitoring their networks 24/7 and implementing
third-party DDoS protection. Companies should also develop a strategy for
end-to-end data encryption to protect the information within that data.

Tip 7: Properly segment networks. To limit an attack’s damage, businesses
must identify their most critical assets and data, separate them from less
critical assets and implement strict access control. This is akin to a
speed bump: Segmenting an organization’s network may not stop an attack,
but it could slow it down.

Tip 8: Ensure backup-and-recovery capabilities. In the event of a
cyberattack — especially one involving a virus or ransomware — businesses
should have a literal backup plan. System downtime can be expensive — mere
minutes could cost thousands of dollars. It’s essential, then, for
businesses to implement a policy for backing up and recovering data and to
invest in tools that automate regular backups and enable data
recoverability testing.

Bonus tip: Insure your losses. Cyber insurance can play a key role in cyber
preparedness. Generally, this risk transfer approach should be used in
conjunction with all the controls and processes offered here. No protection
is perfect, after all, and should a sophisticated attack render your client
non-operational, they’ll need a way to offset the associated costs. To get
started with a customized insurance policy, a business will need to provide
a complete and truthful picture of its vulnerabilities. Only then can a
carrier properly perform risk quantification and pricing, and the business
can be confident it’s protected itself at every point.

By choosing a carrier with cyber risk underwriting, you’ll be able to offer
clients transparency. Look for a carrier offering innovative loss
prevention tools and cyber consulting.

Vulnerability to breaches and other cyberattacks may be the price of doing
business in the 21st century: Successful mitigation and cyber risk
resilience begins when a business acknowledges this fact and does all it
can to prepare for the inevitable. Remember: It’s not if a cyberattack
occurs, it’s when. Businesses that embrace this reality and prepare early
may find themselves a step ahead of the bad guys.