[BreachExchange] Be proactive, not reactive: 5 steps to a cyber security prevention plan

Destry Winant destry at riskbasedsecurity.com
Tue Dec 11 08:52:08 EST 2018


https://www.information-age.com/proactive-reactive-cyber-prevention-123477275/

Cyber security news, such as the Marriott hack in November, is
dominating headlines, and becoming a serious headache for business
leaders.

This article offers CTOs, businesses and tech leaders the advice and
actionable information they need to implement a solid cyber prevention
plan, and to make sure that their business is not tomorrow’s headline.

A new report has found that nearly two-thirds of respondents lack
confidence in their organisations’ ability to prevent serious damage
from a cyber attack.

As technology grows more sophisticated, so too do hackers, who
constantly work on new threats and software. Only this month, hotel
giant Marriott was found to have suffered one of the world’s biggest
hacks ever reported following a string of security breaches, leading
to the theft of data from its 500-million customer database.

Hackers are using valid credentials and connections to make it
substantially more difficult for businesses to detect them. But at a
time when we are increasingly relying on connected devices which store
and utilise vast pools of valuable information, organisations must
take the time to develop a sound security strategy to prevent their
data from falling into the wrong hands.

Over 70% of all data breaches in SMEs are due to internal
vulnerabilities, such as failure to follow policies and procedures and
lack of expertise — 36% of these breaches are caused by misuse of data
by employees. More has to be done, and there must be a prevention
plan in place, not a hasty reactive motion when an attack hits, which
may get rid of the current problem but not prevent other, more
advanced attacks. Prevention is better than cure — you take steps to
prevent viruses and infections from your body, so why not your
network?

James Healey, Managing Director at Air IT, explains the five main
steps that a company should take to prevent serious damage from a
cyber attack. Here are his cyber security recommendations:

1.  Assess your current cyber hygiene

The UK Government backs an innovative scheme called Cyber
Essentials, which is designed to help all companies improve their cyber
hygiene. It’s an essential requirement for any business bidding on
government contracts, but it’s beneficial for any company, as it’s
believed to reduce the risk of an attack by up to 80%. It results in a
certification which demonstrates a commitment to protecting business
and stakeholder data from threats – crucial for building customer
trust. The scheme covers all essential controls such as firewalls,
malware prevention and up-to-date software.

Businesses can self-assess, or go through a Cyber Essentials or Cyber
Essentials Plus certifying body, which can manage the whole process
from initial audit to actions needed, right through to completing your
assessment and issuing your certificate. This gives the business a
practical framework to measure itself against, and reassures customers
that it takes security seriously as well as proving your commitment to
good cyber security practices.

2. Good housekeeping

There’s no replacement for the basics. Updates and patching should be
performed regularly — WannaCry, the ransomware that caused chaos
across the world, exploited unpatched Windows systems to spread
malware. Businesses should steer away from legacy systems like Windows
XP, as these no longer receive updates and are especially vulnerable
to attack.

Get in the habit of conducting regular routine maintenance and audits,
and if necessary engage a service provider that can use specialist
software to block ransomware strains.

Another administrative measure businesses can take is limiting user
privileges for employees, by making sure they only have access to the
servers and drives that they need to complete their work. For example,
most staff do not need access to any HR files. Along with being a
possible breach of GDPR standards, the more people that have access to
personal information, the less chance you have of preventing the
spread of an attack if you’re compromised.

3. Raise awareness, stay vigilant

Awareness should always underpin your prevention plan. SMEs are often
targeted as the way in for financial attacks through phishing or
impersonation, with the aim of extracting financial data or currency.
This is often because it is easier to take advantage of human
behaviour by targeting specific individuals who may not have had the
right training. Whether it’s lack of awareness or just lazy decisions,
employees need to be properly trained on the risks and repercussions,
along with potential hacking tricks, as the majority of malware still
requires a human action to initiate it.

Build on their education, raise their awareness of cybercrime, and
make sure that they stay vigilant. Signs like grammatical errors and
email addresses that don’t match the sender are common signs of a
malicious email, for example. Also, implement a mandatory strong
password rule, and ensure that all employees have access to the
incident response policy. No defence strategy is watertight, but with
the right prevention methods in place, you can reduce the risk of the
human factor.
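As an added illustration of the “email address doesn’t match the sender” sign described above, here is a small Python check written for this page (not code from the article or from Air IT) that flags three such mismatches in a raw message’s headers; the brand-to-domain list and the two sample messages are constructed assumptions:

```python
"""Flag sender-mismatch signs in raw email headers (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains an organisation expects for brand names it deals with.
# Constructed example values; a real deployment would load its own list.
KNOWN_BRAND_DOMAINS = {"acme": "acme.example"}
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def sender_mismatch_signs(raw_message):
    """Return one warning string per 'address does not match sender' sign found."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    signs = []

    # Sign 1: the display name shows an address at a different domain than the real one.
    shown = ADDR_IN_TEXT.search(from_name)
    if shown and shown.group(1).lower() != from_domain:
        signs.append(f"display name shows {shown.group(0)} but real sender is {from_addr}")

    # Sign 2: the display name names a known brand, but the address is not at its domain.
    for brand, brand_domain in KNOWN_BRAND_DOMAINS.items():
        if brand in from_name.lower() and from_domain != brand_domain:
            signs.append(f"display name mentions {brand} but sender domain is {from_domain}")

    # Sign 3: replies would go somewhere other than the visible sender's domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        signs.append(f"Reply-To {reply_addr} differs from sender domain {from_domain}")
    return signs


# Constructed sample messages: one ordinary payroll mail, one impersonation attempt.
LEGIT = "From: Acme Payroll <payroll@acme.example>\nSubject: Payslip\n\nHi\n"
SUSPECT = ('From: "payroll@acme.example" <billing@mail-acme-login.example>\n'
           "Reply-To: accounts@webmail.example\nSubject: Urgent: payslip\n\nClick here\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, sender_mismatch_signs(raw))
```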

4. Layered prevention approach

Proactive technology must be in place to help you to identify and
mitigate threats. Managed security packages and dark web monitoring
solutions can proactively monitor for threats and compromised user
credentials so you can stop an attack before it happens or minimise
the damage. By using human and artificial threat intelligence,
monitoring services can find your vulnerabilities and any compromised
or exposed credentials.

There are also business-grade security solutions, such as anti-virus,
anti-spam and business-grade firewalls, that can help protect the
network and users from would-be attacks. Businesses should always
invest in a layered defence strategy, as the more comprehensive the
setup is, the less chance an attack will succeed, since it has to pass
through the various layers.

Avoid free products and solutions which claim that they can keep
malware off your PC. Windows Defender, for instance, doesn’t stop
adware or Potentially Unwanted Programs (PUP) and doesn’t possess the
accuracy and effectiveness that more sophisticated prevention tools
do.

Paid-for prevention tools are a small price to pay for the reassurance
of digital safety. The cost of a hack to a business would be much more
than the cost of the prevention technology.

5. Better safe than sorry

While it’s important to be proactive, businesses need a recovery plan
in place in the event of a disaster or any downtime. A staggering 60%
of businesses that encounter an attack go out of business in their
first year, because of attacks to their network and users. While the
big dogs like the NHS, Sony and Equifax dominate the headlines when
they suffer attacks, it’s the SMEs that are secretly suffering the
worst due to factors such as the human element and not prioritising
investments, as mentioned above.

Under GDPR legislation, you must have a plan in place to be able to
restore data, whether it’s a cyber attack, file corruption or simple
data loss, otherwise you risk non-compliance. IT continuity is the
bread and butter of so many businesses, and you must make sure that
you have a backup and business continuity plan to prepare, should the
worst happen. Seek Disaster Recovery as a Service (DRaaS) to protect
critical business data and get operational again after a disaster.

While there is not a simple, singular solution to combat hack attacks
and deter criminals, a layered prevention plan is crucial. Follow
these steps, and data misuse and abuse can be minimised, while still
enabling your business to take advantage of the growing opportunities
the internet can harness.

