[BreachExchange] 5 things businesses should do for cyber security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 7 18:56:13 EST 2016


http://www.knoxnews.com/story/money/business/journal/2016/
11/07/5-things-businesses-should-do-cyber-security/92054294/

When I talk to CEOs across the country and ask them what keeps them up at
night, inevitably one of the top three responses is related to cyber
security concerns, and no wonder.

With highly publicized data breaches (like Yahoo, Target, LinkedIn and J.P.
Morgan), compliance requirements, and new state-specific laws requiring
expensive disclosure situations, there is much to address.

While most media attention has been focused on larger companies, small- and
medium-sized businesses are frequent targets as well. So what can business
leaders realistically do to protect their organizations?

Although some technical aspects of cyber security are very complex, the
underlying concepts are relatively simple to grasp.

Here are five steps businesses should take for a strong foundation in a
cyber security strategy.

Know Your Sensitive Data

The first thing a business must do to begin a cyber security program is to
identify what data it has. Once you have identified all the sensitive data
that must be protected against unauthorized access, you need to focus on
where it is located. How can you protect something if you don’t know where
it is? These locations can be desktops, laptops, servers, mobile devices
and cloud providers, to name a few.

Put this in the context of things in your home. You have perimeter
protections such as locks and alarm systems for the items in your home.
However, you know the items that are of higher value and may have a safe
hidden somewhere for additional protection in the event of a break-in. Know
what you have, where it is, and then provide additional protections to
safeguard your most valuable data.

Monitor Your Networks

Cyber security is not a nine-to-five type of initiative; it is 24-7-365.
Your adversaries want nothing more than for you to let down your guard. You
need to deploy people, processes, and technologies dedicated to monitoring
your networks and systems around the clock.

If you do not have this capability, outsource this to someone with this
specialty. Many people have security systems that protect their home when
they are away or sleeping. With that protection, they have someone whose
sole responsibility is to monitor that system for issues and alerts. Your
business networks deserve the same type of attention.

Proper Password Management

Passwords remain the most widely used authentication mechanism for a
private computer environment and your sensitive data. If an attacker can
obtain a username/password combination, they have access to everything that
user has access to. Passwords should be more than eight characters, contain
special characters and numbers, and be changed at least every 90 days.

In addition, remote access to your network should require multi-factor
authentication, such as biometric identification or a one-time password
texted to a mobile device. The passwords of your users are the equivalent
to the keys to your home. Just as no lock is un-pickable, no password is
unbreakable with enough time and computing power. Your advantage is that
passwords are easier to change than locks.

Security Awareness Training

Your important security controls in your security program are your users. A
business can deploy every security technology available and it can all be
circumvented by the bad decision of a single user. Attackers know this and
focus on attacking the “weakest link,” Attacks such as “pre-texting,” or
calling users to solicit information, can assist in obtaining valuable
information. Phishing emails with enticing links or attachments, when
opened, can provide the attacker with a backdoor into your network or allow
them to deploy ransomware that will encrypt your data.

We teach our children safety at home on topics such as not answering the
door when adults aren’t at home, keeping the doors locked, enabling the
alarm when they leave, and calling 911 if an emergency occurs. Your users
also need training on safe computing practices.

Test Your Security

Security programs need to be tested. You have spent time deploying secure
systems, working to keep them patched, investing in security technologies,
and developing plans. How do you know if they will work as planned or if
improvements need to be made?

Cyber security program tests come in the form of risk assessments,
penetration testing and incident response exercises. This would be
equivalent to ensuring you have adequate homeowner’s insurance and
conducting periodic alarm system tests, and perform fire drills at home.
These types of tests need to be performed on a periodic basis for continual
improvement.

One last note is that a fundamental component of any successful cyber
security program is to understand that your focus is not protecting
devices; it is the data that you must protect.

The devices are worth relatively little compared with your sensitive
information in the wrong hands.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161107/116f0d53/attachment.html>


More information about the BreachExchange mailing list