[BreachExchange] 5 tips to protect your business from cybersecurity threats

Destry Winant destry at riskbasedsecurity.com
Mon Oct 22 23:39:33 EDT 2018


https://www.techradar.com/news/5-tips-to-protect-your-business-from-cybersecurity-threats

A decade ago most businesses gave little thought to cyber security;
today it has become a crucial necessity. Last year, in 2017, the
number of cyber attacks doubled, making it the worst year on record,
with just under 160,000 cyber incidents targeting businesses, according
to the Online Trust Alliance.

Trends for 2018, according to CSO, include an increase in cryptomining
(silently using your computers to mine bitcoin), email attachments as
the vector for the majority of malware, and the use of fileless
malware. About the only bright spot was fewer ransomware attacks, and
even that was only because extortion for Bitcoin is being displaced by
cryptomining, which is considered easier to pull off.

It is sobering to see these constant and increasing threats to
business. However, your business does not need to sit idly by and wait
to become a victim of the latest attack du jour.

Rather, become proactive, get out ahead of this rising problem, and
check out our tips to protect your business, before the cybersecurity
threat is knocking at your company’s door.

Data backup

Businesses hold all types of data, from customer information to
employee records and important financial records. It goes without
saying that losing access to this information would paralyze any
business, disrupting day-to-day operations in the short term and
having long-reaching consequences if the data were compromised by
malware.

Therefore, your business needs to back up all of its data, and take
this seriously. Backups insure against loss of data, whether from a
ransomware attack or a good ol’ fashioned mechanical hard drive
failure. A good rule for backups is the ‘3-2-1 backup rule’: keep
three copies of the data, store them on two different types of media,
and keep at least one copy offsite to protect against all types of
catastrophic events.

Years ago a business would make tape copies of important data and have
employees take turns bringing them home or to a safety deposit box at
the local bank. These days, an excellent option is a cloud backup
provider, which backs up the data continuously to an offsite location.
Cloud backup, combined with an in-house NAS and local storage on
employees’ desktop hard drives, then fulfills the recommendations of
the 3-2-1 backup rule.
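The 3-2-1 rule is easy to state and easy to get wrong in practice (three copies of the same NAS volume, or three copies that all sit in the same building). The following is an added example of how to check a backup inventory against the rule; it is not code from the TechRadar article or the BreachExchange post, and the inventory format, media labels and site names are assumptions made for this illustration.

```python
"""Check a backup inventory against the 3-2-1 rule: three copies, on two
different media types, with at least one copy offsite.

Added example; not code from the TechRadar article or the BreachExchange
post. The inventory format, media labels and site names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str      # label for this copy, e.g. "office-nas"
    media: str     # media type: "hdd", "nas", "tape", "cloud", ...
    site: str      # where the copy physically lives


def check_321(copies, primary_site="office"):
    """Return a list of 3-2-1 violations for the inventory; empty = compliant.

    Copies with the same name are counted once, so listing the same NAS
    volume three times does not satisfy the 'three copies' requirement.
    """
    unique = list({c.name: c for c in copies}.values())
    violations = []
    if len(unique) < 3:
        violations.append(f"only {len(unique)} distinct copies; need 3")
    media = sorted({c.media for c in unique})
    if len(media) < 2:
        violations.append(
            f"all copies on one media type ({', '.join(media)}); need 2")
    if not any(c.site != primary_site for c in unique):
        violations.append(f"no copy outside {primary_site!r}; need 1 offsite")
    return violations


# Constructed inventories for the scenarios described in the text
CLOUD_NAS_DESKTOP = [
    BackupCopy("desktop-hdd", "hdd", "office"),
    BackupCopy("office-nas", "nas", "office"),
    BackupCopy("cloud-backup", "cloud", "cloud-provider"),
]
# Three copies on two media types, but a fire or flood at the office
# destroys all of them at once
ALL_ONSITE = [
    BackupCopy("desktop-hdd", "hdd", "office"),
    BackupCopy("office-nas", "nas", "office"),
    BackupCopy("usb-drive", "hdd", "office"),
]

if __name__ == "__main__":
    for label, inventory in (("cloud+nas+desktop", CLOUD_NAS_DESKTOP),
                             ("all onsite", ALL_ONSITE)):
        print(label, "->", check_321(inventory) or "compliant")
```

The de-duplication on `name` is the part worth keeping: an inventory pulled from a backup tool often lists the same target several times (daily, weekly, monthly jobs), and only distinct storage locations count toward the three copies.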

Strong passwords

At home, many users hardly take password security seriously, using
simple dictionary words, or taking the lazy way out with such popular
choices as ‘123456,’ ‘password,’ or the still too simple variation
‘pa$$word.’

None of these is secure. To be considered strong, a password should be
at least 12 characters long and combine uppercase and lowercase
letters, numbers and special characters. It should also not be a
dictionary word, but rather a random combination of characters, which
protects against a brute force attack.

Businesses have far more at stake than most individual users, and
therefore need an even higher level of security. They need to make
sure that their employees change their passwords at regular intervals;
every 60 to 120 days is common. This can be enforced by the login
interface, which informs users that their password has expired and
then prompts them to change it.

Another business password issue is administrative passwords. These
should be restricted to the few top-level users who truly need access
to the higher-level security functions to perform their jobs, limiting
access as much as possible. Administrative passwords should also
conform to the strong password rules outlined above, and should be
changed even more frequently than regular user passwords, for maximal
protection of the business.
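The rules in the two sections above (12-character minimum, mixed character classes, no dictionary words, rotation on a fixed schedule) can be enforced mechanically at account creation and at login. The following is an added example of such a check; it is not code from the TechRadar article or the BreachExchange post. The tiny word list and the 90-day rotation period are constructed stand-ins (the article gives 60 to 120 days as the common range), and the substitution table shows why ‘pa$$word’ still counts as the dictionary word ‘password’.

```python
"""Password policy checks matching the rules in the text: at least 12
characters, mixed case, digits and special characters, not a dictionary
word (even with substitutions like 'pa$$word'), and rotation on a schedule.

Added example; not code from the TechRadar article or the BreachExchange
post. The word list and the 90-day period are constructed stand-ins.
"""
import string
from datetime import date

MIN_LENGTH = 12
MAX_AGE_DAYS = 90  # assumed value inside the 60-120 day window from the text

# Constructed stand-in for a real dictionary or breached-password list
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "monkey"}

# Substitutions that cracking wordlists already try, so they add no strength
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e"})


def dictionary_base(pw: str) -> str:
    """Lowercase, drop leading/trailing digits and punctuation, then undo
    leet substitutions, so 'P@ssw0rd2018' reduces to 'password'."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def password_problems(pw: str) -> list:
    """Return the policy rules the password fails; empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    base = dictionary_base(pw)
    if base in COMMON_WORDS:
        problems.append(f"based on dictionary word '{base}'")
    return problems


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation period."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for candidate in ("pa$$word", "Password123!", "Xq7#mLp2!vRz9"):
        print(repr(candidate), "->", password_problems(candidate) or "ok")
    print("expired:", password_expired(date(2018, 6, 1), date(2018, 10, 22)))
```

Note that ‘Password123!’ satisfies every character-class rule and the length rule and is still rejected: the dictionary check strips the decoration and finds ‘password’ underneath, which is exactly the pattern a brute-force wordlist attack tries first.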

Security patches

Security patches are routinely issued from a variety of sources,
including Microsoft Windows, other software such as Microsoft Office,
web browsers, smartphones, and hardware. They fix stability issues and
also close known security holes as they appear. Therefore, these
patches need to be installed, and in a timely fashion.

Have a plan to keep all the devices your business uses patched and up
to date, whether this is done by dedicated IT staff or outsourced.
After all, there really is no excuse for your business to get hacked
via a known security hole for which a patch existed but was simply not
applied.

Encrypt the data

Another key piece of the security puzzle is data encryption;
otherwise, data on a hard drive is quite simple for a hacker to cut
and paste and haul away by the gigabyte. Encrypting the data locks it
away from prying eyes and protects it from all sorts of malicious
attacks.

This goes doubly so for devices that leave the company property, such
as a laptop with a hard drive. A dramatic example of this type of
issue is when West Virginia’s Coplin Health Systems had a laptop
stolen from an employee’s car, with the information of 43,000 patients
on it.

The incident hit the news because the laptop was password protected
but the hard drive was not encrypted, a simple but crucial step.
Before this happens to your business, be sure to check out our
recommendations for the best encryption software.
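The Coplin case turns on a distinction that is easy to miss in an inventory: an OS login password says nothing about whether the disk underneath is encrypted. The following is an added example of a check for that on a Linux laptop, parsing the key/value output of `lsblk -P`; it is not code from the TechRadar article or the BreachExchange post. The sample lsblk output is constructed, and the list of boot partitions exempted from the check is an assumption. (On Windows the equivalent status comes from `manage-bde -status`.)

```python
"""Flag mounted data partitions that have no encryption layer, using the
key="value" output of `lsblk -P`. A filesystem reached through a TYPE=crypt
device (LUKS) passes; a raw partition mounted directly, or swap, is flagged.

Added example; not code from the TechRadar article or the BreachExchange
post. SAMPLE_LSBLK is constructed; EXEMPT_MOUNTS is an assumption.
"""
import shlex
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT"
# Boot partitions normally stay unencrypted so firmware can load the kernel
EXEMPT_MOUNTS = {"/boot", "/boot/efi", "/efi"}

# Constructed sample: sda keeps root under LUKS, sdb holds /home and swap
# in the clear, which is the stolen-laptop scenario from the text
SAMPLE_LSBLK = '''\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home"
NAME="sdb2" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]"
'''


def parse_lsblk_pairs(text: str) -> list:
    """Turn each `KEY="value" KEY="value"` line into a dict."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rows.append(dict(tok.split("=", 1) for tok in shlex.split(line)))
    return rows


def unencrypted_mounts(text: str) -> list:
    """Names of raw partitions (TYPE=part) that carry a mounted filesystem
    or swap without a crypto layer. Swap is flagged too, since it can hold
    copies of memory contents, including documents that were open."""
    flagged = []
    for row in parse_lsblk_pairs(text):
        mount = row.get("MOUNTPOINT", "")
        if row.get("TYPE") != "part" or not mount:
            continue
        if mount in EXEMPT_MOUNTS:
            continue
        flagged.append(row["NAME"])
    return flagged


def live_check() -> list:
    """Run lsblk on this host and return the partitions to worry about."""
    out = subprocess.run(["lsblk", "-P", "-o", LSBLK_COLUMNS],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    print("sample:", unencrypted_mounts(SAMPLE_LSBLK))
```

Run `live_check()` from a fleet-management job and the result for the sample layout above is `['sdb1', 'sdb2']`: the root filesystem is fine because it sits on `cryptroot`, but the home directory and swap would be readable by anyone who pulls the drive, regardless of how strong the login password is.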

Look into cyber insurance

Despite taking reasonable precautions as outlined above, sometimes
malware gets past the company firewall and the business does get
hacked. It is important to have a plan in place to deal with such an
event, which unfortunately is increasingly common.

Just like for other unpredictable catastrophic events, such as a flood
or fire, businesses buy insurance policies. The same applies here, and
there are cyber insurance policies available, more properly known as
cyber liability insurance coverage, or CLIC. These policies offer
assistance in dealing with post hacking investigations, data breaches,
extortion attempts, lawsuits and privacy violations.

It is estimated that about one-third of US companies have such
policies, with significant growth as it is predicted to be a $7.5
billion (£5.74 billion) industry by 2020.
