[BreachExchange] Strengthen Your Cybersecurity Posture: 20 Steps To Take In 2020

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 31 20:42:15 EST 2019


The cyber threat landscape has never been more fragmented.

In a competitive context, fragmentation is usually good news. You prefer
your competitors to be disorganized, overmatched, and fighting over the
scraps of a market you dominate.

In the context of cybersecurity, however, things are very different.
“Fragmentation” really means “a greater number and diversity of threats
that collectively strain future victims’ capacity to respond.”

It sounds much scarier that way, doesn’t it?

Fortunately, you’re not powerless in the face of the relentless
fragmentation of the cybersecurity threat landscape. You can take any
number of steps to harden your defensive posture in the new decade —
recognizing that the totality of digital threats is only going to grow as
time goes on.

Here’s what to do as we move into the 2020s.

1. Invest in a Comprehensive Business Data Backup Solution

First, and perhaps most importantly, invest in a comprehensive business
data backup solution at your earliest convenience. "Comprehensive" means
more than a nightly copy: keep at least one copy offline or otherwise
immutable, so that ransomware that reaches your file shares can't reach the
backups too, and test an actual restore on a schedule, because a backup you
have never restored from is only a hypothesis.

Your company already faces a multitude of cyber threats, many of which
you're only dimly aware of (and many more of which you're not at all
cognizant). Those threats will continue to multiply in 2020. And you know
full well that every minute you're without access to your company's most
sensitive data is a minute that could change the course of your company's
history for the worse.

2. Execute All Operating System Patches As Soon As Possible

Don’t put off operating system patches until they’re convenient. You know
as well as anyone that there’s no optimal time to upgrade the basic
plumbing upon which your corporate computing network relies. If it helps,
set and enforce a patching schedule that applies across your entire
network, with a fixed maximum window that is shortest for internet-facing
systems and for bugs already being exploited in the wild.

3. Don’t Defer Browser Updates (And Continue to Evaluate Your Secure
Browsing Options)

Don’t defer browser updates, either. The browser is the piece of software
your employees point at untrusted content all day, so a malicious or
compromised web page is a far more likely way in than an attack on the
operating system itself. Zero-day exploits are the scary-sounding
exception: they must be taken seriously, but the bulk of real intrusions
use bugs for which a patch already existed.

As soon as you’re made aware that your browser is due for an update,
execute that update; most browsers now update themselves, so the practical
task is making sure that mechanism isn't disabled and that browsers
actually get restarted. And should concerns arise about the integrity of
your preferred browser, consider making the switch. Standardizing on a
well-maintained browser removes a whole class of cybersecurity headaches.

4. Use a High-Quality Virtual Private Network (Paid)

Another easy way to guard against garden-variety cybersecurity threats:
using a virtual private network, or VPN, to encrypt traffic between your
employees' devices and your network. Be clear about what that does and
doesn't cover: it shields traffic from whoever runs the coffee-shop or hotel
Wi-Fi, but the VPN provider sees everything that passes through, and it
does nothing against malware already on the device.

A VPN only protects the traffic that actually passes through it, so the
client needs to be deployed and enforced on every device at your company
rather than left to individual choice. Even the occasional data
leak is useful to malicious actors who might be lurking in the shadows,
patiently waiting to catch whatever digital crumbs you allow to fall their

VPN quality is also important. Free VPNs abound, but they’re not always
built in the end-user’s best interest, and a few may be actively harmful.
Take third-party reviews and independent audits seriously, read the
provider's logging policy, and don’t use products that aren’t well-liked by
the experts.

5. Use a Comprehensive Anti-Malware Suite

This probably goes without saying in the year 2020. If you’ve made it this
far without an anti-malware suite, congratulations — you’re either a genius
or just incredibly lucky.

As with VPNs, anti-malware software quality matters. Don’t use a product
whose vendor is the subject of serious trust concerns, as has been the case
with once-popular products like Kaspersky (barred from US federal systems
in 2017) and McAfee. Anti-malware runs with full privileges on every
endpoint and reports home constantly, so your company’s data is too
important to entrust to a vendor whose loyalties you can't verify.

6. Run Regular Anti-Malware Scans (Don’t Wait For Automated Runs)

Anti-malware suites typically run automatic whole-system scans at
frequencies chosen by the user. But you shouldn’t rely on the regularly
scheduled system check alone. Make sure real-time (on-access) protection is
switched on, since that is what catches a file the moment it lands, and run
an on-demand scan whenever something looks off: an odd attachment was
opened, a machine slows down, a user reports a pop-up. The more often you
probe for hidden threats, the likelier you are to catch a potentially
serious problem before it causes a massive headache for your company.

7. Devote One Hour Per Week to Threat Research

You might not be a subject matter expert in all things cybersecurity, but
you are — last time you checked, anyway — your organization’s ultimate
decision-maker. It’s incumbent upon you, as the person to whom the subject
matter experts answer, to understand the threats most likely to affect your
industry, your company, and your employees.

And that means you need to stay informed. To start, set a realistic goal:
one hour per week devoted to researching the latest cyber threats. Any
longer than that and you may detract from other priorities; any less and
you’ll struggle to follow your CISO’s briefings.

8. Attend At Least One Cybersecurity Conference This Year

This is another key prong of your self-education efforts. To be clear: Yes,
you, the ultimate decision-maker at your organization, should absolutely
attend at least one cybersecurity conference each year.

If you’re based out of a major metropolitan area, it’s unlikely to present
a major imposition. Non-experts are routinely floored to learn just how
many cybersecurity conferences take place in the United States each year.
There are a lot, and it’s almost certain that one is slated to happen in
your neck of the woods within the next 12 months.

Your annual cybersecurity conference routine shouldn’t replace your
in-house IT team’s continuing education obligations, of course. They should
be fixtures at relevant conferences around your region and beyond, at far
greater frequencies than once every fourth quarter. Nevertheless, their
immersion is no substitute for your own firsthand experience.

9. Hire a Best-in-Class CISO (Or Keep a Trusted Partner on Retainer)

Don’t wait for your organization to grow to the point that you think it
needs a Chief Information Security Officer. That point comes much sooner
than you realize.

Indeed, it’s arguable that you should hire a full-time CISO before you hire
a full-time CMO. Keeping your marketing function at the director level for
an extra year or two probably won’t constitute an existential threat, but
spending the next 12 or 24 months steadfastly denying that your company
faces catastrophic risk from a host of known and unknown cyber threats well

10. Educate Your Staff About Email Hygiene

“Email hygiene” has something of a dual meaning. It’s often used in the
context of maintaining a “squeaky clean” email list — that is, a marketing
or contact list that’s totally up to date and devoid of outdated addresses.

But email hygiene has a deeper and frankly more important meaning, at least
outside the marketing department. That is: the set of practices that
prevent your team from falling victim to any of the myriad email-vectored

The list of such threats is long and ever-changing. Hiring a best-in-class
CISO and sending your security team to at least one cybersecurity
conference each year will certainly help burnish your email hygiene, but by
themselves they’re not enough. It’s on you, as the ultimate decision-maker,
to roll up your sleeves and lead by example.

11. Maintain Strict Data Security Protocols for BYODs

Born of relentless cost-cutting and Gordian logistical challenges, “bring
your own device” (BYOD) is here to stay. Most small and midsize companies
not steeped in digital security (or practicing it as a core service) allow
BYOD in one form or another, with or without a written policy.

Is the BYOD “cure” — outsourcing the purchasing and maintenance of
employees’ computing devices to employees themselves — worse than the
disease it’s designed to cure (namely, corporate device bloat and the
inevitable costs that come with)? That depends on the quality of your BYOD
data security protocols.

If you don’t yet have a data security policy for your BYOD network, task
your CISO with drawing one up. It’s crucial that your entire team is on the
same page with regards to BYOD maintenance, protection, and crisis
mitigation. You can’t afford to wing a breach; by the time one of your
employees’ devices is hacked, it’s too late to implement an orderly mop-up

12. Require Two-Factor Authentication for All BYODs and Corporate Cloud

Articulating a comprehensive BYOD data security policy is beyond the scope
of this article, but one measure does deserve special mention: two-factor
authentication. Any corporate account accessible from your employees’
take-home devices must enforce two-factor authentication for all log-in
attempts, with no exceptions. Prefer an authenticator app or a hardware
token over codes sent by SMS, which can be intercepted or redirected
through a SIM swap.

The same goes for corporate cloud accounts accessed from company-owned
hardware, of course, and/or within company networks. But it’s especially
important that you don’t leave employee-owned devices vulnerable when
they’re not on the premises.

Likewise, all BYODs must lock automatically, with device encryption turned
on. Biometric unlock is convenient, but every phone falls back to its PIN
or passcode, so a four-digit PIN is still the weak point: require a longer
passcode, and make sure you can remotely wipe a device that goes missing.
An unlocked BYOD in the wild is a ticking time bomb.

13. Maintain a Strict “Need to Know” Basis for All Operational Security

Your sales team doesn’t need to know the ins and outs of your company’s
financial plumbing. Why should your line employees know every defensive
move your IT team makes?

You know how crucial it is to silo proprietary information off from those
who don’t need to know it. This is all the more important in cybersecurity,
not least because the threat vector with the greatest potential to do your
organization harm is the one you may have overlooked up until now: the
malicious insider.

Guard your secrets well, friend. Guard them well.

14. Maintain a Strict “Minimum Required Permissions” Policy for Employees

For the same reasons it’s so important to maintain “need to know” status
for all cybersecurity operations, it’s vital that you maintain a strict
“minimum required permissions” policy across the board. In other words,
each of your employees — no matter how senior — should have only those
permissions which he or she needs to perform his or her job function, and
no more. That includes administrators, who should do everyday work from an
ordinary account and switch to a privileged one only for the task at hand,
and it includes revisiting permissions whenever someone changes roles, since
access tends to accumulate and is rarely taken away. Allowing employees
into accounts or permission levels where they
don’t belong inevitably weakens those domains, even when the employees mean

15. Tighten Third-Party Data Security Standards

Hold all of your vendors, no matter how minor or tangential to your core
business functions, to the same rigorous compliance standards to which you
hold your own team. In certain industries, such as finance, this is par for
the course; you simply won’t work with vendors that don’t take appropriate
precautions. “Soft” industries are vulnerable as well; retailers present an
irresistible target for hackers thirsty for fresh payment card information.

16. Redouble Physical Security Wherever Practical

In the old days, corporate “crown jewels” lived in locked filing cabinets
and fireproof safes. Today, they’re just as likely to be found on computer
towers or — worse — the cloud itself. If your organization houses its own
servers, harden the building(s) and room(s) in which they’re kept.

Otherwise, work with a cloud provider and/or colocation service that takes
physical security seriously. It’s not just theft and vandalism you need to
guard against; it’s also fire, severe weather, earthquakes, and other “acts
of God” that can’t fairly be attributed to malicious human activity.

17. Avoid Common Password Storage Mistakes

Two-factor authentication is table stakes in 2020. Unfortunately, it’s not
yet time to kiss the trusty old password goodbye for good. For the
foreseeable future, you and your employees will need to use alphanumeric
access credentials, which means you’ll need to store said credentials

A digital password locker may be an acceptable solution, provided it’s
suitably secure: a reputable password manager protected by a long master
passphrase and your second factor is a better default than any scheme that
asks people to remember dozens of unique passwords, because the alternative
in practice is reuse. Check with your CISO if you have any qualms. If a
written record is unavoidable for a handful of break-glass credentials,
keep it in a locked safe rather than a desk drawer or a sticky note, and
never in a plaintext file or spreadsheet.

18. Consider Cyber Insurance, But Don’t Use It As an Excuse Not to Innovate

Cyber insurance is the next hot thing in the once-staid insurance industry.
Is it a moral hazard?

Not if you’re absolutely sure you won’t allow it as an excuse not to take
the sorts of preventive measures described above. Think of cyber insurance,
instead, as a last resort that exists solely to ensure your organization
isn’t ruined by a single breach. It’s a financial remedy, not a license to
cut corners.

Are You Ready for a New Decade’s Threats?

A new decade is dawning. With it comes a multitude of digital threats —
some new and unimaginable, others old and familiar, if not quite welcome.

As this treatise should make clear, anticipating and parrying the most
potent of these threats is no easy feat. Maintaining a perfect record amid
the sheer multitude of bad actors out there is harder still; few
organizations manage it.

But that mustn’t stop you from trying. Your customers, employees,
shareholders, and vendors depend on you to do your utmost to maintain a
safe digital domain — today, tomorrow, and ten years from now.