Today's cybersecurity threat landscape is becoming increasingly complex, and more and more organizations are falling prey to cybercrime. With data theft on the rise globally, hardly a day goes by without yet another headline about data leakage, credit card fraud, hacking and security breaches. Organizations processing or storing the most significant amounts of critical data, such as financial institutions and governmental entities, are often the biggest data theft victims.
The COVID-19 pandemic has driven an increase in remote working and home network usage as a medium to connect to corporate networks, whether held on-premises or in the cloud. This change in work behaviour has provided threat actors with more opportunities to find easy victims among remote workers. As a result, today's threat landscape must now include personal computing assets as high-risk and high-value targets due to sensitive data access outside of the traditional protection of corporate networks.
As organizations try to come to terms with the ever-changing threat landscape, the basics – though often overlooked – still apply. Here are ten (10) effective and essential security habits you can employ to help protect your organization:
1. Focus on the right threats: the average company faces malware threats, human adversaries, corporate hackers, hacktivists, governments, and even trusted insiders. To ensure security, installing hundreds of patches each year to operating systems, applications, hardware, firmware, computers, tablets, mobile devices, and phones is necessary – yet we can still be hacked. Great companies realize that most security threats are noise that doesn't matter. Take the time to identify your company's top threats, rank those threats, and concentrate the bulk of your efforts on the threats at the top of the list.
2. Know what you have: establish an extensive, accurate inventory of your organization's systems, software, data, and devices. Most companies have little clue as to what is running in their environments. How can you even begin to secure what you don't know? The best companies have strict control over what runs where.
3. Remove, then secure: an unneeded program is an unnecessary risk. The most secure companies pore over their IT inventory, removing what they don't need, then reduce the risk of what's left, which applies not only to every bit of software and hardware but to data as well. Eliminate unneeded data first, then secure the rest. Intentional deletion is the most potent data security strategy. Make every new data collector define how long their data needs to be kept. Put an expiration date on it. When the time comes, check with the owner to see whether some data can be deleted.
4. Run the latest versions: every big corporation has old hardware and software hanging around. Still, most of their inventory comprises the latest version or the one immediately before it (called N-1 in the industry). The newest software and hardware come with the latest security features built in, often turned on by default. The biggest threat to the previous version was most likely fixed in the current version, leaving older versions that much juicier for hackers looking to make use of known exploits.
5. Patch quickly! This advice is so common it has become a cliché: patch all critical vulnerabilities within a week of the vendor's patch release. If your company takes longer than a week to patch, it's at increased risk of compromise – not only because you've left the door open but because your most secure competitors will have already locked theirs. Formally, you should still test patches before applying them, as they may have a substantial negative impact on production.
6. Educate your users! Education is paramount. Unfortunately, most companies view user education as a great place to cut costs. If they educate, their training is woefully out of date, filled with scenarios that no longer apply or focused on rare attacks. Effective user education focuses on the threats the company is currently facing or is most likely to encounter. It should be led by professionals and must involve the employees themselves. Security staff also need up-to-date security training each year to stay informed about the latest threats to corporate security.
7. Keep the configurations consistent: the most secure organizations have consistent configurations, with little deviation between computers of the same role. Most hackers are more persistent than competent. They probe and probe, looking for that one hole in thousands of servers that you forgot to fix. By doing the same thing, the same way, every time, you can establish configuration baselines and rigorous change and configuration control. Admins and users should be taught that nothing gets installed or reconfigured without prior documented approval. Find the right mix of power and flexibility to avoid committee paralysis. Make sure any change, once ratified, is applied consistently across computers.
8. Use least-privilege access control: "least privilege" is a security maxim that means giving the bare minimum permissions to those who need them to do an essential task. Most security domains and access control lists are full of overly broad permissions and very little auditing. The most secure companies have automated processes that ask the resource's owner to re-verify permissions and access rights periodically.
9. Institute intelligent monitoring practices and timely response: the majority of hacking is captured in event logs that no one looks at until after the fact, if ever. The most secure companies monitor aggressively and pervasively for specific anomalies, setting up alerts and responding to them. Suitable monitoring environments don't generate too many alerts. In most environments, event logging, when enabled, generates hundreds of thousands to billions of events a day. Not every event is an alert, but an improperly defined environment will create thousands of potential alerts – so many that they end up becoming noise everyone ignores. Some of the past few years' biggest hacks involved missed alerts, the sign of a poorly designed monitoring environment. The most secure companies create a comparison matrix of all the logging sources they have and what they alert on, then compare this matrix to their threat list. Then they tweak their event logging to close as many gaps as possible. More importantly, when an alert is generated, they respond.
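The comparison matrix described in habit 9, as an added worked example that is not part of the original article: a ranked threat list is mapped to the log sources each threat needs, and each source is checked for whether it exists, is enabled, and actually has an alert rule defined. All threat names, source names and alert rules below are constructed placeholders.

```python
"""Threat-to-logging coverage matrix (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class LogSource:
    name: str
    enabled: bool                                 # is logging switched on?
    alerts: set = field(default_factory=set)      # alert rules defined on it


# Constructed ranked threat list (habit 1) -> log sources needed to detect it.
THREATS = {
    "phishing leading to credential theft": {"mail-gateway", "identity-provider"},
    "ransomware on file servers": {"endpoint-edr", "file-server-audit"},
    "insider data exfiltration": {"dlp", "proxy"},
}

# Constructed inventory of logging sources and what each alerts on.
SOURCES = {
    "mail-gateway": LogSource("mail-gateway", True, {"malicious-attachment"}),
    "identity-provider": LogSource("identity-provider", True),        # logs, no alerts
    "endpoint-edr": LogSource("endpoint-edr", True, {"ransomware-behaviour"}),
    "file-server-audit": LogSource("file-server-audit", False),       # logging off
    "dlp": LogSource("dlp", True, {"bulk-upload"}),
    # "proxy" is deliberately absent from the inventory
}


def coverage_gaps(threats, sources):
    """Return, per threat, the needed sources that cannot raise an alert for it,
    with the reason: missing source, logging disabled, or no alert rule."""
    gaps = {}
    for threat, needed in threats.items():
        for name in sorted(needed):
            src = sources.get(name)
            if src is None:
                reason = "no log source"
            elif not src.enabled:
                reason = "logging disabled"
            elif not src.alerts:
                reason = "logged but no alert rule"
            else:
                continue                          # covered: source alerts on it
            gaps.setdefault(threat, []).append((name, reason))
    return gaps


if __name__ == "__main__":
    for threat, items in sorted(coverage_gaps(THREATS, SOURCES).items()):
        print(f"[GAP] {threat}")
        for name, reason in items:
            print(f"    {name}: {reason}")
```

A threat with an empty gap list is fully covered; every other entry is a logging or alerting change to make before tuning the remaining alert volume.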
10. Seek help from a trusted and reputable security provider: no one performs heart surgery on themselves or attempts to remove an aneurysm at the dinner table. Similarly, companies should recognize where their strengths lie and reach out to a trusted and reputable security provider to assist them with their security issues. This is an area where almost all companies are weakest!
The decision of buying, implementing, and maintaining solutions against cybercrime can be pretty challenging, and those responsible are often overwhelmed with the sheer variety of security solutions. Although there are hundreds of ways to become more secure, there are no quick fixes, no magical solutions to prevent cyberattacks – regardless of your organization's geographic location.
Data security risk is inevitable regardless of the size of your organization. If you have, keep, collect, or store data, your company will become a hacker's target. However, if you adopt security best practices to secure your data, meet compliance requirements and get advice from a trusted security service provider when needed, you are already on the way to improving your security posture.