Make these cybersecurity New Year’s Resolutions
Welcome to Cyber Security Today. It’s Monday January 4th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Happy New Year to all of you!
As always my first podcast of the year deals with New Year Resolutions. Now’s the time to think ahead about cybersecurity when the year is still fresh.
I’ll break this up into resolutions individuals should make, and ones for organizations.
Individuals should resolve to make sure all their Internet-connected devices have the latest security updates. First, make a list of what you have — smartphones, modems, tablets, laptops, desktop computers, outside video cameras, doorbells and whatever else. Updating phones and computers is relatively easy. Their operating systems can be set for auto-updates. Still, regularly check that patches have been installed. Don’t risk data theft by keeping an old phone or laptop. If your device can’t get updates because the operating system is too old, it’s not worth keeping. Modems and routers are harder to update because usually fixes have to be applied manually. Check the instruction manual on how to do it.
Second, resolve to take a hard look at your passwords. Make sure they aren’t easy to guess. Don’t use the same password for more than one application or website. Make sure you don’t use the default password that came with the device or software. Don’t ever think no one would ever try to hack you.
Download a password manager so you don’t have to remember them all. There may already be a password manager if you have an anti-virus or anti-malware suite. Otherwise, check sites like PC Magazine, Tom’s Guide, Wired or Consumer Reports for advice on picking one.
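The three checks above (not easy to guess, not reused, not a vendor default) are exactly what a password manager’s audit feature runs over your vault. As an added example that is not from the podcast or any particular product, here is a small Python audit over a constructed sample vault; the default-password list, the entropy estimate and the 50-bit threshold are my own assumptions, not a standard.

```python
import math
from collections import defaultdict

# Constructed sample of vendor defaults; a real audit would use a much larger list.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "12345678", "qwerty", "letmein"}

# Constructed sample vault: site names and passwords are made up for this example.
SAMPLE_VAULT = [
    {"site": "bank.example", "password": "Tr0ub4dor&3"},
    {"site": "mail.example", "password": "Tr0ub4dor&3"},   # reused from bank.example
    {"site": "router.local", "password": "admin"},        # vendor default never changed
    {"site": "hr.example", "password": "Summer21"},       # short, predictable pattern
    {"site": "shop.example", "password": "correct horse battery staple"},
]


def estimate_entropy_bits(password: str) -> float:
    """Rough guessability estimate: length * log2(size of character pool used).

    This is an upper bound (it ignores dictionary words), which is fine for
    flagging obviously short passwords; it is an assumption, not a standard.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(entries, defaults=DEFAULT_PASSWORDS, min_bits: float = 50.0):
    """Return a list of (finding, detail) tuples for a vault.

    Findings: "reused" (same password on several sites), "default" (matches a
    known vendor default), "weak" (entropy estimate below min_bits).
    """
    findings = []

    # Reuse: group sites by password and report any group with more than one site.
    sites_by_password = defaultdict(list)
    for entry in entries:
        sites_by_password[entry["password"]].append(entry["site"])
    for sites in sites_by_password.values():
        if len(sites) > 1:
            findings.append(("reused", tuple(sorted(sites))))

    # Defaults and weak passwords are checked per entry.
    for entry in entries:
        password = entry["password"]
        if password.lower() in defaults:
            findings.append(("default", entry["site"]))
        elif estimate_entropy_bits(password) < min_bits:
            findings.append(("weak", entry["site"]))

    return findings


if __name__ == "__main__":
    for finding, detail in audit_vault(SAMPLE_VAULT):
        print(f"{finding:8} {detail}")
```

Run it and the reused pair, the router’s default and the short HR password are flagged, while the long passphrase passes. The reuse check is the one that matters most: a breach at one site exposes every other site that shares the password.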
Resolve to put a PIN on your cellphone account. That way an attacker can’t call up your carrier with a sob story and fake ID and switch your phone number to a device they control.
If you have children, make sure the computers, tablets and smartphones they use have security features turned on, and have security patches installed regularly. Keep an eye where kids go online. And teach them to be safe – remind them the Internet is a public space and everything they write on social media sites can be seen by many people.
Finally, resolve to use two-factor authentication to protect logins where it’s offered. Two-factor authentication means that in addition to a username and password you have to type in a six-digit number. You get that number from an app like Google Authenticator, Microsoft Authenticator or Authy, or you have the service phone you with the number. It’s one of the best security moves you can make.
For organizations, cybersecurity is about risk management. You can’t manage risk if you don’t have a plan based on a cybersecurity framework. Briefly, list what applications and data you have, list the security weaknesses and plan for fixing them. The goal is to create a detailed strategy for the IT staff to follow, and an easier-to-follow quarterly report for senior management ranking issues by seriousness using numbers — say, 1 to 5 — or colours — say red, yellow and green. Understand that rarely will everything be green. Cyber risks regularly change. But this will give management a better idea of what’s going on.
If you’re a small or medium-sized Canadian firm the federal government suggests using the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls framework. Start by making an inventory of all the hardware, software and data the organization uses. Consider regulatory requirements for data security, including privacy laws. Create a risk assessment: How likely is data to be exposed by an attack? What impact will that have? Then set goals.
Determine how to best secure applications, data and websites through defences like firewalls, anti-malware software, virtual private networks, user behavior monitoring software and the like. Create application security settings that become the corporate standard. Create an application patching strategy. Create an employee data access policy with the principle of only giving employees access to the data they need for their jobs. Pay close attention to protecting administrative accounts with multifactor authentication. Create a policy for protecting data — what data needs to be segregated, what needs to be encrypted. Create an implementation plan for those policies.
Create a data backup policy — does data need to be backed up hourly, daily or weekly? Test that backup plan. Create an incident response plan for cyber attacks. Create a disaster recovery plan. Test those plans.
There is no plan if all management says to the IT department is, “Here’s your budget. Security is up to you.” As I said, cybersecurity is risk management, and that’s the executive’s job.
That’s a simplified version of what to do. There are lots of resources on the Internet. Some cybersecurity companies you deal with have free advice on how to create a strategy.
Remember, even companies that spend a lot of money on cybersecurity still get attacked successfully. Usually it’s because they haven’t been rigorous enough in applying their cybersecurity policies. If you’re not rigorous, that increases the odds of you being a victim.
That’s it for now. If you need a reminder of this advice see the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Cyber Security Today can be heard Mondays, Wednesdays and twice on Fridays on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.