In view of Cyber Security Awareness Month, I thought it might be useful for executives to see an actionable list of topics to ask their techies about. Reasonable answers will build your confidence that your organization’s risk of a cyber security breach is being sensibly addressed.
The recent Equifax breach resulted in the loss of considerable personal data for an astonishing 143 million American citizens. The headlines surrounding this data breach have added cyber security to the agenda of many executives. Equifax reminds us that:
- Excellent hardware and software defenses are not enough.
- Operational vigilance is important but difficult to sustain over time.
Overall, the message from Equifax and prior breaches such as the US Federal Office of Personnel Management and Target is that breaches cannot be prevented entirely but the risk can be substantially reduced by a variety of actions working in concert. In view of the overwhelming number of cyber security articles, websites, webinars, vendor software products and vendor services, it’s difficult for executives to sift through even a small portion of that mountain of material. Therefore, I’ve created this summary that executives can use to collaborate with their cyber security staff. The correct answers minimize the risk of a cyber security breach.
1. Manage operating systems
Sadly, many organizations are not even doing the minimum to protect themselves. For example, the basic, primitive WannaCry malware created global ransomware havoc. WannaCry attacks older versions of Microsoft Windows such as Windows XP for which support was discontinued in 2014. WannaCry again illustrated that two basic defenses significantly reduce risk:
- Don’t keep workstations and servers running with older, unsupported versions of operating systems even when it’s tempting because they’re stable and reliable devices.
- Make a reasonable effort to keep current versions of operating systems up to date by applying the available patches.
Act to replace your older machines before they fail. Upgrade the operating system on your newer machines. For additional detail on how to reduce risk by operating a comprehensive patching program, review the Patch Management article of the SANS Institute.
2. Build staff awareness
Many breaches start with a successful phishing attack that dupes one of your employees or contractors into clicking on a link that downloads malware. Raising awareness of employees and contractors reduces the risk of a cyber security breach significantly. This article contains the outline of a good action plan: Wake up your employees: How to reduce cyber security risks with employee training. For additional detail on how to reduce the risk of a phishing attack, review the resources of the Anti-Phishing Working Group (APWG).
3. Confirm firewall effectiveness
Firewalls are the first line of cyber security defense. No organization operates without one in the 21st century. The biggest problem is that firewalls are sometimes viewed as impregnable. This dangerous view leads to cyber security complacency. On the web, there are several websites, such as HackerWatch, that provide basic firewall testing. For more elaborate testing of your firewall, read this article.
4. Maintain anti-virus software
No organization operates without anti-virus software. The biggest problem is that anti-virus software is sometimes viewed as perfect in intercepting viruses. Unfortunately, this exaggerated view leads to cyber security smugness. For additional detail on how to test the adequacy of your anti-virus software, read this article.
5. Protect your network
Most cyber-attacks arrive through your network.
Protect your Wi-Fi or wireless networks by ensuring WPA2 encryption is turned on. Many organizations find it useful to offer a guest Wi-Fi network to keep visitors from plugging into your wired network. Periodically scan your premises for unauthorized Wi-Fi access points because they are easy for hackers to install on your network.
To reduce risks for your wired Ethernet networks, keep your network map up to date and consider adding a VPN, VLANs and MAC address filtering.
For additional detail on how to strengthen the security of your networks, read this article.
6. Confirm data backup processes
No organization operates without a data backup process.
Unfortunately, many organizations fail to test their data recovery process to ensure that the data backup process is working as expected. This failure to test can lead to a nasty surprise when the data recovery process can’t successfully recover data in the emergency of a ransomware attack or a natural disaster.
For additional detail on how to test your backup and recovery processes, read this article.
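The kind of restore drill this section asks for, as an added example that is not from the original article: it backs up a small constructed folder, restores it to a separate location, and proves every file came back intact by comparing SHA-256 digests, so a silent restore failure is caught before an emergency.

```python
"""Backup restore drill on constructed sample data (added example, not the
article's own): back up a folder, restore it elsewhere, and prove every file
came back byte-for-byte by comparing SHA-256 digests."""
import hashlib
import os
import tarfile
import tempfile

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def verify_restore(src_dir, restored_dir):
    """Return a list of problems; an empty list means the restore is faithful."""
    expected, actual = hash_tree(src_dir), hash_tree(restored_dir)
    problems = [f"missing after restore: {p}" for p in expected if p not in actual]
    problems += [f"content mismatch: {p}" for p in expected
                 if p in actual and actual[p] != expected[p]]
    problems += [f"unexpected file: {p}" for p in actual if p not in expected]
    return problems

def run_restore_test(corrupt=False):
    """Full drill: create data, back it up, restore, verify. corrupt=True
    damages the restored copy to show the check catching a bad restore."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as fh:
            fh.write("date,amount\n2017-10-01,100\n")  # constructed sample file
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("quarterly review\n")  # constructed sample file
        archive = os.path.join(work, "backup.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:  # the "backup" step
            tar.add(src, arcname=".")
        restored = os.path.join(work, "restored")
        os.makedirs(restored)
        with tarfile.open(archive, "r:gz") as tar:  # the "recovery" step
            tar.extractall(restored)  # archive we just wrote, so trusted
        if corrupt:
            with open(os.path.join(restored, "notes.txt"), "w") as fh:
                fh.write("truncated")
        return verify_restore(src, restored)
```

In practice the same comparison is run against a restore from the real backup media, on a schedule, and the list of problems is what gets reported upward.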
7. Review system access
The negative impact of a cyber security breach often multiplies because too many active accounts with excessive system access privileges exist for hackers to hijack.
Sometimes poorly developed software packages require end-users to have considerable system access privileges to perform their roles. Sometimes the database administrators are lazy and simplify their work by giving themselves god-like access.
Strengthen your system access controls by regularly reviewing and pruning the privileges assigned to all end-users. Delete accounts for employees that are no longer at your organization.
For additional detail on how to best review your system access risks, read this article.
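One way to turn the review described above into a repeatable check, as an added example that is not from the original article: it reads a constructed account export and flags accounts whose owner has left, accounts holding privileges beyond their role, and accounts idle for 90 days or more. The role-to-privilege table, the column names and the 90-day threshold are assumptions for this example.

```python
"""Access review over a constructed account export (added example, not the
article's own). Flags departed owners, excess privileges and idle accounts."""
import csv
import io
from datetime import date

# Assumed mapping of job role to the privileges that role legitimately needs.
ROLE_PRIVILEGES = {
    "clerk": {"read"},
    "analyst": {"read", "write"},
    "dba": {"read", "write", "admin"},
}
STALE_DAYS = 90  # assumed threshold for "nobody has used this account"

# Constructed sample export; a real one would come from your directory or IAM system.
ACCOUNTS_CSV = """username,role,privileges,last_login,employed
alice,analyst,read;write,2017-09-28,yes
bob,clerk,read;write;admin,2017-06-01,yes
carol,dba,read;write;admin,2017-09-30,yes
dave,clerk,read,2017-02-14,no
"""

def review_accounts(csv_text, today):
    """Return {username: [findings]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        privs = set(row["privileges"].split(";"))
        if row["employed"] != "yes":
            issues.append("owner no longer employed: delete account")
        excess = privs - ROLE_PRIVILEGES.get(row["role"], set())
        if excess:
            issues.append("privileges beyond role: " + ",".join(sorted(excess)))
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle >= STALE_DAYS:
            issues.append(f"idle {idle} days: disable pending review")
        if issues:
            findings[row["username"]] = issues
    return findings

def run_review():
    """Run the review against the constructed export as of 2017-10-02."""
    return review_accounts(ACCOUNTS_CSV, date(2017, 10, 2))
```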
8. Review physical access
A surprising number of security breaches occur due to lapses in physical security. Sometimes doors are left open or are propped open. Too often, long-departed employees are still listed on the active security card list. Sometimes short-term contractors forget to return their security cards and they fall into the hands of intruders. Strengthen your physical access controls by regularly reviewing and updating the active security card list. Review which doors and loading ramps depend on staff intervention and don’t require a security card. For additional detail on how to best review your physical access risks, read this article.
9. Strengthen passwords
Attackers increase their destructive impact by taking over end-user accounts with weak passwords. The top 10 passwords are this ridiculously easy-to-hack list: 123456, Password, 12345, 12345678, qwerty, 123456789, 1234, baseball, dragon, football. Implement strong passwords consisting of letters, numbers and special characters. Expire these passwords at least yearly.
Read this article for additional detail on how to implement strong passwords.
Many websites offer useful help to reduce the risk of a cyber security breach. This one, Secure Computing at MIT, is comprehensive and particularly well written because it avoids techno-speak.
What do you think are cost-effective ways to reduce risk of a cyber security breach at your organization?