Unless you work in the IT security industry, you might not realize just how vulnerable your computer security really is. We all need to shake off a few misconceptions to help every business stay safer.
First, we need to get rid of the analogy between cybersecurity and physical security. Images of locks, bolts, keys and bank vault metal doors – they’re all meaningless when it comes to cybersecurity. You can lock a door and be 100% certain no one could break in. But you can’t be 100% sure with cybersecurity. It’s just not possible. All you can do is reduce the risk.
Second, we need to remind ourselves that security basics are essential. It’s not always about complex security systems. Start with the basics and keep it simple. To reduce the risk of your devices, network and data being compromised, you need basic standards of cybersecurity hygiene, in much the same way we need to wash our hands and wear face masks to combat infectious diseases like COVID-19. It’s the same principle.
1. Keep your software up to date: Put rigid procedures and steps in place to ensure your software is up-to-date. Don’t postpone, don’t wait, don’t hesitate. Some organizations are still running Windows XP, which stopped receiving security updates in April 2014. Windows 7 is no better; it, too, is no longer receiving security updates. One of our jobs here at Avanade is to help companies around the world get to Windows 10 as quickly as possible, and make sure that your computers, servers and applications are brought up to date – and then kept up to date.
2. Go beyond basic email security: Most attacks still come via email, and COVID-19 has only made things worse: spear-phishing attacks have increased during lockdown.
3. Make sure your users are aware of potential threats and are fully trained: Because of COVID-19 and lockdown, security professionals are more stressed and overworked than ever before. To support them, it’s vital that everyone in your organization is fully trained in cybersecurity basics. They need the ability to distinguish between a genuine email and a phishing email.
These basics are so important, and it’s shocking to see how many organizations get them wrong or don’t do them at all. It’s a constant fight; it’s never ‘complete’ – always changing, always moving forward.
Advanced Cybersecurity Tips
Let’s take a look at some not-so-basic tips:
4. Get a grip on your data and what is being shared: Data leaks don’t always happen on purpose – they can be accidental. It’s all too easy to share a slide containing sensitive data not intended for outside use. Understand the value of your data: who shares data? What do employees want to share, and with whom? What tools are used to share? Which tools are safe? In other words, you need data security governance.
5. Protect and monitor your data and user identities: Working from home has disrupted the traditional IT security perimeter. With endpoints dispersed across geographies and networks, your organization’s data and the digital identities of all your employees are your most important digital assets. Make sure you put tools in place to determine what can be done with your organization’s data, by whom, and when.
6. Embrace the security challenges of a fully remote workforce: The unique challenges of working from home and protecting your data are discussed in more detail in an article I’ve co-authored with my Avanade colleagues Bart-Jan Bosch and Rhesa Baar – ‘Secure remote working: From short-term fix to long-term value’. I think it’s well worth reading.
7. Get your threat or disaster response ready: Put runbooks in place for when the worst happens. Everyone in your organization needs to know what to do, the steps they need to take, and the people to speak to.
Some tools are a waste of time. You don’t need an expensive security tool to see that you have vulnerabilities. Instead, invest in tools that protect your endpoints, monitor end user behavior, and add encryption to keep data safe. Monitor the security behavior of your end users to detect abnormal behavior, so that experienced IT teams can investigate and take appropriate action.
One recent story is a lesson to us all. The organization’s software wasn’t patched and lacked the latest updates. Sounds sloppy, right? Well, they had a good excuse; the business postponed the updates to avoid downtime. But this left a known vulnerability wide open to hackers, who soon began an email phishing campaign. It didn’t take long for an employee to take the bait and click on a malicious attachment.
The hacker’s fateful payload did nothing more than make the PC run slower, but this spurred a call to the IT help desk, and IT logged on to the affected computer using credentials with full access privileges to other computers and servers. The hacker was in.
The CISO’s dilemma
The eternal dilemma for IT leaders is where to set the security control dial. Rigid control over data and software leads to disgruntled users who simply start using their own tools outside of the company’s control. Too little control, and you’ll end up with data leaks and hacks all over the place. There is a third way: understand what your users need the most and make it happen for them in the way they want. Don’t work against them – work with them.
Hackers usually take the path of least resistance. They target the organizations that are least secure. But when they do get into your network or infiltrate a computer (after all, you’re not going to stop every attack), you need to make their life very difficult.