For any business that handles sensitive data, keeping your IT systems functioning properly can be a matter of life or death. Just as a surgeon wouldn’t operate without clean hands and equipment, businesses shouldn’t collect, process, or store data if they’re not practicing proper cyber hygiene.
Consider the following scenarios:
- The personal information of millions of Americans is exposed when an employee at an organization in custody of sensitive data does not implement standard software fixes;
- Tens of millions of records, including Social Security numbers, fingerprints, personnel information, and security-clearance files are stolen from an agency because the agency’s operations staff lacked visibility into the security fitness and state of information systems; and
- The data of over one million patients are stolen from a public health system, in part, because employees lacked adequate cybersecurity awareness and training to properly respond to cyber attacks.
A cyberattack that causes a data breach places your company’s intellectual property and your users’ personally identifiable information (PII) at risk of theft. While the reasons for the data theft may seem different in each case (lack of systems patching, poor visibility and inadequate cybersecurity awareness training), they have one major thing in common; they were all caused by insufficient cyber hygiene being practiced by the organizations attacked.
For some reason, there is a general perception that only global corporations are at risk of a breach. As a result, thousands of attacks against smaller businesses largely are unreported. On the bright side, most successful attacks leverage well-known security problems, so if you’re practicing good cyber hygiene, you should be able to sleep a little better at night.
Assess your cybersecurity
What is Cyber Hygiene?
It is said that Internet pioneer Vint Cerf coined the term “cyber hygiene” while thinking about teeth brushing. He saw the parallels between preventive oral care and preventive cybersecurity. Whether the story is true or not, oral care (which includes teeth brushing) is a good metaphor for cyber hygiene. Regular teeth brushing, flossing, gum stimulation, professional cleanings and x-rays can mitigate the root (pun intended) causes for many medical maladies. While it’s sometimes a hassle, we know that we’ll be sorry if we don’t take care of our teeth. The same is true of cyber hygiene.
So what is cyber hygiene? Cyber hygiene is a set of practices for managing the most common and pervasive data security risks faced by organizations. The goal is to mitigate the common root causes responsible for many cybersecurity incidents, including data breaches and malware infections.
While the practices are relatively simple, they can also be resource-intensive and of a thankless nature. But practicing cyber hygiene is worth it, making it much harder for attackers to succeed and reducing the damage they can cause. Once cyber hygiene best practices are integrated into your organization, all you need are daily routines, good behavior from your employees and occasional check-ups to make sure your organization’s information systems health is in optimum condition.
How to Practice Good Cyber Hygiene
The objective for all organizations should be to protect the enterprise with good cyber hygiene and basic lines of defense and also to optimize the response with more advanced tools and strategies. Remember that cybersecurity serves to protect your organization but it must not become an obstacle to innovation and change.
Studies suggest that a significant percentage of organizations (some say over 75%) are still operating with only limited cybersecurity infrastructure. More worrisome, many organizations can’t readily define what their most critical information and assets are and where they can be found. It’s pretty hard to safeguard something under those circumstances. Let’s talk about how you can practice good cyber hygiene and protect your organization’s assets.
If you follow this set of best practices, you will be ahead of the game and on your way to thwarting the most common cybersecurity risks faced by organizations today.
1. Identify and prioritize your organization’s “crown jewels”
Your organization’s most important activities and assets are your crown jewels. You need to be able to recognize and hierarchize key organizational services, products, and their supporting assets. Focus on the critical few; find out what is most important to your organization, figure out where it lives, and build the cybersecurity risk management strategy around it.
You should also examine the importance of cybersecurity to the strategy of the organization and determine if enough is being invested in this area. According to some surveys, more than half of organizations don’t make protecting the organization part of their strategy and execution plans.
2. Determine the key cyber risks you face, potential impact and response strategies
It is crucial that you identify and assess the risks to your organization’s operations, assets, and individuals. Responses to identified risks include acceptance, mitigation, and monitoring to reduce the likelihood of an event and/or minimizing the impact of an incident.
You probably won’t be surprised to learn that organizations most value their customer information, financial information, intellectual property, and strategic plans and prioritize protecting those first. Customer passwords and board member information are also considered priorities to protect. Studies show that supplier information is considered less valuable, which means the idea of collectively protecting the entire supply chain has some way to go before it is a mainstream best practice.
3. Create and follow an incident response plan
Every organization needs a plan for responding to significant digital and physical disruptions.
An incident response plan should include procedures for escalation, personnel roles and responsibilities, and external-partner coordination for handling disruptions. There are three main components to an incident response plan: technical, legal, and managerial.
Before you make an incident response plan, you must identify what’s at risk (points 1 and 2 above). As part of your plan, designate those staff members who are best positioned to cover those functions.
Develop a playbook to address the most likely incidents. Various types of incidents might require different kinds of responses, depending on which systems are affected and to what extent. Each response should include these elements: whom to notify in the organization, what information to collect, when and how to contact law enforcement, how to preserve evidence, when and how to inform customers, and which facts a decision-maker will use to decide how to treat affected systems.
Your plan should cover these basic steps:
- Assess the attack and potential damage;
- Contain the attack to prevent additional damage;
- Collect information about the attack to inform decision-makers, law enforcement, and other victims; and
- Notify your internal command chain and outside partners to address all aspects of the attack, especially to remediate any damage.
Get buy-in for the plan from key stakeholders (legal, technical, and management experts) and make sure your response team regularly reviews and practices the plan.
You can stay a step ahead of attackers by anticipating how you will respond to their attacks. Your prep work should minimize the damage from a successful attack.
4. Emphasize cybersecurity education and awareness
Ensure that your employees, senior leaders, and partners have adequate cybersecurity skills and awareness. Train new hires in best practices and make sure personnel and partners receive at least annual training. As we saw at the beginning of this article, the lack of employee cybersecurity awareness exacerbated the effects of a data breach.
Good sense dictates ensuring that your training addresses the biggest threats. Most successful cyber breaches start with phishing and/or malware.
Some studies estimate that one-third of cybersecurity breaches involve phishing, which is the fraudulent practice of sending an email, which appears to come from a reputable source, to lure someone to reveal personal information or click on a link.
It is critical that your personnel are made aware of this scheme and are taught to be careful with opening email attachments and clicking on links. practice two simple techniques to guard against these attacks.
5. Implement best-practice network design and monitoring principles
You must ensure that your organization’s communications network has adequate protection and monitoring.
When configuring perimeter and internal network segments, utilize best-practice network design principles, and ensure that all network devices are configured consistently and appropriately. Be vigilant about filtering all traffic at the network perimeter so you can limit traffic to what is required to support the organization, and monitor traffic for unusual or malicious incoming and outgoing activity, which could indicate an exposure, attack, or attempted attack. Conduct regular testing of the network for potential exposures and vulnerabilities.
6. Minimize risks with access control
Practice the principle of least privilege and limit the access rights of users to only what they need to perform their job functions. Maintain and update user access accounts as personnel join and leave your organization and as their roles change.
As you consider access, consider the classification level (e.g., confidential, secret, public) of information in documents or data stored on servers. Be certain that you store sensitive information in secure areas and on systems that limit access to only individuals who need it.
7. Stay current on technology changes and implement standardized secure configurations
Change control and configuration management procedures should be utilized consistently. Ensure that these processes are in place and are being managed. Establish standard secure configurations for operating systems, software applications and hardware. These configurations should be regularly refreshed and updated in light of current threats, vulnerabilities, and attack vectors.
Experts suggest that over half of data breaches were directly caused by unpatched vulnerabilities. Patching is the installation of software updates on computers, routers, and other devices, such as wireless printers, cameras, and even thermostats. Patching is a vital step in cyber hygiene. It is critical that you apply patches issued by the manufacturer to fix known vulnerabilities quickly. The longer you delay applying a patch, the longer attackers have to threaten your operations.
You can install patches manually via a regularly scheduled task or you can configure your systems to automatically install released patches.
Because implementing a patch can open new vulnerabilities in your systems, you need to monitor patching activity. Ideally, you would take an image of your servers before you install the patches and have a good rollback plan in case you find significant issues with the patch deployment. Patch systems at all levels – web applications, backend database applications, operating systems, and hypervisors.
8. Implement controls to protect and recover data
Every organization needs cybersecurity controls and recovery solutions that have been both implemented and tested. It’s imperative that an organization’s risk strategy outlines how data should be managed to protect the availability, integrity, and confidentiality of information. For example, systems should be backed up automatically at least once per week. This should happen more frequently for systems storing sensitive information. An assessment of data should be performed to identify what you consider sensitive and what will need encryption and integrity controls. In addition, you should strive to regularly test that the controls, backups and continuity procedures are functioning as intended.
9. Prevent and monitor malware exposures
Malware is a huge risk to organizations so every effort should be made to establish processes to prevent malware and manage those risks.
The main tools recommended to continuously monitor workstations, servers and mobile devices are anti-virus software, anti-spyware software, personal firewalls, and intrusion-protection functionality. In addition, all malware detection events should be sent to enterprise and event log servers for analysis.
While they are not perfect, anti-virus programs are good at identifying and quarantining known malware.
Good cyber hygiene warrants setting up your anti-virus software to update automatically to defend against the most recent malware. Network-monitoring technology installed at your router level is also recommended. This will monitor all traffic on your network and can identify potential malware and threats that anti-virus software sometimes misses.
Firewalls are also a key component in cyber hygiene. Firewalls block or allow connections to your environment, thereby shielding your computers and network from malicious or unnecessary network traffic. You can configure your firewall to block data from certain locations or applications while still allowing the relevant and necessary traffic to pass through. Be aware, though, that firewalls primarily help protect against malicious traffic, not against malicious programs, and will not protect your systems if you accidentally install malware on a computer. Make sure you perform regular firewall-rules reviews and firmware updates.
Regularly patching your software (point 7 above), using anti-virus software and implementing a firewall provides multiple layers of protection. This doesn’t mean your organization’s computers will be safe from every type of threat, but it is a solid starting point in enhancing your organization’s cybersecurity.
10. Manage cyber risks associated with suppliers and external dependencies
Third parties can be vital to helping an organization succeed. But along with suppliers and vendors come unique cyber risks. These need to be identified, prioritized and managed.
You should strive to establish processes to manage threats, vulnerabilities, and incidents that may result from third parties and suppliers throughout the life of those relationships. Ideally, collaborative cybersecurity risk management processes (e.g., information sharing and controls testing) should be implemented.
11. Perform cyber threat and vulnerability monitoring and remediation
Cybersecurity is not static; new threats and vulnerabilities are introduced into the world on a regular basis. It is vital that you keep up to date on these. One of the best ways is through information-sharing forums and sources.
Based on your research, rate the riskiness of threats and vulnerabilities based on their probability, exploitability and potential impact. Start by mitigating the highest risk threats and vulnerabilities using leading practice controls. Based on these risk ratings, establish controls implementation and patching timelines.
In general, what are the riskiest vulnerabilities? As noted above, when you involve third parties, your organization becomes more vulnerable. And, unfortunately, studies show that only a small percentage of organizations have taken basic steps to protect against threats coming through third parties. However, the vulnerabilities with the most increased risk exposure are careless/unaware employees and outdated security controls.
Closing Thoughts
We have seen that insufficient cyber hygiene is a leading cause for organizations being attacked and that global corporations and smaller businesses alike are at risk of being breached. And while, like personal hygiene, cyber hygiene can be tedious, it’s a lot better, and ultimately less painful, to put in the work upfront instead of dealing with the consequences of a breach. We hope this has inspired you to get on board with cyber hygiene. And maybe we’ve even motivated you to floss a little more regularly. Contact RSI Security to get started today.
Sources
https://enterprise.verizon.com/resources/reports/dbir/