30 cybersecurity tips in 30 days

Protect your assets and your business

Tip #1: Protect personal devices from cyberattacks

Incidents of malware and other cyberattacks have exploded in recent years, preventing businesses from accessing their data. Organizations that allow employees to use personal devices for work face an even higher risk of a breach. Indeed, some 87% of businesses are dependent on their employees being able to access business apps from their devices. More than 60% of data breaches are attributable to a lost or stolen device. A single missing device containing sensitive data is enough to jeopardize an entire business. While all users should protect devices with multifactor authentication to create obstacles for potential criminals, a mobile device management solution is critical in BYOD security so that administrators have the ability to lock or wipe a device in case the device is lost or stolen.

Organizations must balance the cost-saving advantages of not issuing phones and tablets to employees, as well as the convenience of employees being able to use their own devices for work, against the added vulnerabilities.

A user who does not understand their company’s bring-your-own-device (BYOD) security policy creates exposure for themselves and the business. Because less than half of U.S. companies have established a policy, the potential for problems is high. Employees may not adhere to the same security standards they would when using a company-owned device.

More than 60% of data breaches are attributable to a lost or stolen device. A single missing device containing sensitive data is enough to jeopardize an entire business. While all users should protect devices with multifactor authentication to create obstacles for potential criminals, a mobile device management solution is critical in BYOD security so that administrators have the ability to lock or wipe a device in case the device is lost or stolen.

Next steps

• Develop a BYOD security policy that is reasonable for employees while protecting your interests: It should spell out their rights and responsibilities and specify what the business will access and what it won’t access. The policy should also define measures for when a device goes missing or when an employee leaves the company.
• Look into a mobile application management system: You can customize controls based on how apps are used, the type of user, the application, the network or the time of day. You can also specify which apps are approved and which ones are banned.
• Consider an organization-wide mobile content management system: It keeps you in control of secure company data while user information on personal devices remains private.

Tip #2: Make the most of multifactor authentication

When it comes to effective cybersecurity risk management, continuous improvement is what it’s all about. Remote and hybrid work, plus multiple access points to your business network or cloud services and applications, have made multifactor authentication (MFA) an indispensable security practice.

MFA protects against attacks that use easily guessed or stolen passwords.

MFA is also increasingly required by regulations (e.g., HIPAA, CMMC, FFIEC) and cyber insurance providers, which are making it a condition of policy renewal and underwriting.

These critical defense layers make it harder for attackers to infiltrate your systems. Most are familiar with one-time codes and facial recognition in addition to passwords. But biometric verification using a wider array of traits is gaining ground. It includes everything from retina and iris scanning to earlobe and hand geometry to fingerprint scanning, digital signature scanning and voice authentication. Biometric device components include a reader, a database and software to convert the scanned/biometric data into a standardized digital format and compare match points of the observed data with stored data.

Next steps

• Inventory all platforms: Identify all platforms where employees have access to remote company data and resources, including email, VPN, remote desktop platforms, cloud solutions and collaboration software.
• Implement MFA solutions: For any of your identified remote access and internal admin accounts, you’ll need to implement MFA solutions. Note: Some organizations require more than one solution, as deploying MFA on internal admin accounts can be technically more challenging and requires specialized solutions.
• Review vendor account logins: Your vendors should also enable MFA, further increasing the level of security throughout your organization.
• Engage third-party expertise: A third party can audit and implement MFA solutions around your organization, from online collaboration platforms to security systems to line-of-business software.

 

Tip #3: Defend against AI-generated cyberattacks

Once attackers have identified a piece of infrastructure to go after, they can use generative AI to shape and execute attacks wherever they choose. They can generate social engineering campaigns or use AI to generate scripts that will be used as part of an attack.

From a defensive standpoint, you can employ machine learning to look at huge quantities of data about attacks to identify patterns of what suspicious activity looks like and start monitoring in real time for those suspicious activities that have been indicators of compromise elsewhere.

Because AI will help increase the quality of phishing schemes against individuals to trick them into divulging information, organizations and employees need to be cognizant of what those social engineering attempts look like to identify them and function as a kind of human firewall to avoid falling victim. AI-generated messages may be more specific and better crafted toward their target compared to human-generated attacks. They’ll include language inflections and terminology that will mimic a real person much more closely than before.

Deepfake attacks are another AI development. These generate media, such as videos or images, to impersonate specific real people and carry out fraud or disinformation campaigns. In the workplace, actual audio could be fed into an AI model, which can synthesize speech, saying whatever the attacker instructs it to and that sounds just like a known individual.

Next steps

• Increase your level of scrutiny: The tell-tale signs of email or text-based phishing attempts may disappear with AI-generated campaigns. These better-crafted messages won’t include the kinds of spelling, grammar and other language issues that often raise red flags about malicious intent. So, in the absence of the usual tipoffs, ask yourself if this person is someone who would normally contact you or have any reason to contact you. Would it make sense to engage with them? Checking the “from” field will still be a useful way to help verify the sender’s authenticity.
• Check with an actual sender or caller: If you receive email or voice messages that give you pause about their authenticity, get in touch with the person through an out-of-band channel (don’t reply to the email or call the number provided) to verify the request is real. Any outreach that seems like a scam should be reported to your cybersecurity team.
• Be aware of the risks with tools like PentestGPT:This ChatGPT-powered penetration testing tool can help penetration testers automate their penetration testing operations. But the hackers can get their hands on this, too, as the app uses an API interface that doesn’t have security protections built in in the way that ChatGPT does, which is programmed to “do no evil.”
• Look into AI-driven anti-malware tools: AI used in malicious software can avoid detection and adapt to changing environments, which makes it harder to identify as malware. Anti-malware tools look at what's running in memory and other processes and identifies malicious activity that may be very deep in the system. Look into hiring cybersecurity specialists who are on top of these issues. The cost for risk reduction will be far less than the consequences of a ransomware attack, which can threaten an entire business.

 

Tip #4: Strengthen your email security

Email has always been a chief attack vector favored by cybercriminals. Its exposure to the internet along with historically weak security makes gaining unauthorized access to email accounts relatively easy.

Common ways to recognize BEC — business email compromise — scams include highlighting time urgency and positioning the sender as authoritative (impersonating a CEO, CFO or another C-suite executive). The threat actor may make an unusual-sounding request seem legitimate by providing a plausible reason for it and clear instructions on how and when to meet the request, which may involve transferring a specific sum of money.

For all the vulnerabilities, there have also been many improvements in email security. Here’s how to make it harder for attackers to exploit your email system.

Next steps

• Use a cloud-based email system: Legacy, on-premises email systems require maintenance and security patching — something many organizations struggle to do promptly. If you’re still using an on-prem email system that you need to maintain, it’s time to move to a cloud-based, SaaS enterprise email system such as Microsoft 365. The cloud provider takes care of the platform and handles security patching, so you don’t have to.
• Use multifactor authentication (MFA):We can’t reiterate strongly enough how important MFA is. It’s critical to enforce MFA to combat credential attacks that let attackers take control of your email account.
• Implement email authentication: Three technologies — Sender Policy Framework (SPF); Domain-based Message Authentication, Reporting and Conformance (DMARC); and DomainKeys Identified Mail (DKIM) — all work together to help make it harder to deliver fraudulent emails to potential victims. If you’re not familiar with these technologies, work with your email provider or an experienced administrator to enable them in your environment.
• Enable external email warnings: Email systems should be configured to alert message readers that emails originated outside of the organization. This is critical to helping users identify when a cybercriminal is impersonating the CFO and the instruction to wire $75,000 to an escrow account is a scam. It’s especially important to enable these on mobile email platforms where the apps just display the sender’s name and don’t show you the full email address by default.
• Consider higher-level security monitoring: Systems such as Microsoft 365 contain behavioral analytics tools that enable your team to identify indicators of compromise in a timely manner. You should be able to see when hackers are getting into employee email though alerts about “impossible travel” by your employees. If a U.S. user’s login suddenly appears to be coming from Romania, it would be flagged as a compromised email. An additional layer includes “security information and event management” that combs through the log activity of every device. AI helps do automated threat hunting based on all the collected log data. Tools can also verify that links and attachments are safe before a user is allowed to access them.
• Train your users to detect and question phishing attempts: Security awareness training should be mandatory for all and ongoing. Repeat your reminders for how to detect suspicious messages — and how to respond. Whether it’s forwarding to IT or verifying the request with out-of-band authentication, employees are more likely to take appropriate action if your organization creates a culture of professional skepticism when reacting to phishing emails.

 

Tip #5: Resist multifactor authentication bypass attacks

While multifactor authentication (MFA) is increasingly available and gaining acceptance as a method to reduce cyber risks, the fact is the criminals seeking to thwart it are also getting better. MFA is necessary, but it is hardly a golden ticket in assuring the security of your accounts and systems. Attackers are working on new approaches to thwart MFA as quickly as users are adapting it.

Their techniques include:

• MFA bombing attacks: These happen when a criminal has already breached a user’s password and attempts to log in, triggering the MFA system to send push notifications to the victim to approve the access attempt. Attackers will often trigger these push notifications repeatedly to tire out the victim and get them to approve the request just to get the notifications to stop. These kinds of attacks may result in the delivery of ransomware, which holds data hostage until a ransom is paid.
• Web traffic interception: Attackers are also putting together sophisticated attacks that use phishing and fake websites that look just like your normal, remote-access login portals. Here they can proxy the web traffic between the victim and legitimate login portal, allowing the victim to input their username and password, which is logged on the proxy and sent to the legitimate login portal. Once the legitimate login server validates the username and password, it will prompt the proxy for MFA, which the proxy, in turn, presents to the victim. Once the MFA process in completed, the proxy will log the victim’s session tokens, allowing the attacker to use the session token to access the victim’s data.

Next steps

• Make sure legacy authentication portals are disabled: Early-stage portals don’t support MFA, so turn them off.
• Enforce MFA on every available external login portal possible: If there is a username and password on your website or for your employees to log in, it absolutely has to have MFA on it.
• Remove options for users to fulfill MFA requirements with push notifications: Having users input a number from the authenticator app is a much more secure route than bypassing MFA by clicking on a push notification.
• Review and tighten your conditional access policies: Many companies will say if you’re logging into Microsoft with their username and a password from the company’s IP address or if you're on a mobile device, you don't need to do MFA. If you’re allowing single-factor authentication, check carefully for vulnerabilities in your process.

 

Tip #6: Stay on top of password best practices

Weak, easily guessed or reused passwords are the cause of the majority of data breaches worldwide. Previous data breaches, hacker forums and the simple guessing of weak passwords in a “password spray” attack are just some of the ways passwords can be exploited by a bad actor.

A Verizon study of hacking-related breaches found that 80% of breaches were linked to passwords. The most common methods for compromising accounts are lost or stolen credentials and password guessing.

Even if breached passwords are hashed (i.e., encrypted) by your system, this is little protection as hardware specifically dedicated to cracking passwords is becoming more powerful, efficient and cheaper every year. Wipfli’s own in-house hardware used in penetration testing is capable of many billions of guesses per second.

Smart businesses are shifting away from relying solely on passwords as an access tool, both because of security weaknesses and out of a recognition that users are frustrated with frequent reset requirements. Having MFA requirements in place that may still include a password is a sound approach to enabling access and protecting your systems and data. The passwordless Windows Hello authentication system that relies instead on PINs is also gaining significant traction.

Take measures to help ensure that the rules around password use are strong and enforced. Preventing the use of weak or reused passwords at your organization is vitally important.

Next steps

• Implement password filtering: You should implement password filtering regardless of whether you use a password or a passphrase but note that it’s especially important if passwords are the de facto standard. Password filters prevent users from setting a password that contains easily guessed strings, such as months, seasons, years, sports teams, etc., which is the primary way that bad actors guess user passwords.
• Encourage the use of passphrases rather than passwords: Passphrases are comprised of several memorable words in random order, perhaps combined with a few character replacements. This produces a string that is much harder to guess or crack than those based on a single word with modifications or additions.
• Increase your minimum password length: If passphrases are adopted as a standard, the minimum password length can be extended to 16, 20, 24 or even 30 characters without undue burden on users. Conversely, increasing the minimum password length may have the alternate effect of encouraging passphrases use over passwords.
• Use multifactor authentication (MFA): Regardless of the strength of a user’s password, there is always the possibility it will be compromised in some manner. MFA provides a second, distinct verification of the user’s identity.

 

Tip #7: Install a trustworthy data backup system

Businesses depend on their valuable data gathered and stored for years. It can all be lost in an instant as a result of external and internal threats.

Whether it’s a ransomware attack or data lost to thieves or natural disasters, your proprietary information and customer database are at risk of being stolen and sold off without the right protections in place.

Your clients are relying on you to ensure their confidential and even nonconfidential data is safe and recoverable. They trust that you will protect and back up the data regardless of any incident that may damage the primary copy of that data. If your organization isn’t able to recover their data, it may result in loss of confidence in your organization and loss of business.

Even if your data is outsourced to a third-party provider, you are responsible for ensuring that the safety and recoverability of the data meets your organization’s needs, no matter if the data is in multiple locations or in multiple formats.

Being able to recover from different types of incidents means first identifying the type of data that is critical, how it is backed up and how it will be recovered. For example, copies of the data that are air gapped from the primary data help protect your organization from cyberattacks such as ransomware. Without being able to recover data quickly, precious time and money are lost, and you have to spend dollars on recovery versus spending time on new development and new sales.

Data backups offer versatility, reliability and peace of mind. Without a system you can rely on, you put your reputation and your entire business at risk in the event of data loss due to a breach or any threat.

Next steps

• Designate a backup administrator: Assigning a single person ensures accountability for setup, maintenance and periodic testing.
• Select a backup tool: Choose a backup tool that allows for easy recovery and recovery testing. The reason you are backing up is for the reassurance that you can recover if/when it is necessary.
• Choose multiple tools, if necessary: Choosing multiple tools can help ensure multiple backups that are on-site or off-site, and those that are air gapped, are safe from a malware intrusion. Keep an eye out for immutable backups, a newer feature that prevents backup data from being modified or encrypted.
• Ensure the backup allows for full recovery, not just file recovery: If the primary data center needs to be recovered at an alternate location, it may be necessary to recover to new hardware. Recoveries should be tested to the alternate data center.
• Define backup frequency: The policy should be monitored and enforced with extra attention on the systems and files that are most critical.

Tip #8: Don’t skip the basics

You surely know that keeping information secure is neither an ad hoc nor on-the-fly endeavor. The keys to ensuring resiliency in the face of threats from cybercriminals and natural disasters require a plan based around structure, documentation, monitoring and accountability.

Your organization may focus on some aspects of information security more than others, so it makes sense to take stock of efforts on a regular basis. Does your business adequately address the core components of an effective information security program? You need an effective, holistic program to keep your data and systems as safe as possible.

Next steps

• Shore up your program management: Be sure this includes a formalized risk assessment cycle, which involves identifying your risks, implementing mitigation strategies, training the relevant people about them, reassessing them once they are complete — and repeating the cycle from the top.
• Secure your network: Stay on top of your application inventory and track everything you have. That inventory should include third-party connections and APIs, as they are extensions of your environment. Understand every entity that connects to your network so you can keep it secure. Annual due diligence should assess the security controls of your third-party vendors, either by examining their audit review or sending them a security questionnaire about their practices. Questions should cover 1) patch management, 2) offboarding procedures at the end of relationships with third parties or employees (be sure people who shouldn’t have access don’t have access to your information), 3) where third parties store your data encryption practices so it isn’t accessible to outsiders and 4) practices around the data you’ve shared with third parties when the relationships end (return it or delete it?).
• Protect business and client data: Your data loss prevention strategies should include prohibiting USB drives; providing approved cloud storage so people don’t use personal, less-protected storage; auditing printing, where you use tools that can check what high-profile, exiting employees might be printing shortly before their departure; prohibiting downloads on unapproved devices; and securing phones.
• Implement vulnerability management: Establish a notification setup to handle zero-day vulnerabilities. When a high-profile, urgent fix is needed for a previously unknown attack, be sure your IT team is fully and promptly alerted to the need for patching and remediation.
• Ensure strong data control: Regularly perform access reviews, not only for your Microsoft login credentials, but also for any software that users maintain access to. Your software administrators should be periodically verifying what the user access levels are and if they need to be updated, given that people transfer jobs and responsibilities. Administrators should also be looped into the offboarding process, so when someone leaves the organization, they can verify what software they had access to and remove that access.
• Regularly monitor and test the environment: Have an independent party review your security controls. Consider a 24/7 SOC (and an outsourced test of those controls should be done at least annually). An independent party can connect to your organization and see all firewall activity. If an intruder gets in, they shut down that activity. This level of monitoring and testing is relevant for any-sized business that handles sensitive data.

Tip #9: Protect the organization with a password manager

Cybercriminals don’t always need a breach to gain an initial foothold in your organization. Employees seldom choose strong, complex passwords, and they tend to choose passwords composed of common elements, such as months, seasons and years, which an attacker can easily guess.

Employees also tend to reuse passwords across websites and different services, so one service or website that is compromised can lead to many, in what’s called a “credential-stuffing” attack (the automated use of a breached password to attempt a log in at many, even hundreds, of websites). If your users are reusing passwords, both your organization and partner organizations could be at risk.

Given the number of online services that most people use, plus the number of breaches that occur on a yearly basis, the question becomes not how to stop credential breaches, but how to minimize their potential impact. The most effective way to do so is with a password manager. Use one for the following reasons:

 

• They encourage the use of longer, more complex or even random passwords, since users don’t have to commit them to memory. Depending on the particular password manager, users may only have to remember one or two passwords: one for their initial network login and one for the password manager itself.
• Some password managers can also implement single sign-on. Having the password manager set very complex passwords prevents “password spray” attacks, as these passwords can’t be guessed by an attacker.
• They make it much easier to use unique passwords per login, as unique passwords can be randomly generated by the password manager itself, relieving the employee of having to compose a new password for every site or service. This helps prevent credential-stuffing attacks.
• They provide safe, encrypted storage for a user’s passwords, keeping them off Post-it notes or notepads and out of text, Word and Excel files, which could themselves be compromised.
• They enable employees to share login credentials with their colleagues without disclosing what the password is. If someone with access to your organization’s banking information leaves, there’s no need for others on the team who also access the account to change the password and share it with others. Permission is simply denied to that departing employee.

Next steps

• Use an enterprise-level password manager application: This relieves the user of the issues related to password management discussed above.
• Implement a single password manager for the entire organization: Don’t let employees use personal, standalone password managers for accessing your organization’s assets or services. If an individual leaves the organization, those company passwords leave with them. Meanwhile, employees should not be keeping passwords for sites they access for personal reasons — such as Amazon, Facebook or their financial institution — on the company’s password manager.
• Select the most appropriate password manager for your organization: Password managers can take on many forms: standalone applications for each user, applications that integrate with a web browser or centralized applications managed for the entire organization by your IT department. Base your decision on factors such as ease of administration, effectiveness and cost.

Tip #10: Examine your hybrid workforce practices

The transition to a more permanent hybrid or remote workforce seems here to stay. That flexibility comes with challenges for both workers and employers.

During the height of the COVID-19 pandemic, close to 70% of full-time employees were working from home. Now, in 2023, 35% of employees with jobs that can be done remotely are working fully from home, according to the Pew Research Center — up from 7% before the pandemic. And 41% are following a hybrid schedule.

With so many organizations managing a workforce with a large share of people working remotely on any given day, it’s critical for yours to implement the right technology and security controls to protect that workforce and your organization’s data.

Without a road map that identifies and prioritizes your organization’s challenges and plans around technology, your employees will start looking for workarounds. For example, if your organization hasn’t implemented a cloud storage solution, your employees might end up creating personal Dropbox or Google Drive accounts that don’t have proper security controls configured. Because services like these are beyond the control of your organization, the risk of a sensitive data leak increases.

Next steps

• Make the most of multifactor authentication (MFA): Remote work and multiple access points to your business network makes MFA more critical than ever. Beyond passwords and one-time codes, biometric verification using a wider array of traits, from retina and iris scanning to voice authentication and earlobe geometry, is gaining ground.
• Implement a secure VPN: A VPN allows your employees to have access to everything they need to do their jobs, whether they’re at the office or working remotely. Make sure you protect your VPN connection with MFA.
• Migrate legacy file servers and applications to the cloud: Cloud-hosted data is accessible anywhere, which is vital for hybrid and remote workers. By migrating your physical office environments to cloud solutions — which you control and can configure security around — you enable employees to securely access data from wherever they are working.
• Use business communication technology: Make sure the technology you rely on enables voice, video and text communication among users from anywhere, as well as allows secure file storage and sharing across your organization. Collaboration options include Microsoft Teams, Google Workspace and Webex Teams.

Tip #11: Revisit employee access and authorization

Properly managing employee access to your organization’s data and resources is vital to ensuring the security of your systems and assets. Failure to have the proper methods in place can lead to data breaches and security risks for your organization and a host of associated expenses.

Do your employees have access to more information than they need to perform their job duties? How do you monitor authorization levels? Your business could be at risk when people share information with others who don’t have that access, from the loss of trade secrets, pricing strategies and other competitive information to lowered morale and trust.

What’s more, many organizations are wasting money by paying for more licenses than they need. By reviewing access rights and restricting them appropriately, you can help reduce risk, costs and inefficiencies.

Next steps

• Review access and authorization rights on a regular basis: This is not a set-it-and-forget it endeavor. Review these rights wherever appropriate — on your network, in your accounting systems, in your ERP systems — to make sure the user really needs that access level, and determine how often you will do so. Setting a regular cadence further reduces risk.
• Regularly review licensing: Ensure counts are accurate and that only those who need the licenses have them.
• Assign an owner to your line of business software: Involve that individual in the approval process for granting access to systems. Have this individual review the list of people who have access at least annually, if not biannually. If individuals need access to new functionality in your systems, involve the process owner in that approval process.

Tip #12: Know when to use PINs vs. passwords

Organizations that stay on top of evolving security protocols are incorporating the simpler-to-remember PINs (personal identification numbers) into their platforms and sometimes replacing passwords as an authentication tool altogether. But before you can adopt PINs, you must have the right security foundations in place and be certain your systems are up to date. Currently, an estimated 15%-25% of organizations have adopted the full Windows Hello authentication system that includes PINs on their PCs.

People tend to think of a PIN as a simplified password, but it’s more complicated than that. Passwords can be transmitted across systems, whether that’s through the internet or from a system to a server. So, when a password gets compromised, a hacker using that same password and login credentials can move from one system to another. Businesses and their employees are vulnerable when they use the same usernames and passwords on numerous systems within their organization.

With a PIN, the number used is local to a specific system. It is tied to a single system and a single device. Because a PIN is not transferred, broadcasted or transmitted from system to system to system, in the event that device is compromised, only that particular system is affected. The breach can go nowhere else.

Next steps

• Be sure your trusted platform module (TPM) is working properly: Your organization needs a functioning TPM in its computers, a kind of secure cryptoprocessor designated to carry out cryptographic operations in order to deploy a PIN system.
• Activate Windows Hello for Business in your PC network: The Hello PIN is backed by the TPM chip. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software can’t tamper with the security functions of the TPM.
• Encourage PIN use: The comparatively short length of a PIN compared to a password is appealing to users. Another appeal: It doesn’t need to be changed regularly for security. But never permit anyone to use the same PIN on more than one device.
• Consider combining PIN and password use: Setting up a system so a password is still required at restart, along with a PIN, provides an extra layer of protection.

 

Tip #13: Elevate data privacy awareness training

Be sure everyone in your organization is clear on the distinctions between data privacy and data security.

• Data privacy centers on the organization’s proper use of personally identifiable information, including their responsibilities over that data, how it was obtained, on what and who it was collected about, how it is stored and secured, and how it is disposed of.
• Data security is one piece of data privacy, as it considers an organization’s responsibility over the protection of its data from unauthorized access.

Effective cybersecurity risk management means continuous improvement on all fronts. This includes enhancements such as leading-edge detection of new attack signatures, the expansion of incident response playbook coverages and the addition of multifactor authentication for more applications. It can also include the addition of data privacy components to role-based security training provided to employees.

It’s clear that data privacy and security go together but remember that data privacy is the fundamental reason why you invest so much in cybersecurity protections. Keeping employees attuned to this may strengthen their response to phishing and other social engineering attacks.

Best security management practices include periodically refreshing security awareness training content so that it’s up to date and covers all relevant current threats and attack tactics. The next time you do this, please take the opportunity to also supplement your curriculum with coverage of the data privacy goals and requirements relevant to your organization.

Next steps

• Identify relevant data privacy goals: Be sure your organization’s mission statement and business strategies discuss the importance of valuing and protecting the interests of your customers. In today’s customer-centric business climate, it is customer caring and commitment that drive data privacy goals.
• Identify relevant data privacy requirements: Review relevant data privacy laws and regulations to ensure you’re focused on compliance. The U.S. Computer Fraud and Abuse Act and the Children’s Online Privacy Protection Act apply to all industries. All 50 U.S. states now have data breach notification laws, and sectoral regulations, such as GLBA and HIPAA, could also be important.
• Build enhanced data privacy coverage into security training curricula: Apply the knowledge you gain within the action steps above to outline and summarize your knowledge for sharing with others via the slides or in-person presentations you use to deliver security training to your colleagues.
• Share the reasons why: It’s generally accepted that adults learn new things best when they also understand why they need to learn them. Thus, be sure to introduce any and all new data privacy elements in your enhanced curricula and provide context for your employees. When employees understand the necessity of data privacy, they’ll be far more likely to do their part in helping to protect data and your organization.

Tip #14: Mitigate risk in collaboration software

Remote and hybrid work continues to drive the need for organizations to provide collaboration solutions to work without limits, work on the go and work securely from anywhere.

The ability to share files with external users (guests) is an indispensable feature that allows you to securely collaborate with people outside your organization, such as your business partners, vendors, clients or customers — if it is set up and managed appropriately. But beware of cloud collaboration platforms with out-of-the-box settings to allow open or easy sharing.

Organizations that fail to provide employees with a centralized set of secure collaboration tools are setting up an environment in which workers use unapproved apps and software and thus create vulnerabilities. It’s up to your organization to implement collaboration solutions that restrict open sharing so as not to become an easy target for cybercriminals.

Fortunately, you can use tools to make sure each collaborator can only access what they need to, so the risk is limited to only small portions of the project with each person working on it. By establishing and reviewing external sharing practices, you can provide the right information to the right audience.

Next steps

• Review the external sharing configuration and settings: Review the external sharing settings (if enabled) and their limits, keeping in mind the configuration can be different for each collaboration solution and set at different levels within the solution. Check your application provider’s documentation or engage an experienced third party if you’re uncertain on how to configure.
• Know whether data is being shared externally: What information is being shared with external users and how much? Most collaboration solutions have auditing functions that provide the ability to log and search for external sharing. An even better solution is to set up alert policies that identify activities performed by users based on the conditions you define. You can also engage a third party if there is uncertainty about how to set up and monitor activity.
• Identify locations of sensitive information: Is there information in cloud applications that is sensitive and should have limited or no sharing? Where specifically does that information reside, and who has access? These are very important questions to ask and answer in order to make sure you are protecting your sensitive data.
• Configure restrictions on the sharing of sensitive information: Discuss protecting sensitive information with your IT department or IT service provider. Implement best practices by following the cloud application vendor’s guidance to secure your sensitive information. Here, too, you can engage an experienced third party if there is uncertainty about how to properly configure sharing.
• Implement an ongoing review of stored information and best practices: Regularly take inventory of shared information, since sensitive information may be added in new places. Frequently check your cloud application provider’s best practices for updated information.

Tip #15: Combat the cyber labor shortage

Even as other segments of the tech labor market are shedding jobs, cybersecurity continues to experience a significant shortage of skilled workers. A 2022 study found a 3.4 million shortfall in cybersecurity professionals. Leaders cited the following areas with the highest needs, according to the 2023 World Economic Forum’s Global Cybersecurity Outlook: cloud security (46%), cyberthreat intelligence (37%) and malware analysis (34%).

Because few business leaders feel confident that they have the security talent in place that they need, many are open to outsourcing roles to help ensure their organizations are doing all they can to protect their data and their systems.

Next steps

• Look into outside managed services for help: With permanent cybersecurity hires difficult to procure, you can find the help you need for the short or long term by working with outsourced cybersecurity pros. Using outsourced professionals may be the most cost-effective approach for organizations, especially with the more limited budgets of small or midsize organizations.
• Consider fractional leadership: A virtual chief information security officer (vCISO) can provide the strategic capabilities needed for a sound, effective cybersecurity operation. For smaller organizations, a fulltime CISO may not even make financial sense given more limited needs. A vCISO can provide the gravitas needed for your business with a more limited commitment of time and without incurring full-time costs.

Tip #16: Be sure your vCISO is separate from your IT operations

Chief information security officers (CISOs) are expensive because they are vital and as such can be cost prohibitive for many midsize organizations. Even if you have the budget, CISOs are in high demand and short supply. Most businesses need the expertise a CISO brings to the table, but not necessarily for 40 hours a week.

That’s when a virtual chief information security officer (vCISO) may be the right move, especially in light of increasing regulatory mandates to have someone overseeing your data security program. A vCISO’s fractional ownership model gives you part-time access to senior executive cybersecurity leadership and risk management capabilities. In other words, the CISO position is filled on a part-time basis by a consultant, and this person commits to providing strategic cybersecurity direction and helping organizations enhance their cybersecurity posture.

Having a vCISO in place to address vendor due diligence requests, respond to a security incident or enhance your information security program is necessary to reduce risk at your organization on a variety of fronts: financial, reputational and technical compliance. Your ability to even obtain cybersecurity insurance (or receive payout in the event of a damaging breach) may depend on proving that your organization’s data security practices are overseen by a vCISO.

Next steps

• Engage a specialist provider of vCISO services: Work with a firm that has the resources and experience necessary to provide executive-level oversight for strategic cybersecurity issues. Whether you need to meet industry-specific cybersecurity requirements to move into a new market and drive growth, or restore customer confidence after a data breach, you need someone who’s “been there and done that” to set your course.
• Segregate your vCISO from your IT functions: You need a separation of duties between your data security operations and your information technology team. While individuals in those areas work closely together, their goals are not always aligned with regard to mitigating risk. IT may be more focused on how to get more and better technology in the hands of users, and the data security side is zeroing in on potential new security holes created in those acquisitions.
• Set priorities and cybersecurity program objectives: Your vCISO needs to interact at the executive level and understand your business objectives. This is critical to aligning the cybersecurity program to support your business growth.
• Dedicate resources to do the work: By definition and structure, the vCISO isn’t a doing role. It’s oversight and strategic direction for your cybersecurity program. The vCISO will structure initiatives, track progress and clear roadblocks on initiatives. You’ll need to dedicate staff time to doing the work and making progress on the cybersecurity initiatives.
• Ensure vCISO agenda time at executive and board meetings: It’s important that you view the vCISO as an extension of your executive team. The vCISO will be presenting progress and key performance indicators about your cybersecurity program’s effectiveness and may be escalating issues to the rest of the C-suite. Without interaction and support of the executive team, the vCISO won’t be effective in driving the change you need in your cybersecurity program.

Tip #17: Protect against nation-state attacks

Nation-states are increasingly buying tools and services from the dark web while tools developed by nation-states are also making their way onto the black market.

Research shows a 100% rise in “significant” nation-state incidents between 2017 and 2020. An analysis of over 200 cybersecurity incidents associated with nation-state activity since 2009 shows that enterprises are now the most common target (35%). Often, organizations are targeted by nation-state attackers in a ransomware operation to gain funding or in an espionage campaign to obtain intellectual property.

Nation-state attacks typically come from three different sources:

• The nation itself (such as Russia, China, Iran or North Korea)
• Groups that are linked to a government (these attacks are also called state-sponsored attacks)
• Cybercriminal gangs in a country that allows them to operate freely (these attacks are also called state-ignored attacks) Nation-state attackers often target supply chains. The SolarWinds breach discovered in 2020, for example, underscores the necessity of understanding your software supply chain. Why? Because a nation-state attacker may not target your organization directly but rather target a company that can push updates into your network to gain initial access.

  Next steps

  • Audit your defensive posture: Audit your current information security posture. Do you have a defense-in-depth posture to defend against advanced attackers?
  • Understand the threat: Invest in threat intelligence and understand the threat actors interested in your business, product or data. Use this intelligence to create a defense-in-depth architecture.
  • Deploy software updates: Many attackers can use vulnerabilities in older products, so make sure to regularly test and implement security updates from vendors.
  • Protect your supply chain:Review and test software updates from vendors to ensure that no malicious code is contained in the update.
  • Test your defenses yearly: Conduct a red or purple team exercise to verify your defenses. Cybersecurity personnel can detect and respond to advanced attackers that are targeting your network or that are already in your network.

Tip #18: Incorporate cybersecurity reporting in your ESG approach

Nothing is more threatening to the sustainability of a business than a well-executed and successful cyberattack. Demonstrating that data security is a top priority for your organization is an important component for organizations adhering to a set of environmental, social and governance (ESG) principles.

Your measures to prevent and thwart efforts to compromise your systems, steal your data or wreak any other cyber havoc, should be communicated to your range of stakeholders — customers, investors and employees. Regulators increasingly expect to see how your cybersecurity policies and practices are mitigating risk and protecting your business to the greatest degree possible.

Next steps

• Get buy-in from employees: Your workforce is your front line of defense, and that means everyone, not just your IT and data security teams. It’s important to send the message “we’re all in this together” when it comes to keeping an eye out for phishing attempts and other suspicious activity.
• Address your broader range of stakeholders: What other organizations are you connected to that are dependent on your cybersecurity efforts? ESG concepts include understanding the cyber-related interests and expectations of customers, business partners, suppliers and employees. Be sure your cyber programs are inclusive in scope.
• Collect and share metrics: Let your employees and other stakeholders know on a regular basis about the types and numbers of attempted breaches to the firewall that were blocked. Understanding the magnitude of efforts to compromise your systems and data helps instill a sense of shared responsibility.
• Socialize your security changes or risk reduction strategies: Communicate, communicate, communicate. Employees need to understand their role in helping to keep their organization safe — which protects company, employee and client data. Lunch and learns, regular training classes and proactive phishing tests can help keep the responsibility to support information security top of mind. You can assess the results of your training efforts by looking at metrics for phishing emails blocked, quarantined or reported over a specific time period.
• Have direct conversations when needed: If people fail phishing tests or other in-house efforts to check vigilance, consider follow-up conversations or retraining.

Tip #19: Safeguard your digital supply chain

The COVID-19 pandemic highlighted just how vulnerable traditional supply chains are to disruption. Securing your organization’s digital supply chain, reliant on the cloud services that are integral to most business operations, is no less critical. Commonly used third-party software supply chain components are highly prized targets for cybercriminals.

Sophisticated attackers have already targeted widely used — and poorly secured — supply chain components. SVR, a Russian intelligence agency, is believed to have implanted malicious code into a software update of the cloud management software SolarWinds in 2020. This furnished SVR with a potential attack vector into the 18,000 enterprises and government agencies that dutifully installed the update.

Apply lessons learned from SolarWinds to help ensure the resiliency of business processes that depend on cloud services. Cloud services present unique risks that must be qualified on top of those risk attributes you may have already considered in third-party risk assessments of legacy vendors and service providers.

This means that you can’t stop at accrediting cloud service providers’ commercial insurances (especially cyber liability coverage) and ongoing financial viability, as you’ve been doing with typical vendor due diligence. Your cloud service provider review scope must expand to consider cloud-specific cybersecurity requirements. It must also place an even greater emphasis on cloud service providers’ business continuity and disaster recovery capabilities in concert with your organization’s own plans for supplementing (or replacing) cloud services when they unexpectedly become unavailable or constrained.

To ensure the confidentiality and integrity of the information being shared in the cloud, and to ensure the reliable ongoing availability of dependent business processes, make sure you also review cloud-specific risk attributes. These include data segmentation and partitioning, virtualization security, data sovereignty and secure coding practices, among others. Take extra care when confirming the viability of associated recovery plans.

Next steps

• Classify the cloud service: Is it software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS)? Moving from SaaS to PaaS to IaaS is called “down the stack,” and the further down the stack your subscribed cloud service lies, the more responsibility you must take for the design, application and effectiveness of the associated cybersecurity controls.
• Identify all essential service provider and user entity controls: Review assurance reports from the cloud provider to identify their controls. Those they direct must exist at the user entity to protect the information to be shared into the cloud.
• Establish and benchmark the cloud service provider’s risk profile: Use service provider/user entity controls knowledge to estimate the level of cybersecurity risk that information shared into the cloud will expose to. Measure this in context of information sensitivity and controls strength, and benchmark to the information’s risk profile when it’s on the internal network.
• Emphasize continuity/recovery plan viability: Take a deep dive into both the service provider’s business continuity and technology disaster recovery plans, as well as your own. Any gaps or insufficiencies you accept will create weakness in your digital supply chain.

Tip #20: Stabilize the cyberthreat moving target with a cybersecurity risk assessment

The only constant is change. It’s a truth that drives businesses’ growth and also applies to the constantly evolving cyberthreat spectrum. Variants to well-known threats are regularly emerging along with entirely new exploits and attack tactics.

Complacency around cybersecurity risk management can lead to serious consequences, even the demise of the business itself. If your business loses access to its network of other systems, the impact may be severe.

While gaining a complete picture of your risk can seem elusive given the changing threats, an important way to stabilize the moving target is by conducting a cybersecurity risk assessment.

When applied correctly, it dramatically reduces both the planning horizon and the level of effort required to navigate your security road map. Your road map is essential to controlling the impacts of existing cyberthreats, updating risk profiles to reflect organizational changes and avoiding impacts of cyberthreats that emerge in the future, so you want it to be easily navigable.

By performing a cybersecurity risk assessment, you gain an excellent baseline reference to benchmark and qualify whether your cybersecurity controls and management capabilities provide the same level of protection after you add new business locations, applications or other new processes. These results similarly inform next steps around variant or newly emergent cyberthreats.

Without a cybersecurity risk assessment, you’re forced to consider everything that’s proposed, or that could happen, from scratch. But with an assessment, both your starting point and waypoints along the risk management journey are much easier to discern and plan for. A risk assessment strategy provides needed structure and accountability.

Next steps

• Identify vulnerable assets and credible threats: Compress the scope of the cybersecurity risk assessment to include only credible cyberthreats and only those organizational assets vulnerable to them.
• Measure and prioritize cybersecurity gaps and business enablers: Maximize business benefits by planning the enterprise security road map such that its cadence and sequence mitigate larger-impact cyber risks first, and that it acknowledges potential future business use cases.
• Reference the cybersecurity risk assessment: Use cybersecurity risk assessment results to guide your thinking in response to newly announced business changes and emergent cyberthreats. Estimate your future cyber risk profile on the basis of your current one — is what you have sufficient for the future or do you need reinforcement?
• Sustain the cybersecurity risk assessment: Periodically renew the cybersecurity risk assessment to confirm that it’s still based on relevant assets and threats. Update its methodology and risk-scoring routines to pace improvements advanced by trusted sources, such as NIST.

Tip #21: Conduct ransomware simulations to bolster your defense

A ransomware attack restricts access to your data by encrypting it, requiring the victim to pay a ransom in order to regain access to their own data.

No industry is immune, as perpetrators know an organization’s data is highly valuable and perhaps irreplaceable, though smaller businesses receive a disproportionate share of the damage. Currently, some 82% of ransomware attacks are aimed at small and midsize businesses, as criminals perceive them as less prepared to defend themselves.

Conducting attack simulations is an important move to help ensure that employees know their responsibilities. In addition, they promote critical communication within your organization and can reduce the time needed to resolve an incident.

When relevant parties know how to react, how quickly to react and who needs to get involved, you can greatly reduce the impact of the ransomware attack. You’ll want to address these common questions:

• Can we identify when ransomware first infects a computer on our network?
• How much time elapses between the initial infection and alerting our security team and responding to the alert?
• If ransomware does infect a user’s computer, how much data on our network will be encrypted?
• Are our backups secured and not able to be encrypted during a ransomware attack?
• Do we have places on our network where we can’t see ransomware activity?

  Next steps

  • Simulate a ransomware attack through a tabletop exercise or live simulation: An exercise allows participants to walk through each step and learn how to identify what is encrypted, what is the impact to the organization and what options they can offer management for resolving the attack (e.g., pay the ransom or recover the data prior to the encryption within X amount of time with X amount of data loss). The tabletop exercise should allow discussion on all topics, such as what is impacted technically, communications requirements and resolution options. Once you discuss the exercise topics, document the process to respond to the ransomware attack. Should one occur, you’ll have a methodical process to follow. In addition, software tools can help you test your defenses for real, which can supplement the benefits of a tabletop exercise alone.
  • Test your employees’ skills at recognizing emails that may contain ransomware malware: Use software that can simulate and distribute emails that look like genuine requests from a customer, when in reality they are attack emails, so that you can understand the areas of exposure internally. Initiate the emails in a testing mode.