Tip #1: Understand current weaknesses so you can build a solid cyber program
Organizations with ad hoc or missing controls find it much harder to identify and address threats to their key systems and sensitive information.
The negative press that results from a data breach can damage your organization’s reputation and stunt your growth, as well as impact your customers’ confidence and drive them to your competitors. And it doesn’t stop there. The monetary consequences are even harsher when you consider the regulatory judgments and fines that could also result from a data breach.
When you build a formal information and cybersecurity program and risk management structure, you enable your employees to more effectively respond to cybersecurity events to keep your organization and its data secure.
Steps you can take
- Perform an information and cybersecurity program assessment: This assessment will help you understand and improve your risk exposure by identifying and addressing threats, risks and gaps in your security controls.
- Conduct a vulnerability assessment: Thoroughly analyze all computers and applications to identify software with known security issues or that is out of date. Review network infrastructure and firewalls to identify security misconfigurations. Use findings from this assessment to build a remediation plan to fix any identified security weaknesses.
- Adopt a formal structure: This will enable you to focus program developments in logical categories to help employees better understand and adopt the formal program.
- Obtain top-down support: By gaining top-down support for the program, you can better develop an organization-wide culture that embraces the role all staff and management play in supporting a comprehensive security program.
- Develop comprehensive policies and procedures: Develop policies, based on the results of your program assessment, that are specific to your organization, and use those comprehensive policies to guide the development of formal standards and procedures.
- Train subject matter experts: These SMEs can help you implement policies, standards and procedures and encourage adoption among employees.
- Develop an audit and reporting plan: This provides feedback to your management team that information and cybersecurity governance expectations are being met at the operational and technical levels.
Tip #2: Empower — and protect — your hybrid and remote workforce
More than ever before, employees are prioritizing working from home over other perks. Job openings are at a record high, and a recent Ziprecruiter.com survey shows that 55% of job seekers are looking for primarily remote jobs. Plus, 11.5 million workers left their jobs between April and July 2021, and many replaced an on-premises job with a hybrid or remote work situation.
By transitioning to permanent hybrid and remote work, your organization can better attract and retain employees, increase their productivity and reduce recruiting and training costs.
You just have to make sure you have the right technology and security controls in place.
Without an established plan for your organization’s data, users may find convenient solutions on their own, such as personal cloud storage accounts like Dropbox or Gmail. These services are beyond the control of your organization and can increase the risk of a sensitive data leak.
Next steps
- Implement secure VPN connections: This allows your employees to “be in the office” when they’re off site. Furthermore, protect these connections with multi-factor authentication, which requires employees to present a second factor in addition to their password before they gain access. (Example: They enter their email password and then a code texted to their mobile phone.)
- Migrate legacy file servers and applications to the cloud: Cloud-hosted data is accessible anywhere. When you migrate from physical office environments to cloud solutions like Microsoft SharePoint or Azure, you enable employees to securely access data from wherever they are working.
- Use technology such as Microsoft Teams: Microsoft Teams enables voice, video and text communication between users from anywhere, including laptops, mobile phones and tablets. In addition, any data or files shared by users are securely stored in Microsoft SharePoint, which is under the control of your organization.
- Implement conditional access policies and mobile device management: Solutions such as Microsoft Endpoint Manager ensure that only your trusted workers have access to sensitive data from external devices.
View previous tips: www.wipfli.com/30-tips-2021
Tip #3: Use password best practices in your organization
Weak or reused passwords are the cause of 80% of data breaches worldwide. The dark web, past data breaches and other illicit sources provide cybercriminals with a continual source of passwords — and hardware specifically dedicated to cracking passwords is becoming more powerful and efficient every year.
But passwords are the primary way most organizations authenticate users, so what steps can you take to reduce risk?
Next steps
- Implement password filtering for your Windows domain: This allows your organization to implement a blacklist that prevents weak and easily guessable elements such as seasons, years, months and sports teams from being included in your users’ passwords. Passwords can also be checked against lists of breached passwords. Many filtering tools can be configured to relax complexity requirements as length increases, automatically encouraging employees to choose longer and better passwords.
- Use password best practices: Increase your password length requirement to at least 14 characters and encourage the use of passphrases rather than passwords. Better yet, implement a password manager.
- Implement multi-factor authentication (MFA): Use MFA wherever possible to keep any single password from becoming the weak link in your authentication chain.
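Added example, not code from the original tips: a Python password filter that applies the rules described in this tip, rejecting passwords shorter than 14 characters, passwords containing blacklisted seasons, months, years or sports teams (including leetspeak spellings such as Summ3r), and passwords found in a breached-password list, while requiring fewer character classes once a password is long. The blacklist, the breached list and the 20-character threshold are constructed assumptions; on a Windows domain the same logic would be enforced by a password filter, which this example does not implement.

```python
import hashlib
from datetime import date

# Constructed blacklist of the weak elements the tip names: seasons, months,
# years and sports teams. A production filter would carry a far longer list.
BANNED_TERMS = {
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "june", "july", "august",
    "september", "october", "november", "december",   # "may" omitted: too short
    "packers", "brewers", "bucks", "badgers", "bears", "cubs", "yankees",
}
BANNED_TERMS |= {str(year) for year in range(1970, date.today().year + 2)}

# Constructed stand-in for a breached-password corpus. Real corpora are
# distributed as SHA-1 digests, so the filter never needs plaintext copies.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123456!", "Welcome2TheCompany1", "correcthorsebatterystaple")
}

MIN_LENGTH = 14        # the tip's recommended minimum
LONG_LENGTH = 20       # assumption: from this length on, fewer character classes are required
CLASSES_SHORT, CLASSES_LONG = 3, 2

# Undo common leetspeak substitutions so "Summ3r" is still caught as "summer".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def count_classes(password: str) -> int:
    """Number of character classes present: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def banned_terms_in(password: str) -> list:
    """Banned terms found in the password, checked both verbatim (lower-cased)
    and after reversing leetspeak; years must be checked verbatim because the
    leet mapping turns digits into letters."""
    forms = {password.lower(), password.lower().translate(LEET)}
    return sorted(t for t in BANNED_TERMS if any(t in f for f in forms))


def is_breached(password: str) -> bool:
    """Compare the SHA-1 of the candidate against the breached-password digests."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = CLASSES_LONG if len(password) >= LONG_LENGTH else CLASSES_SHORT
    if count_classes(password) < required:
        problems.append(f"needs at least {required} character classes at this length")
    for term in banned_terms_in(password):
        problems.append(f"contains banned term '{term}'")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2021!!", "correcthorsebatterystaple", "blue kettle wanders quietly"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```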
Tip #4: Don’t stop at antivirus protection — deploy EDR
Ransomware and other malware have become so sophisticated that they evade detection by traditional antivirus technologies. With the average cost of a ransomware attack approaching $2 million, your organization needs endpoint detection and response (EDR) tools to identify malicious processes and system events running within your computers.
EDR software monitors the processes running on these computers to identify abnormal processing activity, detect suspicious events and alert your security team.
Next steps
- Select an EDR solution: Work with your security team to evaluate leading EDR solutions and deploy one within your environment.
- Train employees: Ensure your team has the knowledge and capability to respond to alerts generated by EDR.
- Monitor on-premises and cloud environments: It’s important to monitor your entire attack surface, so ensure your EDR solution is monitoring all your assets — both on premises and in the cloud.
- Don’t rely on EDR alone to keep you safe: EDR is part of an overall “defense in depth” strategy and should be one layer of your cybersecurity defenses.
Tip #5: Maintain and update your risk and cybersecurity assessment
Cyber criminals are constantly enhancing and diversifying the tools and tactics they use to gain access to sensitive systems and data.
Your organization could fall victim to a cyberattack if you don’t fully understand the threats and risks or if you fall victim to myths like thinking you’re too small to be a target, your firewalls and antivirus are protection enough, or the use of outsourced or cloud providers eliminates your risk.
When you perform regular risk and cyber assessments, you gain the information necessary to make informed and effective risk management decisions.
Next steps
- Update your risk assessment: It’s important to identify, and periodically update, the areas your organization must assess and the types of risk assessment it needs — especially any required by regulatory or statutory expectations.
- Integrate reporting: Risk and cybersecurity assessment reporting should be integrated into key reports to senior management and the board of directors, as well as updated periodically (annually is recommended), so they can make informed decisions.
- Use your assessment results to make risk management decisions: Effective risk management is possible only when you have risk and cybersecurity assessment results tailored to your organization and can make decisions using the guidance provided by your organization’s board-approved, mission-based risk appetite statements. This allows you to better decide whether to avoid, mitigate or hold specific risks.
Tip #6: Perform security awareness training and testing
You’re only as strong as your weakest link, and when it comes to security, that link is your employees. Any one of them could open an email and interact with a phishing link, compromising and locking you out of your business systems. And with more employees working from home due to the pandemic, cyberthreats have only increased in number.
Regular security awareness training is essential to keeping employees updated and educated on security threats and all the ways cybercriminals will try to infiltrate your systems.
Next steps
- Create a security awareness training plan and stick to it: Best practices include selecting a newsletter, such as the Wipfli Security Weekly, that you send to users every week, which keeps security awareness top of mind for your employees.
- Conduct longer training quarterly: Ensure that training is updated and aligns with current events and is meaningful and that all employees are required to take it.
- Conduct monthly phishing campaigns: Make these test phishing emails as difficult as possible, so that users learn what a potential phishing email may look like and are less likely to be fooled by real ones.
Tip #7: Reduce the risk of business email compromise
It’s not just phishing emails that employees can fall prey to. Business email compromise (BEC) is another common way that cybercriminals attempt to steal your organization’s assets. These criminals target specific employees who have access to company funds or data.
If the employee falls victim, it could lead to a data breach, the introduction of malware and ransomware and/or the loss of company funds. But there are ways to help guard against BEC attacks.
Next steps
- Educate employees on common BEC attacks: Common attacks include vendor payment change requests, wire transfer requests, W-2 scams and gift card scams.
- Verify, verify, verify: Make sure employees verify instructions for payments and requests for sensitive information by a second means, other than email. This can take the form of directly calling the employee or vendor who supposedly made the request.
- Use MFA and strong passwords: Try to block BEC from the start by enabling multi-factor authentication and using strong passwords to stop cybercriminals from gaining access to an employee email account.
Tip #8: Improve security around remote workforce solutions
Hybrid and remote work models present a new type of attack endpoint. Due to the COVID-19 pandemic, organizations adopted new platforms to enable remote work, but many have not secured these platforms to the necessary level to mitigate their risks.
When employee home offices are secure and up to date, it not only improves stability and the end-user experience but also helps protect your organization’s data, infrastructure and access. Plus, your organization can feel more confident in adopting robust and extensive cloud-based solutions, which are becoming increasingly necessary to operate and compete in a digital world.
So how do you improve security for remote workers?
Next steps
- Create and enforce policies around home-office networks: Make sure home office wireless networks have the most up-to-date security patches and protocols. Limit smart devices (e.g., temperature controls, smart TVs, IoT devices) to a separate network. Enforce VPN, encryption, multi-factor authentication and other security measures for all devices touching the company network.
- Create policies around physical company assets: Employees should physically secure tangible company assets (e.g., paperwork, laptops and other company-owned property) in their home office. All company equipment should be used solely for company business. And all decommissioned company equipment should be properly sanitized and disposed of (e.g., securely wiping old drives rather than merely formatting them).
- Don’t forget these other policies: Do not permit default passwords for home devices and user accounts. Ensure your policies cover remote data backup. And be sure to make security awareness training mandatory in your policies and at least an annual occurrence.
Tip #9: Use a password manager
Cybercriminals don’t always need a breach to gain a foothold in your organization. Employees seldom choose strong, complex passwords, and many passwords can be easily guessed.
Employees also tend to reuse passwords across websites and different services, so one organization that gets compromised can lead to many in what’s called “credential stuffing” — the automated use of a breached password to attempt a login at many, even hundreds, of websites. Because of this, your organization is at risk.
Given the number of online services that most people use, plus the number of breaches that occur on a yearly basis, the question becomes not how to stop credential breaches but how to minimize their potential impact. And one big way to do so is with a password manager.
Next steps
- Require the use of a password manager: Password managers solve several issues related to user password management. They encourage the use of longer, more complex or even random passwords, since users don’t have to commit them to memory. They make it much easier to use unique passwords per service or website. The unique passwords can be generated by the password manager itself, relieving the employee of having to compose a new password for every service. And they provide safe, encrypted storage for a user’s passwords, keeping them off Post-it notes and out of text, Word and Excel files.
- Select the right password manager: Password managers can take on many forms, from individual standalone applications for each user to applications that integrate with a web browser to centralized applications managed by your IT department. Choose whichever is most appropriate for your organization’s needs.
Tip #10: Create a plan to back up your data
If you’ve ever accidentally deleted a Word document, you know it’s easy enough to recover an unsaved document. If your hard drive crashes, it’s a little more difficult to recover your data, but it’s not impossible.
But what if your systems become infected with ransomware and all your files are inaccessible until you pay the ransom? Your systems contain information on payroll, inventory, client financial information and other sensitive data. Customers count on you to ensure the safety and security of their confidential and even nonconfidential data.
Without being able to recover data quickly, your organization loses valuable time and money on recovery that you should be spending on new development and sales. You also suffer a loss of reputation as your customers lose confidence in your ability to protect their data and keep their best interests at heart.
Backing up your data has never been more important.
Next steps
- Follow the 3-2-1 rule: Keep at least three copies of your data, store copies on two different types of storage and store at least one copy off site.
- Choose a backup tool that allows for easy recovery and recovery testing: The reason you are using a backup tool is the reassurance that you can recover if/when necessary, so it’s critical to test the tool periodically to ensure it works as intended.
- Ensure the backup allows for full recovery of your data, not just file recovery: If the primary data center needs to be recovered at an alternate location, it may be necessary to recover to new hardware. Recoveries should be tested to the alternate data center.
Tip #11: Test your data backup plan
So we discussed how having a backup plan is critical, but testing your backup systems is just as essential. Have you checked whether your backups are corrupt? That your configurations are backing up the correct data? That the right personnel can access backup systems and data?
Do all stakeholders know your backup recovery plan, and do they agree with your backup and recovery priorities? Do your personnel know their part in the backup recovery plan?
To adequately protect your business’s valuable data, follow these next steps as they align with your organization’s risk appetite.
Next steps
- Back up data on a regular basis: Set your backup tool to back up systems and data periodically during off hours.
- Check for integrity: Randomly test specific backup media to check for integrity. Even better, implement data-integrity-checking software.
- Conduct testing: Test each responsible party’s access to backup systems and data. Also, conduct a tabletop exercise with a specific recovery scenario to test all involved parties’ steps in the plan.
- Plan and confirm: Confirm who the stakeholders are for data that is being backed up and confirm backup and recovery priorities with those stakeholders and management.
- Refresh and update your backup and recovery plans: Do this on an annual basis, as well as after you make any necessary changes for deficiencies based on testing.
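Added example, not part of the original tips: a Python integrity check for backup data of the kind the “Check for integrity” step calls for. It records a SHA-256 manifest when the backup is taken and later re-hashes either every file or a random sample of files on the backup medium, reporting which are corrupt or missing. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import json
import random
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large backup images do not need to fit in memory


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(backup_root: Path, manifest_path: Path) -> dict:
    """Record the size and SHA-256 of every file under backup_root.
    The manifest itself should live outside the backup tree (or on a second copy)."""
    entries = {}
    for path in sorted(p for p in backup_root.rglob("*") if p.is_file()):
        rel = path.relative_to(backup_root).as_posix()
        entries[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    manifest_path.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_manifest(backup_root: Path, manifest_path: Path, sample: int = 0, seed=None) -> dict:
    """Re-hash files against the manifest. With sample > 0 only that many randomly
    chosen files are checked, matching the tip's random spot-check of backup media."""
    entries = json.loads(manifest_path.read_text())
    names = sorted(entries)
    if 0 < sample < len(names):
        names = sorted(random.Random(seed).sample(names, sample))
    result = {"checked": len(names), "ok": [], "corrupt": [], "missing": []}
    for rel in names:
        path = backup_root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif (path.stat().st_size != entries[rel]["size"]
              or sha256_file(path) != entries[rel]["sha256"]):
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, then flip one byte in one file
    (silent media corruption) and delete another (a file lost from the copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "payroll").mkdir(parents=True)
        (root / "payroll" / "2021-q3.csv").write_bytes(b"employee,amount\nalice,4200\n")
        (root / "inventory.db").write_bytes(bytes(range(256)) * 4)
        (root / "clients.json").write_text('{"acme": {"balance": 1200}}')
        manifest = Path(tmp) / "manifest.json"   # kept outside the backup tree
        write_manifest(root, manifest)
        data = bytearray((root / "inventory.db").read_bytes())
        data[100] ^= 0x01                          # same size, different content
        (root / "inventory.db").write_bytes(data)
        (root / "clients.json").unlink()
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```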
Tip #12: Apply security patches and software updates
To gain access to your systems, cybercriminals scan endpoints exposed to the internet and identify any unpatched or out-of-date software, operating systems and hardware. They look for weak links anywhere — laptops, programs, Wi-Fi routers, mobile phones, etc.
Keeping your software, systems and devices up to date is the simplest and most effective thing you can do to mitigate risks tied to outdated and vulnerable software.
Exploits that take advantage of vulnerabilities often become available within a day of a patch being released. In some cases, exploits are developed for vulnerabilities that the vendor has not yet identified or patched; these are referred to as zero-day exploits. Patches for these are typically released fairly quickly once exploitation is discovered and should be applied immediately to prevent compromise, data loss, financial loss and denial of service.
Next steps
- Establish and routinely update your organization’s patch management program: Ensure updates are installed on release. If you use automatic updates, be sure to routinely audit your systems to make sure patches were applied. Use threat intelligence to stay on top of news regarding new patches for vulnerabilities being actively exploited.
- Upgrade or decommission devices and technology that are end of life (EOL): Once software has reached EOL, vendors no longer support it, and as a result, it is no longer protected against vulnerabilities and exploits that are discovered.
- Ensure updates are being applied to hardware, not just software: Routers, wireless access points, firewalls, smart devices and mobile devices are all frequent targets of exploitation. Make sure you have a reliable asset inventory so you have a list of all of your physical devices you need to apply updates to.
Tip #13: Review external sharing practices
Collaboration systems with open sharing present an easy target for cybercriminals.
Many cloud collaboration platforms have out-of-the-box settings to allow open or easy sharing, which lets employees share any information with anyone in or outside your organization. Your employees may not know the level of security that exists (or doesn’t exist) for the information they share.
By establishing and reviewing external sharing practices, you can provide the right information to the right audience.
Next steps
- Identify locations of sensitive information: Is there information in cloud applications that is sensitive and should have limited or no sharing? Where specifically does that information reside?
- Configure restrictions on sharing of sensitive information: Discuss protecting sensitive information with your IT department or IT service provider. Implement best practices by following the cloud application vendor’s guidance to secure your sensitive information. Engage an experienced third party if there is uncertainty about how to properly configure sharing.
- Implement an ongoing review of stored information and best practices: Regularly take inventory of shared information, since sensitive information may be added in new places. Frequently check your cloud application provider’s best practices for updated information.
Tip #14: Review privilege
Anything can happen in an onosecond. What’s an onosecond? It’s that indeterminate amount of time after you’ve clicked “submit” and you stop and say, “Oh no …”
There are some places where doing your daily work while logged into an account with excessive privileges can cause you a lot of trouble:
- Phishing attacks are extremely common. Is your individual account considered a “global administrator” in Microsoft 365? If that gets phished, your entire company gets compromised.
- Making your individual account a network administrator means it’s easy to log in to your servers and do administrative work. It also means your individual account is a great target for password attacks.
- With full network administrator access, it’s also a lot easier for that ransomware you just accidentally activated to go rummaging through all your servers.
Think about your third-party vendors too. If they need access to your network, do they really need domain admin, or would local server admin work?
Next steps
- Adjust access levels: Keep your individual account at the same access level as your users have. Keep your admin accounts separate and absolutely use different passwords for those.
- Keep your vendor accounts as minimal as needed: Don’t give vendors access to a greater scope than what they need and disable/delete them when you no longer work with them.
- Review C-level access: Your C-suite execs are going to be targeted too. Yes, they run the company, but their daily driver accounts shouldn’t be allowed to “run” the company if they’re compromised.
Tip #15: Manage access and authorization
Employees sometimes have access to more information than they need to perform their job duties, which raises the risk they will unknowingly share that information with others.
This could impact morale if sensitive information is accidentally shared with other employees. You could also lose trade secrets, pricing strategies and other competitive information. On top of that, many organizations are paying for licenses they don’t need.
Next steps
- Regularly review access and authorization rights: Review these rights on your network, in your accounting systems and in your ERP systems.
- Regularly review licensing: Ensure counts are accurate and only those who need the licenses have them.
- Assign a “business owner” to your line of business software: Involve that individual in the approval process for granting access to systems. Have this individual review the list of people who have access at least annually. If individuals need access to new functionality in your systems, involve the business owner in that approval process.
Tip #16: Eliminate old or unsupported hardware
Older hardware comes with quite a few downsides you might not have considered.
First, it’s a compelling target for cybercriminals, since it may be unable to run newer, more modern and secure software.
Second, replacement parts for older components may have long shipping times or may be unavailable altogether. This downtime means lost productivity and revenue for your business. Not to mention that old, slow computers take longer to process common tasks, leading to idle time while users wait for systems to boot, log in and load applications.
Lastly, outdated hardware can also be unreliable, risking glitches or complete failure and loss of critical data. In 2016, a five-hour system outage at a Delta Air Lines data center cost the company over $150 million after a power supply system failed and caught fire, potentially due to age and wear.
Really, it’s not a question of whether hard drives, CPUs and other components will fail, but a question of when. And when is usually the worst possible time. Instead of replacing equipment on a comfortable schedule dictated by your business, your IT team could be left scrambling to find a spare part or recover data in the middle of the night or while clients are calling.
Next steps
- Regularly audit your infrastructure: Keep a proper inventory system with warranty expiration dates and end-of-life information. If a component is nearing the end of the manufacturer’s support life cycle, plan and budget ahead to implement a modern replacement. Equipment failure events should not determine your budget or schedule.
- Consider high-availability options for mission-critical systems: If your organization’s success hinges on a single component or components, make sure you have a backup system ready to take over when needed. Some infrastructure components can be installed in high-availability pairs to share the load in case of an outage.
- Keep warranties active and current: Keep warranties active and current on all mission-critical infrastructure components such as firewalls, routers and switches. An extended warranty with next-day (or sooner) support will help get your business back up and running more quickly in the event of a component failure, and vendors routinely keep replacement parts available for warranty-covered equipment.
Tip #17: Mitigate risks from using personal devices
Employers have seen improved productivity and cost savings by allowing the use of personal mobile devices for work. This bring your own device (BYOD) trend continues to rise, but while many vendors offer mobile applications, they may not properly protect the information that is stored in applications on personal devices.
Unprotected information can easily be obtained by cybercriminals when devices are left unencrypted or unprotected by a passcode. Plus, there is the risk the employee will lose or misplace the personal device. Organizations need to take steps to reduce these risks.
Next steps
- Define organization policies for personal device usage: This includes how to securely access organization data, as well as the types of information that should be available on personal devices.
- Implement MDM to protect information: It’s a good idea to implement a mobile device management (MDM) solution. This solution places organization information in a separate “container” on the device, automatically applies a passcode to that information and allows for remote removal of the information. It also ensures encryption is enabled on the device before organization information is stored, as well as prevents sharing of information to other apps.
- Regularly provide guidance to employees on personal device use: Make sure employees know they need to regularly update mobile operating systems and apps, avoid using risky public Wi-Fi and avoid leaving devices unattended and unlocked.
Tip #18: Change your cloud security configurations from the default
Your organization’s cloud solutions are not inherently secure from data compromise or disaster.
Cloud services offer impressive physical and infrastructure security that is unparalleled due to scale and specialization, but the implementation of this security is up to your organization. Default configurations do not include many standard security configurations and features, and many cloud data storage access controls are designed to give website assets flexible access and thus allow for public access out of the box. What’s more, computer infrastructure is not automatically backed up or failed over.
Cybercriminals use free, automated and crowdsourced tools to leverage blind spots in an organization’s cloud security and configurations.
Next steps
- Use built-in security testing features, if available: Microsoft has Secure Score for Microsoft and Office 365 implementations, as well as Microsoft 365 Compliance Center. Amazon Web Services has Inspector and AWS Compliance Center.
- Contract a third party to assess your cloud infrastructure’s security: When Wipfli performs penetration testing, we can often compromise a network because of cloud infrastructure. Engaging a third party helps you identify weaknesses and mitigate your risk.
- Include cloud infrastructure, data and access in your business continuity, disaster recovery and incident response plans: Data center servers are hardware, and hardware failure still happens in the cloud. Cybersecurity threats also necessitate including the cloud in your continuity and response plans.
Tip #19: Perform ransomware tabletop exercises
Ransomware is a huge threat. It infiltrates your computer data, restricts access to that data by encrypting it and won’t release it until you pay a ransom.
Of course, you want to do what you can to prevent a ransomware attack, but what if it does happen? Knowing how to react, how quickly to react and who needs to get involved will greatly reduce the impact of the attack.
That means documenting ahead of time things like when you should contact law enforcement, whether to involve your insurance company, whether that insurance company dictates which forensic investigation firm you need to use, who can help you determine the extent of the ransomware encryption and what messaging is appropriate for employees, customers, stakeholders and others.
Next steps
- Simulate a ransomware attack by performing a tabletop exercise: The tabletop exercise should facilitate discussion on all of the topics, such as what is impacted technically, what are your communications requirements and what are your resolution options. After these discussions, document a methodical process to respond to the ransomware attack.
- Plan for how to make decisions about whether or not to pay the ransom: A tabletop exercise teaches participants how to identify what is encrypted and the impact to your organization. It also helps your management work through the options to resolve the attack: 1) pay the ransom or 2) recover the data from backups taken prior to the encryption, within “X” amount of time and with “X” data loss.
- Test your employees’ skills at recognizing emails that may deliver ransomware: Use software that can simulate and distribute emails that look like genuine requests from a customer when, in reality, they are attack emails. This will allow you to see where you need to provide further security awareness training, as well as help employees identify suspicious emails.
Tip #20: Increase your threat intelligence
Cybercriminals are constantly developing new tools, methods and exploits to take advantage of vulnerabilities. Keeping up to date with recent threat intelligence can help your organization discover, analyze and effectively respond to attacks.
Failing to stay current with threat intelligence can leave your organization open to attacks and compromise, since the attacks may use methods you’re not currently aware of. This can lead to massive sensitive data loss, disruption of services, destruction of critical infrastructure and — arguably most importantly — the theft or loss of large sums of money.
Active threats are routinely identified and reported by various government agencies, including US-CERT and the FBI, as well as numerous private companies, and will typically include guidance and instructions to protect against and mitigate attacks.
Next steps
- Find respected organizations to provide you with reliable information on threats: Some may require fee-based membership for full access, and some may come as a part of a service. InfraGard, a partnership between the FBI and the private sector, has industry-specific chapters you can join. Other valuable threat intelligence sources include SANS Institute, Internet Storm Center/DShield and US-CERT.
- Leverage an ISAC as one of your sources: The National Council of ISACs comprises 25 Information Sharing and Analysis Centers (ISACs) spread across different industries. Their purpose is to maximize information flow around cyberthreat prevention, protection, response and recovery. Examples of ISACs include the Multi-State ISAC (MS-ISAC) for state, local, tribal and territorial governments; Health-ISAC for the healthcare industry; and FS-ISAC for financial institutions and other financial services firms.
- Use the information provided: Apply the information obtained from these and similar sources to continuously evolve your cybersecurity program and stay ahead of new threats. Intelligence you never act on (indicators never loaded into your defenses, advisories never checked against your patch status) provides no protection.
Tip #21: Monitor your security with MDR
Most cybersecurity attacks today aren’t traditional viruses. Cybercriminals are using fileless malware that runs only in memory, and hackers are exploiting software vulnerabilities to gain access to your systems.
Cybercriminals have also proven that all organizations are fair game. It doesn’t matter if your data has value to others. Ransomware attacks are based on the idea that your data has value to you.
With ransomware and other modern attacks having become sophisticated enough to evade signature-based antivirus, your organization needs solutions that use automation and behavioral analytics to identify abnormal activity occurring within your computers and networks.
That’s where managed detection and response (MDR) comes into play. It leverages automation and outsourced specialists to monitor your environment, identify security incidents and respond quickly to mitigate threats and evict attackers. It’s also typically much more cost-effective than hiring and retaining a dedicated, around-the-clock security operations staff.
Next steps
- Select an MDR solution: Choose a solution that aligns with your organization’s needs. If you have cybersecurity insurance, note that carriers are increasingly requiring their policy holders to have specialized software called endpoint detection and response (EDR). EDR is normally the core tooling of an MDR service, so the service will help you meet the requirements from your insurance carrier; confirm with the provider that its agent is deployed to all endpoints, not just servers.
- Engage a managed security services provider: This provider can supplement your team and provide the expertise to identify threats in your network.
- Monitor your entire attack surface: Ensure your MDR solution and team are monitoring all your assets — both on premises and in the cloud.
Tip #22: Obtain cybersecurity insurance
The cost of cybersecurity incidents continues to increase. Ransom demands are up, and the average payout by midsized organizations exceeds $170,000. Total costs of ransomware attacks are estimated to exceed $20 billion this year.
Even when paying is absolutely the only way to stay in business, many organizations don’t have the immediate liquidity to make a ransom payment, not to mention pay for credit monitoring for their customers, hire specialists to clean up the network and replace computer hardware.
What’s more, cybercriminals often demand payment in cryptocurrency (and increasingly not Bitcoin). Most organizations aren’t able to set up crypto wallets and obtain sufficient cryptocurrency in time to pay the demands.
Cybersecurity insurance is designed to help offset the costs above, including lost revenue from the attack, and can even facilitate the cryptocurrency ransom payment if it’s the last resort and you decide to go that route. Note that a payment to a sanctioned party can itself be unlawful, so the carrier and its incident response firm will typically run a sanctions check before any payment is made.
Next steps
- Work with an insurance broker: Work with a broker experienced in cybersecurity policies to help you get the right amount and type of coverage. The devil can be in the details with these policies, and you need to understand exclusions and any specific considerations to pay a claim.
- Ensure your cybersecurity safeguards are up to snuff: Insurance carriers have been taking it on the chin with increased ransom payouts and are getting smarter about underwriting policies. You may be required to have multi-factor authentication and endpoint detection tools in place.
- Document your cybersecurity program: Documenting your program allows you to articulate the preventive safeguards and detective controls you have in place. This could streamline the underwriting process.
Tip #23: Perform cloud provider cyber due diligence
Cloud technology delivers high efficiency and technology enhancement. But it also comes with inherent risk in transferring elements of your security responsibility — including governing access to your information, as well as the integrity and availability of your data — to your cloud provider.
Depending on the type of data your organization maintains, you could also have additional requirements specifying where your data can be stored and whether it can be accessed by foreign nationals. What’s more, legal and contractual requirements with your customers may have implications for providing evidence that your cloud service providers have effective security controls in place.
Much like evaluating a new raw materials supplier, you should do your due diligence on cloud service providers and make sure they meet your expectations and address your cybersecurity requirements.
Next steps
- Look for certifications: Reputable cloud service providers should be able to provide you with a SOC 2 report (ideally Type 2, which covers operating effectiveness over a period rather than design at a point in time) or HITRUST certification highlighting the effectiveness of their security controls. In sensitive federal government work, like with the Department of Defense, cloud providers should be able to show you their FedRAMP authorization. Read the report rather than just filing it: check the scope covers the service you actually use, and look at any exceptions the auditor noted.
- Verify control performance: If your cloud service provider can’t provide you with control assurances via one of these reports or certifications, you’ll need to verify control performance on your own. To do so, you need to make sure you have a “right to audit” clause in your agreement. If you end up doing your own verification, bring along an experienced IT auditor to help verify the effectiveness of the cloud service provider’s IT general controls, specifically how they manage access to your programs and data, change control, and backup and recovery of your data.
- Understand the shared responsibility model: Just because you moved to the cloud doesn’t let you off the security hook. Most cloud providers publish a shared responsibility model (Microsoft, for example, documents one for Azure). Depending on the type of cloud service you’re consuming (e.g., software as a service or infrastructure as a service), your responsibility changes: with IaaS you still own patching, configuration and identity for everything inside the virtual machine, while with SaaS you typically still own user access, data classification and configuration of the tenant. You need to understand these differences and make sure you’re keeping up your end of the bargain.
Tip #24: Test your backups regularly
An organization is only as good as its last backup. The last thing you want is to think your backups are solid only to find out during a fire, natural disaster or ransomware attack that they’ve failed — leading to lost productivity and profits.
We talked in tip #11 about how important it is to test your data backup plan, but it’s also vital to test the backups themselves.
Next steps
- Don’t stop at just creating a backup: Make sure backups are actually restored and verified, and that your organization can get back to normal operations on those restored copies. Going above and beyond in test scenarios (restoring to different hardware, restoring from the offline or offsite copy rather than the convenient one) will help alleviate headaches if a worst-case scenario arises.
- Create a plan for when you are going to test the backups: Quarterly testing is a good place to start, but ideally it should be more frequent. The process will become easier and require less effort after a few tests, especially once the verification steps are scripted.
- Include as many people as possible while testing those backups: This will help avoid being single threaded with a key resource. You don’t want to have only one person who knows how to do a full restore and then have them out sick or on vacation during an emergency.
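The test the tip describes can be scripted so that it runs the same way no matter who performs it. The following Python script is an added example written for this page, not code from the original tips or any product: it backs up a directory together with a SHA-256 manifest, restores the archive to a different location, and checks every restored file against the manifest, so a corrupted or missing file is reported instead of discovered during an outage. The manifest file name, the sample files and the restore layout are assumptions made for the example.

```python
"""Restore-test harness: back up a directory with a SHA-256 manifest, restore it
elsewhere and prove every file came back intact (added example, constructed data)."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"  # hypothetical manifest file name used by this example


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> int:
    """Write src and its manifest into a .tar.gz; return the number of files backed up."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return len(manifest)


def restore(archive: Path, dest: Path) -> None:
    """Extract into dest, refusing members that would escape it or that are links
    (a tampered archive must not be able to write outside the restore directory)."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            target = (dest / m.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {m.name}")
            if m.issym() or m.islnk():
                raise ValueError(f"link in archive refused: {m.name}")
        tar.extractall(dest)


def verify_restore(restore_dir: Path) -> dict:
    """Compare every restored file against the manifest carried in the backup."""
    manifest = json.loads((restore_dir / MANIFEST).read_text())
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    corrupt = [rel for rel, digest in manifest.items()
               if rel not in missing and sha256_of(restore_dir / rel) != digest]
    return {"ok": not missing and not corrupt,
            "verified": len(manifest) - len(missing) - len(corrupt),
            "missing": missing, "corrupt": corrupt}


def run_demo() -> tuple:
    """End-to-end run on constructed data: a clean restore passes, then a restore
    with one silently altered file and one lost file fails. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed sample files
        (src / "sub" / "config.bin").write_bytes(bytes(range(16)))
        archive = root / "backup.tar.gz"
        create_backup(src, archive)
        restored = root / "restore"
        restore(archive, restored)
        clean = verify_restore(restored)
        # Simulate bit rot and a file that did not come back from the backup media
        (restored / "ledger.csv").write_text("id,amount\n1,999\n")
        (restored / "sub" / "config.bin").unlink()
        damaged = verify_restore(restored)
    return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("clean restore", "damaged restore"), run_demo()):
        print(label, json.dumps(report))
```

Two design points matter in practice: the manifest travels inside the backup, so the check works on whatever copy you restore from (including the offline copy), and the restore step refuses archive entries that would write outside the target directory, because a backup that an attacker has had a chance to modify is itself untrusted input.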
Tip #25: Manage exceptions to your cybersecurity policy
A good cybersecurity policy sets the expectation for what security controls your organization needs to have in place. But your organization may have certain legacy systems that aren’t able to meet every aspect set out in your policy. Or you may have weaknesses in your cyber defenses that your management team knows about.
All too often, we see organizations condone exceptions when certain policy requirements can’t be met. While there could be a valid reason for an exception, these are things an attacker can use to breach your organization, so they need to be managed and corrected to make sure you’re continuously improving your ability to resist a cybersecurity attack.
Next steps
- Conduct a thorough vulnerability assessment and a risk assessment: These assessments will allow you to identify areas where you’re not meeting your cybersecurity policy today.
- Document the exceptions where your systems aren’t capable of meeting your cybersecurity policy: These exceptions need to be well-defined. Also, an executive manager who is ultimately responsible for making sure the exception is resolved needs to be assigned. Set an expiration date at which you will review progress on remediating the exception and determine whether the exception needs to be extended.
- Review exceptions nearing expiration: Periodically review exceptions and make sure progress is being made to resolve them. Just like any other corrective action, you need to monitor progress and empower and hold accountable those who have been designated to resolve the exception.
Tip #26: Don’t single thread IT
IT professionals get to feel like superheroes when things are going well — and supervillains when things aren’t going well (there’s often a lot of yelling). There’s something to remember, though: Superman can’t be everywhere at once, and even he needs to go to his fortress of solitude from time to time.
Does your IT person find themselves unable to plan for big changes because they’re too bogged down by break-fix issues? Are they unable to take vacations where they can actually shut off their phone and laptop? What would happen to your business if your IT person got run over by a winning lottery ticket (no buses here)?
Next steps
- Split up jobs: There are still a lot of people with the old mindset that “my job isn’t IT.” Everything touches IT, and if it’s important enough to complain about when it’s down, it’s important enough to cross-train on. Get yourself some power users. Take those who are the loudest when things go bad and get them tools to help themselves and others in their group.
- Start partnering with a managed services provider: Offload desktop work to them so your IT person can focus on server/cloud-level organizational changes. Or offload server/cloud work on them so your IT person can focus on keeping in touch with your users. And have someone else reboot servers at midnight so your IT person can sleep.
- Give your IT person a vacation: C-level executives, if you start working with a managed service provider, your IT person will finally be able to take that vacation and come back happier and refreshed. Also, if they ever do buy that winning lottery ticket, you’ll have the backup needed to keep your business going.
Tip #27: Enhance your physical security
Cybercriminals are using social engineering techniques to gain unauthorized physical access to restricted areas. Once inside, they steal company documents and computers to retrieve sensitive data, or plug in devices of their own.
This can result not only in theft but also in malware installation, data breaches, corporate espionage and the loss of access control in and out of your property when badges or other identification are stolen.
Next steps
- Watch out for tailgating and piggybacking: Prevent unauthorized entry to restricted spaces by training staff to challenge tailgating (i.e., “slipping” in behind someone when entering a restricted area) and piggybacking (i.e., using social engineering to convince someone to hold the door or otherwise provide access to a restricted area).
- Make sure everything is locked: Lock devices, doors and drawers to prevent unwanted access. Also, test automatic locks and keypads. The last thing you want is to think your server room is secured only to find out the keypad’s battery has been dead and the door is unlocked.
- Frequently shred documents: Shred documents with any sensitive information, in a timely manner, and ensure these shredded documents are disposed of properly.
Tip #28: Be proactive and get the experts involved
Cybercriminals target organizations of all sizes, regardless of industry. Increasingly, there is pressure from executives and the board of directors to improve an organization’s security posture, as well as regulatory compliance requirements to meet stringent cybersecurity standards.
However, many organizations lack the internal expertise to set a security strategy and then configure systems to ensure security objectives are being met. Qualified cybersecurity executive leadership and engineering talent is expensive and difficult to recruit in the midmarket. Plus, technical cybersecurity skills are difficult to maintain, and practitioners generally want consistent challenges — which may not always be present in midmarket organizations.
Next steps
- Consider a virtual chief information security officer (vCISO): This outsourced CISO would not be acting as your organization’s security leader, but rather as an advisor and mentor who provides insight to your organization based on their years of experience in the profession. Their mentorship of one or more employees in your organization can help you develop the internal security resources you need to protect your business.
- Enter into a retainer agreement with an incident response firm: This firm can help you contain, eradicate and recover from a threat in a timely manner, which means you can safeguard your organization and get back to business faster.
- Work with a managed security services provider: This firm can monitor your network for suspicious events, as well as harden your network and make you more resistant to cybersecurity attacks.
- Perform penetration testing: Engage penetration testers on a regular basis to validate the effectiveness of your cybersecurity safeguards and controls, and retest after remediation to confirm the findings are actually closed.
Tip #29: Implement multi-factor authentication
We’ve recommended multi-factor authentication (MFA) several times in previous tips, but it really deserves its own tip because of the number of benefits it brings. Implementing MFA:
- Increases the security of internet-accessible resources.
- Reduces the attack surface available to cybercriminals trying to access your organization’s data.
- Protects data against lost or stolen passwords and equipment, since a password alone no longer grants access.
- Allows your organization to let remote employees access systems and resources from anywhere with an acceptable level of assurance about who is logging in.
It’s increasingly required from a regulatory or compliance perspective (e.g., HIPAA, CMMC, FFIEC). Even cyber insurance providers are starting to require MFA to be in place for policy renewal and underwriting.
Next steps
- Inventory all platforms: Inventory the platforms where employees have access to remote company data and resources. This can include email, VPN, remote desktop platforms and collaboration software like SharePoint and Google Workspace.
- Review vendor account logins: Review the accounts vendors use to reach your systems and ensure they have MFA enabled, too.
- Engage third-party expertise: These third parties can audit and implement MFA solutions around your organization, from online collaboration platforms to security systems to line-of-business software.
Tip #30: Review administrative accounts
How many administrative accounts does your organization have that it isn’t necessarily aware of? Do any share passwords?
Cybercriminals are exploiting weak and shared passwords to gain unauthorized access to information and launch ransomware attacks. These takeovers can lead to lost production time and millions of dollars in ransom, recovery and lost productivity.
After a catastrophic security event, some businesses never fully recover. In fact, 60% of small businesses go under within six months of a data breach.
Next steps
- Make a list of administrative accounts: Take an inventory of admin accounts to your systems and cloud services and keep it current on an ongoing basis.
- Set up a regular review process for these accounts: At minimum, perform an annual review of who has access to these administrative accounts and determine whether they still need these access levels.
- Require strong passwords and MFA: Make sure these accounts each have a unique password that follows strong password requirements, and that no two accounts (or an admin account and a regular one) share a password. Give each administrator a named account rather than a shared one, so activity can be attributed to a person. Implement multi-factor authentication for all administrative access to add a second layer of security.
- Monitor all login activity associated with administrative accounts: Investigate any activity that appears out of the norm.
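The four steps above can be turned into checks that run on a schedule rather than a once-a-year spreadsheet exercise. The Python below is an added example written for this page, not code from the original tips or from any product: it works from a constructed admin-account inventory and a constructed login log, finds accounts that share a password hash, accounts without MFA and accounts whose last review is overdue, and flags successful admin logins from an unknown source, outside business hours, or right after a run of failures. The inventory fields, the log format and its parser are assumptions; the hashes are treated as unsalted (as NT hashes exported for an audit would be), which is why an identical hash means an identical password.

```python
"""Administrative-account review on constructed data: shared passwords, missing MFA,
stale reviews and anomalous admin logins (added example, not the page's own code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory. password_hash stands for an unsalted hash (e.g. an NT hash
# pulled for an audit), so identical hashes mean identical passwords.
ADMIN_ACCOUNTS = [
    {"user": "da-alice", "system": "Active Directory", "mfa": True,
     "last_review": "2021-06-01", "password_hash": "c5a237b7e9d897f3d4c4a2f3cd7b1e0f",
     "known_sources": ["10.0.0.5"]},
    {"user": "da-bob", "system": "Active Directory", "mfa": False,
     "last_review": "2020-02-15", "password_hash": "c5a237b7e9d897f3d4c4a2f3cd7b1e0f",
     "known_sources": ["10.0.0.5"]},
    {"user": "svc-backup", "system": "Backup server", "mfa": False,
     "last_review": "2021-09-20", "password_hash": "9f86d081884c7d659a2feaa0c55ad015",
     "known_sources": ["10.0.0.7"]},
    {"user": "root-cloud", "system": "Cloud console", "mfa": True,
     "last_review": "2021-09-20", "password_hash": "77aa1b2c3d4e5f60718293a4b5c6d7e8",
     "known_sources": ["10.0.0.5"]},
]

# Constructed login events in a simple key=value format (the format and parser are
# hypothetical; map your SIEM's fields onto the same names).
SAMPLE_LOG = """\
2021-10-04T09:12:44Z host=dc01 user=da-alice src=10.0.0.5 result=success
2021-10-04T09:40:02Z host=bak01 user=svc-backup src=10.0.0.7 result=success
2021-10-04T11:05:19Z host=fs01 user=jdoe src=10.0.0.44 result=success
2021-10-05T02:14:07Z host=dc01 user=da-alice src=203.0.113.9 result=success
2021-10-05T10:00:01Z host=dc01 user=da-bob src=10.0.0.5 result=failure
2021-10-05T10:00:03Z host=dc01 user=da-bob src=10.0.0.5 result=failure
2021-10-05T10:00:05Z host=dc01 user=da-bob src=10.0.0.5 result=failure
2021-10-05T10:00:09Z host=dc01 user=da-bob src=10.0.0.5 result=success
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) result=(?P<result>\S+)$")


def shared_password_groups(accounts):
    """Groups of admin accounts whose password hashes are identical."""
    by_hash = defaultdict(list)
    for a in accounts:
        by_hash[a["password_hash"]].append(a["user"])
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def accounts_without_mfa(accounts):
    return sorted(a["user"] for a in accounts if not a["mfa"])


def stale_reviews(accounts, as_of, max_age_days=365):
    """Accounts whose last access review is older than max_age_days as of an ISO date."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_age_days)
    return sorted(a["user"] for a in accounts
                  if datetime.strptime(a["last_review"], "%Y-%m-%d") < cutoff)


def flag_admin_logins(lines, accounts, business_hours=(7, 19), failure_threshold=3):
    """Successful admin logins from an unknown source, outside business hours (UTC),
    or immediately after a run of failures (password guessing that finally worked)."""
    known = {a["user"]: set(a["known_sources"]) for a in accounts}
    failures = defaultdict(int)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] not in known:      # skip malformed lines and non-admins
            continue
        user, src = m["user"], m["src"]
        if m["result"] != "success":
            failures[user] += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if src not in known[user]:
            reasons.append(f"login from unknown source {src}")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("login outside business hours")
        if failures[user] >= failure_threshold:
            reasons.append(f"success after {failures[user]} consecutive failures")
        failures[user] = 0
        if reasons:
            findings.append({"user": user, "ts": m["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("shared passwords:", shared_password_groups(ADMIN_ACCOUNTS))
    print("no MFA:", accounts_without_mfa(ADMIN_ACCOUNTS))
    print("review overdue:", stale_reviews(ADMIN_ACCOUNTS, "2021-10-06"))
    for f in flag_admin_logins(SAMPLE_LOG, ADMIN_ACCOUNTS):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

On the constructed data the script reports that da-alice and da-bob share a password, that da-bob and svc-backup have no MFA, that da-bob’s review is overdue, and it flags da-alice’s 02:14 login from an unfamiliar address and da-bob’s success after three failures. The “known sources” baseline is the simplest possible model; in production you would build it from several weeks of history per account and treat a service account logging in interactively as its own finding.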