Is Cyber Insurance Necessary? How to Safeguard Your Digital Assets
The cybercrime landscape is changing. This means that your security methods should be in a constant state of flux, always shifting and morphing as new threats emerge. As you review your security protocols, consider how the cybercriminals of today will be attempting to access your data. It’ll likely look a bit different than it did five or ten years ago.
As you’re reviewing your security methods, be sure that you safeguard your digital assets from every angle. You should be building security measures in each of the following three areas:
- Account Security
- Device Security
- Human Security
Multifactor authentication (MFA) is a multi-step process users take to gain access to an account. Three types of authentication methods are:
1. Knowledge Factor
Knowledge-based methods for authenticating identity might include passwords, PINs, and answering security questions.
2. Inherence Factor
Inherence factors are items unique to you as a person, like scanning your fingerprint or facial features.
3. Possession Factor
You can authenticate your identity using an item that only you possess, like entering a code that was displayed on a smartcard or inserting your unique thumb drive.
Cybercriminals know that MFA is the standard, which is why many are spoofing MFA requests. In this more complex version of a phishing attempt, the criminal sends an information request that looks like an MFA prompt. You should educate your employees on what a legitimate MFA request will look like. You should also consider combining MFA factors from different categories. For example, pairing one knowledge factor with one possession factor will be stronger than using two knowledge factors.
Consider using a password manager application if you’re not already. Not only do these apps store your login information safely, but they can also help you create strong passwords. A few other common password hygiene tips are:
- Never reuse passwords.
- Require passwords to meet a minimum length and to include a mixture of upper- and lower-case letters, numbers, and symbols.
- Never store passwords in a browser extension.
- Use different passwords for everything.
- Require employees to change passwords every 90 days.
Protect your network by setting your employees up with a virtual private network (VPN). When your employees are working outside of the office, a VPN encrypts the information sent between their computers and the outside world. When they use a VPN, cybercriminals on the same network won’t be able to read what they send or trace their activity back to your network.
Make sure your antivirus software is up to date. Antivirus software provides basic protection against malicious software like worms, viruses, spyware, and ransomware; notifies you of vulnerabilities in your systems (like unpatched software); warns users of risky websites; and so much more. You should also be sure your firewall software has been patched so that it can manage network traffic as intended.
Blocking Pop-Up Ads
Pop-ups aren’t always problematic, but they can be. They can be used by hackers to collect sensitive information or encourage users to download harmful files. Blocking them at the source helps prevent accidental clicks and creates a safer browsing environment for your employees.
Back Up Your Data
Backing up your data is an effective failsafe if your employees’ devices fail, get stolen, or are otherwise compromised. Simple hardware failures can result in data loss that can negatively impact operations and permanently damage relationships you have with your customers and business partners.
But backups aren’t just helpful for preventing data loss; they can also help when you need to update your devices or migrate to a new system. If you have that data already backed up, you can quickly and easily transfer it to the new device or network.
Training and Awareness
Build a culture that promotes employee involvement in cybersecurity. You can have your employees play a part by:
- Holding regular live training sessions or providing training modules that employees can access at their convenience.
- Conducting drills and simulations that test your organization’s incident response capabilities.
- Drafting clear-cut security policies and updating them regularly.
- Launching cybersecurity awareness campaigns.
- Informing employees of their roles in security protocols.
Monitor for Suspicious Behavior
Continuously monitor employee activities for suspicious behavior. These monitoring systems can be technological (e.g., software that detects suspicious patterns), human-based (e.g., whistleblower options), or a combination of both. You can also perform regular security audits so that a third party can evaluate the effectiveness of your security measures.
Have a Process for Reporting Incidents
An incident response plan is a written playbook for how you should respond if a data breach occurs. Formalizing your response plan will help reduce the cost of a data breach. When building your plan, here are a few things to remember.
- Build an incident response team, and put that team to the test with regular drills and simulations. Organizations that have an incident response team and test their incident response plans regularly identify breaches 54 days faster than those with neither.
- Prompt reporting is key, which means that you should build relationships with incident response professionals before an incident occurs. By gathering a legal team, IT professionals, or a public relations consultant before an incident occurs, you’ll be able to move quickly if your data is breached.
- Include recovery time objectives in your plan so that your team knows that time is of the essence.
Is Insurance the Answer?
Investing in cybersecurity insurance isn’t just recommended; today, it is absolutely necessary. Insurance should never be your only method for protecting yourself, but it should play an important role in managing the health of your organization. Cyber liability insurance can help organizations cover some of the following costs if a data breach occurs:
- Forensic and investigation fees
- Credit monitoring services
- Public relations
- Notification costs
- Legal fees and court-ordered settlements
- Regulatory compliance costs
- The cost to restore systems and networks
- The cost to recover lost data
- Business interruption
- Ransom payments
The bottom line is that the cybersecurity strategies you implemented in the past may not be enough to ward off the tactics that criminals are using today. Take the steps necessary to protect yourself, your employees, and your customers. If you want to discuss these practices with our team, reach out to us today. Our Meaden & Moore advisory team would be happy to assist.