by Doug Kreitzberg | Jul 20, 2020 | Cyber Awareness, Cybersecurity
When it comes to cybersecurity practices, there is an overwhelming amount of options available today, which can make it hard for businesses to figure out what they need. It’s easy to think you need newest and most expensive cybersecurity technology with all the bells and whistles to be protected. But the truth is that every business will have different needs and will need to develop cybersecurity practices that suit their specific business goals and strategies. If you don’t align your cybersecurity with your business objectives, chances are all your fancy security practices will end up hindering your business. There are, however, a number of critical cybersecurity practices that every business should consider. Each of these practices are all easy to implement and will leave your business a lot more secure:
1. Patching
One of the most critical cybersecurity practices is also the simplest: updating your applications and operating systems. Software updates aren’t just about adding new features, but in most cases also includes security improvements and patches to any known vulnerabilities. And while it can be tempting to put off updating your applications for another day, it is very important to install these updates as soon as you can. Hackers are constantly looking through popular applications for potential vulnerabilities, so keeping your systems up to date will help ensure the bad guys can’t exploit any weaknesses in the outdated version.
2. Access Control
Another vital component to any cybersecurity policy is controlling access to your networks, systems and data. This includes limiting employee access to areas of your system that aren’t relevant to their work. You also need to ensure that your employees are using passwords that meet certain length and complexity requirements, as well as using multi-factor authentication for all remote logins. This is especially important now that many employees are working from home.
3. Lockdown Mobile and Remote Devices
Whether employees are using company-issued or personal devices, it is important to ensure certain security settings are in place if those devices are used to access your network remotely. This includes ensuring that all devices are using a virtual private network (VPN) to keep internet data anonymous, and malware scanners to detect infected devices. Another big risk with mobile and remote devices is that potential for them to be lost or stolen. It’s therefore important to make sure your devices are encrypted and that you have a system in place that allows you to delete the data from any remote device if it goes missing. This will keep the anyone who finds the device from access any sensitive data it might contain.
4. Back up and Recovery Tests
It is also critical to keep regular backups are your most important networks and most sensitive data. This is especially important to protect yourself against ransomware attacks, where hackers lock you out of your own system. Having a backup may prevent you from having to pay to get your data back. However, it’s not enough to just keep backups, but to regularly test your recovery process. Backups will sometimes be corrupted and If you make a mistake or your backup settings are misconfigured, it’s possible you won’t be able to fully recover your data. Testing your backups regularly will ensure you can get your data back if sometime bad happens.
5. Firewall Configuration
Firewalls are essential for monitoring incoming and outgoing network traffic, and blocking any traffic that doesn’t meet your security standards. It’s often considered your first line of defense, so should be set up with care. The specific configurations you need depends on a number of factors, but overall you should make sure you don’t have any unnecessary open ports and ensure that traffic coming and going from the most critical and sensitive areas of your network have stricter traffic limitations. It’s also very important to change any default account and passwords that come with the firewall. Hackers can cause a lot of damage if they gain administrative access to your firewall, so you want to keep access to it as secure as possible.
6. Security Awareness Training
Last but definitely not least, it is critical that your employees receive security awareness training. Phishing and other social engineering attacks are now the number one cause of data breaches, meaning your employees are your frontline defense against cyber attacks. If your employees don’t know how to spot phish or business email compromise attempts, you leave your system dangerously vulnerable to attack. Simply put, by giving your employees the tools to develop safe online habits, you dramatically increase the security of your organizations.
by Doug Kreitzberg | Jul 17, 2020 | Behavior
This may seem obvious, but when you are trying to develop new habits and behaviors, one of the biggest areas to consider is your ability to actually do that new habit. If it’s too hard, you won’t be able to sustain the new habit unless highly motivated to do so —which, as we’ve mentioned, is not the right area to focus on. However, the point isn’t that you’ll never be able to learn new skills. The point is to think about ability differently. Instead of thinking that either you can do something or you can’t, breaking ability down into pieces will help you figure out what makes the new habit difficult to do.
When it comes to developing new behaviors, BJ Fogg breaks ability down into six categories that he called the “ability chain”:
- Time Do I have the time to devote to this?
- Money Can I afford to do this?
- Physical Effort Can I physically do this?
- Mental Effort Do I have the mental energy to do this?
- Routine Does the habit fit into my routine or will it require an adjustment?
- Social Is this behavior consistent with my social environment and values?
Once you’ve broken down ability into small chunks, you can start to figure out what exactly your are struggling with. Fogg says to ask the “Discovery Question:” For each link on the ability change ask yourself if that makes the new habit hard to do. Once you identify the ability (or abilities) that make doing this behavior hard, look for ways to make it easier.
Take running as an example. Do you have the time to run a couple times a week? Do you need to buy new shoes or clothes? If so, do you have the money to buy those things? Are you physically able to run? How much mental energy will going for a run take? Does going for a run change your routine too much? Is running consistent with my values? Once you go through the list, you can probably narrow the problem areas down to one or two of the links in the chain and focus on those. So, if my issue is that I can’t physically run for 30 minutes straight, maybe I start by trying to run for 5 minutes straight, then walk for a few minutes, then run for another 5. Then, over time, I’ll build up the strength to run for longer and longer stretches.
At the end of the day, it’s always better to start small in ways that addresses each link in the ability chain. Then you will be in a better position for sustained change over time.
by Doug Kreitzberg | Jul 15, 2020 | Cyber Awareness, Data Breach, Vendor Management
The 2013 Target breach served as a wake up call for many businesses about the importance of proper cybersecurity practices. Since then, organizations have devoted a lot of time and resources into putting security controls and trainings in the place to better protect their data. Yet, one piece that is often overlooked is vendor management. In fact, the Target breach occurred when the credentials of an HVAC vendor were stolen and used to gain access to Target’s network. Traditionally, vendor management involves creating a security agreement and routinely accessing vendors’ security practices, but doesn’t always include cyber awareness training. However, given that credentials are regularly stolen through social engineering tactics, organizations need to start focusing on training their critical vendors to be more cyber aware.
With the effort often involved in implementing training programs for employees, it may seem daunting to also train vendors. However, since vendors usually have limited access and have very specific roles, vendor cyber awareness programs should be customized to the role they play within your organization. While you should ensure that the Vendor does have a comprehensive awareness program for all employees, you should consider adding your own training to those individuals who are touching your account — including their accounts payable or receivable units — and tailor the training to the specific risks they present.
Take the Target breach as an example. Hackers gained access to the Target network through credentials to a vendor portal. In order to help prevent the breach, Target could have taken the following steps: first, require strong authentication, including multi-factor authentication, to access the Target system; second, receive verification that the vendor has a training program in place for all employees; third, identify the individuals within the vendor’s organization that need to access it’s system; finally, provide those individuals adequate, role-based training on topics like password strength, business email compromise, and phishing.
The importance of ensuring your vendors are cyber aware cannot be overstated, and should even be a requirement before entering into any agreement. While this training doesn’t need to be as extensive as it is for your employees, it should be focused on the individuals with access, and the role those individuals play within your organizations. Anything less than that could leave you vulnerable to unauthorized access.
by Doug Kreitzberg | Jul 13, 2020 | Data Breach, ransomware
Over the past few years, ransomware has become a more and more common form of cyber attack. In part, this is because hackers have started to sell pre-made packages that anyone can buy on the dark web and run without a lot of technical know-how. While this form of ransomware allows malicious code to spread automatically, it’s not always the most sophisticated form of attack. This may be why human-operated ransomware has become more popular over the past few months. Unlike pre-coded ransomware that blindly crawls through infected networks, human-operated ransomware attacks tend to play more of the long game. Once attackers gain access to a victim’s system, they take their time to gather as much intel as possible about their target, often waiting months before launching their attack. This helps them gain access to other areas within the network and ultimately make it extremely difficult for the victim to put a stop to the attack once it starts.
The key to combatting these more sophisticated attacks, then, is to stop them from accessing your systems in the first place. Often, ransomware attacks gain access by taking the path of least resistance, such as unpatched applications. This has been an especially big problem for the healthcare industry recently. As hospitals continue to be overwhelmed by COVID-19, they have not had the time and resources to safeguard security systems and update applications quickly.
For example, recently human-operated ransomware attackers are using out of date virtual private networks (VPNs) to gain access. In fact, Microsoft identified “several dozens of hospitals” that were vulnerable to attack because of outdated VPN applications. To help combat this issue, Microsoft has developed a new alert system to notify hospitals that have unpatched applications and other vulnerabilities.
With ransomware attackers playing the long game, it’s vitally important to ensure your systems and applications are patched and that you fix any known vulnerabilities. In addition, any potential compromise to your system, however small, should be investigated and dealt with as soon as possible. Otherwise, hackers can spend months moving throughout your networks undetected and make it near impossible to remove once they launch their attack.
by Doug Kreitzberg | Jul 10, 2020 | Human Factor, Phishing, social engineering
One of the main tenants of behavior science is something called “operant conditioning.” It’s a fancy phrase for a concept that’s actually pretty simple: a behavior followed by a reward is more likely to be repeated than a behavior followed by a punishment. While this is a pretty common sense idea, when it comes to our own goals, we don’t often think this way. Instead, we’ve grown up with a myth that true success comes only with struggle and that our biggest opponent is ourselves. Instead of focusing on our wins, we focus on our loses and think that to get anything accomplished we have to be hard on ourselves. And how well does that usually work out?
In order to create new behaviors that you can actually sustain, you need to have positive reinforcement. In other words, if you set yourself a goal that is too difficult or takes too long to achieve, your focus will be on what you’re doing wrong and lead you to give up. Instead, it’s important build on goals that you can actually achieve and feel positive about. This isn’t to say you shouldn’t set big goals for yourself, but that in, order to get there, you first have to focus on the wins: the small, achievable goals that you can then build upon to make the changes you want for yourself.
This is a lesson that most cybersecurity training programs have yet to understand. Phish simulation programs often will often focus on the loses: when you click on a phish or don’t report it to your IT department. Instead, accountability with compassion is far more effective for driving long term behavior change, and training programs that reward positive behaviors rather than punish bad ones are more likely to help users achieve their goals.
Using positive reinforcement and focusing on the wins helps us build the skills and abilities that enable us to do great things. And, perhaps after we have accomplished the large goal we were after, we’ll realize that the actual goal was to just feel better about ourselves.
