Written by: Alex Hubbard & Derek J. Morris
As 2024 begins, companies like yours, whether large or small, should take a step back and look at all of their technologies and services. Your organization should review both to ensure you are getting the security basics right. We’ll explore key concepts and tips for establishing a strong foundation in cybersecurity. These can be used to develop a solid security posture and enable your organization to protect its most critical assets.
Security Responsibility
Appoint a dedicated cybersecurity leader within your organization to oversee the crucial responsibility of safeguarding sensitive data from cyber threats. This leader may work internally or collaboratively with an outsourced vCISO service. Their goal is to prioritize the confidentiality, integrity, and availability of critical information. Senior leaders within an organization may wear many hats, with cybersecurity being just one of them. Consider contracting with a vCISO service, like Wolf & Company’s, to provide a well-rounded, experienced approach to securing your organization. Ensuring adherence to best practices, implementing appropriate security measures, and developing a culture of awareness are essential steps to effectively mitigate risk. Using the NIST Cybersecurity Framework to select the right controls and best practices can start the organization in the right security direction.
Understanding the Threat Landscape
Cybersecurity is a dynamic field, and staying informed is key. Threats come in various forms, from malware and phishing emails to ransomware and social engineering attacks. Stay informed about the latest cybersecurity threats through reputable, industry-appropriate sources, such as blogs, webinars, online courses, CISA, ISACA, and HIMSS, to enhance your awareness. Familiarize yourself with emerging threats and evolving best practices to adapt your security measures accordingly.
Password Hygiene
One of the simplest yet most effective cybersecurity practices is maintaining strong and unique passphrases. Passphrases are far easier for users to remember than a complex password, which reduces the risk of the user writing the password down. A passphrase can be thought of as a sentence or chain of words that is far longer than a normal password; it should be a minimum of 14 characters in length and can draw on the full range of characters, including spaces and punctuation. Avoid using easily guessable information, such as birthdays or names, and consider using a reputable password manager to generate and store complex passwords securely.
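The checks above (a 14-character minimum and no easily guessable personal information such as names or birthdays) can be enforced at the point where a user sets a passphrase. The following is an added example written for this article, not code from Wolf & Company; the `check_passphrase` function, the user profile fields it inspects, and the sample user are all assumptions constructed for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 14  # minimum passphrase length recommended in the article


def check_passphrase(passphrase: str, user_info: dict) -> list[str]:
    """Return a list of policy violations; an empty list means the passphrase passes.

    user_info is a hypothetical profile dict with optional keys
    first_name, last_name, username and birthdate (a datetime.date).
    """
    problems = []

    # Rule 1: length. Passphrases are long by design; anything shorter than the
    # minimum is treated as a password, not a passphrase.
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: a single repeated character or a tiny alphabet is not a real passphrase
    # even when it is long enough ("aaaaaaaaaaaaaaaa").
    if len(set(passphrase)) < 4:
        problems.append("uses fewer than 4 distinct characters")

    lowered = passphrase.lower()

    # Rule 3: easily guessable personal information - names and usernames.
    for field in ("first_name", "last_name", "username"):
        value = str(user_info.get(field, ""))
        if len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains {field}")

    # Rule 4: birthdays in the numeric forms people actually type.
    dob = user_info.get("birthdate")
    if isinstance(dob, date):
        digits_only = re.sub(r"\D", "", passphrase)
        forms = (
            dob.strftime("%Y"),       # 1990
            dob.strftime("%m%d%Y"),   # 04121990
            dob.strftime("%d%m%Y"),   # 12041990
            dob.strftime("%Y%m%d"),   # 19900412
        )
        if any(form in digits_only for form in forms):
            problems.append("contains birthdate")

    return problems


# Constructed sample user used for the demonstration below.
SAMPLE_USER = {
    "first_name": "Priya",
    "last_name": "Okonkwo",
    "username": "pokonkwo",
    "birthdate": date(1990, 4, 12),
}

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "okonkwo loves coffee!", "born in 1990, moved twice",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_passphrase(candidate, SAMPLE_USER) or 'OK'}")
```

The function returns every violation rather than stopping at the first one, so the feedback shown to the user can explain exactly why a choice was rejected. The name and birthday checks are deliberately substring-based: a passphrase that merely embeds the user's surname or birth year is still easy for an attacker who has looked at a social-media profile.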
Keeping Software Updated
Regularly updating your operating system, antivirus software, and other applications is critical. Software updates often include security patches that address vulnerabilities discovered by developers or researchers. Third-party applications used throughout your company should not be overlooked when it comes to proper patches. By keeping your software current, you reduce the likelihood of falling victim to known exploits.
Recognizing Phishing Attempts
Phishing remains a prevalent method for cybercriminals to gain unauthorized access to sensitive information. Be cautious of unsolicited emails, messages, or links, especially those urging immediate action. Verify the legitimacy of requests by contacting the organization directly through official channels before providing any sensitive information.
Two-Factor Authentication (2FA)
Enable two-factor authentication wherever possible. This adds an extra layer of security by requiring a secondary verification step, such as a code sent to your mobile device, in addition to your password. 2FA significantly enhances the security of your accounts, even if your password is compromised. 2FA should go beyond traditional methods like SMS messages. SMS messages can easily be spoofed. Consider leveraging an authentication mechanism like Microsoft Authenticator, Okta, or Duo. If you do adopt these applications, ensure that they are configured so that users cannot be worn down by repeated push prompts (2FA/MFA fatigue), and that users cannot change or update their number or device without administrative approval.
Your Devices
Protecting your devices is integral to overall cybersecurity. Install reputable antivirus software, enable firewalls, and use encryption tools when applicable. Additionally, consider device-specific security measures, such as implementing a Mobile Device Management (MDM) tool with the capabilities to remotely wipe and locate mobile devices.
Asset Management
Implement tools to track hardware, software, and data assets within the environment. As a cybersecurity or IT professional, you need to know exactly what is in the environment in order to secure it appropriately. Take measures to automate asset discovery, so that whenever a new asset is discovered the appropriate team is alerted and can act immediately.
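The alerting step described above amounts to reconciling each discovery sweep against the inventory you already trust. The following is an added example for this article, not code from Wolf & Company or any asset-management product: it parses a small, constructed discovery result (one line per device, in the shape an ARP or DHCP-lease export might produce), compares it with a constructed baseline keyed by MAC address, and returns the new, changed and missing assets so a ticket or alert can be raised for each. The record format, the `reconcile` function and the sample addresses are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    hostname: str
    owner: str = "unassigned"   # team responsible; "unassigned" until triaged


def parse_discovery(text: str) -> list[Asset]:
    """Parse 'MAC IP HOSTNAME' lines (constructed format) into Asset records."""
    assets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, hostname = line.split()
        assets.append(Asset(mac.lower(), ip, hostname))
    return assets


def reconcile(baseline: dict[str, Asset], discovered: list[Asset]) -> dict[str, list]:
    """Compare a discovery sweep with the trusted inventory, keyed by MAC address."""
    new, changed, missing = [], [], []
    seen = set()
    for asset in discovered:
        seen.add(asset.mac)
        known = baseline.get(asset.mac)
        if known is None:
            new.append(asset)                      # never inventoried: alert immediately
        elif known.ip != asset.ip or known.hostname != asset.hostname:
            changed.append((known, asset))         # known device, but its identity moved
    for mac, asset in baseline.items():
        if mac not in seen:
            missing.append(asset)                  # inventoried but not on the network
    return {"new": new, "changed": changed, "missing": missing}


def alert_lines(result: dict[str, list]) -> list[str]:
    """Render one human-readable alert per finding, routed to the owning team."""
    lines = []
    for a in result["new"]:
        lines.append(f"NEW      {a.mac} {a.ip} {a.hostname} -> route to {a.owner}")
    for known, now in result["changed"]:
        lines.append(f"CHANGED  {known.mac} {known.ip}/{known.hostname} "
                     f"-> {now.ip}/{now.hostname} (owner {known.owner})")
    for a in result["missing"]:
        lines.append(f"MISSING  {a.mac} {a.ip} {a.hostname} (owner {a.owner})")
    return lines


# Constructed trusted inventory.
BASELINE = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "10.0.1.10", "fileserver01", "infra"),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "10.0.1.11", "printer-2f", "facilities"),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "10.0.1.12", "hr-laptop-07", "endpoint"),
}

# Constructed discovery sweep: one unknown device, one device whose IP/hostname changed,
# and the printer absent from the network.
SWEEP = """
# mac               ip          hostname
aa:bb:cc:00:00:01   10.0.1.10   fileserver01
AA:BB:CC:00:00:03   10.0.1.40   hr-laptop-07
aa:bb:cc:00:00:99   10.0.1.55   raspberrypi
"""

if __name__ == "__main__":
    for line in alert_lines(reconcile(BASELINE, parse_discovery(SWEEP))):
        print(line)
```

Keying on MAC address rather than IP is what lets the script distinguish "a known laptop got a new DHCP lease" from "a device we have never seen". In practice the `new` list is the one that needs a response within minutes; the `missing` list is still worth reviewing, since a device that was inventoried and has disappeared may have been lost or stolen, which ties back to the MDM remote-wipe capability mentioned earlier.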
Backing Up Data
Regularly back up your important data to an external and secure location. This precaution ensures that even if your system is compromised, you can restore your information without succumbing to data loss. Cloud storage services and external hard drives are popular choices for backups. Whatever backup media you choose, ensure that your backups are encrypted and immutable. Regularly testing the recovery of your backups is just as important as taking the backup in the first place.
Risk Management
Consider performing a regular risk assessment, either annually or when material changes occur within the environment. Tools like WolfPAC can make this task easier. Once you understand what is in your environment, you must then look at the risks associated with those systems. Many regulatory requirements now include mandatory risk assessments. Risk assessments can also help you understand where you may have control gaps and prioritize their remediation.
Penetration Testing
As a final recommendation, you should consider conducting regular penetration tests. Much like a risk assessment, penetration tests can give you an early indication of where your gaps are before attackers attempt to leverage them. Penetration tests should be conducted at least once annually from an external standpoint, or when a material change occurs (e.g., a new system is implemented). Some regulatory bodies and sectors also require a mandatory internal penetration test.
By incorporating these fundamental practices into your routine, you’ll be well on your way to establishing a robust cybersecurity posture. Remember, cybersecurity is an ongoing commitment, and regularly updating your knowledge and practices is essential to staying ahead of new and existing threats.
If your organization needs assistance preparing or updating its cybersecurity framework, reach out to our expert vCISO team today!