While helping organizations shore up against potential cyber-attacks, I am surprised at how many security teams still treat malware purely as a systems problem rather than the behavioral problem it has become. Yes, keeping your systems updated and behind a firewall is a necessity, but so is educating your employees, who are usually the weakest link in a business's cyber security strategy.
Most companies pay lip service to security by distributing an IT and device usage policy to employees, but that isn't enough. You must do more: provide computer-based training to every employee rather than asking them to attend webinars or presentations on their own time. Start a company-wide conversation and train your employees about risky behaviors in terms they can understand.
It’s easier said than done, but here are a few step-by-step plans you can use to safeguard your organization:
Employee Exploitation by Hackers
One of the most common ways hackers gain access to a business is through its non-technical employees. They entice employees into downloading malware embedded in innocent-looking files and apps. Once executed, the malware persists on the user's device and on shared company infrastructure, where it captures logins, passwords and other sensitive data and sends them to the attacker's server. All of this happens without the knowledge of the employee or the security team. Even if the security team identifies the breach after the fact, the harm is already done: the stolen credentials can be used to exfiltrate data and sensitive information, disrupting critical business operations.
- Deploy next-generation firewalls with IDS/IPS to detect and block downloads of malware or compromised files.
- Train employees to identify suspicious files, especially in their inbox. Phishers are getting smarter and are able to bypass the basic spam protection offered by Outlook and other email clients.
- Deploy an email security gateway that inspects every incoming and outgoing email. Why outgoing as well? If a computer or email account is compromised, your company's email server can be used to send spam and other damaging emails in your name.
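The indicators the bullets above describe can be checked mechanically before a message reaches the inbox. The following Python script is an added example, not code from the original article: it parses a message with the standard library and flags a look-alike sender domain, a display name that claims the company while the address is external, a Reply-To pointing somewhere else, and executable or double-extension attachment names. The company domain example.com, the indicator lists and the two sample messages are constructed assumptions for illustration.

```python
"""Added example: triage an inbound email for common phishing indicators.

The company domain, indicator lists and sample messages below are constructed
for illustration; they are not from the original article.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed company domain

# File types that run code or carry macros when opened
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1",
                    ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
# Harmless-looking extensions attackers place before the real one ("invoice.pdf.exe")
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Digits commonly swapped into a domain name to imitate a letter
HOMOGLYPHS = str.maketrans("013", "ole")


def normalize_domain(domain):
    """Collapse common look-alike substitutions so examp1e.com compares equal to example.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def check_attachment_name(filename):
    """Return reasons an attachment filename is suspicious (empty list if none)."""
    reasons = []
    parts = filename.lower().strip().split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable or macro-enabled attachment: {filename}")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension hides the real type: {filename}")
    return reasons


def check_message(raw):
    """Parse a raw RFC 5322 message and return a list of phishing indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # Sender domain that only looks like ours
    if from_domain != CORP_DOMAIN and normalize_domain(from_domain) == normalize_domain(CORP_DOMAIN):
        reasons.append(f"lookalike sender domain: {from_domain}")
    # Display name claims to be the company while the address is external
    corp_name = CORP_DOMAIN.split(".")[0]
    if from_domain != CORP_DOMAIN and corp_name in from_name.lower():
        reasons.append(f"display name impersonates {corp_name} from external domain")
    # Replies silently redirected to a third party
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != from_domain:
        reasons.append(f"Reply-To domain differs from From domain: {reply_to}")
    # Attachment names (content inspection would be the gateway's job)
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            reasons.extend(check_attachment_name(filename))
    return reasons


def build_sample(sender, reply_to=None, attachment=None):
    """Construct a sample message and return it as a raw string (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"staff@{CORP_DOMAIN}"
    msg["Subject"] = "Overdue invoice - action required"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please open the attached invoice and confirm payment today.")
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed samples: one phishing attempt, one legitimate internal message
PHISHING_SAMPLE = build_sample(
    sender="Example Accounts Payable <ap@examp1e.com>",
    reply_to="collections@attacker.invalid",
    attachment="invoice.pdf.exe",
)
CLEAN_SAMPLE = build_sample(sender=f"Accounts Payable <ap@{CORP_DOMAIN}>", attachment="invoice.pdf")


if __name__ == "__main__":
    for reason in check_message(PHISHING_SAMPLE):
        print("FLAG:", reason)
    print("clean sample flags:", check_message(CLEAN_SAMPLE))
```

The filename check is deliberately separate from the header checks so a gateway rule can weight them differently: a double extension is almost always malicious, whereas a differing Reply-To is common in legitimate mailing-list traffic and should only add to a score.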
Unsecured Networks
A corporate network that isn't encrypted is an easy target for hackers. Open Wi-Fi makes matters worse: an attacker who joins it is already inside the business network and can reach sensitive files and systems without ever entering the building.
- Train IT staff to monitor networks for suspicious activity and to secure the business network.
- Protect Wi-Fi with WPA2 or WPA3 and a strong, complex passphrase. Where possible, use the Enterprise mode with a RADIUS server (802.1X) so that each user authenticates with individual credentials rather than a shared key.
- Guest Wi-Fi must be separate and fully isolated from business networks. Even on the guest network, enable client isolation so guest devices cannot communicate with one another.
Prevent Weak Passwords
Many breaches involve weak passwords that can be compromised by dictionary and brute-force attacks. Employees often use pet names, family members' names or other guessable passwords, which can be gathered through social engineering (discussed below).
- Accept only complex passwords with a combination of lowercase letters, uppercase letters, numbers and at least one special character. Length matters more than composition, so also enforce a minimum length (12 characters or more) and reject passwords that appear in known breach lists.
- Force password changes regularly (at least every quarter). Be aware that current NIST guidance (SP 800-63B) discourages mandatory periodic rotation because it pushes users toward predictable variations of the old password; whatever your rotation policy, force a change immediately whenever compromise is suspected.
- Decouple your digital assets: every website or system should have a unique password, so that a breach of one site does not compromise other logins.
- Use two-factor (multi-factor) authentication wherever possible.
- Use an enterprise password manager so passwords are stored in a managed, encrypted vault rather than the browser's built-in password store, which the security team cannot centrally manage or audit.
- Sensitize and train employees on the importance of strong passwords and of never sharing them.
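The password rules above are easier to enforce than to explain, and composition rules alone let a password like F1uffy2017!! through even though a social engineer could guess it from a pet's name on a social media profile. The following Python check is an added example, not from the original article: it enforces length and character classes, screens the candidate against a breached-password corpus using the same prefix-only (k-anonymity) lookup pattern as the Pwned Passwords range API, and rejects passwords that contain personal tokens even after common digit-for-letter substitutions. The corpus, the user tokens and the sample passwords are constructed.

```python
"""Added example: a password acceptance check that goes beyond composition rules.

The breached-password corpus, the personal-info tokens and the sample passwords
are constructed for illustration; they are not from the original article.
"""
import hashlib
import re

MIN_LENGTH = 12

# Stand-in for a breached-password corpus such as Pwned Passwords, kept as
# upper-case SHA-1 hex digests so no plaintext list sits on disk (constructed).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2024!", "Summer2023!", "Qwerty123!", "P@ssw0rd2017")
}

# Common digit/symbol-for-letter substitutions; "1" is ambiguous (l or i), so try both.
LEET_VARIANTS = (
    str.maketrans("@$01345", "asoleas"),
    str.maketrans("@$01345", "asoieas"),
)

CHARACTER_CLASSES = (
    ("lowercase", re.compile(r"[a-z]")),
    ("uppercase", re.compile(r"[A-Z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
)


def range_lookup(prefix):
    """Return the hash suffixes in the corpus that share a 5-character SHA-1 prefix.

    Mirrors the k-anonymity range query of the Pwned Passwords API: the client
    sends only the prefix and matches the suffix locally, so the full hash of the
    candidate password never leaves the machine. Here the "service" is the local set.
    """
    return {digest[5:] for digest in BREACHED_SHA1 if digest.startswith(prefix)}


def is_breached(password):
    """True if the password's SHA-1 appears in the breached corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def contains_personal_info(password, user_tokens):
    """True if a token known about the user (pet, family, company, username)
    appears in the password, with or without common leet substitutions."""
    lowered = password.lower()
    forms = {lowered} | {lowered.translate(table) for table in LEET_VARIANTS}
    for token in user_tokens:
        token = token.lower()
        if len(token) >= 3 and any(token in form for form in forms):
            return True
    return False


def evaluate_password(password, user_tokens=()):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    missing = [name for name, pattern in CHARACTER_CLASSES if not pattern.search(password)]
    if missing:
        failures.append("missing_character_classes:" + ",".join(missing))
    if is_breached(password):
        failures.append("breached")
    if contains_personal_info(password, user_tokens):
        failures.append("contains_personal_info")
    return failures


if __name__ == "__main__":
    # Constructed profile: exactly the kind of detail a social engineer collects.
    tokens = ("Fluffy", "Smith", "Example")
    for candidate in ("Password123!", "F1uffy2017!!", "Ab1!", "correct-horse-battery-STAPLE-9"):
        print(f"{candidate!r:35} -> {evaluate_password(candidate, tokens) or 'accepted'}")
```

The personal-token check is where user education and enforcement meet: the tokens come from the HR record and the user's own profile (company name, family names, pets), so the check rejects precisely the passwords the social engineering section below warns about.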
Preventing Non-Work-Related Activities
It's common for employees to use their work devices (phones, tablets, laptops and PCs) for things that aren't work related. This makes it more likely that they visit websites with questionable security, exposing business information to hackers. Likewise, traffic from a device that connects to the work network over public Wi-Fi can be intercepted if the device is not configured properly (for example, without an always-on VPN).
- Keep all work devices behind a network firewall and content-filtering software. This stops much malware from entering the company's network and restricts users to an allow list of approved websites.
- Set up user groups and implement allow-list policies that regulate which websites employees can access from their work devices.
- Limit email access to devices enrolled in your mobile device management (MDM) solution, so the security team can manage them and, if necessary, wipe them remotely.
Patch Outdated Software
It's easy to overlook the importance of software updates, but vulnerabilities that are discovered and left unpatched will be exploited. The WannaCry ransomware outbreak of May 2017 is a prime example. Microsoft had already fixed the SMBv1 vulnerability it exploited in Security Bulletin MS17-010 (rated Critical), released on 14 March 2017, almost two months before the attack began on 12 May 2017. Businesses that had applied the patch were not affected; had more done so, an attack on that global scale could have been avoided.
- Keep all software in use up to date with the latest patches and pay attention to security advisories.
Attacking Inadequate Firewalls
Network firewalls are the first line of defense against hackers, blocking everything that isn't authorized to enter the network. But like any other software, firewalls need regular monitoring, upgrades and maintenance. Without this, the firewall won't protect against new attacks as it is supposed to, leaving room for hackers to get in.
- Make sure your firewalls have automatic updates enabled and are receiving new attack signatures and virus definitions.
- Perform periodic penetration tests to verify that firewalls and other systems actually protect against attacks.
- Maintain firewalls on a regular basis: review the rule set, remove stale exceptions and check the logs.
Social Engineering
Hackers don't rely entirely on software vulnerabilities; they also exploit flaws in human behavior. Social engineering is a technique in which hackers manipulate employees into giving out details that let them gain access to systems. In most cases, users aren't even aware that they are putting the business in jeopardy. Sometimes, however, disgruntled employees willingly hand information to hackers, and you must have preventive controls in place to protect your business against the latter as well.
- Train employees never to give out sensitive information such as login details to others, including fellow employees.
- Encourage employees to rethink what they reveal on social media; it's all fodder for social engineers. You can't expect people to stop using social media, but you can educate them about the real risk of sharing too much of their personal lives online.
- Develop policies for handling sensitive requests such as password resets, including a way to verify the requester's identity through a second channel. Don't send passwords in emails or text messages, which can be intercepted.
It doesn't matter whether you're a three-person company or a 3,000-person company: review your IT infrastructure for vulnerabilities and educate your people accordingly. Get security audits and penetration tests; it's like going to a doctor for a check-up. Most managed IT service providers offer vulnerability assessment services that are a good starting point. Most importantly, be proactive rather than reactive.