- Start with Policies and Procedures – Employees need to know what behavior is acceptable and what’s not. In the absence of a policy, employees will do whatever they think is the right thing to do, which may be the wrong thing. If it’s not in writing, it won’t be clear, and it can’t be enforced. A Password Policy is a great place to start. A recent study found that 32% of organizations were found to have weak password policies—a highly solvable problem that organizations apparently have not adequately tackled. In addition, 23% of organizations were found to have weak authentication mechanisms. This is concerning, because the combination of the two issues empowers hackers, who can then simply log in with minimal effort.
- Next, provide regular and disciplined Cybersecurity Awareness Education for ALL users (monthly) and random Phish Testing (twice monthly). Start with a policy and set everyone’s expectations, deliver ongoing training in an easy to understand and consumable way, phish test them regularly to inoculate them, and then hold them accountable with sanctions (if needed) to ensure everyone gets it. Employees also need repeated training on your policies and procedures. At Providence, we conduct 15 minutes of staff training EVERY WEEK during our staff huddle (Training Thursday), as well as monthly cybersecurity training that they take when it’s convenient for them. It’s essential!
- Prioritize Cloud Protections. Microsoft 365 is one of the biggest targets in the world, but so are cloud apps like membership databases, HR systems, Electronic Health Record systems, etc. Strong Passwords, proper MFA everywhere, and EVERYONE following the rules will help keep attackers out. A failure to make this a priority is creating risk in your environment today!
- Reduce the risk associated with uncontrollable social engineering attacks, by giving users the education and tools to properly manage their passwords. 91% of breaches involve social engineering attacks designed to steal credentials. These types of attacks are so prevalent because they are relatively low-cost and low risk for attackers. These attacks often rely on the use of widely used technology, such as email, where attackers can easily target many potential victims very efficiently. These attacks exploit people’s trusting nature and misplaced trust in technology, and attackers find great success using these techniques.
- Gain visibility into your security gaps and identify risks by regularly auditing your controls and user behaviors. It’s essential that we hold people accountable for complying with the rules that are designed to keep our organization cyber safe. It may be an area of management’s that’s difficult, but as business leaders, that’s OUR role and if we don’t do it, it won’t get done!
One way to look for gaps and risks is through penetration testing. Properly executed, it will expose users with poor password hygiene, the use of devices that are not in compliance with established standards, the presence of sensitive files stored on local systems, etc. Once risks are identified, then we need to determine if our policies and procedures are unclear, or are users unaware of them, or are users disregarding them because they are too hard, or whatever it is, and fix it.
Cyber-Crystal Ball: Attacks have been on the rise and will continue… there is no end in sight! Sophisticated attack tools are now sold as a service removing barriers to entry for young or old would-be cyber criminals. With each passing year the attacks become easier for them to execute, and with each successful attack, the threat actor gets paid, incentivizing them to continue. The risk of getting caught is virtually nil. In addition, political tensions and the Russian war will drive motivations to attack the “West” higher.
Regarding defense, security is a journey, and the road is taking us to a zero-trust model. We need to be putting one foot in front of the other and making consistent improvements. Standing still is not an option. If we do, we will be overtaken.
Technology can’t solve this problem. This is a business problem that involves People, Process, and Protections. It needs to be treated like any other business activity where a competent leader has the responsibility to affect change, and is held accountable to achieve success. This leader must be armed with an appropriate budget and the knowledge of where to spend the money wisely.
Attackers are focused on stealing credentials from your staff so that they can login as them and begin their criminal activity. This is where you need to invest your cyber-defense budget! The recommendations detailed above are a roadmap to success, and Providence Consulting is standing by to help!
If you would like to learn more, please contact us.