By Chuck Brooks, President of Brooks Consulting International
Cyber awareness means strong risk management
While it is true that anyone and everyone is vulnerable to cyber-attacks, there are available protections and defenses for helping mitigate those threats. It starts with having a risk management strategy and being proactive.
Because the digital risk environment is increasingly precarious, a security strategy for risk management needs to be both comprehensive and adaptive. It involves people, processes and technologies. At its core, cyber awareness means being vigilant, identifying gaps, assessing vulnerabilities and having strategies in place to mitigate threats.
Companies and organizations should have a working understanding of risk management (and of their own risk exposure) and have context on the array of threats and threat actors they face. They should also be knowledgeable about the guiding functions of the National Institute of Standards and Technology Cybersecurity Framework: identify, protect, detect, respond, recover.
There are some easy steps that can be taken to fortify cyber defenses and become more aware. Some things to keep in mind:
Patching and updating of software to close known vulnerabilities must be kept current. Unfortunately, many companies and organizations are slow—and in many cases, negligent—in applying the patches that would prevent breaches. With so much malware circulating on an increasingly large attack surface, patching has become a top priority. There is no excuse for not keeping systems and applications updated.
Cyber hygiene is an elemental step in cyber awareness. Phishing, because it is very simple to do and often successful, is a preferred method for criminal hackers, and the simplest advice is to not click on files that are unfamiliar. Because hacker tools employ automated phishes and quality graphics that can mimic banks and businesses, it is very important to pay careful attention to the URLs of websites to make sure they are legitimate and not spoofs. Especially watch closely for spam, fake job offers, invoices for items you did not order and messages from your company that seem out of place. Also, make it a habit to verify that email senders are who they say they are, and exercise caution when opening any email attachments.
Another part of cyber hygiene is having strong passwords that are not easy to guess via social engineering. Also, multifactor authentication is a good practice and a good means of preventing less sophisticated attacks. Training employees to recognize malware and phishing threats is a necessity in today’s business environment.
As part of cyber hygiene, check your permissions on your apps to see what data they are accessing. If it is not something you authorized, be sure to revoke those access rights and to clean out your cookies.
It is important to have a strategy for resilience. If you end up victimized by a breach, be sure to have an incident response plan in place. That plan should also include potentially contacting law enforcement to assist in recovering files and investigating who is doing the hacking.
Companies and individuals should employ anti-malware and anti-ransomware platforms, along with technologies that guard their devices, such as firewalls and email filters. Emerging technologies such as artificial intelligence and machine learning offer software tools that can detect anomalies, provide user behavioral analytics and help mitigate threats. AI and ML are viable options for companies to consider for fortifying their security.
Everyone online—companies and consumers—should follow the important rule of backing up important or sensitive files. Proper backup procedures cost little in expense and time and can serve as an insurance policy for keeping company operations flowing in the case of a breach. Encrypting those files is also a good path to follow in case of any breach.
If you are a small or medium company that lacks resources, managed security services and managed service providers are options to consider for both prevention and incident response. Many firms can monitor networks and provide enabling cybersecurity technologies and threat assessments. MSS makes economic sense for many industries and businesses that do not have (or cannot afford) the internal subject matter expertise or capabilities to handle increasingly sophisticated breaches.
Finally, but certainly not least on this risk management list, is the need to share threat information. Unfortunately, the reality is that many small and medium businesses lack the resources and expertise to respond to growing cyber threats. The harsher recognition is that many underserved communities and smaller businesses do not even have a basic awareness of the cyber threats to which they are susceptible. Sharing such information will help keep those who were previously unaware abreast of the latest viruses, malware, phishing threats and ransomware putting them at risk. And, in addition to data, cyber defense tools could also be recommended or shared by the government to bolster defenses.
In summary, the Cybersecurity Awareness Act stipulates that “Government of the United States plays an important role in safeguarding the nation from malicious cyber activity. A citizenry that is knowledgeable regarding cybersecurity is critical to building a robust cybersecurity posture and reducing the threat of cyber attackers stealing sensitive information and causing public harm. While Cybersecurity Awareness Month is critical to supporting national cybersecurity awareness, it cannot be a once-a-year activity and must be a sustained, constant effort.”
A sustained, constant effort for cybersecurity awareness is key. Increased government and industry cooperation is the most prudent way to help mitigate cyber threats by educating those who are currently unaware. That is why the Cybersecurity Awareness Act is a big step in the right direction.