2018 had its share of cybersecurity drama—Meltdown and Spectre vulnerabilities, installation of malicious computer chips within the hardware supply chain, major breaches, and data exposures due to misconfigurations and errors in the public cloud.
All this and more sparked several predictions of what’s likely to unfold in 2019, including increased accountability regarding regulatory compliance, security improvements in hardware and the cloud, advancements in serverless computing, a new focus on intellectual property as a bounty of trade wars, and more.
However, there are solutions! And there’s no better time than now—the beginning of a new year—to assess your infrastructure and implement proven cybersecurity measures that you might not be aware of.
Read on, and stay tuned! This cybersecurity checklist is just the first in a series of blogs that we’ll be sharing with you on today’s best practices in proactive cybersecurity.
Research has shown that passwords consisting of overly complex combinations of digits and/or characters don’t necessarily equate to security. They’re often difficult to remember (especially if you update them often), causing many people to write them down or reuse them across multiple accounts, an even worse security practice. Instead, if possible, try using a silly phrase that wouldn’t make sense to anyone else (e.g., “MY favorite color is 99 ducks!”). That makes your password harder for hackers to guess, and you should steer clear of any element of your password that could be obtained through social media stalking. Also consider requiring that employees use a password manager that allows them to store, remember and access passwords safely, instead of relying on crazy, complex character strings or dangerous shortcuts.
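To make the advice above concrete, here is an added example (not Armor's code) of a password policy check that rewards length and phrase structure over character-class complexity and rejects anything built from details an attacker could learn from a public profile. The thresholds (16 characters, 4 words), the tiny common-password list and the leet-folding table are assumptions chosen for illustration; a real deployment would check against a large breached-password corpus.

```python
"""Passphrase-friendly password policy check (added example, not from the original post)."""
import re
from typing import List

MIN_LENGTH = 16   # assumption: a long phrase beats a short "complex" token
MIN_WORDS = 4     # assumption: whitespace-separated tokens


def _normalize(s: str) -> str:
    """Lower-case and fold common substitutions so 'P@ssw0rd' compares as 'password'.

    Both the candidate and every list it is compared against go through this,
    so digits in personal terms (e.g. a birth year) still match consistently.
    """
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})
    return s.lower().translate(table)


# Constructed sample of frequently breached password bases; a real deployment
# would load a large breached-password corpus instead.
COMMON_BASES = {_normalize(p) for p in ["password", "qwerty", "letmein", "welcome"]}


def check_passphrase(candidate: str, personal_terms: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the passphrase is acceptable.

    personal_terms: words an attacker could harvest from social media (pet names,
    birth years, employer, hometown, ...), supplied by the user or at onboarding.
    """
    problems = []
    normalized = _normalize(candidate)
    # Letters and digits only, so "P@ssw0rd1!" still starts with "password".
    core = re.sub(r"[^a-z0-9]", "", normalized)

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate.split()) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words; use a phrase, not a token")
    if any(core.startswith(base) for base in COMMON_BASES):
        problems.append("built on a common breached password")
    # Anything derivable from the user's public footprint is rejected outright.
    for term in personal_terms:
        if len(term) >= 3 and _normalize(term) in normalized:
            problems.append(f"contains personal term {term!r}")
    return problems


if __name__ == "__main__":
    profile = ["Rex", "1985", "Acme Corp"]   # constructed "social media" facts
    for pw in ["MY favorite color is 99 ducks!", "P@ssw0rd1!", "Rex is my dog born 1985 woof"]:
        print(repr(pw), "->", check_passphrase(pw, profile) or "OK")
```

The phrase from the post passes, the short leet-speak token fails on length, word count and its breached base, and a long phrase still fails when it leaks the dog's name and a birth year.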
It’s a dangerous cyber-world out there, and threat actors are getting craftier every day. That’s why it’s important to employ a security solution that includes more than just one tool or technology, as well as an end-to-end and fully tested response plan. There is no one silver bullet. If you think you have one in place, ask yourself what happens when the lone bastion fails. If it sounds complex, it doesn’t have to be; there are solutions out there that are just right for an enterprise like yours.
Most people assume that their response plan is foolproof and that everyone and every step will work as it should. However, many companies don’t fully test their response plans. One of the more common issues occurs when the backups you were sure would work end up failing when you need them most. It’s crucial not only to have a response plan in place in case of a data breach, but also to test it completely and ensure that all departments are prepared for when (not if) that day comes.
When partnering with third-party vendors—especially when giving them the ability to interact with your internal systems, such as order management, testing, etc.—both you and they become potentially vulnerable. As with any relationship, there is an assumed level of trust, and allowing another company to access your systems or environment is no different. There are ways to protect both entities, however, so that nefarious actors can’t compromise one company through the vulnerabilities of another. Both parties should also be aware of the security controls and compliance obligations the other has in place. Additionally, while most don’t think about this, you shouldn’t advertise who you’re doing business with beyond what marketing requires. It isn’t a credible or safe practice, and it makes both organizations a target for cybercriminals through a watering hole attack.
Nothing stays the same for long—especially in the world of technology. So while, yes, it’s daunting to keep up with all the contents and activities of your existing servers, changes in compliance mandates, and all the security features of your network, the bottom line is: You can’t expect to secure an environment if you don’t know what’s on there. The good news? There are tools to help you assess your existing infrastructure and the data stored there, evaluate your security environment to ensure that it’s up to date, make sure you can patch it to minimize attacks, and know exactly how—and what—to patch.
Not knowing what is in your environment means you likely have a number of vulnerable systems that require patching. Most companies believe that a year is enough time to patch a vulnerability, when in fact the time from vulnerability to weaponization is around 90 days. Organizations need to set up a reasonable timeline for identifying, testing, and deploying necessary patches. If a patch is needed and it can’t be rolled out, you shouldn’t be operating exposed to the world without other mitigating controls in place.
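The two preceding paragraphs make a pair of points: you need an inventory of what is in your environment, and every unpatched finding must either be remediated inside the roughly 90-day weaponization window or be covered by a compensating control. As an added example (not Armor's code or tooling), the following script turns a small inventory into an exposure report that applies exactly that rule. Asset names, vulnerability identifiers, dates and mitigations are constructed placeholders, and the 90-day figure is the one quoted above.

```python
"""Patch-exposure report over an asset inventory (added example, not from the original post)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

WEAPONIZATION_WINDOW_DAYS = 90   # figure quoted in the post


@dataclass
class Finding:
    asset: str
    vuln_id: str                       # placeholder identifier, not a real CVE
    disclosed: date                    # when the vulnerability became public
    patch_available: bool
    patched_on: Optional[date] = None
    mitigations: List[str] = field(default_factory=list)  # e.g. network ACL, WAF rule


def exposure_days(f: Finding, today: date) -> int:
    """Days the finding was exploitable: disclosure until patch, or until today if unpatched."""
    end = f.patched_on or today
    return (end - f.disclosed).days


def classify(f: Finding, today: date) -> str:
    """Status per finding:
      patched           remediated
      mitigated         unpatched but covered by a compensating control
      within-window     unpatched, younger than the weaponization window
      overdue           unpatched past the window, a patch exists, no mitigation
      exposed-no-patch  no vendor patch and no mitigation: the situation the post says not to accept
    """
    if f.patched_on is not None:
        return "patched"
    if f.mitigations:
        return "mitigated"
    if exposure_days(f, today) < WEAPONIZATION_WINDOW_DAYS:
        return "within-window"
    return "overdue" if f.patch_available else "exposed-no-patch"


def report(findings: List[Finding], today: date) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group findings by status, worst first: {status: [(asset, vuln_id, days_exposed), ...]}."""
    order = ["exposed-no-patch", "overdue", "within-window", "mitigated", "patched"]
    out: Dict[str, List[Tuple[str, str, int]]] = {k: [] for k in order}
    for f in findings:
        out[classify(f, today)].append((f.asset, f.vuln_id, exposure_days(f, today)))
    return out


# Constructed inventory snapshot
TODAY = date(2019, 1, 15)
INVENTORY = [
    Finding("web-01", "VULN-A", date(2018, 9, 1), True),                                  # 136 days, unpatched
    Finding("web-02", "VULN-A", date(2018, 9, 1), True, patched_on=date(2018, 9, 20)),    # fixed in 19 days
    Finding("db-01", "VULN-B", date(2018, 12, 20), True),                                 # 26 days, still in window
    Finding("legacy-erp", "VULN-C", date(2018, 6, 1), False, mitigations=["isolated VLAN"]),
    Finding("legacy-hr", "VULN-C", date(2018, 6, 1), False),                              # 228 days, nothing covering it
]

if __name__ == "__main__":
    for status, items in report(INVENTORY, TODAY).items():
        for asset, vuln, days in items:
            print(f"{status:17} {asset:12} {vuln:8} exposed {days:4d} days")
```

Run against a real inventory, the "overdue" and "exposed-no-patch" buckets are the patch backlog the post is talking about; the mitigated bucket is the list of compensating controls that need to be revisited each time the inventory changes.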
Storing Necessary Information
Stop and think for a moment: If a threat actor gains access to your system, what will they find? Why do you have that information stored? Now, ask yourself: “Do I need this information?” Whether it be medical information, credit card data, or other forms of personally identifiable information, only store customer information that you absolutely need. If you don’t need it, get rid of it. If you need it, are you protecting it adequately and in line with any applicable compliance standards? This mitigates the breadth of information cybercriminals can get their hands on when they compromise your system.
When it comes to cybersecurity, perhaps the two most important rules to follow are (1) Operate with a mentality of “not if a compromise will happen, but when”; and (2) prepare yourself to stay one step ahead using up-to-date security measures, as well as awareness of the ever-changing terrain. Be on the lookout for our next post in this series on best practices! At Armor, we’ve got your back!