The previous post in our Cybersecurity strategy series addressed whether to outsource or keep cybersecurity efforts inside your organization, a critical consideration in building an effective cyberdefense strategy.
To refresh your memory:
- An effective cybersecurity strategy is divided into 7 characteristics, which categorize your strategy’s various entities and functions.
- These characteristics and independent functions can be outsourced a la carte – or you can go the ‘all or nothing’ route. Check out the post to see what we recommend keeping in-house.
- Four considerations should guide all of your outsource v. in-house decisions: Cost, Time, Vulnerability (risk), and Security
- When outsourcing, you should always evaluate and scrutinize third-party security vendors you’re considering before trusting them with your data.
Remember, based on your industry, size and function, some (or all) the entities in your cybersecurity strategy can be outsourced. But as we mentioned in our previous post, this doesn’t absolve you of responsibility… you will need to ensure your experienced third-party security vendor is executing credible and reliable methods of securing your data. Click here for our guide to screening third-party security vendors.
Deciding which cybersecurity efforts to keep in-house v. outsource is the beginning of phase 2 in building out your cybersecurity strategy:
This post is crucial in our Cybersecurity series, as we’re delving into specific functions your cybersecurity defense team should implement to build an effective preventative security infrastructure:
Your Preventative Cybersecurity Checklist
Employee Background Checks
No employee should ever be hired on without first being subject to an extensive background check. While federal and state laws require varying degrees of employee screenings, we recommend executing a screening that checks for nationwide criminal and sexual offender status. Also consider seeking character references and credit checks as part of employee screenings. Obviously, you’ll want to look for red flags, but make sure to compare screening results with information provided on the candidate’s resume… this speaks to credibility and trustworthiness.
This entity of a cybersecurity strategy is most often outsourced to a company specializing in employee screenings. These companies have resources that often make screening employees quicker, cheaper and more thorough than going at it yourself. Whether you choose to outsource or screen employees on your own, ensure that federal and state mandates are followed. We recommend being thorough, but the Fair Credit Reporting Act and state laws regulate what information about a candidate can be produced. Make sure you or your third party follow the letter of the law during the screening process… here’s what can happen if you don’t
Develop Organization-Wide Standards
Development of policies and expectations is key in creating cyber standards for your organization. Our next post will delve into factors to consider as you craft standards and policies that best protect your organization. Stay tuned.
Develop, Implement, and Maintain an Employee Training Program… Cyber style
A cybersecurity employee training program should be implemented as part of your employee onboarding. No employee should be permitted to have access to the organization’s network until undergoing this training. Like developing standards, we have some insight on developing, implementing, and maintaining an effective training program that we’ll share in our next post!
Create Individual User Accounts for Every Employee
Every employee and contractor should have an individual set of credentials (username & password) to log on to their digital devices and internal platforms or systems. Many security protocols and best practices rely on all users having their own user account. This allows tracking and logging of a user’s activity, which is crucial in identifying standards or policy violations and the source of cyber intrusion attempts or breaches.
“It is absolutely essential that organizations stay on top of what devices are running on their networks and whether they are in compliance with policy.” – Amy Larsen DeCarlo | TechTarget
A unique username and password should accompany every employee’s or contractor’s account, which is only given to that employee or contractor. Handling of user account passwords should be addressed in your employee cyber security training; however, when assigning credentials, confirm the employee knows that passwords should never be shared, written down, or stored in unauthorized applications or browser memory. Additionally, employees should change their temporary password immediately upon their first sign on—many applications and software automatically require this.
Some additional considerations regarding user account passwords:
- Passwords should be required to be strong and unique, meaning they are least 8-10 characters long with a mix of upper and lower-case letters and at at least one number and symbol.
- All user accounts—regardless of system, platform or device—should have a mandatory password expiration time frame, prompting for a new and different password after so much time has passed.
- Knowledge Base Authentication (KBA) is a supreme defender against impersonation attempts, which is why AssureSign offers this feature with our eSignature platform and integrations. KBA enables log in processes to require information unique to the person’s identity (owned vehicles, previous employers, current state of residence, etc.) before access is granted. This step is in addition to a password requirement. This security layer is likely excessive for every-day system use, but can be used for access to more sensitive or private data.
Limit User Permissions
User accounts also enable access controls for administrators, which allow permissions to be distributed to employees. Limiting permissions among user accounts dramatically decreases the potential for cyber breaches. As a rule, if employees don’t need a “permission” to perform tasks associated with their job role, they shouldn’t have it. Make a list of all possible permissions and who would need them. Document when an employee’s account has been given a permission and if it is revoked.
Identify and Control Access Allowances
After creating user accounts for internal employees and contractors, take steps to prevent anyone else from gaining access to your network. Depending on your organization… customers, cleaning crews, maintenance staff, external technicians and visitors may occasionally need access to areas where digital devices are. While they may require access to the area, they should never be permitted to have unsupervised access to machines connected to your network.
Allowing unsupervised access to machines and devices creates vulnerability and opportunity for malware, spyware, and other breaches to occur. Protocols in your cyber policy and standards should address issues of external access, such as supervision of external technicians or locking down devices before leaving them unattended.
Installations That Enhance Security
A host of software and applications are available to keep your network and machines free of malware, spyware, and other intrusion materials. Take a look at what every vigilant cyber hero should use or consider using in the fight against cybercrime:
- Operating System
We’ll start with an easy one. Every machine and mobile device requires an operating system. Whether it be Windows, macOS, or Linux for desktops/laptops or iOS, Android, or Blackberry OS for smart devices, the operating system should work well with your organization’s functionality and security needs.
Deciphering the “best” operating system will heavily depend on your use cases and organization needs.
It is critical that these operating systems be kept up-to-date with the latest patches from the manufacturer. Several well-known security incidents from earlier this year were promulgated by outdated operating systems.
Firewalls are an extremely effective method of deterring and preventing cyber breaches. They defend your digital machines and devices from unwanted malware, spyware, and traffic… like known intrusion websites and communications.
There are two types of firewalls, both work to protect your network and the machines connected to it:
1. Hardware Firewalls
Hardware firewalls are typically purchased as stand-alone hardware, but can also be found in other products, like Wi-Fi routers. These firewalls decipher the source and intended destination of data passing through your network to determine whether to allow or deny access to connected machines. While firewalls found in other products typically do just fine for personal networks, your organization will likely require a designated hardware firewall designed to protect larger networks. The perk of purchasing a hardware firewall? All your connected machines are protected… and most hardware firewalls come with the capacity to protect more than three devices.
2. Software Firewalls
Software firewalls are installed directly onto a device and protect it from outside control or access attempts. A software firewall should constantly be running on your system… the quality ones will run in the background and use only a small amount of the machine’s active memory. Many of these firewalls come with settings to automatically block applications it deems “unsafe” from running on your machine. Other protections may include print sharing controls, web filtering, safe file set up, and more. Make sure to invest in a software firewall complete with spyware that identifies and blocks known trojans and viruses.
So, which firewall should you invest in?… Both.
Both hardware and software firewalls work in tandem to protect machines and devices connected to your network.
- Intrusion Detection/Prevention System
An Intrusion Detection/Prevention System (IDPS)—or sometimes referred to simply as an Intrusion Prevention System (IPS)—is considered an advanced layer of security and may not always be necessary depending on the type and level of data your organization processes. An IPDS is a network security technology that analyzes network traffic flow to detect and prevent vulnerability exploits like application targeting or remote control attempts. Sonicwall is a popular IDPS, and is typically utilized by organizations with heavy or classified data.
- Remote Wiping Application
These applications allow a user to remotely wipe all the data from a device’s hard drive. This comes in handy when a device is lost or stolen.
What NOT to Install
- Any applications or programs that are flagged by a firewall. They’ve likely been flagged due to known issues or an expired/missing certification.
- Downloads or applications attached to an unexpected or unfamiliar email. If the email wasn’t expected or is not familiar to you, it’s likely a virus of sorts. If your firewall’s sophistication is adequate, it should block the install… however, we don’t recommend testing fate.
- Installs or uploads from URLs with no HTTPS. The “S” indicates the website is providing a “Secure” connection by encrypting data sent between your browser and the website. If a website has the HTTP:// prefix (with no “S”), it’s not considered a “Secure” connection and can be vulnerable to malware and other cyber intrusions.
- Unnecessary applications or software. If it’s not pertinent to the functioning of your organization, consider passing it up.
Secure Wireless Access Points and Networks
Your network and Wi-Fi connecter hardware should be properly protected and secured before going online. Make sure the settings on both your Wi-Fi router and your network access points are secured with the protections needed to keep your data safe. Ensuring your wireless internet connection is password protected (WPA-2), changing the network name (SSID) from the default, enabling encryption, and activating included firewalls are ways to reduce your cyber vulnerability.
Additionally, consider having a “guest” network for visitors and locking down your trusted Wi-Fi network to allow only previously defined devices. You can do this by limiting the MAC addresses on your wireless network. Not sure how to change your Wi-Fi settings? here’s how!
Browser and Email Filters
Internet browser and email filters are foundational—not to mention free and easy—security measures that help deter cyberattacks and intrusion attempts. Email filters can be utilized to reroute spam, prevent automatic downloading of HTML for messages with unrecognized senders, and even encrypt messages. Web filters can limit internet cookie use, password storing, and other preventative settings. We recommend modifying browser filters to prevent users from visiting a website with known issues (expired or fraudulent certificates, known malware, etc.).
Encrypt Sensitive (or all) Data
Encryption is defined as “the process of making your electronically stored information unreadable to anyone not having the correct password or key.” Many, if not most, operating systems and machines come standard with full-stack encryption (FDE) capabilities, while others require external applications. Even if the OS does not come equipped with full-stack encryption, most desktops and laptops are FDE capable. Some (not all) smart phones and tablets are FDE capable.
Click here for PCMag’s top encryption software of 2017. (you can find ones for free too!)
Properly Dispose of Old Equipment
And we end with the inevitable… the proper disposal of outdated or otherwise unusable digital equipment. The waters of digital transformation seem to churn faster and faster by the minute… leading to the eventual need to dispose of outdated equipment. Unlike the sandwich left in the breakroom fridge over the weekend, you can’t just toss your devices and head back to your desk—or the breakroom… again.
Improperly disposing of old equipment leaves your data unprotected and vulnerable at the very least. Follow these steps when disposing of digital equipment:
- Wipe the hard drive. Many operating systems provide this capability, if not, there are downloadable apps that can get the job done.
- Next, remove the hard drive and physically destroy it. Before you grab a hammer… consult a company that can securely (not to mention safely) destroy hard drives (find one that allows you to examine or watch the process).
- After the hard drive is removed, the computer can be sold, donated, or trashed.
Easy as 1-2-3. Follow this cycle for all stationary and mobile devices.
There you have it, the checklist of all checklists when it comes to implementing a preventative defense to cyberattacks. Following these steps will enable you to create an all-encompassing defense to the growing number of cyberthreats in the digital realm. Stay tunned for our guide to creating a quality employee training program along with policies and standards that protect both your organization and employees.