With the return of the Pumpkin Spice Latte and the first leaves falling comes also Cybersecurity Month, a time to focus on the fundamentals of IT security, raise awareness of the practices that keep us safe from cyberattacks and improve your organisation's security posture.
This year has seen attacks on large organisations that many would have considered too big to fail. These incidents highlighted that, when it comes to security, there may be big and small players, but ultimately all it takes for an organisation's defences to be breached is one unpatched vulnerability or one employee clicking on the wrong link.
Attacks directed at OT, critical infrastructure, hospitals and government agencies have also shown the public how real the consequences of a cyberattack can be. The ransomware attack on Colonial Pipeline created fuel shortages and chaos, while the ransomware that took JBS offline resulted in higher meat prices and panic buying. The physical world is now so intertwined with the digital realm that cybersecurity has become everyone's problem.
So, what better time than Cybersecurity Month to check that your organisation has the fundamentals covered and a robust security posture?
1. Do you have an asset inventory?
It sounds obvious, but it's worth repeating: you can't protect what you don't know is there. Anything on the network, even an internet-connected vending machine, needs to be accounted for. As IT infrastructures grow more complex, scanning for all assets and knowing what is there is the first step to closing visibility gaps, and hybrid working has made this more relevant still. Continuous asset discovery lets organisations account for every workstation, server and IoT device that needs monitoring. An external attack surface management tool extends that view to internet-facing assets, including the shadow IT the organisation did not know it had and the risk that comes with it.
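The core of continuous asset discovery is the reconciliation step: compare what a scan actually finds against what the inventory says should exist, and surface both directions of mismatch. The following is an added example, not code from the original post; the inventory and the scan output are constructed (the scan lines imitate the "Host:" line layout of nmap's greppable output, but every address and hostname is fictional).

```python
"""Reconcile a network discovery scan against the asset inventory.

Added example, not from the original post. INVENTORY and SCAN_OUTPUT are
constructed sample data; the scan text mimics nmap -oG "Host:" lines.
"""
import ipaddress
import re

# Constructed inventory: what the CMDB believes is on the network.
INVENTORY = {
    "10.0.1.10": "web-frontend (ops)",
    "10.0.1.11": "web-frontend (ops)",
    "10.0.2.5": "file-server (ops)",
    "10.0.3.40": "printer (facilities)",
}

# Constructed scan output in nmap greppable style. Only "Host:" lines
# whose status is "Up" count as live assets.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.11 ()\tStatus: Up
Host: 10.0.1.12 ()\tStatus: Up
Host: 10.0.2.5 ()\tStatus: Up
Host: 10.0.3.77 (vending-01.local)\tStatus: Up
Host: 10.0.3.40 ()\tStatus: Down
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def parse_live_hosts(scan_text):
    """Return {ip: hostname} for every host the scan reports as Up."""
    live = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else are ignored
        ip, hostname, status = m.groups()
        if status != "Up":
            continue
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        live[ip] = hostname
    return live


def reconcile(inventory, live_hosts):
    """Split the result into two worklists:
    unknown: live on the network but absent from the inventory (shadow assets);
    missing: in the inventory but not seen up in this scan (stale records
             or hosts that are genuinely offline and need checking)."""
    unknown = {ip: live_hosts[ip] for ip in live_hosts if ip not in inventory}
    missing = {ip: inventory[ip] for ip in inventory if ip not in live_hosts}
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, parse_live_hosts(SCAN_OUTPUT))
    for ip, name in unknown.items():
        print(f"UNKNOWN  {ip:<12} {name or '(no hostname)'}")
    for ip, owner in missing.items():
        print(f"MISSING  {ip:<12} {owner}")
```

Run on a schedule, the "unknown" list is the queue of devices that need an owner and a monitoring agent, and the "missing" list keeps the inventory honest; a printer that has not been seen for weeks is either decommissioned or a record that should be retired.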
2. How often do you scan for vulnerabilities?
There is a right answer to this question, and it is: continuously. New vulnerabilities are disclosed every day, and attackers have become very quick at turning them into working exploits and sharing them on dark-web hacking forums. You want to be the first to know when a vulnerability affects your systems, so that it can be patched before it is exploited.
3. Do you have a patch management policy?
Not all vulnerabilities are created equal, and not every patch can feasibly be installed the moment it is released. Installing a patch may require downtime that affects operations, or a new software version may break other programs in the environment. Critical and high-risk vulnerabilities should of course be patched as soon as possible, but lower-risk vulnerabilities may have compensating mitigations that justify delaying an update. A patch management policy lets organisations decide, on a documented basis, which fixes must be installed immediately and which can wait for a maintenance window.
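Writing the policy down as code makes the prioritisation repeatable and reviewable. The following is an added example, not from the original post: it ranks findings by CVSS band, bumps the rating for internet exposure and known exploitation, allows a verified mitigation to lower only medium and low findings, and assigns an SLA. The SLA windows, the bump rules and the sample findings are all assumptions for illustration, not any organisation's published policy.

```python
"""Patch prioritisation as code.

Added example, not from the original post. ORDER/SLA_DAYS, the bump
rules in effective_severity() and SAMPLE are illustrative assumptions.
"""
from dataclasses import dataclass

ORDER = ["low", "medium", "high", "critical"]
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}  # assumed policy


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float                 # CVSS v3 base score
    internet_exposed: bool      # reachable from the internet
    exploited_in_wild: bool     # a working exploit is known to be circulating
    mitigation_in_place: bool   # e.g. feature disabled, network isolation, WAF rule


def base_severity(cvss):
    """Map a CVSS v3 base score to its qualitative rating band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def effective_severity(f):
    """Adjust the base band by context. Exposure and active exploitation each
    raise it one band; a verified mitigation lowers a medium or low finding
    by one band. Critical and high findings are never downgraded."""
    top = len(ORDER) - 1
    idx = ORDER.index(base_severity(f.cvss))
    if f.exploited_in_wild:
        idx = min(idx + 1, top)
    if f.internet_exposed:
        idx = min(idx + 1, top)
    if f.mitigation_in_place and idx < ORDER.index("high"):
        idx = max(idx - 1, 0)
    return ORDER[idx]


def patch_plan(findings):
    """Return (finding, effective severity, SLA days), most urgent first;
    ties on SLA are broken by the raw CVSS score."""
    plan = []
    for f in findings:
        sev = effective_severity(f)
        plan.append((f, sev, SLA_DAYS[sev]))
    plan.sort(key=lambda row: (row[2], -row[0].cvss))
    return plan


SAMPLE = [  # constructed findings
    Finding("vpn-gw", "authentication bypass", 9.8, True, True, False),
    Finding("intranet-wiki", "stored XSS", 6.1, False, False, True),
    Finding("hr-db", "privilege escalation", 7.5, False, False, True),
    Finding("kiosk-3", "information disclosure", 5.3, True, False, False),
]


if __name__ == "__main__":
    for f, sev, days in patch_plan(SAMPLE):
        print(f"{days:>3}d  {sev:<8} {f.asset:<14} {f.title} (CVSS {f.cvss})")
```

Note what the rules do to the sample: the mitigated stored XSS on an internal wiki drops to a 90-day window, but the mitigated privilege escalation on the HR database stays at 7 days because high findings are never downgraded, and a medium information disclosure becomes high purely because the kiosk is internet-facing. Whatever thresholds you pick, the point is that the decision to delay a patch is explicit and auditable rather than made ad hoc during a change window.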
4. How often do you run security awareness training?
Phishing is still among cybercriminals' favourite tactics for gaining a foothold in an organisation's network. Educating all employees is essential to avoid someone clicking on a malicious link or opening an attachment that carries malware. One mistake many organisations make, however, is to underestimate how common spear phishing and BEC scams have become. Many C-level executives do not attend security awareness training alongside their employees, which can lead to them falling for a carefully crafted phishing email that lets an attacker spoof their identity and commit BEC and CEO fraud. Security awareness training should run regularly rather than as a one-off, and it may be a good idea to offer incentives to employees who pass a phishing exercise and report the malicious message.
5. What is your company’s security culture like?
Fostering a company culture that encourages employees to come forward when they think they may have clicked on something malicious, or may have spotted a threat, is also an important component: creating fear serves nobody and only delays the discovery of an incident. Encouraging every division to take an interest in security, and inviting security teams to communicate more with the rest of the business, goes a long way to hardening the frontline of any organisation's defences.