Attackers are changing the way they do business. Malware is still a tremendous danger, but many attackers now use forged emails and social engineering to steal credentials without running any code at all. Once they can log in to your network, they work out how to abuse and escalate the privileges of the compromised user. Finally, they scan your network from the inside, looking for weaknesses they can exploit to steal or encrypt your most valuable information.
As a CEO, your job is to understand that any user, including yourself, is vulnerable to attack. You may not be able to prevent every intrusion. You need to perform asset inventory – understand what your most valuable assets are, what it will cost to lose them, and how vulnerable they are, right at this moment. After that, your job is to mitigate the risk – using our four P’s approach to cybersecurity described below.
Your workforce is equal parts your first line of defense and your greatest vulnerability. The average employee receives about five phishing emails per week. Verizon's Data Breach Investigations Report has found that roughly 30% of phishing messages are opened and 12% of recipients go on to click the embedded link or attachment. A combination of email security, integrated browser security, and endpoint protection will mitigate most of these attacks, but it only takes one successful attack to cause, by one estimate, an average of $1.6 million in damage.
The good news is that training works, to an extent. A four-week training course can reduce the susceptibility of your employees by up to 75%. These courses teach employees the hallmarks of a phishing email – what to look for and what the risks are. They are followed up with automated, randomly timed spot tests – fake phishing emails sent to keep employees on their toes and help them recognize the real thing.
Here's the catch: your email filter usually does a far better job of identifying phishing emails than your employees do. Don't just delete the phishing emails that make it through your security filters. Your triage team should study them, so that the sender domains, reply addresses, and links they contain can be blocked and any future attempt using the same method fails. If you don't currently have a team that can do this, you need to invest in an MSP partnership that can monitor your environment and implement robust controls.
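The kind of triage described above can be partly automated. The following script is an added example written for this page, not code from the original article or from any vendor. It parses a constructed sample phishing message, reads the receiving mail server's Authentication-Results header (SPF, DKIM, DMARC), compares the From and Reply-To domains, extracts every URL from the body, and returns the domains a triage team would consider adding to a blocklist. The sender, recipient and domains in the sample are fictitious.

```python
"""Triage a phishing email that slipped past the filter and extract indicators.

Added example, not from the original article. The message below is constructed;
header names follow RFC 5322 and RFC 8601 (Authentication-Results).
"""
import json
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: a credential-phishing message that spoofs the display name,
# fails DMARC, and links to a look-alike domain plus a domain-prefix trick.
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
Reply-To: recover@mail-reset-portal.net
To: ceo@example.com
Subject: Action required: your password expires today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-corp.com;
 dkim=none; dmarc=fail header.from=examp1e-corp.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires in 2 hours. <a href="https://mail-reset-portal.net/login?u=ceo">Reset now</a></p>
<p>Or visit http://examp1e-corp.com.evil-cdn.xyz/sso</p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return the indicators a triage team would record from one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    from_domain, reply_domain = _domain(from_addr), _domain(reply_to)

    # Authentication-Results is stamped by your own receiving MTA. A dmarc=fail on a
    # message that still reached the inbox is the first question for the mail gateway.
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    urls = sorted(set(URL_RE.findall(text)))
    url_domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

    findings = []
    if auth.get("dmarc") == "fail":
        findings.append("dmarc_fail")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    # A link domain that is neither the sender domain nor a true subdomain of it.
    # "examp1e-corp.com.evil-cdn.xyz" is caught because it does not END with the sender domain.
    if any(d != from_domain and not d.endswith("." + from_domain) for d in url_domains):
        findings.append("links_off_sender_domain")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "auth": auth,
        "urls": urls,
        "block_candidates": sorted({from_domain, reply_domain, *url_domains} - {""}),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run it against a saved .eml file by replacing SAMPLE_EML with the file's bytes. The block candidates are a starting point for review, not an automatic blocklist: the spoofed sender domain here is a look-alike, but a compromised legitimate partner domain would also appear in this list and should be handled differently.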
If you don't know what you have, you can't see what you have to protect. Your IT infrastructure is changing more rapidly than it used to. The commodification of applications has made it easier for departments to make purchases without the approval of the CIO. The commodification of servers has made infrastructure upgrades easy. The advent of containers and microservices has made it easy to change your IT architecture.
Also, privilege creep has always been – and will continue to be – a problem.
Depending on the size of your organization, you now need to inventory your devices, infrastructure, software, and user privileges every three to six months. Comparing each inventory with the previous one gives you a moving snapshot of your organization. Are there too many users with admin privileges? Has a new application stack suddenly appeared in marketing? Which devices are new on your network?
Knowing what software and infrastructure you run lets you patch it quickly when new vulnerabilities are disclosed. You should aim to check for new software versions daily and apply security updates within 24-48 hours of release. Most companies don't do this – the rule of thumb is that only 25% of companies patch on day one. Aim to be in that top quartile and you will be much more secure as an organization.
Additional considerations: external and internal penetration testing every six months will help keep your patching and vulnerability management programs accountable. If you're subject to HIPAA, PCI-DSS, GDPR, etc., you may need to schedule audits more frequently. Try correlating the results of security awareness training with levels of employee access. In other words, someone who repeatedly falls for simulated phishing attempts should not hold elevated privileges.
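The privilege review and the training-versus-access correlation described above can be done from two exports. The script below is an added example for this page, not the article's or any vendor's code. It diffs two constructed quarterly snapshots of group membership (the kind of export a directory service produces), lists groups that did not exist last quarter, and joins the current privileged users against constructed phishing-simulation results to show who holds elevated rights and also clicked. The users, groups, campaign names and the set of groups treated as privileged are all assumptions.

```python
"""Diff privileged-access inventories and correlate them with phishing-simulation results.

Added example, not from the original article. All data below is constructed; real
inputs would be exports from your directory and your awareness-training platform.
"""
import csv
import io
from dataclasses import dataclass

# Constructed quarterly snapshots of who holds elevated rights (user,group).
SNAPSHOT_Q1 = """user,group
alice,Domain Admins
bob,Helpdesk Admins
carol,Domain Admins
"""
SNAPSHOT_Q2 = """user,group
alice,Domain Admins
bob,Helpdesk Admins
bob,Domain Admins
dave,Server Operators
erin,Marketing App Admins
"""

# Constructed results from recent simulated-phish campaigns (user,campaign,clicked).
PHISH_RESULTS = """user,campaign,clicked
alice,2024-Q2-invoice,0
bob,2024-Q2-invoice,1
bob,2024-Q2-mfa-reset,1
carol,2024-Q2-invoice,0
dave,2024-Q2-mfa-reset,1
erin,2024-Q2-invoice,0
"""

# Assumed: the groups this organization treats as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Helpdesk Admins"}


def load_memberships(snapshot_csv: str) -> set[tuple[str, str]]:
    return {(r["user"], r["group"]) for r in csv.DictReader(io.StringIO(snapshot_csv))}


def load_click_counts(results_csv: str) -> dict[str, int]:
    counts: dict[str, int] = {}
    for r in csv.DictReader(io.StringIO(results_csv)):
        counts[r["user"]] = counts.get(r["user"], 0) + int(r["clicked"])
    return counts


@dataclass
class InventoryReport:
    added: set[tuple[str, str]]          # memberships granted since the last inventory
    removed: set[tuple[str, str]]        # memberships revoked since the last inventory
    new_groups: set[str]                 # groups that did not exist last quarter
    clicked_privileged: dict[str, int]   # privileged users who clicked, with click counts


def review(previous: str, current: str, phish: str) -> InventoryReport:
    before, after = load_memberships(previous), load_memberships(current)
    clicks = load_click_counts(phish)
    privileged_now = {u for u, g in after if g in PRIVILEGED_GROUPS}
    return InventoryReport(
        added=after - before,
        removed=before - after,
        # A brand-new group is how an unreviewed application stack shows up in the directory.
        new_groups={g for _, g in after} - {g for _, g in before},
        # The correlation the text asks for: elevated rights held by someone who clicked.
        clicked_privileged={u: n for u, n in clicks.items() if n > 0 and u in privileged_now},
    )


if __name__ == "__main__":
    report = review(SNAPSHOT_Q1, SNAPSHOT_Q2, PHISH_RESULTS)
    for name in ("added", "removed", "new_groups", "clicked_privileged"):
        print(f"{name}: {getattr(report, name)}")
```

In the constructed data, bob gained Domain Admins during the quarter and clicked in both campaigns, which is exactly the combination the review is meant to surface; carol's revoked membership and the new "Marketing App Admins" group are the other two questions the inventory should raise.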
Increasingly, the aftermath of a cyberattack is treated like that of a fire, health emergency, or car crash – something that should be expected, planned for, and insured against. Although most companies hold some form of cyber insurance policy, only 30% have full coverage. If you don't have full coverage, you may wish to reevaluate your choices based on your level of risk.
Also, you should understand that cybersecurity insurance isn’t a cure-all. Many insurance companies will want to see evidence that you prepared in good faith against an attack. If you didn’t defend yourself, your insurer might deny your claim.
Companies need to invest in technologies that let them detect and mitigate the lateral movement of attackers through their network. Network Access Control (NAC) isn't a new technology, but this is why its use has become more critical. Administrators should aggressively segment their internal networks so that even legitimate users are restricted to the systems they need – and are authenticated at every opportunity. Finally, users and their accounts do get compromised; layering on an infrastructure anomaly detection tool that raises red flags on suspicious activity gives your security team another input for triage. These tools can operate in conjunction with NAC to stop malicious behavior once those red flags are waved.
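What a segmentation policy plus anomaly detection looks like in practice is shown by the script below. It is an added example for this page, not the article's or any product's code. It runs two rules over constructed authentication log lines: a logon that crosses network segments the policy does not allow (even a successful one, and even a failed one, since failures are what scanning looks like), and one account reaching a threshold of distinct hosts within a short window. The segments, the allowed paths, the log format and the thresholds are all assumptions chosen for illustration.

```python
"""Flag lateral-movement indicators in authentication logs.

Added example, not from the original article. The log lines, network segments,
allowed paths and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed segmentation policy: which source segment may open logons to which destination segment.
SEGMENTS = {
    "workstations": ip_network("10.10.1.0/24"),
    "jump_hosts": ip_network("10.20.0.0/28"),
    "servers": ip_network("10.30.0.0/24"),
}
ALLOWED_PATHS = {
    ("workstations", "jump_hosts"),   # users reach servers only via a jump host
    ("jump_hosts", "servers"),
    ("servers", "servers"),
}
FANOUT_LIMIT = 3                        # distinct destinations for one account...
FANOUT_WINDOW = timedelta(minutes=10)   # ...within this window

# Constructed log: alice follows the approved path; bob's workstation account
# hops between peer workstations and then straight to a server.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z user=alice src=10.10.1.23 dst=10.20.0.5 result=success
2024-05-02T09:00:40Z user=alice src=10.20.0.5 dst=10.30.0.12 result=success
2024-05-02T09:14:03Z user=bob src=10.10.1.23 dst=10.10.1.45 result=success
2024-05-02T09:14:09Z user=bob src=10.10.1.23 dst=10.10.1.46 result=failure
2024-05-02T09:14:15Z user=bob src=10.10.1.23 dst=10.10.1.47 result=success
2024-05-02T09:14:21Z user=bob src=10.10.1.23 dst=10.30.0.12 result=success
2024-05-02T11:30:00Z user=carol src=10.10.1.99 dst=10.20.0.5 result=success
"""


def parse(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def segment_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), "unknown")


def detect(log: str) -> list[dict]:
    alerts: list[dict] = []
    recent: dict[str, deque] = defaultdict(deque)   # user -> (ts, dst) seen within the window
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        src_seg, dst_seg = segment_of(rec["src"]), segment_of(rec["dst"])

        # Rule 1: any logon across a path the segmentation policy does not allow.
        if (src_seg, dst_seg) not in ALLOWED_PATHS:
            alerts.append({"rule": "segment_violation", "user": rec["user"],
                           "path": f"{src_seg}->{dst_seg}", "ts": rec["ts"].isoformat()})

        # Rule 2: one account touching many distinct hosts quickly. Failures count,
        # because a scan produces failures before it produces a success.
        q = recent[rec["user"]]
        while q and rec["ts"] - q[0][0] > FANOUT_WINDOW:
            q.popleft()
        seen = {d for _, d in q}
        q.append((rec["ts"], rec["dst"]))
        if rec["dst"] not in seen and len(seen) + 1 == FANOUT_LIMIT:   # fire once per burst
            alerts.append({"rule": "fanout", "user": rec["user"],
                           "hosts": sorted(seen | {rec["dst"]}), "ts": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log, alice and carol produce nothing, while bob produces four segment violations and one fan-out alert. The segment rule is the one NAC can enforce directly; the fan-out rule is the anomaly signal the text describes, and an alert from it is a reason to have NAC quarantine the source host rather than wait for the next hop.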
Getting started with cybersecurity is hard and getting harder – but you still have to do it. The good news is that there are more accessible ways to evaluate your risk and determine the steps you need to take.
For example, you can join an industry peer group or bring in an industry expert. A peer group is a collective of individuals from similar industries looking to solve a common set of problems. An industry expert would be a cybersecurity consultant with experience in your industry who can help you understand the specific risks endemic to your organization. Your primary source of information will be asking questions such as:
From here, you may wish to bring in a third-party expert to drive your organization towards your goals. You might choose to hire a permanent partner, such as an MSP, to implement a set of security controls and manage them going forward. We also commonly see our customers hire a security expert to act as a Virtual Chief Information Security Officer (vCISO), who continues to assess the organization for risk and adjusts its strategic security posture on an ongoing, often annual, basis. The primary difference between the two is strategy versus implementation. A vCISO looks at the plan and strategy and tells you how to execute, but when we fulfill this role we don't execute; your internal staff are tasked with following through on the plan. The most successful prevention we see is a mixture of the two: a vCISO to set the strategy and review the metrics, and our MSP team doing the follow-through to ensure your organization is planning and executing its prevention strategy.
No matter what you choose, you need to select something. Ignoring security won’t make your problems go away. Let's revisit your IT policy. Grab our guide: Your Business Through the Eyes of a Cybercriminal and find out where your company may be vulnerable, and how we can help you lock it down.