- Get buy-in from the C-suite about training employees on cyber security issues.Training everyone on what to look for when it comes to phishing, spear phishing, and whaling schemes. Doing so will go a long way toward cutting off, or at least reducing, at least one attack vector. Since approximately ninety-five percent of breaches start with email, having the C-suite training alongside the rank and file will stress how important this issue is.
- Audit your devices and make sure all firmware has been updated. We usually remember to update software on a regular basis thanks to Microsoft and programs like Secunia, which will remind you or update automatically. (You do practice patch management, right?) But firmware tends to be forgotten because many device firmware is not automatically updated, or, when a new device is installed onto a production environment, firmware checks may not have been made yet.
- Are you finding BYOD is becoming a major part of your network infrastructure? It may be time to re-evaluate your network bandwidth. The more devices you have, the less bandwidth you have for your existing devices. Perhaps it is also time to invest in a Mobile Device Management (MDM) solution. Keep the company data away from employee personal data. Make it easier to check BYOD devices for recent updates and sufficient anti-virus/malware protection.
- Cloud service providers are everywhere. In the past, all you had to worry about was moving files from your computer or server and putting it on someone else’s server someplace else. Now you have software providers, storage providers, infrastructure providers, platform providers and even Disaster Recovery as a Service Providers (DRaaS). What do you want to do? What do you want to pay? How much control do you want to give up and what Return on Investment (ROI) are you looking for. These are just a few questions you need to ask. All of these pose security implications, with the possible exceptions of ROI and what you want to pay. So maybe it is time to look into a cloud service. Just remember, research what you are getting into and know what you want to get out of cloud service. Also look at the human side. Are you replacing employees with the cloud service, or are you enhancing employee productivity?
- There is an old saying (anything older than one year in technology is considered an old saying): There are those who know they’ve been breached and those who’ve been breached but just don’t know it yet. It is along the same vein as: It isn’t if you lose your data, but when. Are you in an industry that requires a breach notification to the public, because compliance compels you to, or will you do it as a public service? I have a friend who is a psychologist who had her email hacked. An email went out to all of her clients and friends. Because she had less than 500 contacts in total, was a private practitioner, and HIPAA compliance didn’t have teeth yet, she didn’t have to notify her clients about the breach. So she didn’t. If your company is in a compliance situation (Sarbanes-Oxley (SOX), PCI-DSS, etc.), will you have the proper notification protocols in place to let your customers/clients know? Look over your notification protocols, and develop them if you don’t have them. In today’s world, breaches are almost an everyday occurrence. Coming clean to your customer base immediately will save the goodwill your company has developed over the years – and may prevent a lawsuit if you come forward. It may also create more trust from your customers since you have the strength of character to own it and take care of it immediately. The only time this may not be wise is if law enforcement tells you not to. In those cases, you can point to law enforcement for not letting you tell the public and your customers immediately.
2016 is going to be a bad year. Each year is going to get worse as newer and faster computers come online and more sophisticated forms of malware take shape. In this industry, we are only one step ahead of the bad actors. And even then that one step is tenuous. We win some, we lose some, and then we fight back and win some of the ground we lost. Cyber war is here to stay. We just have to try and keep our heads above water. Start with educating your staff, managers, and executives. Your worst enemy is not what is outside, but what lurks inside your company. Employees cause the most damage to networks, whether intentional or accidental. Training, though, can give your company a little bit of hope.