Are you practicing good cyber hygiene? How to clean up your security approach
- Published: Wednesday, 09 September 2020 07:41
We hear a lot about good hygiene these days, especially when it comes to personal hygiene. In fact, hygiene has never been more important as a way to protect ourselves and our families. The same is true for protecting an enterprise’s data assets says Dan Garcia.
With cyber security threats rising and developing, businesses—big and small—are more vulnerable to attacks. Working with a managed service provider (MSP) partner that can provide the expertise and technology to strengthen your security posture can safeguard your business: but picking the right partner requires a thoughtful evaluation and a thorough vetting to determine how they approach security in their own business.
If your MSP has implemented the best practices and processes to improve their own organization’s security, this is a good indication they’ll be able to support your cyber hygiene efforts. Good cyber hygiene is a continuous process that requires attention to threats and vulnerabilities.
Below is a checklist of key areas that can help you assess whether good cyber hygiene is being practiced for both your business and your MSP:
Are security basics covered?
Never underestimate the fundamental actions that your business can take to keep your business secure throughout your organization. Simple things like having a strong password policy in place, providing employees with ample education to recognise threats and introducing two-factor authentication can eliminate many security risks. Ask your MSP about what you can do to significantly improve email security, which is a critical area when it comes to security. Between password and email security improvements, an organization can help mitigate close to 70 percent of attacks on a small business (Verizon DBIR 2020 Report).
What and how often do you patch?
Many people become concerned about the latest attacks in the headlines - referring to zero-day exploits - but in reality, the majority of attacks use vulnerabilities in systems that have existed for months or years. It’s important that your cyber hygiene programme includes scanning of assets on the internal network but also those found on the public Internet. Beyond scanning, actually patching the systems within a reasonable timeframe and verifying that the vulnerabilities in the next scan are no longer present are just as important.
How secure is your data?
Data is everywhere so, first and foremost, you need to find where the valuable data resides throughout your systems and secure it appropriately. This includes enabling access controls, to ensure the data is only available to those who require it for their job role. Beyond preventative security, does the MSP provide backup and recovery as part of the offering? How robust are their security practices in managing your data? Having a backup that is inaccessible or is lost in an advanced attack scenario is of little value when it is needed.
Are you prepared with a business continuity and incident response plan?
Putting in place a strategic plan is a top priority. The more detailed and nuanced that plan is to your particular business and industry, the better. Additionally, having an at-a-glance checklist of what to do the minute you’ve detected a security breach is invaluable. In the urgency of a moment like this, every minute counts. Communication to key stakeholders, as well as giving your IT team clear direction about their role, can help improve your recovery response.
All too often when it comes to business continuity and incident response, actions are ad-hoc in nature. A documented plan (large or small) with the steps of what to do in the event of a cyber attack is often nowhere to be found. This can lead to unnecessary downtime and disruption to your business operations. In many cases your cyber insurance may also have requirements at the time of an incident, and you do not want to risk receiving your assumed liability coverage. For all these reasons, it’s important to be proactive in your planning.
Has your existing programme scaled in line with your business?
Has your organization grown in size recently? As you expand and scale your business, security measures need to be taken through that growth. While investment in technology typically increases as you grow, so do the security risks due to misconfigurations and data and access sprawl. The frequency of these concerns often correlates to the size of your tech stack. It’s worth having a security hardening assessment of the technologies in the environment, including how access is managed and their related configurations, to make sure something wasn’t overlooked.
Does your MSP practice threat modelling?
Threats - those targeting MSPs and their clients - are specific attack scenarios that businesses could face against their environment. An MSP should have undergone an extensive threat analysis for their own business and have in place threat modelling practices. Knowing they have state-of-the-art processes in place to detect and remediate threats means they’ll likely apply this expertise and know-how to your business.
Working through the threat modelling process should surface the objectives of an attacker, for example, are they aiming to steal data, take the data for ransom, or access one of the businesses clients? After identifying the objectives, understanding the methods the attackers will use to achieve their goals will help you focus your time in the areas that are the most important.
Consider conducting third-party penetration testing in your environment. It can help you gain an honest, unbiased perspective that can allow you to spend time validating the concerns raised during a threat modelling exercise. Having a third-party conduct this testing provides a level of accountability that can be difficult to replicate with only internal staff; it will highlight gaps that your MSP can focus on to strengthen your security plan.
Get into the mindset that security requires continuous improvement
Create goals for your cyber security programme that are reasonable and attainable. When faced with a long list of security improvements, prioritise the top five and work through those until they are complete. Review the list and repeat the process, don't tackle the whole list at once. It's worth noting that it should be an evolving list, because this is a continuous process.
Successful outcomes require more than a set-it and forget-it approach. Threats are continually evolving, and what was secured yesterday can be vulnerable today. While it’s possible to get to a level of comfort with your security posture, you should never sit back as if it is complete. Continual improvement needs to be built into your security plans.
Be open to an honest conversation
To improve your cyber hygiene, review your security posture with your MSP. Be honest about your needs and concerns and create an open dialogue that ensures you get the critical technology and support you need for better and more secure outcomes.