Welcome to summer in New England! Or close to it at any rate. Today I would like to talk about a slightly different topic than usual on these blogs. For those of you that have read past entries, you know they are full of good advice on many different compliance issues. We deal with everything from banking audits to HIPAA reviews, and we have many, MANY stories of things we’ve seen and best practices that go into these writings.
And like you, I read quite a few articles as well. Lately, there seem to be a large number of them devoted to shouting from the rooftops about some sort of breach. Municipalities, hospitals, insurers, retailers, no one is immune. However, a definite pattern emerges from reading all these stories. So rather than talk about PCI (credit and debit cards), GDPR (European privacy law), or any of the 100 other acronyms that I could make your eyes glaze over with, I’m simply going to give you three tips. Those of you old enough to remember that three is a magic number know how important that is.
Seriously though, no matter what framework, rule, or regulation is out there, there are common steps you can take that will make it much harder for the bad guys to take advantage of you. These are issues that appear in the majority of the compromises that we see. Will making sure these are in place guarantee that you won’t be hacked or compromised? Of course not. Only the Lone Ranger has silver bullets. But without these in place it can be like leaving the door unlocked before an overseas trip. Without any further introduction, they are:
- Patch your systems – You hear this all the time, right? And yet, when a compromise is reviewed, it regularly turns out that the breach can be traced back to a known vulnerability for which a patch was available but never applied. I get it. Patching is time consuming. It will sometimes break things, and vendors never seem to stop putting out new patches daily. However, if you had a cracked window in your car, or a hole in your roof, would you just keep using them as is? A good patch program is like an update to your GPS maps. Without it you can still drive, but sooner or later you’re going to run out of road. If you can’t afford an expensive patch management solution, at a minimum turn on Windows Updates on desktops and laptops, and make sure servers, network equipment, and third-party applications get reviewed and updated on a regular schedule.
- Protect your identity – This one sounds like an identity theft protection ad, I know. But in many cases, the reason people can get into your systems (at home and at work) is that they have stolen credentials. Again, this is something you hear ad nauseam. Don’t reuse passwords. Don’t write them down. In this day and age where everything is online, having the same password for your coffee app as you do for your work credentials means that you could be paying tens of thousands of dollars or more for that latte, and even the extra-large shouldn’t be THAT expensive. Take basic precautions. Make sure not only passwords, but USERNAMES are different at work than at home. Don’t mix work and home email addresses either. If your next-door neighbor’s key opened your house, how would that make you feel? When possible, set up your systems so that access is guarded by multi-factor authentication (MFA). That way, even if a password is compromised, it is much harder to get into the system. Like a deadbolt on the door. Not impossible to break in, but much harder than using a credit card to jimmy the door lock, which is a lot easier than you might think. At least it was when I locked myself out of my house!
- Educate your users – The previous suggestion goes hand in hand with this one. We've all seen the upswing in phishing attacks, even though the days of winning millions of dollars in the Nigerian lottery seem very far away. Not only are phishing attacks (and all their many variations) more sophisticated than ever before, but lately attackers have been compromising email accounts and using them to spread the attack to everyone in the compromised user’s address book. This means that the phishing attempt is actually coming from someone you know, making it even harder to ignore. The key takeaways here are to train users on what to look for, like hovering over links to see where they really point and being suspicious of any email that asks for credentials, and to have them reach out whenever something doesn’t smell right. When I was at the help desk, I’d rather get 10 questions a day on legitimate emails than have to deal with a single malware attack. The former takes 10 minutes a day. The latter can trigger your incident response plan!
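The "hover over the link" habit can also be automated, for example as a pre-delivery check or a helper for the help desk. The script below is an added example and is not code from the original post or its authors. It parses the anchors in an HTML email body and flags links whose visible text names a different domain than the href actually points to, links that hide credentials before an @ sign (the real host is whatever follows the @), and links that use a javascript: or data: scheme. The sample email body is constructed for illustration, and the two-label domain reduction is a simplifying assumption (no public-suffix list), so a real deployment would want something more careful.

```python
"""Flag anchors whose visible text disagrees with where the href really goes.

Added example, not part of the original post. The email body below is
constructed for illustration; hosts are in reserved/example ranges only.
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Visible text that "looks like" a URL or bare domain, e.g.
# "https://portal.example-bank.com/signin" or "support.example-bank.com".
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#:]\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels (login.example.com -> example.com).
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> Optional[str]:
    """Return the host named by the visible text if it looks like a URL/domain."""
    text = text.strip()
    if not _URLISH.match(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str) -> list:
    """Return a list of {href, text, reasons} for anchors that deserve a second look."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        reasons = []
        if target.scheme.lower() in ("javascript", "data"):
            reasons.append(f"non-http scheme {target.scheme!r}")
        if target.username or target.password:
            reasons.append("credentials before '@' in URL; real host is " + target_host)
        shown_host = host_of(text)
        if shown_host and target_host and \
                registrable_domain(shown_host) != registrable_domain(target_host):
            reasons.append(f"text shows {shown_host} but link goes to {target_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one lookalike subdomain, one legitimate link,
# one userinfo trick, one javascript: link.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Please sign in at
<a href="https://example-bank.com.login-verify.example/signin">https://portal.example-bank.com/signin</a>
to keep your account active.</p>
<p>Questions? Visit <a href="https://support.example-bank.com/help">support.example-bank.com</a>.</p>
<p><a href="https://example-bank.com@203.0.113.7/reset">Reset password</a></p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["text"] or "(no text)", "->", finding["href"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run as-is it reports three of the four links; the legitimate support link passes because its visible text and destination share the same registrable domain. The point for training is the same as for the code: the text you can read is not the place the link goes, so look at the destination.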
Sometimes we are so intent on educating and warning people about new threats and how to be compliant that we assume the basics are being handled. It’s similar to having a state-of-the-art security system and leaving the back door open because there’s a nice breeze. If you make sure the vectors that most criminals use (unpatched systems, compromised credentials, and untrained users) are addressed, you make it much harder to be attacked. In many cases these bad guys are looking for the quick and easy score, and will move down the block to an easier target. Interested in learning how you can further address these basic security areas? Contact us today to discuss your cybersecurity program and risks!