Part One: Best Practices for Keeping Company Data Secure 

“One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.”
―Stephane Nappo, Global Head of Information Security, Société Générale 

Over the last several years, I have written many blogs, presentations, and articles regarding cybersecurity. In each of them, I have stressed that modern businesses live or die based on the digital records we keep and that cybercriminals really are out to get you, one way or another. As you can see from the above quote, cybersecurity is still the topic and I very much agree with Stephane – we have to fix the basics and protect what matters most. 

This series will include:  

• Part 1: We will explore this topic again from the viewpoint of getting those basics covered. 
• Part 2: We will move to building up from your foundational basics into more robust defense in depth.  

Laying your security foundation 

It may come as surprise, but the very first brick of the security foundation doesn’t involve technical geegaws, doodads, or wizardry; it is about changing your way of thinking. I cannot count the times I’ve heard phrases such as, “No one cares about hacking my systems” or “I don’t have anything worth taking” or “We are too small of a target”. Let me be perfectly clear – those sentiments are dead wrong. Even if the typical cybercriminal may not be all that interested in your inventory lists, marketing material, current orders and projects, or payroll information, every cybercriminal understands a brutally simple truth: they know that every bit and bite of that information has value to you. Furthermore, they know that you will pay handsomely to get that data back should something happen to it. This is exactly the reason for ransomware going from a brand new phenomenon in 1989 to a $20 billion-dollar criminal enterprise in 2021. Since virtually every ransomware attack begins with a phishing email or some other social engineering technique, a lack of caution or awareness on the part of a human being is directly responsible.  

Change your mindset 

At the risk of sounding like an old codger, we live in a world that is radically different than the one in which I was born and grew up. Business then was often conducted face-to-face and the transaction completed with a handshake, a result of interpersonal trust that developed naturally. Today, we frequently communicate and do business with people that we never meet in person and may, in fact, not even reside in the same hemisphere. To wax philosophic for a moment, technology that was intended to “connect us faster and more widely than ever before possible” has actually driven a wedge between us because digital identities are easily spoofed, manipulated, or manufactured out of nothing.  

What does this mean for cybersecurity and changing my mindset, you ask? Simple. The old adage of “Trust, but verify” has to change to “Trust nothing until vetted. Verify everything.” Even after you can establish a level of trust, you have to be continuously vigilant because digital identities are not 100% trustworthy and security conditions are fluid. 

I’m not recommending total paranoia, but a healthy dose of both wariness and skepticism will take you quite a way down the road toward cybersecurity. 

They really are out to get you. 

The title of this blog states it plainly – you will be hacked. Accept the fact that whether you are specifically targeted or just a chance opportunity for a cybercriminal, they will get to you. Even if your business is locked down tighter than a CDC biohazard lab, you still do business with companies like Target, Home Depot, Marriot Hotels, or Equifax. Hacked, one and all, and every one of these breaches exposed millions of records. Some of that data might be specific to you or your business. 

This is not a defeatist rant – rather see it as a wakeup call. You have to take steps in your personal life, business environment, and interactions with other companies to limit your exposure to the best of your ability. 

How to stop being your own worst cyber-enemy 

It is well-known that the weakest part of any secure system is the human, including the one looking back at you in the mirror. Trust is a deep human need – both needing to receive it and give it; however, building cybersecurity means that you have to limit trust and then constantly check to make sure that the trust given is still valid. There are behaviors that have to be deliberately modified to achieve this goal. 

In cyber-geek speak, these are known as administrative controls. This includes policies and procedures, but most importantly, it expresses the core security principles to keep your business, customers, employees, and your personal life as safe as possible by limiting what we ethical hackers call the ‘attack surface’. Here is a list of best practices you should adopt: 

• Know what you need to protect – This isn’t just about the computers on desks and servers in the data room; ask yourself: 
  • What data/systems/people/processes need to be protected? 
  • Where is it located? Is it in more than one place? 
  • Who can access it? Who requires access in order to do their jobs?
  • What is critical to keep my business operational and my customers secure? 
• Know what threats are real – It is impossible to protect against everything, so make sure you are putting your efforts and resources where they will do the most good. Spending money for hurricane insurance makes sense if you live on the Gulf Coast, but not if you are located in Arizona. On the other hand, you should spend money on an emergency generator if you have perishable inventory or operate a life critical equipment. 
  • Were you aware that your email is the easiest way for a cybercriminal to get to you? According to Verizon, 94% of all malware arrives in your inbox and phishing email is on the rise yet again. Make sure that you can tell phish from foul (couldn’t resist the pun J) by engaging in security education and phishing tests on a regular basis. 
• Practice good cyber-hygiene – Cyber-hygiene is about all of the old tropes you’ve heard a million times, but probably still aren’t doing. There is a reason you’ve heard these things a million times – these are the basics of cybersecurity. 
  • Manage your account identities – According to Dashlane, the average person has 130 accounts to track and maintain. That’s a lot… 
    • Use a password manager. Don’t be one of those people who use the exact same credentials for every account. That’s just begging for identity theft. 
    • Delete/disable unused accounts on a regular basis and limit social media accounts. Social media is free and legal intelligence gathering for cybercriminals. 
    • Use multifactor authentication (MFA) every time it is offered. If you don’t have MFA at work, especially for Office 365, get it. 
    • Keep your business and personal credentials completely separate. Cybercriminals look for the easy way into businesses and a CEO or secretary or janitor who reuses their business credentials is the easiest. 
    • Track your financial records and email accounts tied to the various accounts. The only way you will know if something is odd is to look on a regular basis.
• Principle of least privilege – Don’t give access for anything to anyone who doesn’t need it to do their job. That includes the CEO. Just like a janitor probably doesn’t need access to payroll, a CEO probably doesn’t need access to engineering plans or logins for the firewall. This isn’t just for people: don’t give machines more access or services than they need to do what they are intended. Generally speaking, a server doesn’t really need direct access to the internet and a workstation doesn’t need to share files or printers. 
• Keep things patched – The manufacturers don’t write updates because they are bored. Those updates fix tons of security vulnerabilities. The latest Microsoft ‘Patch Tuesday’ fixed 87 of them. 
• Back it up – Having known good, offline, and offsite backups are often the ‘Hail Mary’ pass that save a business from total loss and bankruptcy. I’m not talking about the ‘whenever I think about, I’ll copy this to my Google Drive’ kind of backup (boy, I really hope that isn’t your backup plan); this means you need a real backup infrastructure. If you aren’t sure what that means, stay tuned as we will go into depth in the next installment. 

And finally… 

“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: “Cybersecurity is much more than an IT topic.”
―Stephane Nappo, Global Head of Information Security, Société Générale 

Cybersecurity isn’t a buzzword to sell you goodies, nor is it a fad. It is a way of life that you have to adopt in today’s always-connected world. Our friend, Stephane, gives more great advice in this quote. Today, we’ve scratched the surface of Anticipation and Education, as well as some of the best practices of good cyber-hygiene. I look forward to sharing more with you in Part Two. In the meantime, if you have any questions or want to explore some products and services we offer to help you build your cybersecurity, please contact our Business Consulting Team.