Cyber attacks occur through multiple channels. These can include illicit access of another’s user ID or password, malware injections, rogue hardware and phishing, among others.
It’s obvious that businesses are vulnerable from many angles, though not all of them are related to purely technology (e.g. mobile phones), but can involve manipulating human behavior or even a business’ operations through open-source sources of information.
Examples of How Hackers are Understanding their Targets
Besides the growing sophistication of cyber attacks, businesses also have the critical issue of reducing the time it requires for them to detect cyber attacks, much less stop them.
It Takes Too Long for Businesses to Detect Cyber Attacks
In an effort to understand how to best function in today’s cyber threat landscape, we outline 3 of the top actions businesses can take to seal their cyber security gaps.
1. Penetration Testing
Put your IT system through penetration testing to determine if your existing security practices and technologies are sufficient to shield your network(s), data, applications and hardware (e.g. computers and mobile phones).
A superficial test is useless. Rather, you must ensure that you’re properly calibrating penetration tests by accounting for cyber threats that are relevant to your business. Basically, simulate cyber attacks that are the likeliest to hit your IT system.
Stress test your entire IT infrastructure — i.e. hardware, software, outside service providers and processes — to identify root-vulnerabilities that you must address.
2. Invest in the Right Security Tools
Investing in the right cyber security technology is an essential — albeit costly — piece of shielding your IT system from current and emerging malware, spyware, phishing and other cyber threats.
This requires investment in multiple key areas:
Secure Your Hardware
Your company’s hardware assets include desktops/workstations, laptops, network routers and switches, and mobile devices, among others. Each of these requires a specific cyber security measure so as to ensure proper defensibility against cyber threats.
Computing devices such as desktops, workstations and laptops require protection at both the hardware and software or operating system level. In terms of the former, you could have disk encryption. As for the latter, it’s common practice to deploy a company-wide anti-virus.
Your networking infrastructure includes routers and switches. You must ensure that access to your network is protected through password protection (restricting access), firewalls as well as appropriate provisioning of administrator rights.
You must ensure that your device fleet is properly administered. Be it company-issued phones or bring-your-own-device (BYoD), you must enforce your company or organization’s policies on each device. Doing so prevents Shadow IT and enables your IT team to remotely wipe them should the device get lost or stolen (or belong to a former employee via BYoD).
If you’re hosting data in-house or on-premise, you must ensure that your server rooms (or data centers) are fully guarded in terms of both physical and cyber security.
Part of this is due to the need to ensure that only authorized persons have access to your data assets (an outsider is an obvious cyber security risk). However, there are compliance issues at hand as well, such as HIPAA and HITRUST, which require specific cyber security measures in place for your private, hybrid or public cloud hosting.
If your data is on-premise or via an in-house private cloud system, you must ensure that it has physical/on-site security (e.g. access controls, visual monitoring, etc) and it’s accessible to only those with high-level clearance in your company (who also need access for their jobs).
In terms of technology, communication to and from your servers must be secure (this will require security measures at the front-end as well) through encryption. You must also monitor access so as to ensure usage rates are normal (abnormalities are a red-flag for possible cyber attacks).
Regarding hybrid or public cloud-hosts, you must ensure that they are meeting or exceeding these requirements so as to meet HIPAA, HITRUST and other compliance standards.
Secure Your Software
Your software assets are likely to include internal business or productivity applications (such as a computer-aided design suite) and customer or client-facing apps (e.g. a banking app).
Software Asset Library
In terms of your internal applications (e.g. productivity apps), you can secure them by keeping your software licenses compliant and up-to-date in terms of app builds and security patches.
Besides licensing, you might be hosting your applications on the cloud (e.g. Office 365 can be hosted on a private, hybrid or public cloud system). In this case, you must ensure that hosting is secure and compliant with the original vendor’s requirements.
Secure Your Own Applications
If your business is deploying a customer-facing application (e.g. banking apps), then you must secure them as they too are potential attack vectors into your IT system.
Such applications could be the front-facing gateway to your database, which could affect client data (e.g. social security numbers, credit card information and other customer information).
Besides encrypting communication between the application and the database, a common way of securing such apps is to incorporate RASP (runtime application self-protection).
With RASP, your app will prevent itself from being affected by a malware-infected device or release encrypted data on vulnerable (e.g. rooted or jailbroken) devices.
3. Build and Enforce Strong Security Policies
Technology is only one side of the cyber security equation. Yes, apps and networks that aren’t secured properly are vulnerable, but people — i.e. end-users — are also points of vulnerability.
In fact, whether it was malicious or accidental, companies affected by data breaches told the Ponemon Institute that 48% — effectively half — of their incidents were traced back to insiders (via Deloitte).
This goes beyond just requiring your employees to maintain strong passwords (though that is a must), but rather, you must build a complete IT system that’s centered on access control as well as rapid and tightly-controlled provisioning and deprovisioning.
Device and Identity Management
We touched upon the hardware side (i.e. mobile device management), but device and identity management is meant to restrict access to specific data, applications and services to only your authorized and vetted employees, and to only those of them who need access for work.
Should a device get lost, stolen or (via BYoD) belong to a former employee, your IT team can readily deprovision access and delete your company’s data from it.
Education and Training
Finally, your business must incorporate end-user awareness and staff training. Certain cyber attacks, such as phishing attacks, aim to exploit the end-user’s lack of knowledge by having them submit their login details through fake pop-ups and pages purporting to be your site.
Should you become aware of phishing attempts at your business (or even your industry), then you must notify your customers and clients. Make them aware of the problem and inform them not to input their data on pages sent to them through email or messages.
For employees, you could train them to recognize phishing and spear-phishing (i.e. attempts by hackers to masquerade as colleagues, clients or managers as a means to get login details and other confidential information) and report it (instead of falling victim to it).