Cybercrime is on the rise and organisations are worried and confused about how to protect themselves. Recent eir research indicates that over 80% of businesses intend investing in network and information security in the coming 1-2 years and businesses say that identifying and addressing their security gaps is their #1 security need.
But if you’re an enterprise, where should you focus your activity? Before investing in expensive technology and services, get familiar with the 9 important Ps of network security. Take action on these, and you can dramatically reduce your risk profile.
Your weakest link is not hardware or software, it’s people. Educate your team in basic cyber threat awareness. Over 30% of phishing emails are opened by people, and a substantial number of those people go on to click on links within. Educate your people to be more aware, and you can significantly reduce the opportunity for malware to enter the organisation. And continually train your security specialists.
Have a person in the organisation who is clearly responsible for security – shared responsibility usually results in everyone thinking that someone else is taking care of it. Best practice indicates that this person should not be parked in the IT department, as there is too much scope for conflict of interest – should you meet that pressing project deadline, or complete the full security hardening of the new system?
According to Verizon’s 2016 data breach investigations report, 63% of data breaches last year relate to passwords. Yes – that’s 63%! Vulnerabilities include weak passwords, default passwords not changed or stolen passwords. Up your game with regards to mandatory password strength, enforce uppercase, lowercase, numbers, letters and other symbols, use password phrases and mandate they are changed periodically. Especially sysadmin! Yes, we mean you, too…especially you. Here are the 25 most common passwords people used in 2016 that are easily hackable, as per Splashdata’s annual report of worst passwords. Make sure yours are nothing like these:
123456, password, 12345, 12345678, football, qwerty, 1234567890, 1234567, princess, 1234, login, welcome, solo, abc123, admin, 121212, flower, passw0rd, dragon, sunshine, master, hottie, loveme, zaq1zaq1, password1
Also see point 1 – educate your staff about good password hygiene.
Enter your email address into https:/www.haveibeenpwned.com to see if your credentials have been hacked before, and make sure those accounts are now secure and passwords changed. And don’t reuse the same passwords across different applications or websites.
85% of exploits target the top 10 known vulnerabilities, for each of which there are available patches, in some cases for years! Patch all the known vulnerabilities, perform regular vulnerability scanning (see point 4) and implement an ongoing patching process to keep on top of new ones.
4. Penetration testing
Perform regular penetration testing (pen tests) and vulnerability scanning. Pen tests should be conducted by an expert third party at least once a year on your external AND internal infrastructure (intruders like to move around your network once they get in), or whenever you make any significant changes.
Vulnerability scanning, a more automated assessment, should be more on an ongoing basis, at least quarterly. This provides an independent perspective on how vulnerable you are and identifies where you need to address risk.
5. Proactive monitoring
Proactively monitor your logs and alerts. Great technology is useless if nobody is looking at what it’s saying. We go into customers quite often and hear that the customer is confident they are protected, given a security investment they have made previously, only to find out that
- It’s been going “beep, beep, beep!” for the last four months about an intrusion and nobody noticed.
- The license expired months ago and the customer had actually no protection at all, only the illusion of it.
Ah, yes, products. You will need these. But make sure you cover the basics above, too, otherwise it’s all for nought.
Security Products needed depend on your systems include Next Generation Firewall and Denial of Service protection. For example, if you have any public-internet facing infrastructure out there, and especially if you offer products and services online, you are at tremendous risk of Distributed Denial of Service attack unless you have some form of protection.
7. Protect your endpoints
Your endpoints are one of the most vulnerable areas. Ensure you have endpoint protection for laptops and other devices, so that data is encrypted and devices and passwords are virus-protected. Make sure you have mobile device management for your mobile devices so that devices can be wiped remotely if they are lost or stolen, and so that you can control the applications permitted appropriately. Consider mobile data protection, also. And if you are investing in IOT (Internet of Things) and machine-to-machine communications, don’t buy dodgy devices from questionable sources and slap them onto your network. The largest distributed Denial of Service attack ever recorded (1.2 Terabits) was launched last October using exclusively IOT devices infected with malware due to poor or non-existent security on those devices. Make sure IOT device endpoints have an appropriate level of security and protection.
Cyber security is an ongoing process of risk identification, mitigation and management. Make sure you have established and well-documented processes in place to identify and respond to risks.
There is no such thing as absolute security. According to John Chambers of Cisco, there are only two types of organisations – those that have been hacked and those that will be hacked.
Andrew Harbison of Grant Thornton has a different view: at the 2017 Cantillon security conference, he said the second category is actually those that have been hacked but don’t know it yet.
All organisations need an Incident Response Plan for such an event, including processes for informing the authorities, limiting damage, securing from any further breaches and more. And with the EU’s GDPR Data Protection Regulation coming into effect in May 2018, the implications of not being prepared can be severe. Consider cyber insurance to mitigate the cost exposure.
I hope these 9 Ps help. The list is by no means exhaustive, but all these points are essential for a good security management protocol within an organisation. Follow these 9 Ps and you’re well on your way to having your cyber risks significantly reduced. If you don’t have the skills or resources to do all of this yourself, by all means engage a third party service provider to help you.