When it comes to a subject as complex as cybersecurity, it’s easy to become a victim of decision paralysis.
When company leaders and IT staff begin looking at their options around improving their security and discover hundreds of possible solutions, they can become overwhelmed. However, the best thing they can do is just start somewhere. IT and security specialists can get started by simply identifying the most critical risk areas in their business. Once they’ve taken that crucial first step, they can build the next steps around that risk assessment.
Cybersecurity is an ongoing strategic project. The initial goal shouldn’t be perfection. Instead, the goal can simply be to be better than yesterday.
Just start with a risk assessment
IT and security specialists can begin by pinpointing their organizations’ most critical risk areas and then taking the steps to secure them. IT specialists should conduct a full data and asset inventory and assess where the greatest risk lies.
There are two areas that IT specialists should examine:
- Critical systems and data – Examining where their most critical data lives and identifying unpatched vulnerabilities in applications is essential. Cybercriminals often exploit unpatched vulnerabilities in commonly used applications to gain a foothold in the network and steal credentials or data. For example, cyber attackers exploited four Microsoft Exchange Server vulnerabilities at the start of 2021, resulting in hundreds of thousands of organizations around the world being compromised.
- The people within the organization – Based on their work functions, determine what their level of access to data should be. For example, a business may determine that financial data should only be accessed by employees in the finance department. IT administrators can then examine their security policy development and configuration. Based on the risk assessment and a comprehensive understanding of which employees need access to critical data systems, organizations can develop granular security policies that apply the level of security appropriate to the current cyber risk. This keeps protection strong where it is needed while preserving usability and convenience for users and data that do not require as much protection.
It is also important to remember to assess third-party risk. It’s crucial for organizations to understand that they inherit the cyber risk of the vendors they work with. Once IT specialists have completed their risk assessment and have identified those critical vulnerabilities, they can take steps to secure them. Here are some areas where IT professionals can improve their cybersecurity based on their risk assessment:
Make sure security policies match the risk
All security controls should be driven by security policies, which should be granular and specific to not only the data and application, but also the users and their everyday context. Security policies are the foundation for any cybersecurity strategy and dictate where specific controls will be implemented. For example, to achieve zero trust, security policies are essential to limit access and enforce additional controls such as multi-factor authentication as a user gains access to various resources.
Educating employees to achieve full adoption
While there is a common perception that the cyberhealth of an organization rests on the shoulders of its IT staff, the users of each and every company play a role in preventing attacks. It’s important that everyone within an organization strives to be cybersmart, rather than relying solely on company leaders and IT specialists.
An essential part of strengthening security is achieving company-wide adoption and successfully rolling out the new security practices. To keep the entire organization safe, businesses need to get every member of the company on board with adhering to best practices.
A key component of implementing a comprehensive, organization-wide security plan is employee education. It’s vital to educate everyone who works in the company about the enhanced security protocols. Employees should understand the importance of cybersecurity and receive training on security issues and protocols.
Tighten up the security controls, especially authentication
Once IT specialists understand where their risks lie and have defined the security policies, the next critical step is to decide what types of controls will be used to apply the right amount of security to reduce the risk of attack.
IT specialists can secure their most vulnerable areas by strengthening identity and authentication. Passwords are outdated and tend to be high risk, with 61% of all data breaches involving stolen passwords. Businesses should stop relying on usernames and passwords alone for proving identity and gaining access to sensitive, confidential, secret, and other personal data. A username/password combination is susceptible to myriad attack types, including phishing attacks, password spraying, and brute-force attacks. Where passwords must still be used, complex and unique passwords are strongly recommended rather than reusing passwords across applications.
Stronger and less vulnerable approaches to identity and authentication, such as multi-factor authentication (MFA), are essential. Organizations not using MFA are especially vulnerable to cyberattacks. MFA adds a layer of protection to the sign-in process by requiring users to provide additional verification, such as a verification code received on their phone. MFA is more secure than passwords alone and is a must-have security control. Common MFA methods include a personal identification number or one-time password and out-of-band verification such as via a phone, hardware token, or biometric system.
MFA solutions can be enhanced with stronger protections. Wherever possible, MFA that relies on biometrics and public-key cryptography should be preferred to sending authentication codes via SMS and email.
Employees are likely to need flexible options for MFA to counteract variations in their workflows, device access and capabilities, and forgotten tokens or devices.
While improving cybersecurity may seem overwhelming, IT specialists can begin with the modest goal of becoming more secure than they were yesterday. Once they’ve taken the pivotal first step of assessing their risk, they can advance to securing their most critical systems and formulating their long-term cybersecurity strategy.