IT IS EASY to become overwhelmed with all the latest cybersecurity products and information, but the good news is that many of the basic things organizations can do are also the most impactful. It is, however, important to mention that many things that are simple in concept can be complex in their execution.
Requirements are increasing, both from government as well as from contracts with the organizations with whom you engage. Be sure you know what you have, and to what you have agreed. A lot of onerous information and security requirements show up in contracts, and some may be irrelevant to the relationship and data. Having a strategy for how you will manage information security requirements and involving your IT team in the contracting process early on can save many headaches later.
Know your third parties (and their third parties). Even the best information security protections will be irrelevant if those with whom you share your data or have systems connections with are not protecting the data and systems appropriately. It is essential to understand who you are sharing your data with and how they are managing this data. Requirements should be built into contracts, and you should have processes in place to assess your vendors and partners to ensure that they are providing appropriate security processes and controls.
Make sure your staff is aware of and on the lookout for scams. Information security awareness training can be difficult to make effective, as in today’s world many of us spend most of our days responding to email and clicking links. Criminals know this and will take advantage of the fact that so much commerce is conducted through email and the internet. Ensuring that all of your employees understand the current ways that criminals try to take advantage of them, understand basic information security principles at minimum, and stay on the lookout for the signs of scams is essential. It is almost always much easier and more efficient for scammers and hackers to trick someone who already has access to your systems and data into giving them that access than it is for them to find technical vulnerabilities.
Understand your data and environment. It should be fairly straightforward that you can’t have a breach of information that you don’t have, but organizations often have a large quantity of data that they no longer need. It is not uncommon during an incident investigation to see that a lot of the data that was inappropriately accessed or stolen was data that the organization should have destroyed a long time ago. It is essential to know what data your organization has, where it is stored, and who has access to it. Without understanding the data, systems, and applications, it is not possible to ensure that you are providing appropriate protection. Having data classification and retention policies and procedures will inform other security controls in your environment, and also help ensure that you are removing data when it is no longer needed for contractual or other business purposes.
Have a plan for how to deal with incidents. It is essential to have a plan in place for dealing with information security incidents. Whether it is an incursion into your networks, a compromised vendor, ransomware, a data breach or other type of incident, the time to have a plan in place is before an incident happens. Understanding how you will react, determining who has responsibility for managing technical aspects of an incident, when and how to involve law enforcement, how systems will be restored, and how you will notify partners, insurers, and customers are all important planning aspects.
Take advantage of controls such as multifactor authentication. One of the most impactful things that organizations can do is require multifactor authentication (MFA). In fact, this one thing is so important that many cyber insurance policies require that MFA be implemented before they will write a policy. The form of MFA that people are most aware of is when you are sent a code to your phone that you must enter along with your username and password in order to gain access to a system, application or service. While there are many other forms of MFA as well, and there are ways that criminals can get around it, it is one of the most impactful things you can do from a security perspective.
Be aware of traditional fraud. While nation state threats and other flashy attacks often get a lot of news coverage, some of the most common issues affecting organizations are things we think of as typical fraud. Invoice fraud continues to grow and cause large losses for organizations. This can take several forms, including fraudsters sending invoices for services that were never purchased. But scammers and other criminals can also compromise the email accounts of your customers and send what look like legitimate invoices for services received but change the bank account numbers to trick you into sending payment to them rather than the intended recipient. Be sure that your users are aware of this common method and encourage them to confirm with a phone call or other offline method when they have suspicions that something may not be legitimate.
As technology continues to grow, so do threats. To manage risk requires constant vigilance. Information security programs don’t remain stagnant—they are either continuing to mature or they are degrading.