Best practices for defeating most attacks, hopefully making the need for future Cybersecurity Awareness Months obsolete
Cybersecurity Awareness Month, which was previously known as National Cybersecurity Awareness Month, is in its 19th year. Launched under the guidance of the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA), it aims to help Americans stay safe and secure online. This year’s campaign theme – See Yourself in Cyber – is focused on the “people” equation of cybersecurity, while promoting how to recognize and report phishing, the use of strong passwords, password managers and multi-factor authentication, and applying software updates. While these tactics are certainly a great place to start, organizations need to go beyond these fundamental steps to strengthen their cyber resilience.
The last year has proven to be a game-changing year for cybersecurity: Cyber breaches are bigger and worse than ever. Hardly a week goes by without headlines about some new devastating cyberattack. In fact, the Federal Bureau of Investigation’s Internet Crime Report (PDF), saw a 7 percent increase in complaints, resulting in losses of nearly $6.9 billion. The surge in cyberattacks directly correlates to the broadened attack surface – specifically, the sudden shift to hybrid working. Cyber adversaries capitalized on the rapidly changing environment by intensifying their attacks and targeting the weakest link in the attack chain – the remote worker. Furthermore, professional hackers, cybercriminal syndicates, and nation-states are exploiting the supply chain, increasing their blast radius and overall damages.
Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures (so-called TTPs). In this context, it is vital for security practitioners to review the entire cyberattack lifecycle to gain a full grasp of the areas that need to be addressed as part of an in-depth cyber defense approach.
Here are five best practices for defeating against most attacks, hopefully making the need for future Cybersecurity Awareness Months obsolete.
1) Put your Trust in Zero Trust
Zero Trust means trusting no one – not even known users, applications, or devices – until they have been verified and validated. Zero Trust principles help enterprises enforce dynamic, contextual network access policies to grant access for people, devices, or applications. This entails analyzing device postures, application health, network connection security, as well as user activity to subsequently enforce pre-defined policies at the endpoint rather than via a centralized proxy.
For most organizations, the path to Zero Trust should start with identity paired with endpoint resilience to create a more secure work-from-anywhere user population. Applying Zero Trust principles can help companies avoid becoming the next breach headline, including the brand damage, customer loss, and value degradation that typically comes with it.
2) Focus on What Matters Most
Gartner estimates that global spending on cybersecurity will hit almost $173 billion annually in 2022, yet the breaches keep on coming. That’s probably because a large chunk of that money is being funneled toward solutions that don’t address modern security problems and cover the ever-growing attack surface of modern enterprises. Hackers, for their part, are taking advantage of the fact that organizations and their workforce are relying on mobile devices, home computers, and laptops to connect to company networks to conduct business. In turn, these endpoint devices become the natural point of entry for many attacks. In fact, a recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months.
Understanding not just the tail end of the cyberattack kill chain, but also focusing on initial attack vectors like endpoints provides a roadmap for aligning preventive measures with today’s threats. It is vital to maintain granular visibility and control over access points to prevent and remediate vulnerabilities that can and often will surface on them. In today’s work-from-anywhere era, assuring endpoint resilience is a vital element of a successful in-depth cyber defense strategy.
3) Secure your Network Access
In today’s perimeter-less environment, security practitioners can no longer assume implicit trust among applications, users, devices, services, and networks. In fact, 51 percent of organizations have seen evidence of compromised endpoints being used to access company data via the corporate network. That’s why many organizations have started to embrace a Zero Trust approach and are considering augmenting their conventional network access security concepts such as virtual private networks (VPNs) and demilitarized zones (DMZs) with Zero Trust Network Access (ZTNA) solutions.
ZTNA solutions create an identity- and context-based, logical access boundary around an application or a set of applications. Access is granted to users based on a broad set of factors, for instance, the device being used, as well as other attributes such as the device posture (e.g., if anti-malware is present and functioning), time/date of the access request, and geolocation. Upon assessing the contextual attributes, ZTNA then dynamically offers the appropriate level of access at that specific time. Since risk levels of users, devices, and applications are constantly changing, access decisions are made for each individual access request.
4) Balance your Security Investments
It’s a fact that we can never eliminate cyber risk entirely, but we can manage it more effectively with “Left and Right of Boom” processes and procedures, creating a winning strategy by splitting an organization’s cybersecurity investments between strategic preparedness, prevention, and incident response. Finding the right balance has become essential in determining an organization’s ability to anticipate, withstand, recover from, and adapt to attacks, or compromises on cyber resources. Gartner, in its “Maverick Research: You Will be Hacked, So Embrace the Breach” report is emphasizing that “to make a real difference to the impact of cybersecurity incidents, cybersecurity priorities must shift from defensive strategies to the management of disruption through resilience.”
5) Become Cyber Resilient
More and more security professionals acknowledge that modern enterprise infrastructures are made up of large and complex entities, and therefore will always have flaws and weaknesses that adversaries will be able to exploit. In this context, they propagate the concept of cyber resilience to ensure that an adverse cyber event (intentional or unintentional, i.e., due to failed software updates) does not negatively impact the confidentiality, integrity, and availability of an organization’s business operations.
Like Zero Trust, cyber resilience offers a blueprint to strengthen an organization’s security posture in today’s dynamic threatscape, establish security controls that require cyber adversaries to spend more time figuring out how to bypass them (which they often are unwilling to do, because time is money), and the means to recover from cyberattacks quickly and efficiently.
6. Slow down.
We’re all busy. But slowing down before you open an email, or thinking twice before you click on a link, could be the difference between a close call and a massive data breach. We sat down with KnowBe4’s Roger Grimes, who shared some great insights for spotting and preventing phishing and social engineering attacks — and his interview is a great resource to share with employees for Cybersecurity Awareness Month. Check out our interview on the psychology of social engineering.
7. Make cybersecurity accessible.
As we mentioned above, cybersecurity is everyone’s job. Are your teams equipped with simple tools and a clear understanding of their role in protecting data? Our Empowered Employee Report contains tips for selecting easy-to-use data protection tools, as well as our recommendations for getting teams invested in security — conversation starters, communication advice, and more.
8. Secure your cloud-hosted data.
Did you know that you can shield your cloud-hosted data from third parties — including the cloud providers themselves? Virtru data protection makes this possible: As an example, we are a Google-recommended key management partner for Google Workspace Client-Side Encryption. Check out our blog post on 5 myths surrounding cloud migration, and how you can ensure total privacy and control of your data in the cloud.
9. Unusual requests are red flags.
Even if an email appears to come from someone you know and trust, be cautious of any message that asks you to do something that could put you or your organization at risk — even if it appears to come from your boss or an executive. Phishing attacks now commonly use industry-specific terms, jargon, and client scenarios to foster a false sense of trust. As they learn, hacking groups can make these emails look increasingly realistic. Learn more in our blog post on social engineering.
10. Focus on the most impactful priorities.
“Everyone is seeing threats like bubbles in a glass of champagne, and they’re not being told, ‘Two of those bubbles matter more than all the other bubbles.’ Because of that, they’re not focusing correctly,” says KnowBe4’s Roger Grimes, author of A Data-Driven Computer Defense. Those two most important “bubbles” have been the same for 30 years, he says: social engineering and unpatched software. Discover more insights on how to effectively prioritize your security efforts in our Empowered Employee report.
11. Assess data protection across departments.
Whether you’re a global manufacturer, a small retail shop, a healthcare provider, a school, or a nonprofit organization, you have sensitive information that hackers can profit from, and that data can be found across every corner of your business. Every department needs data protection. Have conversations with team members across every department to get a sense of the kinds of sensitive information they’re handling, and whether it’s being protected: Employee and customer information, proprietary strategic data, financial records, PHI, PII, and more. You might be surprised by how much data you uncover.
12. Construct a safety net for human error.
We’re all human. We’ve all made mistakes around cybersecurity. The question is — when mistakes happen, what tools do you have to mitigate or prevent damage? Virtru helps you implement two valuable safety nets for human error: Data Loss Prevention rules that automatically encrypt certain types of data by default, and a “Revoke” feature, which lets you revoke access to shared data at any time — even if that data has already been shared and accessed outside your network. This helps you take immediate action to mitigate your risk.
13. Revisit your breach prevention plan.
With ransomware attacks and data breaches on the rise, it’s important to ensure your breach prevention and response plan is up to date, and that everyone understands their role in preventing and responding to an incident. When evaluating your breach prevention plan, ask yourself: Are we just protecting our systems and networks, or are we protecting the data itself, everywhere it travels?
14. Examine how you manage and share customer data.
Most companies have some kind of Customer Relationship Management (CRM) software to maintain client data. This information is often sensitive in nature, containing personally identifiable information (PII) and credit card/billing information. Ensure the data flowing through those platforms remains secure. For more on how to protect customer data, listen to our recent webinar on adding a layer of encryption to your SaaS applications.
15. Build trust with a commitment to security.
Trust can be your competitive advantage. In a world where so many companies take a lax approach to protecting their users’ privacy, you can build stronger relationships by demonstrating a commitment to security — for your customers, employees, and partners. Cybersecurity Awareness Month presents a great opportunity to communicate this with your audience, as well. Discover six ways to protect customer data and win trust.
16. Bridge the gap between work and home.
By highlighting the risks of ransomware to employees’ personal as well as professional lives, security teams can convey the consequences of cyber attacks in a more tangible way. When individuals understand the potential personal impacts of a data breach — such as the compromise of their own personal accounts — they’ll start to take security more seriously. Our Empowered Employee Report includes conversation starters and tips for connecting with employees.
17. A Zero Trust strategy creates maximum confidence.
Zero Trust treats every user and every system with equal caution. Everyone is on the same playing field, and it frees up your organization to create and collaborate with greater confidence that their data remains safe. Check out our tips for explaining Zero Trust to employees during Cybersecurity Awareness Month.
18. Know who holds the keys to your data.
For strong security, you’ll want to manage your own encryption keys — or select a trusted partner who can manage them for you, separately from your data. Check out our encryption key management guide for details on how to evaluate the right key management framework for your organization.
19. Highlight your organization’s security heroes.
Have an IT team of rock stars? What about colleagues who do a great job of encouraging strong security behavior among their peers? Celebrate these employees and give them some well-deserved recognition. This can go a long way to cultivate openness and engagement around cybersecurity. Download our Empowered Employee Report for more tips for fostering an engaged culture.
20. Calculate how much data is leaving your organization.
Data flows in and out of organizations at high velocity. It’s important to understand just how much data is being shared externally so you can effectively protect it. Use the Virtru Data Sharing Calculator to understand your potential risk for a breach — and learn how you can mitigate the impact.
21. Find your cybersecurity advocates.
You know those colleagues who are always the early adopters of new technology? How about those who are passionate about blockchain, or ethical AI? These can be your most powerful cybersecurity advocates. Harness the passion and interest of these individuals to help your organization adopt a consistent, strong security mindset — one of continuous learning and knowledge sharing. After all, data security is everyone’s responsibility.
22. Start an insider threat prevention program.
Most companies face far more danger from lack of attention or training by insiders than from actual malice, but it’s still crucial to understand the security risks both pose. Fostering a collaborative culture of security will earn employee buy-in, and provide better results (and morale) than a top down “everyone’s a suspect” approach. Check out our Guide to Creating an Insider Threat Program for tips on how to cultivate engagement.
23. Make it easy to collaborate securely.
For your teams to actually use your security tools, they have to be easy to use. In a Virtru case study, Chartered Management Institute’s Information Security Manager, Leroy Cunningham, said it well: “It’s great having all the bells and whistles, but if your end users don’t know how to use it, they won’t use it, and it’s as simple as that. I like how clean and simple Virtru’s product is, it’s a simple toggle switch to turn it on or off, and it gives us more autonomy.” Read our Chartered Management Institute (CMI) case study to see how they used Virtru to help break down data silos.
24. Approach security conversations with positivity.
There’s enough messaging around fear, uncertainty, and doubt in the cybersecurity world. We’ve found it’s far more effective to empower teams with simple tools, clear education, and positive messaging that gives them the confidence to do their jobs while protecting data. Page 3 of our Empowered Employee report contains several tips to evaluate the way you position your security messages to teams.
25. Examine your supply chain connections.
Whether it’s third-party software or hardware throughout the enterprise supply chain ecosystem, even “trusted” networks quickly become a risk in the absence of data access controls. Here are some of the supply chain risks to be aware of, and why data-centric access controls can help you mitigate those risks.
26. Connect with the “why.”
For schools, it’s protecting students’ safety and privacy. For healthcare providers, it’s safeguarding patients’ well-being. For companies, it’s protecting confidentiality and maintaining trust. Whatever your “Why” is, it’s vital to make that a central part of your story for the importance of protecting data.
Our “Why” — helping create a world where your data remains under your control, everywhere, without limiting your ability to innovate, share, and collaborate.
27. Don’t overlook data flowing through SaaS apps.
The average enterprise has over 500 applications, and every app amplifies your risk. Determine which of those applications transmit sensitive data (e.g., customer records, employee PII, data for analytics), and evaluate whether that data is being protected everywhere it’s shared.
28. Make it simple for distributed teams to share information.
More teams than ever are moving to a remote-first or hybrid environment. These distributed teams need sophisticated tools to collaborate and share information quickly — with both internal and external partners. Virtru’s Secure Share encrypted file-sharing platform makes it simple for teams to send and receive information with external partners (like clients, business partners, board members, and others) with the confidence that it’s always protected.
29. Secure data management makes a strong first impression.
The competition for top talent is high — and it’s important for companies to make a strong first impression on prospective new hires, both during the interview process and during onboarding. Show that you take security seriously and are committed to protecting their private data.
30. Make sure you’re protecting employees’ COVID-19 vaccine and test results.
Many HR teams are still collecting and managing COVID-19 vaccine and test data. That information can remain on file, but it may also need to be communicated to managers and team leaders. If that information needs to be shared via email or other collaboration flows, it’s essential that those messages are secured with end-to-end data protection. Our blog post provides some recommendations for securing employees’ private COVID-19 vaccination and test data.
31. Continue the cybersecurity conversation year-round, not just during Cybersecurity Awareness Month.
The key to engaging your employees around cybersecurity is to make security a habit, an everyday part of your organization’s life. Just like any other habit, it’s about small, continuous shifts that add up to a big impact.
32. Ditch your reused passwords.
Data breaches often leak user credentials, including passwords. This can be hugely damaging for people who reuse the same passwords across accounts — and each additional account amplifies your risk. Protect yourself by using a password manager to create complex, unique passwords for each account. This might be a weekend project for some, but it’s absolutely worth the effort, and a great way to start off Cybersecurity Awareness Month. For more security tips, check out our Empowered Employee Report.
33. Check your security settings.
A staggering amount of information is sent via email every second, so it’s essential that all that data is properly secured. For practical ways to get started, check out our guide for 5 steps to secure your data in Gmail.
34. Apply multi-factor authentication.
It may add an extra step to your login process, but it’s well worth the extra 2 seconds. This way, if someone gets a hold of your password, they won’t be able to access your accounts without access to your phone or other verification information. Check out other best practices for email security.
35. Understand end-to-end encryption and how to use it.
End-to-end encryption ensures your data remains safe from the moment it’s created, to the moment it’s shared. Check out our blog for the answer to the question, “What is end-to-end encryption?”
36. Add end-to-end encryption to your email.
Email encryption doesn’t have to be cumbersome. In fact, it can be an easy, natural part of users’ workflows check out this guide for more information.
This article was curated from a number of other useful cyber awareness month resources.
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.