Cyber Security begins in the Boardroom with the leaders of a business. It no longer can be the sole responsibility of your IT Director or your IT partner. Business leaders need to ask the “hard questions” to ensure they are protected.
The 12 questions below are a great place to start in assessing your level of cyber security.
1. Do we have a documented strategy that follows a nationally recognized framework that defines our cyber security strategy?
The most dangerous vulnerability to most small to medium sized businesses is a BAD ATTITUDE. This “bad attitude” includes downplaying the real threat of cyber threats and downplaying the cunning and skill of the cyber criminal. This falls squarely on the leadership in small to medium-sized businesses.
The organizations that respect this threat are open to developing an effective strategy that follows standards established by the top cyber security think tanks around the globe.
2. Do we have adequate cyber security insurance that has been reviewed and approved by our leadership team?
Every business needs cyber security insurance, and the leadership teams in these businesses need to make sure that they fully understand the policy they have invested in. Unfortunately, cyber security insurance policies are not created equally, and as you might expect, policies that are “cheap” will not cover you in the event of a cyber breach.
One of the most significant changes to current cyber security thinking is accepting the term cyber resilience. Cyber resilience acknowledges that NO BUSINESS is safe from a cyber breach. Therefore, we all must be vigilant to protect ourselves from cyber incidents, and we need to embrace the fact that we will eventually be breached.
“What? Are you saying that no matter what we do, we will be breached?”
The bottom line is YES. Most security experts today tell businesses to plan on being breached. And the first step after getting breached will be to contact your insurance carrier and start the remediation process. Hopefully, your cyber resilience strategy will prevent significant disruption (and cost). Still, you will want to engage with your insurance carrier immediately … and do that well before you start any remediation exercises on your own. This is because most current policies include some form of remediation assistance that can be deployed immediately following a breach incident.
3. Do we have an immutable and air-gapped backup system (protected by multifactor authentication [MFA])?
A few years ago, businesses that had been hacked could fully recover fairly quickly using their backup system. Unfortunately, the hackers have figured this out and have devised ways around many standard backup systems. A recent study reports that most cyber breaches happen well over 200 days before they are discovered. This is because the cyber criminals hack into business networks and hide there for over 6 months before coming out and demanding ransom money.
During these 6 months, cyber criminals are making a lot of discoveries about the business, the data, and the systems that drive the network. Most dangerously, these criminals carefully examine the systems in place to protect the data and the network resources. Once the backup system is figured out, the hackers compromise this system, leaving the business totally vulnerable in the event of a successful breach.
“Immutable and Air-gapped backup system … what is this?”
The newest versions of backup systems are immutable and air-gapped, meaning that they operate in an entirely different environment from the business network. So, when a network is compromised, the cyber criminals do not have access to the backup system … and the data on that system is safe and can be used to quickly re-build the network.
These air-gapped backup systems require multifactor authentication, so even if the hackers have admin credentials for the network, the MFA protects the air-gap-protected business data. The combination of air-gapping the system and securing the login with multifactor authentication ensures that the data is secure.
4. Do ALL users access business data and resources through MFA (multifactor authentication) on every device from every location?
Admittedly, MFA is a pain in the butt, but it is critical in today’s connected world. The idea with multifactor authentication is to combine something you know (username and password) with something you have on your person. The bad guys are getting very good at guessing usernames, and they have very sophisticated systems to crack passwords. But even with all of these advancements, they don’t have your phone! And this is a critical element of a cyber security solution. MFA on all systems, for all users (executives should NEVER be excluded), employed at all times is a must in today’s dangerous cyber environment!
5. Do we have NextGen Antivirus (not standard business AV)?
Many business-class antivirus (AV) products are no longer sophisticated enough to combat today’s cyber criminals. NextGen AV works with many of the other aspects of your cyber defenses to create a much more secure environment. NextGen AV allows for a unified threat management program and enhances those capabilities. This unification creates a much safer environment than these systems have when working independently. In addition, the combination of these systems hardens the security platform, allowing for the layering of the various protections.
6. Do we have recurring cyber security awareness training & phishing exercises?
Unfortunately, the biggest threat to any business network is still the end user. Most of the breaches in the world today occur because an end user has made a mistake and has clicked on a link that they should not have, or has visited a website that they should not have visited. Therefore, every business, small or large, should have a robust and consistent security awareness program. This program should combine consistent and timely messaging about the current threat landscape with phishing tests that keep all end users fully aware of the dangers that exist.
7. Do we have an outsourced 24/7 SOC (Security Operations Center) & Threat Hunting activity?
In today’s world, it is more important than ever for businesses to proactively search for cyber threats lurking within their networks. Cyber threat hunting searches for malicious activity that has successfully slipped past the shell businesses build to protect their environments (firewalls, antivirus, anti-malware …). Threat hunting tools constantly scan network data and search for known threats or anomalies that need further investigation. When anomalies are found, human threat hunters within the SOC are notified, investigate further and, when necessary, take action to remove the threat from the environment. This layer of protection is usually provided by an outsourced security team within the SOC.
8. Do we have Web DNS Content Filtering and the scanning of email attachments and links?
As noted above, end users continue to be the weakest link in business environments. Unfortunately, many businesses do not have DNS content filtering, which prevents users from accessing known malicious websites. Additionally, companies should deploy threat protections that scan incoming emails for infected attachments and infected links within the body of the email. Monitoring email and catching these infected elements before they arrive in an end user’s inbox is the best way to guarantee that the links/attachments are not accidentally clicked.
9. Do we allow users to be Local Admins of their computers?
Another common problem with business networks occurs when end users can be local administrators of their computers. End users often request local admin access so they can load and run different software packages. These software applications are generally not “business approved” and can enter the business environment without proper scanning and verification. Allowing end-users this type of access to software and applications opens up many vulnerabilities that cyber criminals exploit.
10. Do we have a network Intrusion Detection System (not Intrusion Protection)?
An intrusion detection system monitors a business network from within. Rather than sitting on the external shell and preventing exploits from entering the network, the IDS (Intrusion Detection System) sits inside the network and “listens” for internal traffic that might indicate a breach. If a breach is detected, the IDS can immediately identify the equipment within the network that has been breached, allowing the remediation effort to shut down the breach. Without an IDS, a business could be breached and not know about it for many months.
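The paragraphs on threat hunting (question 7) and on the IDS (question 10) both describe the same defensive idea: watching traffic that is already inside the network and naming the machine it comes from. The following added example (not the article's code, and not a real IDS) shows one such internal detection in miniature. It reads constructed internal flow records and flags a single workstation that reaches many distinct internal hosts on one port within a short window, a pattern that is worth a human's attention because a normal user's PC rarely talks to half a dozen other machines' file-sharing port in two minutes. The addresses, timestamps, threshold and window are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Private ranges treated as "inside the network" (RFC 1918).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow log: "<timestamp> <src> <dst> <dst-port>", one record per line. Not real traffic.
# 10.0.1.15 touches six different hosts on port 445 in a few seconds; 10.0.1.22 talks to one
# file server repeatedly; 10.0.1.30 touches five hosts but spread six minutes apart.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 10.0.1.15 10.0.2.7 445
2024-05-01T09:00:02 10.0.1.15 10.0.2.8 445
2024-05-01T09:00:03 10.0.1.15 10.0.2.9 445
2024-05-01T09:00:04 10.0.1.15 10.0.0.53 53
2024-05-01T09:00:05 10.0.1.15 10.0.2.10 445
2024-05-01T09:00:06 10.0.1.15 10.0.2.11 445
2024-05-01T09:00:08 10.0.1.15 10.0.2.12 445
2024-05-01T09:01:00 10.0.1.22 10.0.2.7 445
2024-05-01T09:04:00 10.0.1.22 10.0.2.7 445
2024-05-01T09:07:00 10.0.1.22 10.0.2.7 445
2024-05-01T09:10:00 10.0.1.30 10.0.2.7 445
2024-05-01T09:16:00 10.0.1.30 10.0.2.8 445
2024-05-01T09:22:00 10.0.1.30 10.0.2.9 445
2024-05-01T09:28:00 10.0.1.30 10.0.2.10 445
2024-05-01T09:34:00 10.0.1.30 10.0.2.11 445
"""


def parse_flows(text):
    """Turn the text log into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def find_fanout(flows, port=445, threshold=5, window=timedelta(seconds=120)):
    """Flag any internal source that contacts `threshold` or more distinct internal hosts
    on `port` inside a sliding time window. Returns one alert per offending source, naming
    the machine so responders know which piece of equipment to isolate."""
    relevant = sorted(f for f in flows if f[3] == port and is_internal(f[1]) and is_internal(f[2]))
    by_src = defaultdict(list)
    for ts, src, dst, _ in relevant:
        by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({
                    "source": src,
                    "port": port,
                    "first_seen": events[start][0].isoformat(),
                    "targets": sorted(targets, key=ip_address),
                })
                break  # one alert per source is enough for the hunters to pick it up
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['source']} reached {len(alert['targets'])} internal hosts on port "
              f"{alert['port']} starting {alert['first_seen']}: {alert['targets']}")
```

Only 10.0.1.15 is reported; the repeated connections from 10.0.1.22 to one server and the slow spread from 10.0.1.30 stay below the window. A production IDS uses many such rules plus signatures, but the shape is the same: the alert identifies the internal host, which is exactly what the article says lets remediation shut the breach down quickly.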
11. Do we have a Vulnerability Management process and an emergency patching process?
Security experts across the globe work together every day to keep the world safe from cyber crime. In addition, thousands of cyber security companies monitor millions of access points and are constantly searching for the next exploit. The collaboration between these entities is incredible, and communication of newly discovered threats covers the globe within minutes or hours of first discovery. But, for this amazing system to work effectively, businesses must have defined processes for deploying security and software patches. Furthermore, these vulnerability management processes need to be well defined to ensure rapid delivery without interrupting clients or employees within a business.
12. What do we use for Password Management?
End users are encouraged to use long and complex passwords to access all business data and resources. This creates some tension because users are forced to log into multiple systems and applications numerous times each day. Because these users are also encouraged to use different passwords for different applications, they carry the burden of remembering many complex passwords to do their work each day. This is why password management and a password management system are critical. A company-wide password management approach simplifies the need for multiple, complex passwords and eases the use of business data and resources.
Cyber security is now a business-critical conversation. So it is critical to embrace the fact that cyber security begins in the Boardroom with you and your leaders.
It is no longer the sole responsibility of your technology team or your IT provider. As a business leader, you need to ask the hard questions to ensure your organization is secure and totally protected.
We hope these 12 questions encourage additional security conversations with your leadership team and the rest of your organization.
If you would like to get more insights on cyber security or learn the details of a fully layered cyber security solution for small to medium-sized businesses…please check out the links below.
If you have more immediate cyber security needs, please reach out to us by clicking on the link below.