Three simple cybersecurity steps to dramatically reduce your security risk
The statistics are alarming, but business leaders don’t appear to be alarmed.
In the first half of 2020 alone, there were more than 600 significant, known data breaches. According to IBM Security, more than 50% of organizations surveyed report a significant business disruption in the last two years because of cybersecurity incidents—and the average cost of a data breach in the U.S. was $8.64 million in 2020. Yet the shock factor begins to wear off as attack after attack is publicized. It is also easy to assume that we must be getting better at detecting security threats because we are identifying more attacks before they happen. The reality, however, is that attack vectors, and the costs associated with them, continue to multiply, driven by changes such as the surge in remote work.
There are hundreds of stories about the perils businesses have encountered. While these risks are sometimes associated with poorly designed security at the hardware, software or system architecture level, they can also be a byproduct of human behavior or immature processes. Even if your organization doesn’t have plentiful IT resources, you can begin your journey toward more mature security with just three simple steps.
First: Scan for vulnerabilities
The time to identify weaknesses is before a breach occurs. As IT processes and systems get updated, and devices or their configurations change over time, vulnerabilities can appear even in networks, servers, applications or edge devices that you had previously thought to be secure. It is not enough to simply apply the latest patches or security solution and walk away.
The exponential growth in remotely connected devices from non-corporate networks in response to the COVID-19 pandemic also represents an expanded attack surface for those with malicious intent. Whether or not you had contingency plans for a scenario requiring all office employees to work remotely, you should conduct a thorough, objective vulnerability scan of your IT systems and network, looking for exploitable weaknesses. To ensure your scanning is comprehensive, it should encompass your network perimeter, including your VPN or other remote access portals, as well as the internal network, since some attacks may bypass your perimeter defenses.
Once your scanning is complete, address the vulnerabilities detected in your environment. And remember, vulnerability scanning is not a “one-and-done” activity. Think through the rate and types of change in your environment—including how often you bring new systems online, apply patches, grant new users access—and ensure that your vulnerability testing keeps pace. Use these inputs to determine a regular vulnerability scanning schedule.
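As an added illustration of the "keep pace with change" rule above (example code written for this page, not a Flexential tool), the script below compares constructed change events against constructed last-scan dates, flags assets that changed after their last scan, and derives a scan interval from the observed change rate. Asset names, dates and the weekly-to-quarterly bounds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): one row per change event
# (asset, date, kind) covering the change types the article names.
CHANGES = [
    ("vpn-gw-01", "2020-09-01", "patch"),
    ("vpn-gw-01", "2020-09-20", "config"),
    ("app-srv-02", "2020-08-15", "new-system"),
    ("db-01", "2020-07-01", "patch"),
    ("laptop-117", "2020-09-25", "new-system"),
    ("db-01", "2020-06-20", "access-granted"),
]
# Constructed date of the most recent vulnerability scan per asset.
SCANS = {
    "vpn-gw-01": "2020-09-10",
    "app-srv-02": "2020-08-20",
    "db-01": "2020-07-05",
    # laptop-117 has never been scanned
}


def parse(day):
    return datetime.strptime(day, "%Y-%m-%d")


def stale_assets(changes, scans):
    """Return {asset: kind_of_latest_change} for assets whose latest change is
    newer than their last scan, or that were never scanned at all."""
    latest = {}
    for asset, day, kind in changes:
        if asset not in latest or parse(day) > parse(latest[asset][0]):
            latest[asset] = (day, kind)
    stale = {}
    for asset, (day, kind) in latest.items():
        scanned = scans.get(asset)
        if scanned is None or parse(scanned) < parse(day):
            stale[asset] = kind
    return stale


def scan_interval_days(changes, window_days=90, as_of="2020-09-30"):
    """Derive a scan cadence from the change rate: spread scans so there is at
    least one per change in the window, bounded between weekly and the window
    length (quarterly by default). The bounds are an assumed policy choice."""
    start = parse(as_of) - timedelta(days=window_days)
    n = sum(1 for _, day, _ in changes if start <= parse(day) <= parse(as_of))
    if n == 0:
        return window_days
    return max(7, min(window_days, window_days // n))


if __name__ == "__main__":
    print("Changed since last scan:", stale_assets(CHANGES, SCANS))
    print("Suggested scan interval (days):", scan_interval_days(CHANGES))
```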
Second: Increase user awareness
Scanning for vulnerabilities will likely reveal some areas of exposure. However, if employees get better at guarding against and detecting possible threats, their awareness can dramatically reduce your risk of a security breach. In 2019, two of the top five causes of security breaches were phishing scams (31%) and unauthorized use of employee credentials (29%). Couple this with a 45% increase (Ivanti) in risky and non-compliant end-user behavior in 2020, and the security risk arising from user behavior has grown significantly. A million-dollar firewall running the latest update and backed by all the best security policies in the world might look great on paper—but it doesn’t stand a chance against that one dude in accounting who can’t spot a fake email.
A cybersecurity best practices review with users, and follow-up testing of how they can safely carry out their roles and responsibilities, will educate every employee, not just that one dude in accounting, activating everyone’s vital role in protecting your business. Establish a starting point—a companywide policy, rolled out and agreed upon by management—to ensure everyone has a common reference point to understand the basics of access control, security processes and the part played by each employee. Additional security practices for raising employee awareness include educating them about social engineering attacks and performing on-site security evaluations to find weaknesses that those with bad intent would exploit.
Third: Improve remote workforce security
Bad actors are already exploiting weaknesses caused by the rapid changes implemented to enable and empower remote workers; there has been a 148% rise this year in ransomware attacks relating specifically to COVID-19 scams. Therefore, quickly and thoroughly focusing on your remote workforce security can have a significant positive impact on your business.
Addressing potential points of exposure in your VPN or other remote access methods, mandating multi-factor authentication, and moving to a zero-trust based approach for sensitive applications and data are necessary parts of cybersecurity for remote workers and a timely and essential third step in maturing your security stance. Beyond securing the means of access and authentication, define the risk profile and business criticality of each application so that each one receives security controls appropriate to its risk. Finally, revisit your incident response plan—make sure that a plan is in place and that it has been tested and run through with security staff so that when an incident happens, you are ready, and the team knows what they need to do.
For many organizations, shifting economic realities and discovering that many workers can maintain significant productivity without the overhead of a full-time office means that what began as a response to a pandemic has become a potential long-term business reality. Add the dramatic increases in bad actor activity into the equation, and there is no putting off these cybersecurity steps until things “return to normal.”
To support organizations committed to advancing their IT security, Flexential Professional Services offers broad-based security assessments as well as more targeted services such as social engineering tests, remote work security assessments, vulnerability management and cybersecurity program development.