“There are risks and costs to a program of action – but they are far less than the long range cost of comfortable inaction.”
– John F. Kennedy
1. Have a written incident response plan and practice it on a regular basis.
Time is of the essence when responding to a data breach. Every second counts when systems are compromised and a company’s reputation is on the line. It sounds stressful, doesn’t it? If important decisions are being made “on the fly” during a data breach, then the likelihood of mistakes and poor judgement rises exponentially. Furthermore, how a company responds to a data breach may be analyzed and scrutinized by third parties and other stakeholders. As Benjamin Franklin famously said, “By failing to prepare, you are preparing to fail.”
A written incident response plan allows an organization to assign roles and responsibilities, set expectations, plan for a variety of scenarios, and contemplate tough decisions in advance rather than in the midst of a crisis. However, simply having a plan is not enough. It is important to ensure that the response team is aware of their responsibilities and trained on how to perform their tasks. Next, evaluate the incident response plan using a simulated emergency, i.e., a tabletop exercise, to identify opportunities for improvement and confirm the process for crisis communication.
2. Perform vulnerability scanning and penetration testing.
How do companies know if they are an easy target for hackers? How can they tell if their IT staff or managed services provider are keeping their network secure? Penetration testing, an authorized attempt by a third party to identify and exploit system vulnerabilities, can help them find out.
Vulnerabilities within an organization’s computer network act as unlocked doors that can provide easy access to critical systems. That is why it is essential to conduct regular penetration testing. By doing so, an organization can identify and fix vulnerabilities to prevent a hacker or other malicious person from exploiting them. By simulating a cyber-attack, a penetration test will safely reveal the unlocked doors within a network and provide the locks and keys to fix them in the form of a prioritized roadmap or task list.
3. Patch applications and operating systems within your network.
Vulnerabilities come in all shapes and sizes. Some can be complicated and require a large amount of time and effort to remediate while others can be as simple as running an automatic update. Patches are released for operating systems and applications as developers fix new vulnerabilities. By applying these patches, a company can fix bugs in their systems that could be exploited by hackers. On the other hand, by not patching systems on a regular basis, a company is leaving itself, and potentially their customers, at risk.
Network administrators can create a patch management program, encompassing their company’s information systems, which will automatically scan devices at regular intervals and determine whether or not updates are available. If they are, they can be applied as necessary based on a set policy.
4. Provide employee security training in regular intervals.
Sometimes, even with a highly secure IT infrastructure, hackers are still able to compromise a company through its “human firewall.” Believe it or not, many employees click on phishing emails. One reason the click rate is so high is that phishing emails are not as painfully obvious as they once were, and hackers have become adept at creating a sense of urgency.
Phishing messages are crafted to entice victims to click before they have a chance to gauge the authenticity of an email. When it feels like the clock is ticking, employees are more likely to be compromised by clicking on a malicious link, entering their credentials, or wiring money before confirming whether or not the request is legitimate.
Over the years, phishing schemes have been successfully used by attackers to steal billions from companies and gain unauthorized access to sensitive or private information. The best way to combat phishing is through security awareness training. Such training should be provided during on-boarding, and regularly thereafter, to strengthen a company’s “human firewall.”
5. Actively monitor your network, including anti-virus / malware protection.
Even if a company does all the right things, there is still a chance it will suffer a data breach. That is why the saying “it is not a matter of if, but when” holds true in cybersecurity. As such, it is important to proactively monitor computer networks for anomalous activity that could signal a data breach unfolding in real time.
The sooner a data breach is uncovered and contained, the lower the impact. Unfortunately, it often takes many days or even months to uncover a data breach, because most organizations do not have monitoring in place. When a breach is discovered, log files become crucial to the investigation and to the incident responders attempting to gather the facts. In some cases, logs can be overwritten or deleted by a cyber-criminal or malicious insider. By creating a robust logging system, an organization can minimize the chances of log tampering and preserve that critical evidence.
6. Perform a data audit – where is your data and what does it look like?
If a company does not know where their data is located and what it looks like, then it is difficult to put controls in place to protect it. That is why conducting a regular audit of data within an organization is essential. It will reveal which systems are storing the “crown jewels” and other sensitive information, such as payment card data or personally identifiable information. Knowing what data is stored and where it is located will help an organization prioritize where to focus their cybersecurity efforts.
7. Regularly audit Active Directory for authorized users and privileged accounts.
Just as it is important to conduct regular data audits, it is equally important to audit those who have access to a company’s systems, especially those with administrative access. Administrators often have the “keys to the kingdom”: unfettered access to files throughout an organization, the ability to create new accounts, and the ability to alter other users’ permission settings. A common goal for hackers, once they have gained access to the network, is to establish access to an administrative account, i.e., privilege escalation.
By regularly auditing accounts and privileges, an organization can quickly identify whether or not there is an account with a name that they do not recognize or see if a recently departed employee still has access to the system with their old username and password.
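The audit described above, as an added example that is not part of the original article: a PowerShell script that walks the privileged groups in Active Directory and flags members who are disabled, have not logged on recently, or have non-expiring passwords. It assumes the RSAT ActiveDirectory module is installed, the running account can read group membership and user attributes, and the 90-day inactivity threshold and the group list are assumptions to adjust for your domain.

```powershell
# Added example (not from the original article): periodic audit of privileged AD accounts.
# Assumes the RSAT ActiveDirectory module and read access to users and groups.
Import-Module ActiveDirectory

# Groups to review; extend with any custom admin groups your domain uses (assumption).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$InactiveDays = 90   # assumption: accounts unused this long are flagged for review
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are not missed
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled
        $flags = @()
        if (-not $u.Enabled) { $flags += 'disabled-but-still-privileged' }
        if (-not $u.LastLogonDate) { $flags += 'never-logged-on' }
        elseif ($u.LastLogonDate -lt $Cutoff) { $flags += "inactive-over-$InactiveDays-days" }
        if ($u.PasswordNeverExpires) { $flags += 'password-never-expires' }

        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Flags           = ($flags -join '; ')
        }
    }
}

# Full roster: review every name; anything unrecognised is itself a finding.
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Flagged accounts (e.g. a departed employee whose logins stopped but whose access remains)
$findings | Where-Object { $_.Flags } |
    Export-Csv -Path "privileged-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Domain-wide: enabled user accounts with no logon in the last $InactiveDays days
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize
```

Run it on a schedule and diff the CSV against the previous run so that newly added privileged members stand out.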
8. Back up your data regularly and have a disaster recovery plan.
Once a company knows what data they have, where it is located, and who has access to it, the next step is to ensure that it is backed up. Having only one copy of an organization’s data leaves businesses at substantial risk, because losing the data to human error, ransomware, system failure, natural disaster, or other issue could mean it is gone forever. A common best practice for essential data is the 3-2-1 backup rule. Keep at least 3 copies of your data on 2 different storage types with at least 1 copy stored offsite.
It is also important to perform restore testing to identify any problems that may arise with the backup system such as a lengthy downtime or corrupt data. The last thing anyone wants to find out is their backups have not been working when they need them most.
9. Understand necessary compliance and regulatory requirements applicable to the business.
Being compliant does not mean a company is secure. Being secure does not mean a company is compliant. Often, a company’s security initiatives will overlap with their regulatory requirements, but one may not be enough to satisfy the other. That is why it is important to understand what the compliance requirements are for an industry and determine a proportional approach.
By understanding which cybersecurity and compliance frameworks apply to an organization, they can determine whether or not their current security measures are enough to satisfy those requirements or if they need to do more to ensure confidential data remains secure.
10. Conduct a cybersecurity assessment.
According to Lean Six Sigma, the definition of a problem is the difference between what is and what should be. By engaging a trusted third-party advisor to conduct a cybersecurity assessment, a company creates a baseline to analyze where they currently stand and what needs to be done to improve security.
Furthermore, as managing third-party cybersecurity risk continues to grow in popularity, it is no surprise that companies are now regularly being audited by their customers and partners regarding data security policies and procedures. The results of the audit can be the difference between keeping and losing a large client. A cybersecurity assessment will help prepare an organization for a security audit so that they know what needs to be done to pass this important test.