The don'ts - Where companies are so far wrong:
A major shortcoming of companies of all sizes is the lack of understanding of the value of files and documents, and therefore the need to protect them. Proper precautions, then, are also lacking. So attackers can access files that should actually be stored on separate networks or separate infrastructure.
Studies have shown that many enterprises lack a reaction or emergency system, dragging out the time it takes to eliminate incidents, defend against attacks and, ultimately, restore the system. Time is money.
Companies that don’t deal with the safety aspects of developments such as Bring Your Own Device (BYOD) / Wear Your Own Device (WYOD) don’t care about authentication and do not have strict rules on access rights, are likely sooner or later to fall victim to a cyber-attack.
Besides authentication, users need authorization to access specific company resources and must be monitored while doing so. This not only keeps prying eyes away from sensitive information, but also guarantees that only legitimate and authorized personnel can perform certain actions.
Small companies also often fail at implementing security best practices by enforcing the use of strong passwords and limiting users from performing rogue IT. Setting up user accounts – and not leaving everyone logged in with administrative privileges on their PCs – limits the exposure to data breaches caused by rogue or malicious software.
These two basic security measures can be adopted even by companies with a minimal IT budget, as they don’t require dedicated hardware or software.
The Do's – what can make businesses better:
As it's just a matter of time before disaster occurs, companies are well advised to draw up an internal response plan. This should include a security mechanism that notifies all stakeholders in an incident to give them the opportunity to respond adequately.
A crucial point is, of course, classification of data according to their value to the business. This must be backed up - and it’s where security is most important.
It also shows companies only need to develop an awareness of IT security. This is not achieved solely by legislation and compliance. Instead, companies should resolve to actively test their network environment for vulnerabilities and train their employees to identify and report threats.
One thing companies can improve at implementing the three A’s (also known as AAA): Authentication, Authorization and Accounting. Just by building this very simple framework, IT managers will have a better understanding of who is accessing company resources, from where, and for how long.
Authentication is all about credentials for all employees to guarantee no unauthorized personnel accesses mission-critical data. By coupling this with authorization for each authenticated user, you guarantee that only specific users have access to critical data and can perform specific actions, such as editing or deleting files.
The third “A” is all about measuring what the user consumes during access. To this end, you have visibility into how long was he logged into the system, what data was sent and received, and any other session activities that can provide insight into what the user was doing while logged into the corporate network.
What exactly are those deficits and risks?
A major deficit of all companies, regardless of size, is the inability to identify critical assets or data and properly secure it. As a result, by breaching non-critical systems, attackers could end up with data that should otherwise be stored on a segregated network or infrastructure. Recent studies have shown that businesses have no incident response or disaster recovery plans in case of security breaches, meaning that threat mitigation and remediation can take a significant amount of time. Although a technology and layered security mechanisms provide a level of security and reduce the surface of attack, a quick incident management and response process can make all the difference in terms of business continuity.
Understanding security risks associated with used software and hardware can help asses, prioritize, and even mitigate the impact of a security breach. Companies that do not manage BYOD/WYOD, practice poor authentication, and lack strong access policies are highly likely to experience a security incident.
Rogue IT is yet another element to take into consideration when employees are allowed to install software that has not been sanctioned by the IT department. Such software could lead to security risks, as it could expose users to previously unknown attack vectors. Even installing a media player not sanctioned by the IT department could introduce a vulnerability that would allow a cybercriminal to gain remote access to the employee’s computer.
Following this, it’s only a matter of covert lateral movement and searching for other ways to escalate privileges in the hopes of gaining full control over the network. This could lead to data exfiltration for an unlimited time. Risks associated with installing unsanctioned software can be easily mitigated and can save the company millions of dollars in intellectual property losses or client law suits that could result from a breach.
How can individual persons/enterprises protect themselves?
Starting from the premise that it’s only a matter of time until a company’s network perimeter is breached, enterprises should focus on having an internal incident response plan, a classification of business value of data, and an incident response process to report and handle breaches to third parties. Alerts triggered by security mechanisms need to reach all key stakeholders to proactively respond to threats.
Both people and enterprises need to correctly identify their critical data and make sure it’s properly protected. Companies should not focus only on adhering to guidelines and certifications, but actively test their network perimeter and train employees in correctly identifying and reporting security incidents.
Employees should undergo regular training and simulation to make sure they’re up to speed with the latest security practices and can identify spearphishing and social engineering methods. Scheduling and simulating attacks will not only keep employees vigilant, but will also thwart a wide range of attacks before inflicting any serious damage. Such policies and regulations should be enforced in any organization, regardless of size.