Posted by Hal Overman + Joe Vigorito on Feb 19, 2019 10:00:00 AM
In the first part of this blog series, we shared the importance of taking a step back and ensuring that your cybersecurity program addresses the basics before moving forward with “shiny new objects” like advanced analytics and machine learning. In this part, we will share some tips to help you build that strong foundation for your cybersecurity program.
1. Choose Your Partner Wisely
When talking to a prospective cybersecurity partner, make sure they understand the threat landscape well and can speak to a set of architectural solutions aligned to your existing environment. We call this diversity. Unlike other IT technologies, no one vendor has figured it all out, so you need a partner that looks around the corner and brings you actionable solutions in hand, not an information dump of data sheets from every manufacturer or software house in the market.
2. Protect Your Crown-Jewel Data
Next, think of cybersecurity in terms of concentric circles, with every circle serving as an obstacle for an attacker. In the center, you have your mission-critical data. The goal is to make it a “bad investment” in time and energy for an attacker to try and get to this data. Do not rely on one product or one type of technology, and add substantial amounts of cybersecurity education to create human firewalls. Make sure you regularly test your staff using continuous learning or LMS tools.
3. Limit
Limit what, you say? Limit everything. Have records retention policies to limit the data you keep and how long you keep it. Do what you are legally bound to do. Limit access. Understand the concept of “least privilege.” Give people access to what they need, and not more. Limit networks. Segment. Break down networks logically, by function, department, line of business, or compliance requirement. Build security based on the risk and sensitivity of the data.
4. Obfuscate
Obfuscate is a big word, but here is a simpler way of saying it: Encrypt. The days of encryption being optional are over. In fact, crypto-acceleration is so good now that you may be boosting performance by encrypting data! If you cannot encrypt, use data masking, which involves redacting the sensitive data out of your application environment. Most regulatory initiatives mention encryption. Not all make it mandatory, but you had better be able to explain why you did not encrypt should an auditor or assessor come asking.
5. Training for All
Train everyone, even the CEO. Test, report, monitor. Like playing sports, you get better at spotting phishing, spear-phishing, and whaling by practicing your defense against them. Train in multiple ways, as no one learns by a single method alone. Get help with your program, as there are excellent gamification tools out there that are not only informative but actually fun to use (and employees can go home and impress their families with all their knowledge)!
These tips are just the starting point. Check back for the final part of this Cybersecurity 101 blog series, where we will share additional basics to consider when developing your cybersecurity strategy.
[ GUIDE ] Building HUMAN FIREWALLS: 10 Steps to Cyber Awareness
Are your employees equipped to act as a human firewall, defending your organization against attempted cyber attacks?
The statistics are staggering: spear phishing accounts for 95% of enterprise network attacks, according to the SANS Institute. Since attackers can craft messages to your employees posing as a reputable contact, technology can only do so much. To effectively prevent your organization from falling victim to cyber attacks, it’s essential that your employees develop strong cyber instincts.
This guide contains an extended overview of ConvergeOne’s 10 steps to creating a cyber aware culture, including key questions and ideas for tackling each step.