As we kick off Cybersecurity Awareness Month, we’ve gone through our archive of content and aggregated some salient tips for organizations to consider to help improve their cybersecurity.
Set up and structure a multidisciplinary cyber risk committee.
There should be little doubt based on all of the incidents this year that cyber risk is an enterprise risk. The entire enterprise can help shape this risk and can also be weakened by it. According to Aon’s bi-annual Global Risk Management Survey, cyber risk is seen as the greatest risk to business in North America. One of the simplest ways for cybersecurity to be viewed as a risk across an organization is to bring together key stakeholders—the general counsel, Chief Information Security Officer, Chief Risk Officer, Chief Technology Officer, product developers, financial executives, and compliance and audit team leaders—to work collaboratively in a cross-functional manner to focus on the issue. It is also important to set up a chain of command within this group so individuals know their roles and responsibilities in case of an incident.
Encourage reporting by not punishing employee behavior that’s ancillary to an incident.
Creating a culture of security will encourage employees to speak up once they realize something has gone wrong, or provide them permission to ask questions before something bad happens. Employees shouldn’t fear punishment for personal browsing, for instance, when reporting real threats. It could delay and inhibit people from speaking up, when speaking up could be instrumental in reducing damages. At the end of the day, a ransomware attack could hurt your business more than online shopping.
Protect against ransomware by testing your backups.
Recovering from a ransomware incident depends on being able to restore the affected systems to normal without having to pay the ransom. Backing up your data on a regular basis is a key part of this strategy. Ideally, utilize a system that allows the creation of snapshots in time or maintains multiple versions of documents as they are created over the course of the day. But you must test the backups. If you don’t, there’s a chance they won’t work, and your business may be disrupted nevertheless. If you have cloud backups, test the download and restore times—they may be slower than you expect. It’s also important to test the restore speed of a full system back up should you be hit with a deep malware infection.
Test your defenses with red teaming and cyber threat simulations.
Want to know how an attacker can gain unauthorized access to one of your critical systems but don’t want to incur any real loss in the process? Perform red team exercises to identify how effective your technical controls are against an attack. Cyber threat simulations can also help expose weaknesses to your security and incident response programs. Testing your security posture is a key way to determine how your organization would respond to a real world attack.
Avoid phishing attacks by tagging emails with a secret code.
A simple method to thwarting phishing attacks within a small group of influential, high risk individuals, like the executive suite, is by tagging every executive-to-executive email that contains a link or attachment with a code known only among the group. The code can be a list of numbers, letters, characters, or a passphrase, similar to a password. If the recipient doesn’t see the code, they know not to click the link or open the attachment. Executive assistants should also be made aware of this practice; they must be as vigilant as the executives themselves.
While no individual tip or even the best designed cybersecurity plan can prevent all attacks, each of these individual tips plays a part in boosting the cybersecurity posture of an organization and making the organization more resilient. The strongest buildings are still built brick by brick.