There are days when protecting your business from threats will feel like a never-ending battle. Some of the cybersecurity measures you will take, and recommend to others, will come at a high cost, while others might come at a lower cost but with considerable effort attached. And then there are those special few measures that will make a significant difference in your company’s security posture without breaking the bank or putting undue strain on your already stretched resources.
In no particular order, here is a list of cybersecurity measures that will improve your company’s security while providing a significant return on the effort or cost. Apologies in advance to those who consider such a list as subscribing to the silver-bullet or magic-pill theory. There is clearly no such thing. If you think you can only use one of the actions below, then you have already failed. Adopt them all and you will be well on your way to better protecting your business and being prepared to react when things go wrong. (N.B. They already have gone wrong; see #10 below.)
1. Limit the distribution and usage of admin accounts
The proverbial sorcerer’s apprentice situation: those accounts have a lot of power and should not be bandied about or shared without extreme caution. Attackers have many ways to get in, but if they get hold of an admin account, the havoc they can wreak is nearly limitless. Give each administrator a separate, named admin account that is used only for administrative tasks (no email, no browsing) and keep their everyday work on a standard account. Side benefit: by limiting access to these accounts you also avoid those painful self-inflicted wounds, where a novice admin takes out a network segment because they weren’t sure what they were doing. A corollary to this, of course, is ‘least privilege’: every account, human or service, should have the minimum set of permissions required to perform the functions required of it, and nothing more.
2. Adopt a cybersecurity framework such as the one from NIST
A huge amount of collective wisdom and experience has gone into the development of these frameworks, including the NIST Cybersecurity Framework. You can save yourself literally years of learning by following its structure and steps, and by using it to identify where your organization lies in cybersecurity maturity.
Some industries impose their own requirements, such as PCI DSS for card payment data or HIPAA for healthcare data. It goes without saying that if your business falls under such a regime, or a combination of them, then you must ensure you comply with it; a general framework like NIST’s complements those obligations rather than replacing them.
3. Monitor your DNS logs
Come on, that’s so old school … not! A treasure trove of information for the paranoid, DNS query logs give you foundational information on which host is resolving which name, at what time and date, and they are often the earliest trace of malware beaconing to its command-and-control domain. Just don’t get carried away. You can go a step deeper and point your clients at a filtering (trusted) resolver that refuses known-malicious domains, and at the firewall you can go as far as blocking specific countries. Your company doesn’t do business in Afghanistan and isn’t opening a branch office in Ukraine? Then there’s little reason to accept connections from those countries. Treat geo-blocking as noise reduction rather than protection, though: an attacker who wants in will simply route through a country you do allow.
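As an added example of the kind of triage you can run over those logs (this is not code from the original post), here is a small Python script that flags three things the paragraph above alludes to: lookups into zones you have chosen to block, long high-entropy hostnames of the kind DNS tunnels and domain-generation algorithms produce, and one client resolving an unusual number of unique names under a single domain. The log format, the blocked-zone list and the sample log lines are all constructed assumptions for this example; adapt the parser to whatever your resolver actually writes.

```python
"""Triage of DNS query logs: blocked zones, tunnelling/DGA-style labels, subdomain fan-out.

Added example, not code from the original post. The log format below is an
assumption made for this example (one query per line):
    <ISO-8601 timestamp> <client IP> <query name> <query type>
Adapt parse_line() to whatever your resolver (BIND, Unbound, Windows DNS, ...) emits.
"""
import math
import re
from collections import Counter, defaultdict

# Zones this business has no reason to resolve. The two ccTLDs mirror the
# article's own examples; the list is an assumption, tune it to your business.
BLOCKED_SUFFIXES = (".af", ".ua")

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    # Normalise: strip the trailing root dot and lower-case the name.
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def shannon_entropy(s):
    """Bits per character; encoded/random-looking data scores high, real words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive 'last two labels' approximation, good enough for a first pass.
    Use the Public Suffix List in production (co.uk, com.au, ... break this)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def check_blocked_zone(qname):
    """True if the name sits under a zone the business has chosen to block."""
    return any(qname == s.lstrip(".") or qname.endswith(s) for s in BLOCKED_SUFFIXES)


def check_suspicious_label(qname, min_len=30, min_entropy=3.5):
    """Long, high-entropy hostnames are how DNS tunnels and DGAs carry data."""
    host = ".".join(qname.split(".")[:-2])  # everything left of the registered domain
    return len(host) >= min_len and shannon_entropy(host) >= min_entropy


def analyse(lines, fanout_threshold=20):
    """Run all three checks; return (finding-type, client, detail) tuples."""
    findings = []
    names_per_domain = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip comments / malformed lines rather than crash the job
        q = rec["qname"]
        if check_blocked_zone(q):
            findings.append(("blocked-zone", rec["client"], q))
        if check_suspicious_label(q):
            findings.append(("high-entropy-label", rec["client"], q))
        names_per_domain[(rec["client"], registered_domain(q))].add(q)
    # One client resolving many unique names under one domain is the other
    # tunnelling signature, even when every individual label looks innocent.
    for (client, dom), names in names_per_domain.items():
        if len(names) >= fanout_threshold:
            findings.append(("subdomain-fanout", client, f"{dom} ({len(names)} unique names)"))
    return findings


def summarize(findings):
    """Counts per finding type, handy for a daily report."""
    return Counter(kind for kind, _, _ in findings)


# Constructed sample log (not real traffic): mostly ordinary lookups, one lookup
# into a blocked ccTLD, one base32-looking label, and one client fanning out.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z 10.0.0.5 www.example.com. A",
    "2024-05-01T09:00:02Z 10.0.0.5 outlook.office365.com. A",
    "2024-05-01T09:00:03Z 10.0.0.7 cdn-assets.static.contoso.test. AAAA",
    "2024-05-01T09:00:04Z 10.0.0.7 update.somehost.af. A",
    "2024-05-01T09:00:05Z 10.0.0.42 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tun.example. TXT",
] + [f"2024-05-01T09:01:{i:02d}Z 10.0.0.42 c{i:02d}.t.exfil.example. A" for i in range(25)]

if __name__ == "__main__":
    for kind, client, detail in analyse(SAMPLE_LOG):
        print(f"{kind:20} {client:12} {detail}")
    print(dict(summarize(analyse(SAMPLE_LOG))))
```

The thresholds (30 characters, 3.5 bits of entropy, 20 unique names) are starting points, not truths: baseline a week of your own logs first, because CDNs and some telemetry services legitimately produce long labels and high fan-out, and add those to an allowlist rather than lowering the bar.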
4. It is time for a Password Manager (and a password policy)
Sure, there are ways to create easy-to-remember but complex passwords that are different for each account and application. But using a good password manager is the right way to do it for a business. There are many good password managers out there, and costs range from free to low. Get your users to understand that having and using a password manager is just the way businesses must operate today. Also, there is no point in using a password manager if it doesn’t come with a core policy for creating difficult (i.e. long, unique) passwords, and remember that the manager’s own master password, which should itself be protected with MFA, is now the key to everything.
5. Inventory what you have
Oh man, this is going to be painful the very first time you undertake it! But then it gets easier; like brushing your teeth every day, it will become a daily/weekly operational habit that requires very little incremental effort and offers a lot of value. Why? Because you can’t protect what you don’t know you have. Servers, data, devices, applications, licenses, everything: you need to know what you have and where it is. A nice side effect of the inventory effort is that you will find all the unsupported or end-of-life software running on your network and will purge it. Another side effect is that you will find some security applications you thought were running that aren’t running at all, or aren’t running to their full capability. (Admission: we’ve had that happen…)
6. Think ‘cui bono’ when analysing risks and threats
We are not talking about nuisance hacking or ransomware and the like, where criminals spread malware by casting a very wide net to catch a large number of small fish. If you have very valuable data or information to protect, think first about who would really benefit (‘cui bono’) from targeting your business, exfiltrating that information and using or selling it. That tells you who your likely adversary is, what they are after and how much effort they are willing to spend, which in turn tells you where your controls matter most. A fancier way of saying this would have been to mention threat modeling.
7. People over tools
No, this one isn’t about user training (although that is important; see #12 below). There are a lot of very expensive, highly specialized tools out there that will check a lot of boxes and satisfy the C-suite and investors that you are doing something. But there are also credible open source tools that can be very useful when managed by skilled, experienced individuals. Get the right people first; they will know what to do and can get along quite well with less expensive tools. And keep those people happy, motivated, challenged and informed, because there are numerous employment opportunities out there for them.
8. Back up your data
No explanation required. Ok, maybe just two: make sure you test your backups by actually restoring from them, and keep at least one copy offline or otherwise out of reach of anyone holding admin credentials on the production network, so that ransomware that gets in cannot encrypt the backups along with everything else.
9. Take care of the very basics of security
The usual perimeter and network stuff that goes without saying, yet we’re saying it: anti-virus on endpoints, email filtering, a firewall with a default-deny inbound policy, automated patching and updating, logging turned on (and shipped somewhere an attacker on the box can’t erase it), hardened systems, limited use of USB storage, 2FA or MFA at least for remote access and admin accounts, a VPN for remote users, etc.
10. Change your mindset: you’ve already been breached
Much cybersecurity thinking revolves around protecting, blocking, isolating, obfuscating and generally trying to create an impregnable fortress. Give it up! Ok, don’t give it up, but change your mindset to one of ‘you’ve already been breached’. This mindset quickly moves the focus to data protection, rights management, asset classification, encryption and such. The bad guys are in; let’s make sure we can detect their presence or footprints, and also make it hard for them to find and use anything worth taking.
11. Watch those browsers
Everybody has a favorite one and there are quite a few around: Chrome, Firefox, IE (and Edge…), Opera, etc. Much of the trouble comes from those nasty extensions and plug-ins, which run with the browser’s access to every site the user logs into. A way to limit risk is to enforce a single, centrally managed and hardened browser for business use, keep it patched automatically, and allow only an approved list of extensions rather than letting users install whatever they find.
12. Awareness and Training
This is the biggest one of all! The most encouraging news is that we are making inroads into this: users are collectively getting more educated and more paranoid. Cybersecurity is not a single department’s problem, nor a single person’s problem; it’s everyone’s problem. Start with basic awareness, and keep things simple without freaking everyone out. Then progressively start some training and give it the time required. Avoid FUD; nobody learns well under stress. (Shameless plug: we’ve put together a site to help your users learn more about email security, which is a big part of cybersecurity, since most attacks begin with an email.)
There you have it: we managed to get to 12 things you can do to improve your business’s cybersecurity without breaking the bank or tapping too much further into your already over-stretched teams. Every little bit counts, every little bit helps. No single measure, action, person or tool can get it done on its own.