I came across this article that I thought our audience would find interesting. You can read it here if you like. It’s a bit salesy, and Microsoft-centric (consider the source!). But the cybersecurity tips are useful to consider in framing your organization’s cybersecurity strategy. I’ll list them below with my thoughts.
Take a “Zero Trust” Approach
The concept of “zero trust” is beginning to take hold. I find this cybersecurity tip to be a good way of thinking about security as it starts with the idea that nothing and no one should be trusted unless shown otherwise. Why is this a valid point of view? In many (if not most) organizations, users are able to access corporate information and resources using devices and applications that were not supplied by IT. That fact of life is unlikely to change.
As a consequence, it’s now possible to consider several risk/trust factors before allowing access to organizational services and information:
- What device is being used? Do I know it’s secured?
- What application is being used? Did IT supply the app?
- What network is the source of the request?
- Who is making the access request? Does this fit within a regular pattern of requests?
- What data does the user want to access? Does this fit within their normal pattern, or is it unusual?
Based on these kinds of risk factors, organizations can allow or deny the request.
Wait, what? I thought we wanted more passwords, changed more frequently?!
Alright, I’ll admit this is one of those attention-grabbing headlines. As we’ve written about before, the thinking nowadays is to focus on setting up secure passwords and changing them less frequently. Why? Because people can’t remember complex passwords and will tend to use easier passwords that they can remember.
What’s not being said with this cybersecurity tip is the use of a password manager. To be honest, if you’re using a password manager it doesn’t matter if you have to change passwords often. The password manager can take care of generating a new password for you (that’s kinda the point). But regardless of how often you need to change it, the point is to start with a complex password (better yet, a passphrase). I recently changed the password for one of my online finance accounts to nineteen characters. I would never have done that if I thought I’d have to type that password even once. Now, the chances of cracking that password are something north of 19^40.
But is password-less a reality? I don’t think we’re there yet. We are at the point of using something other than passwords for a second authentication factor. This includes authentication apps, SMS/text messages, fingerprints and facial recognition. If you consider that most of your smartphone apps are always connected (you don’t have to enter the password every time you use them), then this second authentication method is kind of like going password-less.
Watch this space for more developments.
Keep Devices Current
This has to be the #1 cybersecurity tip of all: the least glamorous, but the most important. There’s really no reason not to keep devices, applications and servers current with respect to security releases. There are plenty of tools that help you accomplish this. I can’t tell you how many times we hear news of a customer whose network has been compromised, followed by the admission that, “we hadn’t gotten around to updating the ___.”
I’m not saying you should blindly take every Windows update (that Windows 10 October update drama is still a timely reminder that caution is a good defense mechanism). But, the security updates should get pushed out when they’re available. The idea that IT has to thoroughly test OS updates before pushing them out is outdated. Do you really have time for that?
Stay on Top of Your Data
Managing your data means a couple of things.
First, make sure you have a tested plan for data backup and restoration. The ransomware people are hoping you haven’t done this. It’s much more satisfying to give hackers the one-finger salute (OK, not actually) when they ask for a ransom in order to restore access to your data. With backup and restore, you wipe the device and restore the data. Problem solved.
Second, you have to know something about the data you have. Namely, you want to be able to label the data (assign it to one of a small number of “buckets” that share a common level of required security). With the labels in place, you can go on to define policies that allow for certain levels of access based on the label.
This sounds daunting, but it doesn’t need to be. Don’t start with the idea of classifying all of your data. Pick off the most obvious “buckets” such as financial information. Try applying some labels and defining some policies. Then you can monitor to see if the policies are appropriately controlling information access and not throwing too many “false positives” that end up inappropriately restricting user access. Once you have the process dialed in, you can move from manually operated tools to automated ones for content classification. Just remember to keep things simple.
I’m a big proponent of this move to attaching relevant levels of protection to the information itself (information rights management is the buzzphrase here).
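To make the two ideas above concrete (the zero-trust risk factors from the first tip, and the label-based access policies from this one), here is an added toy access evaluator. It is example code, not anything from the Microsoft article or an Azure product; the labels, weights, thresholds and sample requests are all constructed assumptions, and a real policy engine would feed these decisions into MFA prompts and audit logs rather than strings.

```python
from dataclasses import dataclass

# Added example, not the article's code: a toy zero-trust evaluator that
# combines the post's risk factors with a data sensitivity label ("bucket").
# Labels, weights, thresholds and sample requests are all constructed.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "financial": 3}

@dataclass
class AccessRequest:
    user: str
    device_managed: bool   # was the device supplied/enrolled by IT?
    app_approved: bool     # did IT supply the application?
    network: str           # "corporate", "home" or anything else (unknown)
    usual_for_user: bool   # does this fit the user's regular pattern?
    data_label: str        # bucket the requested data carries

def risk_score(req: AccessRequest) -> int:
    """Add up risk points; each factor is a signal, not proof of attack."""
    score = 0 if req.device_managed else 2
    score += 0 if req.app_approved else 1
    score += {"corporate": 0, "home": 1}.get(req.network, 2)
    score += 0 if req.usual_for_user else 2
    return score

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step-up' (demand a second factor) or 'deny'."""
    rank = LABEL_RANK.get(req.data_label, 3)  # unlabelled data: treat as most sensitive
    score = risk_score(req)
    if score >= 5 or (rank >= 2 and not req.device_managed):
        return "deny"
    if score > 3 - rank:  # the more sensitive the bucket, the less risk tolerated
        return "step-up"
    return "allow"

def policy_summary(requests) -> dict:
    """Tally decisions per label so you can spot a bucket that blocks too much."""
    summary = {}
    for req in requests:
        counts = summary.setdefault(req.data_label, {"allow": 0, "step-up": 0, "deny": 0})
        counts[decide(req)] += 1
    return summary

SAMPLE_REQUESTS = [  # constructed sample traffic
    AccessRequest("alice", True, True, "corporate", True, "financial"),
    AccessRequest("alice", True, True, "home", True, "financial"),
    AccessRequest("bob", False, True, "unknown", False, "financial"),
    AccessRequest("bob", False, False, "home", True, "public"),
    AccessRequest("carol", True, False, "unknown", False, "internal"),
]
```

Running `policy_summary(SAMPLE_REQUESTS)` gives the per-bucket tally the post suggests monitoring: if a bucket comes back mostly "deny" for legitimate traffic, the threshold for that label is throwing too many false positives.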
You’re Never Too Small for Cybersecurity
This isn’t a cybersecurity tip listed in the Microsoft article, but I think it is an appropriate point. First, get over the notion that your organization is too small and boring to be of interest to hackers. The evidence shows this isn’t the case. Furthermore, hacking is a numbers game. Attackers are scanning the Internet for weak spots and will exploit the first weak network they find.
Second, tools that help with cybersecurity are no longer the province of just the biggest organizations. Yes, that’s where things hit the market first. But cybersecurity providers are figuring out that going “downmarket” is a profitable move. This means that tools such as Azure Information Protection, which used to be available only in the more expensive Microsoft subscriptions, are now available as add-ons or as part of subscriptions geared toward smaller organizations. So don’t just presume that you can’t afford to be secure.
Because you can’t afford not to be secure. Now go and do.