According to a recent survey of US CEOs, cybersecurity represents the biggest external concern for 2019. If organizations know cybersecurity is an issue, then why is there such a struggle to combat this universal problem?
In my opinion, the answer lies within the following Tony Robbins quote: “Complexity is the enemy of execution”. Organizations view cybersecurity as a problem too complex to combat and its solutions as too cost-prohibitive to practice. In the midst of National Small Business Week, it’s only appropriate to talk about building a solid cybersecurity foundation through cost-effective practice pointers.
Building a Solid Foundation
What if I told you the secret to cybersecurity isn’t all about industrial firewalls and around-the-clock threat monitoring, but a foundational methodology built on easy-to-use principles? If you’re skeptical, take the word of my friend Scott Augenbaum, a former FBI agent, cybersecurity expert and newly minted author.
“90% of the cases I investigated might have been prevented through user education & awareness and sound business processes.”
Before you could learn to run, you had to know how to walk; before you walked, you first crawled. The same line of thinking applies to a strong cybersecurity posture. The biggest mistake companies make is conflating cybersecurity with “IT problems”. In reality, cybersecurity is a pervasive problem from the top down. For any enterprise, big or small, to effectively combat a constantly evolving threat environment, a culture of cybersecurity starts with some simple (yet effective) business processes.
Passwords and Password Managers
The next time you go into a local business and speak to the person at the front desk, take a moment to casually scan the work area of the office administrator or receptionist. Odds are you will spot a sticky note with “Password” or “PW” followed by a simple string of characters somewhere in plain sight. This is a microcosm of one of the most pervasive cybersecurity problems — a lackadaisical attitude towards password security. Survey after survey finds that people reuse the exact same password across different accounts. The problem with this is best illustrated by the Yahoo breach. When Yahoo publicized that a breach had compromised all 3 billion user accounts, security experts warned that hackers would try the compromised passwords on other platforms in hopes that users had reused the same credentials.
Every year, password management and security solutions company SplashData combs through millions of leaked passwords online. Out of this analysis comes an annual compilation of the most cringeworthy commonly used passwords. The five passwords at the top of the list for 2018? 123456, password, 123456789, 12345678, and 12345.
The National Institute of Standards and Technology (NIST) updated its guidelines on password security last year. While not law, the guidelines do represent a uniform standard widely accepted within the information security community. Per Special Publication 800-63B, password complexity isn’t as important as password efficiency. What does that mean? Overly complex password requirements often yield unsophisticated choices: a rule requiring an uppercase letter and a number, for example, routinely produces “Password1.” Practically speaking, employee buy-in for explicit password length and complexity requirements can present operational challenges, but that becomes a moot point with the use of a password manager.
Password manager applications are easy-to-use tools which create, remember and fill in complex passwords for users. 1Password is but one example (and my personal favorite). Businesses can use 1Password to control employee password management and stipulate requirements for password complexity (e.g., how long a password remains usable, how long a password must be, etc.). Password managers represent a cost-effective, turn-key solution to employee due diligence and provide a solid launching point for adequate cybersecurity.
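To make the NIST point concrete, here is an added example (not from the article, and not 1Password’s or NIST’s code) of a password screen written in the spirit of SP 800-63B: it enforces a minimum length, permits long passphrases, checks candidates against a breached-password list, and rejects repetitive, sequential and context-specific choices, but deliberately imposes no uppercase/digit/symbol composition rule. The breached-password set is a constructed stand-in seeded with the SplashData 2018 top five quoted above; a real deployment would check against a full breach corpus.

```python
"""Password screening in the spirit of NIST SP 800-63B (added example).

SP 800-63B asks for a minimum of 8 characters for user-chosen passwords,
permitting at least 64, no forced composition rules, and rejection of
passwords found in breach corpora or built from repetitive, sequential or
context-specific strings (the service name, the username).
"""

import re

# Constructed stand-in for a breached-password corpus: the SplashData 2018
# top five from the article plus two other classics. Not a real corpus.
BREACHED = {"123456", "password", "123456789", "12345678", "12345",
            "qwerty", "password1"}

MIN_LENGTH = 8
MAX_LENGTH = 64  # NIST: permit at least 64 characters


def is_sequential(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending characters
    (e.g. 'abcd' or '4321'), compared case-insensitively."""
    lower = pw.lower()
    for i in range(len(lower) - run + 1):
        codes = [ord(c) for c in lower[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_repetitive(pw, run=4):
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def screen_password(pw, username="", service=""):
    """Return the list of reasons a password is rejected; empty means accepted.

    Note what is deliberately absent: no requirement for uppercase letters,
    digits or symbols. 'Password1' fails here because it is on the breached
    list, not because of a composition rule.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BREACHED:
        reasons.append("appears in breached-password list")
    if is_repetitive(pw):
        reasons.append("repetitive characters")
    if is_sequential(pw):
        reasons.append("sequential characters")
    for ctx in (username, service):
        if ctx and ctx.lower() in pw.lower():
            reasons.append(f"contains context-specific word '{ctx}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1", "1234", "alice2019!!", "correct horse battery staple"):
        verdict = screen_password(candidate, username="alice", service="acme")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The long passphrase passes with no special characters at all, while the nominally “complex” `Password1` is rejected, which is exactly the trade the guideline makes.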
If you and your business do not use multi-factor authentication (MFA or 2FA) for personal and business accounts, stop what you are doing and Google how to enable it immediately. In January of 2018 a Google engineer reported that more than 90% of active Gmail accounts did not use 2FA. 2FA makes it harder for attackers to gain access to your accounts by adding one more step to the sign-in process. More often than not, that step takes the form of SMS text message codes. The most common reluctance from clients on why they don’t mandate 2FA is user buy-in: “I just don’t think my employees will go for that.” Well, guess what? When negligent employees year after year make up the number one cause of data breaches, whether or not to use 2FA is no longer some arbitrary decision.
There is no shortage of third-party authenticator applications which make the 2FA process more user-friendly. Some password managers, like the aforementioned 1Password, even offer authentication as part of their services. The features of different third-party authentication apps may differ slightly, but the functionality remains the same: an additional layer of account security.
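What those authenticator apps actually do is generate time-based one-time passwords (TOTP, RFC 6238). The following added example (not from the article or from any particular authenticator vendor) implements both halves of that exchange with only the Python standard library: the code the user’s app displays, and the server-side check that accepts it. The shared secret used below is the RFC 6238 test-vector secret, so the codes it produces can be compared against the published vectors.

```python
"""Time-based one-time passwords (RFC 6238) as used by authenticator apps.

Added example. Both the user's app and the server derive a short code from a
shared secret and the current 30-second time step; the server accepts a
sign-in only if the submitted code matches, so a stolen or reused password
on its own is not enough.
"""

import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds; the usual authenticator default


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, digits=6):
    """RFC 6238 TOTP: HOTP over the number of TIME_STEP intervals since the epoch.
    This is what the authenticator app shows the user."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret, submitted, unix_time=None, window=1):
    """Server-side check. Accepts the current step plus `window` steps either
    side to tolerate clock drift, and compares in constant time."""
    if unix_time is None:
        unix_time = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * TIME_STEP, len(submitted))
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def secret_from_base32(b32):
    """Authenticator apps receive the secret Base32-encoded (in the enrolment
    QR code); decode it, restoring any stripped '=' padding."""
    cleaned = b32.strip().upper().replace(" ", "")
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# RFC 6238 test-vector secret (the ASCII string "12345678901234567890").
RFC_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("app shows:", code, "valid:", verify_totp(RFC_SECRET, code, now))
    print("at T=59 the RFC vector gives", totp(RFC_SECRET, 59, digits=8))  # 94287082
```

The `window` parameter is the usual compromise between tolerating a phone whose clock is a few seconds off and keeping the number of acceptable codes small; a server should also record the last accepted time step so a captured code cannot be replayed within the same window.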
If you had a file cabinet full of documents containing your business’s most confidential information, wouldn’t you keep it under lock and key? Encryption serves that very purpose for an enterprise’s digital crown jewels. Encryption is the process by which data becomes encoded, rendering information unintelligible without the appropriate key. As I’ve detailed in the past, encryption of data and devices has huge legal implications. The loss of a company-issued laptop becomes a moot point with encryption safeguards in place. In the absence of any safeguards, you may be looking at a full-blown data breach necessitating breach notification obligations.
Numerous encryption applications exist on the open market, some even free. Nowadays, manufacturers like Apple and Microsoft build encryption tools into their products. It’s just a matter of taking advantage of FileVault or BitLocker.
When a ransomware incident strikes an organization and renders its files and devices completely useless, the common response resembles “Who do I pay and how much?” Contrary to the FBI’s suggestion not to pay a ransom to criminal actors, some businesses have no choice but to fork over cash if they want their stuff back. One way to avoid this nightmarish predicament is through regular backups to an external hard drive. To determine if your file(s), device(s), and/or system(s) should all fall under the umbrella of an external backup, consider questions like how long your organization could survive without [fill in the blank]. This self-exploratory exercise will help guide your backup strategy (i.e., how extensive, how often, does the recovery process even work).
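The last question in that list, whether the recovery process even works, is the one most often skipped. The following added example (not from the article) shows the minimum a small business can automate: record a SHA-256 manifest of every file when the backup is taken, then verify a restored copy against it and report anything missing or altered. The source files and the two simulated restore faults are constructed for the demonstration.

```python
"""Backup integrity check: does the recovery process actually work?

Added example. A manifest of SHA-256 digests is built when the backup is
taken; after a test restore, the restored tree is compared against that
manifest so silent corruption and missing files are caught before a real
incident, not during one.
"""

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored):
    """Compare a restored tree with the manifest recorded at backup time."""
    result = {"ok": [], "missing": [], "mismatch": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def run_demo():
    """Back up a constructed source tree, restore it with two faults, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        # Constructed sample data standing in for a business's files.
        (src / "finance" / "ledger.csv").write_text("date,amount\n2019-05-06,120.00\n")
        (src / "clients.txt").write_text("Constructed client list\n")
        (src / "notes.txt").write_text("Constructed notes\n")

        manifest = build_manifest(src)        # recorded when the backup is made

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)        # the test restore
        # Simulated faults: one file silently altered, one never came back.
        (restored / "finance" / "ledger.csv").write_text("date,amount\n2019-05-06,12.00\n")
        (restored / "notes.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in run_demo().items():
        print(f"{status}: {files}")
```

Run a check like this on a schedule against a real test restore, not just against the backup medium itself: a drive that still spins is not evidence that the files on it can be read back intact.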
The process of improving your cybersecurity risk profile doesn’t have to be a break-the-bank endeavor. Doing something — or anything, really — rather than nothing can surprisingly go a long way towards keeping your business safe.