12+ actions to protect yourself against security breaches and cyber threats

Attractive a target, I do not make, hmmm? That is Yoda-speak with a slightly inquisitive tone, meaning the opposite of what it says. Many (small) business owners also feel they are not a target. Yet 61% of SMBs have already been attacked, and large corporations still have a ways to go as well.

I have not yet seen the 2022 statistics for small companies, but they will likely be higher than the 61% estimated in 2021. StrongDM has a nice blog post with many statistics that make my point for me. Let's face it: any company, small or large, local, international, or even global, has an attack surface. And the reasons for attacking it? They range from money to politics and economics, via ideology, to "just because we can."

In other words, we cannot predict when a hacker or hacker group will take an interest in us. So what can we do? How can we keep a measure of control?

Given a set of actionable items, we can prioritize in several ways. Let's start by ordering them from least to most user impact (this is not necessarily the best way).

  1. Regularly update software and operating systems (Lifecycle management).
  2. Keep software and systems patched and up-to-date (Vulnerability management).
  3. Back up data regularly and keep backups in a secure location. (Backup and restore)
  4. Consider using a threat intelligence service to monitor for and respond to emerging threats. (Security management)
  5. Conduct regular security audits and penetration testing. (Business process control and internal audit)
  6. Use encryption for sensitive data in transit and at rest. (Security strategy and management)
  7. Have a comprehensive incident response plan in place and regularly test it. (Incident management)
  8. Use firewalls and antivirus software to protect against external threats. (Architecture and Security management)
  9. Educate employees on cyber security best practices and dangers of phishing and social engineering. (Training, People management, Security strategy)
  10. Regularly train employees to maintain awareness and stay current with evolving cyber threats. (Leadership, People Management)
  11. Review security policies to stay current with evolving cyber threats. (Security management)
  12. Limit access to sensitive data and regularly monitor user activity. (Data Architecture, Application development, Security management)
  13. Implement strong password policies and multi-factor authentication. (Data Architecture, Application development, Security management)

Does this mean we can apply the 80/20 rule, do those, and be OK? Unfortunately not. I picked this (incorrect) implementation order because that is how we humans think. Our instinct is to pick first those actions that do not disturb users or that do not require them to change their ways of working. While you will certainly increase your security by tackling items one through eight, they are by themselves not enough. Compare it to putting locks on all the windows and doors but then never telling your household members to actually lock things.

Actions nine through thirteen impact the way people go about their day. It starts with security awareness and making people responsible for doing their part. Security is not just the responsibility of the door guards, the Operational Security team, or the system administrators, or, worse, "management." For security to work, all listed elements must have their place within the organization. And they need to evolve with advances in technology and changing attitudes.

Your password policies must both support the use of secure passwords and enable staff to do their work. Number eleven checks that the policies themselves keep up with advances and changing work attitudes. Nothing is as damaging as forcing people to re-enter passwords and complete MFA multiple times a day, seemingly at random. Of course, it is not random; it perhaps depends on expiring caches (the favorite answer at many help desks), on system resets, or simply on the way it was designed.

When security policies are not in line with what you are trying to protect, are not a good fit with the way people operate, or, worse, prohibit people from working at all, they will be circumvented. For example, having MFA on your corporate and personal Google accounts is a very good idea. Forcing people to complete MFA in order to watch cute cat videos on YouTube is overkill and actually causes people to remove MFA from their Google account. That results in an account that is now wholly unprotected. The policy is good, but the execution is lousy, because it does not take human behavior into account.

Another example is when provisioning a new temporary staff account takes too long. Many companies take on student workers in the summer or temporary staff during commercial or cyclical events; if the onboarding process takes too long, the staff will still come, but the business will work around the policies and find a way.

Large corporations will take a different approach than small companies; just be sure to implement security comprehensively and in a way that fits your company while keeping your people and data safe. All listed actions, except 2 and 3 (I'll upload these as soon as possible), have links to further research and toolkits.

Tymans Group is a brand by Gert Taeymans BV

Copyright 2017-2022 Gert Taeymans BV