10 Things You Can Do Right Now to Minimize Cybersecurity Threats
Tell me if you’ve heard this one before. You receive a harmless-looking email from a recognized name on the executive team. Something like “Hey, are you in the office today? I need a small favor.” Even if the sender is not someone you would ordinarily hear from, at least not on a casual basis, the message isn’t entirely outside the realm of possibility, so you reply in the affirmative. Then the follow-up email has a considerably more sinister financial component: a request for bank account information for a wire transfer, a request for employee W-2s, or maybe even a request to borrow a login for some urgent matter. Thankfully, the old adage of “fool me twice, shame on me” applies, and this is where the story usually ends. You review the Outlook properties of the sender and find the naming convention is slightly off or the contact card says “presence unknown.” But what if the message is confirmed to be coming from the CEO’s legitimate email account? It wouldn’t be the first time.
Sometimes the last line of defense is end-user training and knowing how to detect the telltale signs that an email account has been hacked. Considering how clever and persistent cybercriminals can be, even the most aggressive security tools and policies are not 100% effective 100% of the time in filtering out those threats. An effective one-two punch with regard to cybersecurity threats involves proper configuration of automated security tools and encouraging good procedural data security habits among the end user population. Below are some recommended steps in the right direction that will minimize your risk of web-based security breaches.
Enable password complexity requirements and rotation at least every 90 days
Anyone using “pa55word1” as a password is simply asking for trouble. Instead, IT organizations should force end users to create strong passwords: 10 or more characters mixing upper- and lower-case letters, digits, and special characters. If an end user can’t get to their email without creating a strong new password at regular intervals, enforced complexity compliance, however unpopular it may be in the short term, contributes to improved cybersecurity.
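Here is what that policy looks like when it is written down as a check rather than a memo. This is an added example, not code from the article; the thresholds (10 characters, 90 days) come from the text, while the sample passwords and dates are constructed for the demo.

```python
import string
from datetime import date, timedelta

# Policy values from the article: at least 10 characters, upper and lower
# case, digits and special characters, rotation at least every 90 days.
MIN_LENGTH = 10
MAX_AGE_DAYS = 90
SPECIALS = set(string.punctuation)


def complexity_violations(password: str) -> list:
    """Return the complexity rules the password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the rotation interval."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def check_account(password: str, last_changed: date, today: date) -> dict:
    """Combine the complexity and rotation checks into one verdict."""
    problems = complexity_violations(password)
    if rotation_due(last_changed, today):
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return {"compliant": not problems, "problems": problems}


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "today" for the demo
    samples = [  # constructed passwords and last-change dates
        ("pa55word1", date(2024, 1, 15)),
        ("Tr0ub4dor&3xit!", date(2024, 5, 1)),
    ]
    for pw, changed in samples:
        print(pw, "->", check_account(pw, changed, today))
```

The article’s own “pa55word1” fails three complexity rules (too short, no upper case, no special character), and a 138-day-old password fails rotation on top of that.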
Multi-Factor Authentication (MFA) implementation
If anyone can gain access to your most sensitive corporate data with just an email address and a password, especially when your corporate email naming convention is public knowledge on your website, a security breach may be in your very near future. With every additional piece of Personally Identifiable Information (PII) required to verify a user’s identity, the odds of foiling hacker guesswork shift in your favor, which is why a two-factor or multi-factor authentication policy is effective. The self-appointed Prince of Nigeria is much less likely to know your employee ID, the last four digits of your SSN, your first pet’s name, or your high school mascot, at least not all of them at once. Cybercriminals are far less likely to expend the time and effort to crack an MFA code when the ROI is much better at more vulnerable organizations.
Enforce account lockouts after multiple failed login attempts
IT organizations that neglect to institute a “three strikes and you’re out” rule are just giving cybercrime an unlimited number of times at bat. Without a forced lockout policy, accounts are vulnerable to brute-force or dictionary attacks, in which hackers run automated password-cracking tools until they hit a working username/password combination.
Increase audit logging
All login activity is typically captured in event logs, which should be reviewed for failed login attempts. In addition to enforcing account lockouts, IT security staff should manually audit the IP addresses that repeatedly attempt to gain network access, especially those originating from countries where the company has no offices.
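The lockout rule from the previous section and the log review described here work on the same data, so one added example covers both. It is not code from the article: the log lines, the IP-to-country table standing in for a GeoIP lookup, and the simplified log format are all constructed for the demo, and the 15-minute lockout window is an assumption (the article only gives the three-strikes count).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3               # "three strikes and you're out"
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed; the article gives no window
CORPORATE_COUNTRIES = {"US"}        # constructed: countries with company offices

# Constructed log lines in a simplified format (not real Windows event log text).
SAMPLE_LOG = """\
2024-06-01T08:00:01 FAIL user=jsmith ip=203.0.113.7
2024-06-01T08:00:04 FAIL user=jsmith ip=203.0.113.7
2024-06-01T08:00:09 FAIL user=jsmith ip=203.0.113.7
2024-06-01T08:00:12 OK   user=jsmith ip=203.0.113.7
2024-06-01T08:05:00 FAIL user=mlee ip=198.51.100.23
2024-06-01T09:30:00 FAIL user=mlee ip=198.51.100.23
2024-06-01T09:31:00 OK   user=mlee ip=198.51.100.23
2024-06-01T10:00:00 FAIL user=ceo ip=192.0.2.44
2024-06-01T10:00:01 FAIL user=cfo ip=192.0.2.44
2024-06-01T10:00:02 FAIL user=admin ip=192.0.2.44
"""

# Constructed IP -> country table standing in for a GeoIP database.
GEO = {"203.0.113.7": "US", "198.51.100.23": "US", "192.0.2.44": "ZZ"}

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Yield (timestamp, result, user, ip) tuples, skipping lines that don't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result, user, ip


def apply_lockouts(events):
    """Return (locked users, events rejected because the account was already locked).
    A lockout triggers on LOCKOUT_THRESHOLD failures inside LOCKOUT_WINDOW."""
    recent = defaultdict(list)
    locked = set()
    rejected = []
    for ts, result, user, ip in events:
        if user in locked:
            rejected.append((ts, user, ip))
            continue
        if result == "FAIL":
            recent[user] = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW]
            recent[user].append(ts)
            if len(recent[user]) >= LOCKOUT_THRESHOLD:
                locked.add(user)
        else:
            recent[user].clear()  # a successful login resets the failure counter
    return locked, rejected


def audit_sources(events, min_failures=2):
    """Aggregate failures per source IP and flag the ones an analyst should look at:
    many failures, many distinct usernames, or a country with no corporate presence."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    for _, result, user, ip in events:
        if result == "FAIL":
            failures[ip]["count"] += 1
            failures[ip]["users"].add(user)
    report = {}
    for ip, f in failures.items():
        if f["count"] >= min_failures:
            country = GEO.get(ip, "unknown")
            report[ip] = {
                "failures": f["count"],
                "distinct_users": len(f["users"]),
                "country": country,
                "foreign": country not in CORPORATE_COUNTRIES,
            }
    return report


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    locked, rejected = apply_lockouts(events)
    print("locked:", locked, "rejected while locked:", rejected)
    for ip, row in audit_sources(events).items():
        print(ip, row)
```

Note the two different signals in the sample: jsmith trips the lockout with three quick failures, while 192.0.2.44 never locks anyone out (one failure per account) but still stands out in the per-IP audit because it is spraying three usernames from a country with no office. Lockouts alone would miss the second pattern; that is why the article asks for the log review as well.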
Periodic audit of accounts
End-user account administration is a time-sensitive business. In addition to granting access for newly on-boarded employees, account administrators (AAs) must respond with even greater urgency when existing staff depart, disabling their accounts almost instantaneously. At the same time, a periodic review of all accounts, including those that have been inactive beyond configured intervals, minimizes the potential for malicious access.
Establish a follow-up call policy
Sometimes being the “I just sent you an email” guy has its advantages, especially when the email entails the release of financial or proprietary data. To validate such email requests, it’s good to have a familiar voice on the phone confirming they are the authorized originator, sort of like a verbal MFA policy.
IP Address and Domain Whitelisting/Blacklisting
No matter how well email filters are configured to recognize hyperlinks, attachments, and spam-like keywords, there will always be a certain number of inbound messages that get through and harmless ones that don’t. That’s why there needs to be human oversight to filter out or blacklist IP addresses and domains identified as the originators of spam or fraudulent emails. Likewise, those legitimate addresses that have been inadvertently blocked can be added to the whitelist.
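The human-curated lists described here, plus the “naming convention is slightly off” check from the opening story, can be expressed as one sender-classification routine. This is an added example, not code from the article or any particular mail gateway; the corporate domain, the allow and block lists, the executive name and the lookalike distance are all constructed values you would replace with your own.

```python
from email.utils import parseaddr

# All values below are constructed for the example, not taken from the article.
CORPORATE_DOMAIN = "example.com"
BLOCKLIST = {"bulk-offers.example.net"}       # domains seen sending spam or fraud
ALLOWLIST = {"trusted-partner.example.org"}   # legitimate domains once blocked by mistake
EXECUTIVE_NAMES = {"jane doe"}                # display names that warrant a second look
LOOKALIKE_MAX_DISTANCE = 2                    # typo-squats within this many edits


def sender_domain(from_header: str) -> str:
    """Lower-cased domain from a From header like 'Jane Doe <jane.doe@example.com>'."""
    _, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""


def display_name(from_header: str) -> str:
    name, _ = parseaddr(from_header)
    return name.strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'examp1e.com' is one edit away from 'example.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Decide what the gateway does with a message; earlier rules take precedence."""
    domain = sender_domain(from_header)
    if not domain:
        return "reject: no sender domain"
    if domain in ALLOWLIST:
        return "allow: allowlisted"
    if domain in BLOCKLIST:
        return "reject: blocklisted"
    if domain == CORPORATE_DOMAIN:
        return "allow: internal"
    # Everything past this point is external mail.
    if display_name(from_header) in EXECUTIVE_NAMES:
        return "quarantine: executive name from outside the company"
    if edit_distance(domain, CORPORATE_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        return "quarantine: lookalike of corporate domain"
    return "accept: external, normal filtering"


if __name__ == "__main__":
    for hdr in (  # constructed headers
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@examp1e.com>",
        "Sales <sales@exarnple.com>",
        "News <news@bulk-offers.example.net>",
        "Partner <ap@trusted-partner.example.org>",
        "Vendor <billing@mail.example.org>",
    ):
        print(f"{hdr:45} -> {classify_sender(hdr)}")
```

The allowlist is consulted first on purpose: that is the “inadvertently blocked” case the article mentions, and it has to win over a blocklist entry that was added too broadly. The two quarantine rules are where the human oversight goes; they only say “someone should look at this,” which keeps a false positive from costing a real partner a delivery.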
End-user cybersecurity awareness training
Considering how relentless and innovative cybercriminals can be, IT organizations should conduct regular end-user training sessions to ensure employees are aware of the latest tricks they may be subjected to, such as phishing, spoofing, and other fraudulent means. Adapting behavior to recognize the next threat is an ongoing process, with the primary driver of awareness being team communication. Any time an end user receives a suspicious email, they should get a second and even a third opinion before complying with any request for sensitive proprietary or financial data.
Limit personal use of company computers
When your employees use company-owned hardware and network resources to interact with personal contacts on social media and personal email accounts, they are effectively expanding the opportunity for a cyber attack. While written electronic communication policies are effective at educating employees and deterring them from such behavior, a web content filtering (i.e., blocked sites) approach is a more realistic line of defense against the type of web surfing that may leave your network security all wet.
Audit messaging applications
When employees communicate over nonstandard applications such as Facebook Messenger, Viber, or WhatsApp, there is again minimal control over the channels through which hackers can gain access to sensitive data. IT security teams must evaluate whether the need to communicate outside the approved suite of applications is worth the risk, and may want to consider establishing an approved desktop image, at least with regard to inbound and outbound messaging.