Best cyber security practices to prioritize during National Cyber Security Awareness Month 2021:
- Cyber security hygiene
- Patch management
- Business email compromise
- Secure remote access
- Zero trust
Be cyber smart and ensure your organization is up to date with cyber security practices that can keep you safe in 2021 and beyond.
This blog is part 1 of a 4-part series for National Cyber Security Awareness Month 2021.
Cyber crime is costing U.S. consumers and businesses billions of dollars annually. According to the FBI’s Internet Crime Report, U.S. consumers and businesses collectively lost $4.2 billion to cyber crime and online scams reported to the Internet Crime Complaint Center (IC3) last year.
Utilizing cyber security best practices can help you protect your organization from the devastating consequences of costly cyber attacks.
As a champion of National Cyber Security Awareness Month (NCSAM), we are dedicating the month of October to teaching you how you can #BeCyberSmart in 2021. We want to take this year’s NCSAM theme to the next level and help you level up your cyber security protection.
Our commitment to helping you simplify cyber security and #GetCyberSerious goes beyond October. At Proven Data, our security experts regularly assist our clients with proactive cyber protection and are here to answer any questions you may have.
In this blog, you will:
- Learn about the importance of maintaining cyber hygiene
- Discover why proper patch management is crucial
- Find out how to prevent business email compromise
- Learn how to avoid security pitfalls caused by unsecured remote access
- Understand the principles of zero trust and how it can keep you safe
Cyber security best practices in 2021
Cyber security is constantly evolving. While there is no one-size-fits-all approach that can cover all your security bases, there are timeless cyber security best practices that can guide your organization’s security posture.
Below you will find a brief overview of five cyber security practices you can use to start improving your security today.
1. Cyber hygiene
Cyber hygiene is the practice of maintaining hardware and software health and security basics to support overall system health and improve online security.
According to Cybersecurity at a Crossroads: The Insight 2021 Report, 78% of survey respondents (including over 200 C-level IT and IT security executives) admitted their lack of confidence in their organization’s IT security posture, reporting they believe improvements are necessary.
One way to help ensure proper cyber hygiene is to set up routine security maintenance. This will help you keep your organization’s systems up to date and give you the ability to detect any cyber security issues proactively.
A maintained system is critical for your organization to operate at the highest efficiency and have the lowest chance of being vulnerable to cyber security risks.
Below you will find five cyber hygiene best practices and maintenance activities that you should follow:
- Document all hardware, software, and web applications used in your organization. Refer to this list to track installations and update schedules.
- Keep hardware and software updates current and uninstall any outdated or unused hardware and software.
- Utilize antivirus and Endpoint Detection and Response (EDR) software to protect your devices.
- Use proper authentication procedures, including password management practices and multi-factor authentication.
- Manage access privileges to reduce the attack surface and mitigate damage in case of external attacks.
2. Patch management
In a nutshell, patch management is the process of updating hardware and software to correct errors and close up vulnerabilities. Having a consistent patch management process for your operating systems, applications, and other systems is critical to avoid cyber attacks that leverage vulnerable systems.
Patching vulnerabilities in your hardware and software promptly is equally important. Software vendors such as Microsoft regularly provide updates.
According to Ponemon’s 2020 Study on the State of Endpoint Security Risk, 80% of successful breaches are new or unknown zero-day attacks that infiltrate a system without detection or exploit undisclosed vulnerabilities.
According to the same study, it takes an average of 97 days to apply, test and deploy a patch.
Additionally, 40% of organizations prefer to take their time in testing and rolling out patches to avoid issues later on.
Below you will find five ways to manage patches effectively:
- Keep an up-to-date inventory of all software and hardware used in your organization.
- Designate priority for patching to ensure highest risk items are attended to first.
- Keep abreast of vendor patch announcements and subscribe to any security update channels that give timely patch announcements.
- Test patches before you deploy them to verify patches will not create any issues in your production environment.
- Automate any patches you can to guarantee patches are made immediately.
3. Business email compromise
Business Email Compromise (BEC) is an email phishing scam designed to conduct an illegal transfer of funds. BEC targets both businesses and individuals, usually through a cyber criminal infiltrating legitimate business email accounts via social engineering or intrusion techniques, resulting in an unauthorized transfer of funds.
According to the 2020 Internet Crime Report from the Federal Bureau of Investigation’s Internet Crime Complaint Center (FBI IC3), BEC accounted for 19,369 complaints with an adjusted loss of approximately $1.8 billion.
The FBI provides guidance on avoiding business email compromise scams, including the four tips listed below:
- Beware of overtly urgent requests – if the requester asks you to act immediately and uses language that indicates a time limit or urges you to respond rapidly, this may indicate a scam.
- Verify the sender – compare the suspicious email address, URL, or spelling with those used in previous correspondence to make sure they match. Mistakes or inconsistencies are often a tip-off. If a phone number is provided in the suspicious email, look up the company’s phone number on your own and call the company to verify the request is legitimate. If possible, verify payment and purchase requests face to face. Additionally, verify any account number or payment procedures with the person making the request.
- Do not open links/attachments – any link or attachment included in an unsolicited email or text that asks you to update or verify account information could be malicious.
- Be careful what you share – Sharing personal information (even seemingly insignificant information like pet names, schools you attended, links to family members) can provide cyber criminals with critical information to crack your password or security questions.
4. Secure remote access
The number of remote workers has increased significantly in recent years, and the number of remote access security issues has increased along with it.
Managing a remote workforce is difficult enough; don’t let remote access issues become a roadblock to productivity and security.
Ponemon Institute’s A Crisis in Third-Party Remote Access Security report discovered that 51% of organizations suffered a data breach due to unsecured remote access.
According to the Federal Trade Commission (FTC), following the four secure remote access best practices listed below can help you maintain security while allowing remote access.
- Customize router settings by changing the default name and pre-set router passwords. Maintain a continual update schedule for your router’s software.
- Enable full-disk encryption for any devices connecting to your network remotely.
- Disable the automatic Wi-Fi connection setting to prevent your device from connecting to an unsecured public network.
- Use updated antivirus software on any device (including mobile) connecting to your network.
5. Implement zero trust security
Zero trust is a security concept based on viewing trust as a vulnerability. A zero trust strategy requires verification for any internal or external connections, refusing system access to any IP addresses, devices, etc. until authorization is granted.
Gartner predicts that by 2023, 60% of enterprises will adopt zero trust strategies in place of using virtual private networks (VPNs).
VPNs are becoming outdated as insider threats are on the rise, with 60% of data breaches caused by insider threats. While VPNs provide perimeter protection, zero trust protects against both internal and external threats.
According to Microsoft President Brad Smith in U.S. Senate testimony, the damage that occurred on 18,000 government and private networks in the SolarWinds attack could have been significantly reduced if a zero trust security model had been implemented.
Below you will find the best practices for building a zero trust strategy in your organization:
- Map your security architecture – identify users, devices, assets, services, and data being accessed.
- Ensure each device has a strong identity – constructing identities for all devices is critical in zero trust. This allows for recognition and subsequently allows for authentication and authorization when access is needed.
- Create a safe communication channel – the communication between any two devices in a zero trust architecture must be confidential and free of any opportunity for eavesdropping, message modification, or other nefarious activities.
- Utilize the principle of least privilege – the principle of least privilege (PoLP) allows a user to be given only enough privilege to complete a particular task, minimizing issues with unauthorized access.
- Monitor and review user activity – monitoring activity on your network assists you in the rapid identification of suspicious activity.
Next steps to comprehensive cyber security
Now that you understand the top five cyber security best practices that can improve your organization’s cyber security posture today, what else can you do to get cyber secure?
At Proven Data, we are committed to providing you with the information you need to stay up to date on cyber threats and take proactive steps to prevent them.
Together with Fmr. FBI Special Agent Patrick Gray of the Computer Crimes Squad, we created Operation Cyber Aware to encourage people to #GetCyberSerious and protect themselves from ransomware and other cyber attacks before they happen.
Cyber security awareness is just the first step, but we are here to walk with you every step of the way.
Consulting with a cyber security professional can assist you in discovering which customized cyber security products and services are the right fit for you. The cost of cyber security doesn’t have to break the bank, but you can’t afford to leave your organization at risk of costly cyber attacks.