Cyber Resilient Best Practices

Userlevel 2
Badge
  • Sr. Engineering Data Analyst
  • 0 replies

Those of us who are able to work remotely in response to the COVID-19 outbreak are now taking more of our IT security into our own hands. But beyond staying aware of the latest coronavirus-inspired scams, what can we do to look after our own online security in these uncertain times?

What follows is our time-tested list of cybersecurity best practices that, in a perfect world, we’d all adhere to all the time. Nothing flashy, nothing dramatic. Just a list of habits cybersecurity experts agree could help make us all a little more cyber resilient.


Use antivirus software

While it sounds like a given from a company that makes it, antivirus software—we prefer the all-encompassing term anti-malware software, since viruses are only one strain of malicious software and you’re likely to be targeted by others—is an essential step in securing your devices. All your devices.

While most anti-malware software was once list-based, meaning it relied on a semi-static list of known threats living on your devices and fed by continuous updates, the industry gold standard is shifting to cloud-based.

This eliminates the need to continuously update and store bulky lists on your devices, which can cause performance issues and allow new, as-yet-unidentified threats to slip by. Cloud-based anti-malware software that can monitor unknown applications and decide on threat status based on their behaviour (with the ability to roll those actions back) is even better.


Regularly patch system software

This should be a no-brainer. But just like periodically changing your home’s air filter, it’s easily lost in the shuffle of everyday life.

Patching is essential because cybercriminals are always on the hunt for known exploits that could help them profitably infect unsuspecting users. Once a patch is issued in response to an exploit discovered by (sometimes ethical) hackers, it is a comparatively simple proposition for attackers to work backwards from the fix to the security gap it addresses, and to use that gap against anyone who has not yet applied the patch.

This applies to all software installed on your system, but it's especially important for operating systems, which must be kept up to date, with upgrades if necessary. Windows 7, for which Microsoft has discontinued support, saw a 125% increase in malware targeting it over the course of 2019, as reported in the 2020 Webroot Threat Report.


Use strong passwords. And keep them to yourself

In our latest study on the password habits of 2020's Most (and Least) Secure States, we found that 34% of Americans are still sharing passwords. Americans who shared passwords for streaming services like Netflix were twice as likely to experience identity theft as those who didn't.

Without going into too much math here (though it can be found here for those interested), long passwords are simply more effective than short ones against brute-force attacks, even when special characters are used. Passphrases are even better.

Essentially, it’s important to understand that “Keyb04rd$” is significantly weaker than “everyone loves a good passphrase”. 
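The comparison above, worked through as an added example that is not code from the original post: it estimates the search space an attacker faces for both strings, assuming the attacker knows which character classes a password uses and, for the passphrase, which word list it was drawn from. The 7776-word list size (the Diceware list) and the rate of 10 billion guesses per second are constructed figures, not numbers from the post.

```python
import math
import string

# Assumption: the attacker knows which character classes are present. The
# space is treated as its own class so passphrases with spaces are modelled.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation, " "]


def charset_size(password):
    """Size of the alphabet an attacker must search, from the classes present."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_bits(password):
    """log2 of the search space when guessing character by character."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(passphrase, wordlist_size=7776):
    """log2 of the search space when the attacker guesses whole words from a
    known list (7776 = size of the Diceware list; an assumption)."""
    return len(passphrase.split()) * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at a constructed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = "everyone loves a good passphrase"
    for pw in ("Keyb04rd$", phrase):
        b = brute_force_bits(pw)
        print(f"{pw!r}: {b:.1f} bits, {years_to_exhaust(b):.3g} years to exhaust")
    # Even if the attacker knows the passphrase is five dictionary words, the
    # search space is still larger than that of the short "complex" password.
    w = wordlist_bits(phrase)
    print(f"{phrase!r} as 5 words: {w:.1f} bits, {years_to_exhaust(w):.3g} years")
```

The short password falls in about two years at that rate; the passphrase, even under the far more favourable word-list model, takes decades.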


Limit your sharing of data

As data breaches continue to occur, we as internet users must understand the tradeoffs and risks that accompany the internet's many benefits. Limit where you share your information online and with whom. This, along with the other cybersecurity best practices discussed here, makes things safer not only for individuals but for the internet as a whole.

If we stop offering up our data so freely, then we leave a less enticing bounty for cybercriminals to pursue. Being better stewards of our own data could also reduce the need for more legislation and privacy penalties, making the internet a more enjoyable place to spend our time.


When all else fails, back up

Another essential best practice for protecting data while working from home is reliable backup. When all else fails, data backup is the only surefire way to bounce back. True cyber resilience requires having a plan when all else fails.

Backup solutions can also protect you from unforeseen events around the house. Ever dropped your laptop? Ever spilt coffee on the keyboard? What about a hard drive failing? It’s essential to think about the physical risks around the home as well as the security risks.

There are four main ingredients to a resilient backup solution:

  • Backups need to be automatic. It's no good relying on memory. Backups need to happen regularly, especially when you're not thinking about them.
  • Backups need to be off-site. Local backups are not secure. You’re tempting fate by keeping originals and copies like eggs in the same basket.
  • Backups need to be immutable. Once a backup happens, there should be no way anyone or anything can get into it, modify it, or delete it.
  • Lastly, backups should allow for recovery from any point in time. In the event of any kind of data corruption, accidental deletion, unintentional overwrite or hardware failure, it’s important to be able to roll files back to when the data was good.
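Two of those ingredients, immutability and point-in-time recovery, as an added example that is not code from the original post: a miniature write-once, content-addressed backup store with a tamper check. `SnapshotStore` and its methods are hypothetical names, and the temporary directory it creates stands in for off-site storage; scheduling (the "automatic" ingredient) is left to cron or a task scheduler.

```python
import hashlib
import json
import os
import tempfile


class SnapshotStore:
    """Write-once, content-addressed backup store with point-in-time restore."""

    def __init__(self, root=None):
        # Assumption: `root` would be off-site or removable storage; a temp
        # directory is used here only so the example runs stand-alone.
        root = root or tempfile.mkdtemp(prefix="snapstore-")
        self.objects = os.path.join(root, "objects")
        self.snapshots = os.path.join(root, "snapshots")
        os.makedirs(self.objects, exist_ok=True)
        os.makedirs(self.snapshots, exist_ok=True)

    def blob_path(self, digest):
        return os.path.join(self.objects, digest)

    @staticmethod
    def _write_once(path, data):
        # O_EXCL makes the open fail if the file exists: nothing is ever rewritten.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        with os.fdopen(fd, "wb") as f:
            f.write(data)

    def _put_blob(self, data):
        digest = hashlib.sha256(data).hexdigest()
        if not os.path.exists(self.blob_path(digest)):  # identical data stored once
            self._write_once(self.blob_path(digest), data)
        return digest

    def snapshot(self, files, when):
        """Record `files` ({name: bytes}) as of integer time `when`; returns the manifest."""
        manifest = {name: self._put_blob(data) for name, data in files.items()}
        self._write_once(os.path.join(self.snapshots, f"{when:020d}.json"),
                         json.dumps(manifest).encode())
        return manifest

    def restore(self, at):
        # Files exactly as they were in the latest snapshot taken at or before `at`.
        usable = [int(n[:-5]) for n in os.listdir(self.snapshots) if int(n[:-5]) <= at]
        if not usable:
            raise LookupError(f"no snapshot at or before {at}")
        with open(os.path.join(self.snapshots, f"{max(usable):020d}.json")) as f:
            manifest = json.load(f)
        restored = {}
        for name, digest in manifest.items():
            with open(self.blob_path(digest), "rb") as f:
                restored[name] = f.read()
        return restored

    def verify(self):
        # Digests of stored blobs whose content no longer matches their name.
        bad = []
        for digest in os.listdir(self.objects):
            with open(self.blob_path(digest), "rb") as f:
                if hashlib.sha256(f.read()).hexdigest() != digest:
                    bad.append(digest)
        return sorted(bad)
```

A snapshot taken after files were corrupted or encrypted does not disturb earlier snapshots, so `restore()` with an earlier time still returns the good data, and `verify()` flags any blob that was altered on the storage itself.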

Stay safe out there, everyone, and start with these tips.


21 replies

Userlevel 3
Badge +4

Thanks, @bbutler. I’ve really been thinking about your final bullet, limiting data sharing, lately and really asking myself what I need to sign up for / download before giving away information.

Userlevel 4
Badge +1

Reading through the list of best practices, there is 1 that comes to mind which is missing.  Inevitably companies will invest time and effort to utilise training packages to educate their workforce of the need to be vigilant when it comes to online websites and emails which appear in inboxes.

Whilst much emphasis is placed on completing mandatory training on the perils of malware, how many companies and enterprises take this 1 step further and actively select random groups of employees to receive a simulated malware-loaded email which reinforces training?

2 years ago an employer implemented this approach in response to a malware attack and gullible employees who fell for the trap were greeted with the news that they needed to undertake additional remediatory training  which had to be completed within a set period of time.  As a result, many personnel became more aware of what to look for.

My present employer utilises a similar approach to reinforcing training with similar simulations and examples which appear to be legitimate.  For instance, how many employees would innocently click on a web link in email which refers to an imminent payrise and more holiday time off work?  I recently received such an email, looked carefully at the sender’s details and hovered over a web link only to find that it looked suspicious.  In the email was a button to report suspicious email messages and upon hitting that button, I was instantaneously congratulated on detecting malware which was part of a simulation exercise.  This reminded me of my previous employer’s practice and suddenly I felt comforted that my employer is thinking outside of the box to test employee skills on an ongoing basis.

As the presentation of malware evolves over time, there is a need for ongoing yet practical exercises to ensure that workforces are equipped and knowledgeable on how to react in an appropriate manner.

Userlevel 7
Badge +4

Always make sure my machine is patched and store all my important data in the cloud. Rather embarrassingly I don't actually have AV protection on my home PC but having worked in IT for years I have rightly or wrongly come to the conclusion I know what I am looking for in terms of dangers and focus more on education for preventative measures...perhaps a bit naive of me in this day and age but had no issues so far

Userlevel 7
Badge +4

Always make sure my machine is patched and store all my important data in the cloud. Rather embarrassingly I don't actually have AV protection on my home PC but having worked in IT for years I have rightly or wrongly come to the conclusion I know what I am looking for in terms of dangers and focus more on education for preventative measures...perhaps a bit naive of me in this day and age but had no issues so far

We’ve all been there

Userlevel 7
Badge +33

This list could go on for almost forever. I focus mainly on businesses, but this is all good practice. 

  • Focusing on ingress/egress for your network (what goes out is almost more important than what’s coming in nowadays)
  • Application Allowlisting
  • Strong EDR/MDR in practice either in house or having a third party help watch over
  • Ongoing Security Awareness Training. The term to note is “Ongoing.” Security changes and so must the training to show what to be mindful of.
  • Backups
  • Cyber Insurance
  • Incident response plans and do “round table” practice drills of said response plans.
  • Segment/VLANs in place on your network.
  • Strong passwords/2FA/Hardware 2FA Tokens
  • Strong VPN to “call home” with 2FA implemented
  • Full patch management

And this list could go on and on. I’ll tell you it does indeed get exhausting trying to keep up with all of this. But doing this is far better than dealing with worst case scenario like a ransomware or exfiltration of IP.


John


Userlevel 6
Badge +1

Reading through the list of best practices, there is 1 that comes to mind which is missing.  Inevitably companies will invest time and effort to utilise training packages to educate their workforce of the need to be vigilant when it comes to online websites and emails which appear in inboxes.

Whilst much emphasis is placed on completing mandatory training on the perils of malware, how many companies and enterprises take this 1 step further and actively select random groups of employees to receive a simulated malware-loaded email which reinforces training?

2 years ago an employer implemented this approach in response to a malware attack and gullible employees who fell for the trap were greeted with the news that they needed to undertake additional remediatory training  which had to be completed within a set period of time.  As a result, many personnel became more aware of what to look for.

My present employer utilises a similar approach to reinforcing training with similar simulations and examples which appear to be legitimate.  For instance, how many employees would innocently click on a web link in email which refers to an imminent payrise and more holiday time off work?  I recently received such an email, looked carefully at the sender’s details and hovered over a web link only to find that it looked suspicious.  In the email was a button to report suspicious email messages and upon hitting that button, I was instantaneously congratulated on detecting malware which was part of a simulation exercise.  This reminded me of my previous employer’s practice and suddenly I felt comforted that my employer is thinking outside of the box to test employee skills on an ongoing basis.

As the presentation of malware evolves over time, there is a need for ongoing yet practical exercises to ensure that workforces are equipped and knowledgeable on how to react in an appropriate manner.

I completely agree. In our org we have this exact system and the statistics from month to month were shocking. Over time there is a significant change in user click rate as a result of ongoing phishing tests with remedial training for those that fail. Our users are much more vigilant as a result. I would much rather them send in suspicious mail vs. blindly clicking. A little extra work day to day is better than the alternative that results from a malicious click. 

Userlevel 6
Badge +1

This list could go on for almost forever. I focus mainly on businesses, but this is all good practice. 

  • Focusing on ingress/egress for your network (what goes out is almost more important than what’s coming in nowadays)
  • Application Allowlisting
  • Strong EDR/MDR in practice either in house or having a third party help watch over
  • Ongoing Security Awareness Training. The term to note is “Ongoing.” Security changes and so must the training to show what to be mindful of.
  • Backups
  • Cyber Insurance
  • Incident response plans and do “round table” practice drills of said response plans.
  • Segment/VLANs in place on your network.
  • Strong passwords/2FA/Hardware 2FA Tokens
  • Strong VPN to “call home” with 2FA implemented
  • Full patch management

And this list could go on and on. I’ll tell you it does indeed get exhausting trying to keep up with all of this. But doing this is far better than dealing with worst case scenario like a ransomware or exfiltration of IP.


John


Having worked through multiple ransomware incidents at my former employer for customers, I couldn’t agree more. The day to day work of keeping up with these suggestions along with everything else that inevitably comes up is far better than trying to remediate a ransomware event. Great points!

Userlevel 7
Badge +4

All good points. Certainly hard to be certain you have covered everything. Constant monitoring and awareness is needed

Userlevel 7
Badge +8

All of the companies I work with now realise they can no longer just ignore Work From Home users or own Devices and they need to bring them into managed services to protect them. This used to be a harder conversation.

Userlevel 7
Badge +4

All of the companies I work with now realise they can no longer just ignore Work From Home users or own Devices and they need to bring them into managed services to protect them. This used to be a harder conversation.

Too right. WFH and BYOD have been left alone in the past; this cannot be the case any longer. If they have company data on them or are used for accessing company data, they have to be managed and included in security.

Userlevel 7
Badge +4

All of the companies I work with now realise they can no longer just ignore Work From Home users or own Devices and they need to bring them into managed services to protect them. This used to be a harder conversation.

Too right. WFH and BYOD have been left alone in the past; this cannot be the case any longer. If they have company data on them or are used for accessing company data, they have to be managed and included in security.

Secure and manageable BYOD has always been a challenge for us. We always tell our clients that the users need a proper managed company owned device.

Userlevel 7
Badge +25

All of the companies I work with now realise they can no longer just ignore Work From Home users or own Devices and they need to bring them into managed services to protect them. This used to be a harder conversation.

In my experience BYOD is an old issue that has been a thorn in IT departments’ sides for over a decade or more! These companies you mention are just now realizing this?

Also I note that many larger companies and even many smaller companies responded to WFH concerns by issuing company machines ( or the machines people used on their desks at work taken home) to users to better control security so that personal machines were not part of the WFH infrastructure. Are you seeing something differently?

In companies that I have been at going back to the early 2000’s, we always created two WiFi networks. One inside the firewall and one outside. Non-work issued devices (BYOD) were required to stay outside the firewall at all times. A violation could cost you your job.  For remote workers even way back then, and we had quite a few, only work issued devices had VPN access. 


Userlevel 7
Badge +4


All of the companies I work with now realise they can no longer just ignore Work From Home users or own Devices and they need to bring them into managed services to protect them. This used to be a harder conversation.

In my experience BYOD is an old issue that has been a thorn in IT departments’ sides for over a decade or more! These companies you mention are just now realizing this?

Also I note that many larger companies and even many smaller companies responded to WFH concerns by issuing company machines ( or the machines people used on their desks at work taken home) to users to better control security so that personal machines were not part of the WFH infrastructure. Are you seeing something differently?

100% agree. Basically anything that you can get Threatlocker on. All about the control, management and security of devices that enter your business.

Userlevel 6
Badge +1

All of the companies I work with now realise they can no longer just ignore Work From Home users or own Devices and they need to bring them into managed services to protect them. This used to be a harder conversation.

In my experience BYOD is an old issue that has been a thorn in IT departments’ sides for over a decade or more! These companies you mention are just now realizing this?

Also I note that many larger companies and even many smaller companies responded to WFH concerns by issuing company machines ( or the machines people used on their desks at work taken home) to users to better control security so that personal machines were not part of the WFH infrastructure. Are you seeing something differently?

This is exactly what we do. Eliminate BYOD altogether. Provide the user what they need to work and manage it accordingly. They can use their own devices for personal matters. 

Userlevel 7
Badge +25

It should be an easy sell. The cost of a number of new or loan machines vs. a breach. Seems a no-brainer, but I’m surprised at how many people I have to keep explaining that to. 😒

Userlevel 7
Badge +4

Opportunity cost is always a great way of showing the value.

Userlevel 6
Badge +1

It should be an easy sell. The cost of a number of new or loan machines vs. a breach. Seems a no-brainer, but I’m surprised at how many people I have to keep explaining that to. 😒

But one thing is for sure: the second a breach happens they are willing to pay whatever it takes to mitigate the issue. They could save themselves so much pain by just taking the initial advice rather than trying to clean up the mess that results from ignoring it.

Userlevel 7
Badge +25

Opportunity cost is always a great way of showing the value.

Well, sort of. It usually is an “if only we had done that” scenario and is also almost always a day late and a dollar short. There is so much info on this, it amazes me that people still need to be punched hard to get it.

Userlevel 7
Badge +4

Opportunity cost is always a great way of showing the value.

Well, sort of. It usually is an “if only we had done that” scenario and is also almost always a day late and a dollar short. There is so much info on this, it amazes me that people still need to be punched hard to get it.

Yes I was alluding more to the downtime that can be experienced when a breach occurs.

I like this post; this is really good.

Userlevel 7
Badge +6

Thanks for breaking this down. These are good baselines and certainly lots of other items could be listed here as others have noted above.
