A cybersecurity guide for IT professionals interested in learning the basics. BACS provides security solutions that help organizations of all sizes implement the best security foundation that fits their needs.
In organizations of all sizes, IT professionals play an important role in implementing and managing cybersecurity. If this is a new role for you, attempting to learn everything at once may seem like a good plan. A better and less daunting approach is to focus on understanding the basics that will prepare you to assist your IT department in the protection of your organization’s assets.
A good place to start your training is to understand the key components of cybersecurity. The National Institute of Standards and Technology (NIST), created by the U.S. Department of Commerce, provides a Cybersecurity Framework for organizations to implement that is based on five functions: Identify, Protect, Detect, Respond, and Recover. The framework is in-depth and comprehensive. Presented below is an abbreviated guide that encapsulates the five functions identified by NIST.
Understanding cybersecurity consists of grasping the following four basic topics:
- Cybersecurity Defined
- Types of Security Threats
- Types of Security Protection
- Best Practices for IT Professionals
1. Cybersecurity Defined
You may hear people refer to cybersecurity in different ways. According to Wikipedia, “cybersecurity is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.” The underlying message of this definition to new IT cybersecurity professionals is simple: learn how to protect your organization’s assets from unknown threats. What are these potential threats? Let’s discuss them next.
2. Types of Security Threats
Cybercriminals use a variety of methods to attack organizations. Learning the tactics that cybercriminals use will help you understand how to implement the best defenses against them.
There are four basic types of threats that you should know:
- Distributed-Denial-of-Service (DDoS) – Considered the first cyberattack, the Morris worm started as an innocent program designed to determine how many computers were connected to the Internet. The huge number of responses from the computers ended up overloading the target server, the classic sign of a distributed denial-of-service (DDoS) attack. These attacks can be costly (in time and money) to recover from. In the case of the Morris worm, 72 hours and more than $100,000 were spent to undo its damage.
- Malware – The term malware is a combination of the words malicious and software to describe an attack using software for malicious purposes. Malware has a long history and continues to advance. According to anti-virus software producer Malwarebytes, the term is used to refer to a variety of attacks. Ransomware, viruses, adware, spyware, trojans, rootkits, and keyloggers are just a few examples. The common thread of these attacks is that they require an action before they can do their misdeed. This action may be an employee clicking a link in an email or downloading software from the Internet onto an organization’s computer. The malicious software can be programmed to do several tasks. For example, it may, unbeknownst to you, secure a comfy spot on your computer and steal credentials, prevent you from accessing a computer without first remitting a payment, or simply overload your display with annoying ads.
- Social Engineering – According to Verizon’s 2019 Data Breach Investigations Report, phishing was the number one cause of data breaches. This type of attack can be referred to as a scam to trick someone into providing personal information. It is most often carried out via email but can also come in the form of a text message, instant message, or over the telephone. In an organization, a phishing attack can have a cascading effect and lead to a security breach. If your organization is hit with a phishing attack, it is a good idea to report the incident to the Federal Trade Commission (FTC). Types of social engineering attacks include phishing, vishing, and smishing.
- Data Theft – Theft can occur from someone outside of the organization that gains access to data by stealing an asset, such as a laptop, or from the inside by someone who has access to personal data. Data theft can ruin a company’s reputation, interrupt normal business operations, or cause a company to shut down immediately.
3. Types of Security Protection
How your organization attempts to prevent the attacks listed above will depend on the systems you employ and your chosen method of security protection. The following are the most common types of security protection and the challenges that are related to them.
- Identity Management – This area is associated with how users are identified on the network and how you manage that information. This also addresses how users access the network.
- Network Security – This type of protection involves securing a network, including its associated data, email, and wireless connectivity. Among the most common types of network security are firewalls, anti-virus software, behavioral analytics, intrusion prevention systems (IPS) and network segmentation.
- Application Security – Protecting the software that your organization uses is critical. At a minimum, this involves making sure that you keep all the applications that your employees use up to date. The main challenge in this area is that applications are constantly being updated, and sometimes updates can cause problems with existing software.
- Endpoint Security – This type of security protection involves protecting assets that are remotely connected to your organization’s network. Implementing a Virtual Private Network (VPN) is a good idea, but how you choose to set it up requires some research to understand what is best for your organization.
- Mobile Security – Mobile devices such as tablets and cell phones are easily portable and allow employees more flexibility with performing their work tasks. The challenge with protecting these systems is that it is impossible to develop a one-size-fits-all security plan when so many different types exist.
- Cloud Security – If your organization chooses to offload data to the cloud via a product managed by the organization or a third party, you should still be involved in the security of that virtual data. Data that is stored in the cloud is challenging to protect because you can’t see it and it is usually managed by a third party.
- Recovery Management – Your organization should have protection in place that defines the actions that are taken when there is a security incident. The challenge with this type of security protection is being prepared for the unknown.
- User Education – Users provide a measure of protection because they are often the first line of entry. Educating users is an important step in your organization’s security protection.
4. Best Practices for IT Professionals
An effective security plan will be specific to your organization’s needs. The organization looks to the IT department to make sure that everything is protected. This can seem a bit daunting, but there are some basic best practices that you can adopt now that will help to create a good defense.
- Inventory your organization’s assets.
This should be the first step in your security plan. This consists of tracking all the hardware and software in your organization and noting the employee responsible for each, as well as any specifics such as license expirations. At a very minimum, you could track the assets in a spreadsheet and make updates, as necessary. If your security budget allows, investing in asset tracking software such as UptimePM and Asset Panda can provide additional benefits.
- Apply patches and updates regularly.
Software improvements are inevitable. When a software provider discovers a security flaw in their product and notifies you about it, make sure you apply the patch as soon as possible. If the provider has discovered it, there’s a good chance that cybercriminals know about it and are looking for organizations that use the product so they can take advantage of them.
- Back up data regularly.
Your security plan should include a method for recovering your data if a security incident occurs. It’s a good idea to create a schedule and back up your most critical data more often than data that is not as essential. To protect your backup data, it is a good idea to encrypt the data (make sure you store the keys in a safe place) and create multiple copies that are stored using different methods.
- Contribute to user awareness.
Implementing the security protections and best practices listed above without training employees about cybersecurity is like adding a security system to your home and leaving the front door wide open while you sleep. According to a security awareness training survey conducted by Enterprise Management Associates of more than 500 small to medium-sized organizations, awareness training was not provided by more than half the respondents. Of the businesses that do provide training, 18% of them do not measure the effectiveness of the training, while 34% had no clue if they measured the effectiveness of the training. Hopefully, your organization has implemented training for employees that teaches them the behaviors to exhibit to protect the organization’s assets. You can contribute to user awareness by setting an example and by sending employees regular messages about security via email to keep security on their minds.
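For the first practice above, inventorying assets in a spreadsheet, the following added example (not part of the original article) reviews a CSV export of such a spreadsheet and flags assets with no responsible employee and licenses that have expired, expire soon, or have an unreadable date. The column names, the sample rows and the 30-day warning window are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample spreadsheet export; the column names are assumptions.
SAMPLE_CSV = """\
asset,type,owner,license_expires
LAPTOP-014,hardware,j.rivera,
Accounting Suite,software,m.chen,2024-07-15
Design Tool,software,,2025-03-01
VPN Appliance,hardware,it-ops,2024-06-20
CRM Seats,software,s.patel,next spring
"""


def review_inventory(csv_text, today, warn_days=30):
    """Return (asset, finding) pairs for rows that need follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset = (row.get("asset") or "").strip()
        # Every asset needs a named employee responsible for it.
        if not (row.get("owner") or "").strip():
            findings.append((asset, "no responsible employee"))
        raw = (row.get("license_expires") or "").strip()
        if not raw:
            continue  # nothing to expire (e.g. unlicensed hardware)
        try:
            expires = date.fromisoformat(raw)
        except ValueError:
            # Free-text dates hide expirations; flag them instead of skipping.
            findings.append((asset, "unreadable license date"))
            continue
        if expires < today:
            findings.append((asset, "license expired"))
        elif expires <= today + timedelta(days=warn_days):
            findings.append((asset, f"license expires within {warn_days} days"))
    return findings


if __name__ == "__main__":
    for asset, finding in review_inventory(SAMPLE_CSV, date(2024, 6, 25)):
        print(f"{asset}: {finding}")
```

Run on a schedule against the current export, the findings list doubles as a to-do list for whoever maintains the inventory.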
Cybersecurity has become an important aspect of doing business—regardless of size or industry. Organizations have a lot to consider when it comes to implementing cybersecurity. As an IT professional, you play an important role in the implementation and management of security. Learning about the types of threats and protection and common best practices will equip you with the basic tools you need to help protect your organization’s assets.
Partnering with BACS is a good plan because we have experience assisting organizations of all sizes and needs. We provide security solutions for organizations that get them up and running for the long term. Our solutions are designed to help you obtain the most from your technology so that you can focus on what your organization does best.