
Everything Your Construction Company Needs For Cybersecurity

By | Data Protection, Security

As a construction company, you may be surprised to learn that hackers are increasingly targeting the construction industry. One study performed by security vendor Sophos found that out of 203 construction companies, 68% had suffered a cybersecurity attack in the past year. There was even one instance where hackers were able to take control of a crane remotely. 

Some construction companies are not interested in cybersecurity because they want to focus on what they do best, and many owners downplay potential cybersecurity threats. Even so, there are a few reasons why your construction company should care about cybersecurity, and a few cybersecurity essentials it needs in order to properly protect the business.

Why Should A Construction Company Care About Cybersecurity?

Cybersecurity is important no matter what industry you are operating in. There are a few reasons that your construction company should care about cybersecurity. The most important reason may be data. 

Data

Your organization is responsible for all of the valuable information and data that it holds onto. Hackers want this information and will do nearly anything in their power to gain access to it. Your company has to do everything in its power to prevent this from happening. The loss of competitive data, such as bidding strategies, can hamper your ability to do business. 

A hacker could gain access to valuable blueprints and designs, which could compromise an entire project. A breach can also cost you the trust of a valuable customer, and you could lose customers outright after a hacking incident. Hacking incidents can also make government contracts harder to win against a competitor who has not had similar issues.

Downtime

Hackers can create serious headaches for any organization. One way that they can cause huge problems is by taking down machines, systems, and computers in an organization. Once a hacker gains access to your network, they can take systems offline and bring your entire company to a screeching halt. 

This can lead to multiple hours where employees cannot properly perform their work. If this happens multiple times each year, it can lead to millions of dollars in lost productivity. No organization wants to lose countless hours to get machines back up and running from a hacking incident. 

Now that we understand the importance of cybersecurity for construction companies, let’s discuss how your company can mitigate these risks. 

4 Cybersecurity Essentials For Construction Companies

Every construction company should at least have these basic cybersecurity essentials, which will give your business a comfortable level of security and protection. 

Firewall Protection

One of the most basic essentials that any company should employ is a firewall. A firewall is a network security system that monitors incoming and outgoing network traffic and blocks traffic that violates its rules, which helps protect your construction company. The newest firewalls combine several security measures in order to keep your construction company safe.

Firewalls help prevent hackers from stealing valuable data and help keep viruses off your systems. Most incoming threats are blocked as soon as the firewall detects them. Overall, a firewall should improve your cybersecurity outlook and prevent potential data loss.

Email Security

Email has become one of the primary methods for communication for nearly all businesses. Ensuring that this line of communication is secure is key to any cybersecurity strategy. Having a dedicated email security software solution can help your company stay safe and build trust with customers. 

Email security solutions scan outgoing and incoming emails to identify potential threats and alert users to them. Two-factor authentication can also help ensure that you are sending potentially sensitive documents to the right party. Email security will help keep your data safe, provided employees are properly trained and educated.

Education

Phishing scams are one of the most common ways that hackers breach an organization. Even the most educated, senior employees can fall for a sophisticated phishing scam. Consistent and thorough education helps employees make the right decisions in their daily work, including when they encounter phishing scams.

Organizations should ensure that employees are educated about the latest phishing scams they are likely to encounter. Employees who are educated on phishing can identify suspicious messages and forward them to the appropriate team member. Your company can then alert other employees to the scam to keep the hackers out of your organization.

Backup and Recovery

Even the most robust cybersecurity strategies can fail at times, which is where backup and recovery comes into play. According to some estimates, more than 50% of all small and medium businesses do not have adequate backup and recovery strategies in place. That is precisely why construction companies need backup and recovery systems in place for when something does go wrong.

A proper backup and recovery system ensures that your data will still be accessible if the worst happens. Construction companies can select which critical data is backed up on a separate medium. You can rest easy at night knowing that your data is backed up if anything disastrous happens.

All of these initiatives are not easy and require a certain level of knowledge. Most construction companies do not have the necessary expertise to ensure that these essentials are taken care of. Cybersecurity companies can help construction companies fill these knowledge gaps. BACS regularly works with construction companies in order to help them with cybersecurity projects. 

BACS Can Help You Construct Your Cybersecurity Defense

BACS has helped plenty of construction companies develop a customized cybersecurity defense strategy that can help your company fend off any potential hackers. Our team will work closely with your key leaders to understand your business and give you everything that you need. Your business can use our expertise to keep your data safe and secure. 

Reach out today to learn more about all of the offerings that BACS has. Our team is more than happy to answer any questions that you may have regarding cybersecurity. We can develop a customized cybersecurity solution for your construction company. Your team can focus on building your next project, instead of building your cybersecurity defense. 

Safe Harbor laws: Mitigating the impact of a data breach

By | Data Protection, Security

Today’s cybercriminals have become increasingly sophisticated in their ability to exploit weaknesses in security defenses. When a data breach does occur, the biggest losers, of course, are the businesses that must explain the impact to stakeholders and shoulder the cost of recovery.

To help minimize the damage resulting from a data breach, most states have enacted Safe Harbor (Against Data Breach) laws, which are often linked to existing IT governance and security frameworks such as those published by the National Institute of Standards and Technology (NIST). To be eligible, however, Safe Harbor rules require businesses to implement best-practice security protocols and procedures as part of a clear, well-defined data security framework.

Safe Harbor advantages

The goal of safe harbor laws is to impel businesses to take proactive measures to protect sensitive and confidential data. When a data breach occurs, a notification requirement is triggered where the business must notify the compromised parties regarding the details of the breach. Depending on the jurisdiction, some laws may also require the business to notify credit bureaus and local government agencies.

Safe harbor laws provide businesses with two distinct benefits. First, they can help ease the level of scrutiny from regulators and reduce fines and penalties for data breach violations. The rationale is that if a business is following sound security practices, why should they be punished to the same degree as an organization that has invested little into data protection and security?

Second, these laws provide a natural incentive for businesses to voluntarily improve their cybersecurity practices, which benefits the marketplace overall. What’s more, implementing robust security measures is a smart business strategy, particularly in light of today’s escalating cybersecurity threats.

Reaping the benefits of data encryption

Many safe harbor laws include a provision that rewards organizations that have implemented sound data encryption technology, allowing them to classify a data breach as an “incident” rather than a “breach.” The advantage of this classification is that it can exempt companies from the expense (and potential reputational harm) of having to comply with breach notification requirements.

While encryption offers an effective way to reduce risk, not all encryption will get you off the hook from notification. To fully protect your business and achieve safe harbor status, you must employ robust, role-based encryption and implement effective encryption key management, including the protocols and procedures for how keys are generated, distributed, stored, and replaced.

Avoiding a breach altogether is always the better option, even if notification is not required. Understanding your current security posture and building an effective data security framework is more than managing a checklist of tools and policies. It requires a holistic approach that takes into consideration your unique data protection and access needs, regulatory and market pressures, and long-term business goals.

The good news is that with the right mix of technology, engineering know-how, and smart policies, building a solid data breach defense is possible.

Building a solid security foundation

While implementing the right technology, like strong access controls and user authentication methods, is important, it’s not the whole solution. The users who interact with IT systems must also be educated and instructed in how to perform their tasks. And the policies and procedures that define those actions must be properly designed and consistently enforced.

Additional proactive measures can provide an extra layer of defense as part of a comprehensive security strategy.

  • Create a culture in which people talk about data protection and security, and make security a clear priority. Teach users about secure online practices, such as how to recognize potential threats and phishing attempts. Check their security awareness with in-house hacking checks and interactive security activities.
  • Simplify and streamline security with solutions that consolidate authentication, encryption and advanced threat protection into a single security suite. Compared with point tools, these integrated systems require a fraction of the IT resources needed to maintain effective threat protection.
  • Deploy updated anti-malware to help prevent malicious software such as ransomware and viruses from sneaking into your network, and make sure your anti-malware software is consistently updated with the latest definitions.
  • Define policies and procedures. Usage policies define what behaviors are and aren’t acceptable. Work with your internal team to define and implement policies and practices based on your usage preferences and on requirements or mandates specific to your particular market.
  • Keep patches current―make sure your practices include automated patching to help enforce policies and keep systems up to date with the latest software patches.
  • Make backups of all your data and software on a storage device that is not attached to your network or computer. Confirm that all your backups are operating properly and test them on a regular basis to make sure they will perform when you need them.

Without a clearly defined plan and ongoing commitment to effective data protection and oversight, your organization may fail to meet the standards needed to reap the benefits of Safe Harbor protection.

Some important points to keep in mind:

  • Safe Harbor statutes can help minimize costs and potential reputational damage arising from data breach lawsuits.
  • Cybersecurity insurance can help ease the cost of recovery from a data breach incident.
  • Following data security best practices is the best way to leverage the benefits of Safe Harbor laws.
  • Building your security strategy around a framework like NIST can help ensure alignment with current security practices and techniques.

Combining technology with the right expertise

As cybersecurity becomes increasingly complex, many organizations lack the resources and knowledge they need to create an effective strategy. That’s why you need a trusted security expert who not only understands the latest security trends, but can accurately define your business requirements and implement a plan that aligns with your current and long-term needs.

Safeguarding your vital IT infrastructure is not just a security concern; it is a fundamental business issue. It requires an intelligent investment in resources to meet an increasingly complex threat landscape. Ultimately, the cost of recovering from a breach will always be more exorbitant than any expenses incurred in safeguarding data with the right expertise and technology.

What California Businesses Should Know About the CCPA

By | Data Protection, Security

The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, grew out of a need to protect the privacy of consumer data at a time when data breaches involving the personal information of consumers are becoming commonplace. The state of California has had the most data breaches and the most data records exposed (1,700) in the U.S., according to findings by Comparitech on data breaches between 2005 and 2020. During this period, California had a total of almost 5.6 billion records exposed. It makes sense that the state would be the first in the U.S. to adopt strict regulations to protect the privacy of consumers’ personal information. Are you a California business wondering how the CCPA affects your operation? You should view the CCPA privacy rights, as outlined in their entirety, on the State of California Department of Justice website. The website provides all the information you need to determine whether the CCPA applies to your business, what actions the business must take, and the penalties if the business does not achieve compliance.

The following are nine key takeaways from the CCPA for California businesses:

  1. The CCPA grants consumers specific rights regarding their personal information.
  2. The CCPA includes definitions of consumer and personal information.
  3. The CCPA impacts specific businesses.
  4. Businesses impacted by the CCPA have responsibilities regarding the personal information of consumers.
  5. Some personal information is excluded from the CCPA.
  6. The CCPA includes requirements for selling the personal information of children.
  7. Non-compliance with the CCPA is enforced by the Attorney General.
  8. Consumers have legal recourse for business non-compliance with the CCPA.
  9. A security breach could become more costly.

1. The CCPA grants consumers specific rights regarding their personal information.

The CCPA grants consumers the following four rights regarding their personal information:

  • The right to know what personal information about them is collected, the purpose of collecting the information, and the reason collecting the information is necessary.
  • The right to request the deletion of their personal information collected by a business or service provider.
  • The right to opt out of the sale of their personal information.
  • The right not to be discriminated against because they choose to opt out of sharing their personal information.

2. The CCPA includes definitions of consumer and personal information.

The two key concepts addressed in the CCPA are “consumer” and “personal information.” These terms are defined by the CCPA:

  • The CCPA defines a consumer as a natural person who resides in California, even if the person is temporarily outside of the state.
  • The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.” The CCPA includes a long list of categories by which personal information can be identifiable.

3. The CCPA impacts specific businesses.

There are four questions that businesses can ask themselves to determine if the CCPA applies to their business:

  • Is your business a for-profit business that conducts business in the state of California?
  • Is your gross annual revenue more than $25 million?
  • Does your business “buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices”?
  • Does your business “derive 50% or more of their annual revenue from selling California residents’ personal information”?

If your business answers “yes” to any of the above questions, the CCPA applies to your business.

4. Businesses impacted by the CCPA have responsibilities regarding the personal information of consumers.

Businesses that are impacted by the CCPA must do the following:

  • Advise consumers that they collect personal information.
  • Inform consumers of the types of personal information they collect.
  • Inform consumers of their purpose for collecting personal information.
  • Reveal any third-party businesses to which personal information is distributed.
  • Provide a method for consumers to submit a request to access their personal data.
  • Provide consumers an option to opt out of the sale of their personal information. If a consumer later chooses to opt in, the business must request and confirm that opt-in. The CCPA allows businesses to offer consumers who have not opted out a financial incentive.
  • Include a privacy policy on their website that includes the information stated above.

5. Some personal information is excluded from the CCPA.

The CCPA references the following exclusions:

  • Medical information that is governed by the Confidentiality of Medical Information Act (CMIA), and health information that is protected by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, are not covered by the CCPA.
  • While employers are required to inform employees and potential employees about the personal information they collect and its purposes, the personal data collected and stored as part of being an employee, an employee’s emergency contact, or personal information used in processes for benefits is not protected by the CCPA.
  • Any aspect of the CCPA that prevents an impacted business from complying with other federal, state, or local laws is excluded.
  • Information that is available to the public is not covered by the CCPA.

6. The CCPA includes requirements for selling the personal information of children.

The U.S. federal government enacted the Children’s Online Privacy Protection Act (COPPA) in 1998 for the purpose of protecting the online privacy of children. The CCPA includes the following requirements for impacted businesses, which extend that protection by giving parents and teenagers additional control over the personal data of minors:

  • Impacted businesses are prohibited from selling the personal information of consumers that are younger than 16 years old without prior authorization from a parent, legal guardian, or the minor consumer (when the consumer is age 13 or over).
  • The consent to sell personal information of minors must be verifiable using “reasonable methods” that are in line with the recommended methods stated in the CCPA. An impacted business must have knowledge that a consumer is under the age of 16.

7. Non-compliance with the CCPA is enforced by the Attorney General.

The CCPA is enforced by the California attorney general. The attorney general has the right to bring a civil action against an organization that has been informed that it is not in compliance with the law and has not come into compliance within 30 days of being notified of the noncompliance. Violators of the CCPA may be hit with fines of up to $2,500 for each violation and up to $7,500 for each intentional violation.

An impacted business that chooses not to inquire about a consumer’s age is considered to be in “willful disregard” of the CCPA, which may result in a non-compliance violation.

8. Consumers have legal recourse for business non-compliance of the CCPA.

If a consumer’s personal information is involved in a data breach, the CCPA allows the consumer to bring suit against the organization.

There are three conditions for this to apply:

  • The personal information must be a combination of the consumer’s first and last name and one of the items outlined by the CCPA.
  • The personal information must have been stolen, accessed without authorization, or disclosed.
  • The personal information must have been in nonencrypted and nonredacted form.

9. A security breach could become more costly.

The average cost of a data breach will likely increase with the CCPA in force. According to a report by IBM, the average cost of a data breach is $3.86 million. Since 2003, California law has required organizations and state agencies to report data security breaches in which the unencrypted personal information of any California resident was acquired by an unauthorized person. Under the CCPA, an impacted business is required to pay a maximum of $750 for each data breach incident.

Next Steps

According to a report by the global computer security software company McAfee, only 31% of organizations in the U.S. have a plan to prevent IT security incidents. While the CCPA does not require that impacted businesses implement specific security methods, it’s a good plan for these businesses to take steps to obtain compliance.

The following are general steps that can help you obtain compliance with the CCPA:

  • Review the CCPA in its entirety and stay informed of any updates.
  • Understand the personal information of consumers that your business collects and stores.
  • Create or update your privacy policy to include the information required by the CCPA.

If you’re not sure where your business stands regarding the CCPA or need assistance obtaining compliance, BACS can help. BACS is a firm that provides IT security solutions. Compliance is one of the core areas of expertise of the firm. The professional staff has expertise in analyzing the security needs of organizations and developing a comprehensive and strategic plan that includes adherence to applicable regulations.

Managing Passwords—What a Small Business Can Do to Minimize Risk

By | Data Protection, Security

A network that is not adequately protected may be vulnerable to unauthorized access from competitors, government entities, and other malicious players. After someone gains access to your company’s network, that person could potentially use the information obtained to undermine your trade secrets. There is also a chance that malware, ransomware, or other dangerous software will be uploaded to a vulnerable server. Your organization must take network security seriously.

How Easy Is It to Hack Systems Protected By Weak Passwords?

The biggest problem with quality passwords is that they are hard to remember. Your employees may choose to create codes that they won’t forget, such as 123456, password, or birthdates. Unfortunately, most hackers know the weak passwords typically used to secure corporate servers, and they may be able to access your firm’s network without the need for fancy software.

It’s important to note that a hacker might gain access to a server through any device that connects to it. So, it’s essential that company smartphones, tablets, and computers have strong passwords.

What Can Small Businesses Do to Safeguard Their Networks?

Any passwords used to protect your company’s network should have a mixture of letters, numbers, and symbols. This practice makes it harder for passcode-cracking software to guess the sequence of characters needed to access a server. Plus, it is a good idea to change a passcode at least once every 30 days.

In addition to strong passwords, businesses can take other steps to prevent unauthorized access to their networks. For instance, it may be a good idea to require separate passcodes to access especially sensitive data such as customer data or trade secrets. These passcodes would only be given to top executives, certain classes of shareholders, and others who have a right to view this information.

It will also help to create server restore points every few minutes to ensure that information isn’t lost in the event of a ransomware attack. If such a scenario were to occur, you could take the server offline, find the breach’s source, and then roll the server back to the last secure restore point. It can also be worthwhile to create multiple virtual copies of your server’s data to ensure that it can’t be lost, damaged, or stolen.

Ideally, you’ll keep a physical server in a secure room that can only be accessed by members of your IT team. A server room may be secured by a lock that only opens if it recognizes a person’s fingerprint, retina, or other unique identifiers. Additionally, your firm should have a log of all the people who enter or exit the server room. If a security breach occurs, the log can be used to quickly identify the person who may have gone rogue.

How Can Employees Help?

There are several easy actions that employees can take to prevent a data breach from occurring. For instance, workers should refrain from using personal devices while on company property. Although a corporate network may be adequately protected from viruses, malware, or other exploits, personal devices secured by weak passwords may create a vulnerability that a hacker could exploit.

It’s also crucial for employees to refrain from using a company phone, tablet, or computer at home, since home networks may not be as secure as those they use while on the job. This difference makes it possible for devices that were healthy when they left the office to return with viruses or malware.

Employees are also encouraged to follow best practices for creating strong passwords for any devices they use to complete work tasks. It also helps to use a password management program designed to create strong protection against those who may try to access their devices.

How Do Authentication Protocols Work?

Authentication programs require those who are attempting to access your company’s network to enter a one-time code in addition to the typical passcode that protects it. In most cases this code is sent to the user’s smartphone, tablet, or other mobile device. If the code is not entered within a specified period of time, the person trying to access the server is not granted access.
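The one-time-code step described above, as an added Python example that is not code from the original post or from BACS: it issues a code after the password check, accepts it only once and only inside a validity window, and limits retries. The 120-second window, three-attempt budget and six-digit format are assumed policy values, not taken from the article.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not from the article): code lifetime and retry budget.
CODE_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    """A one-time code issued to a user after the password step succeeded."""
    code: str
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies the time-limited one-time code that follows the password check.

    `clock` is injectable so the expiry behaviour can be exercised deterministically.
    """

    def __init__(self, ttl=CODE_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self._pending = {}          # user -> PendingCode; at most one live code per user
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._clock = clock

    def issue(self, user):
        """Generate a fresh six-digit code for `user`, replacing any earlier one.

        The code is returned only so the caller can hand it to the delivery
        channel (SMS, authenticator push); it must never appear in the login UI.
        """
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[user] = PendingCode(code=code, issued_at=self._clock())
        return code

    def verify(self, user, submitted):
        """Check `submitted` against the live code for `user`.

        Returns one of "ok", "no_code", "expired", "locked", "wrong".
        A code is single use: once accepted it is discarded. A code that has
        expired or exhausted its attempts is discarded too, so the user must
        restart the login (password step included) to obtain a new one.
        """
        pending = self._pending.get(user)
        if pending is None:
            return "no_code"
        if self._clock() - pending.issued_at > self._ttl:
            del self._pending[user]
            return "expired"
        pending.attempts += 1
        if pending.attempts > self._max_attempts:
            del self._pending[user]
            return "locked"
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            del self._pending[user]
            return "ok"
        return "wrong"


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")        # constructed demo user
    wrong = "000000" if code != "000000" else "111111"
    print("deliberately wrong code:", sf.verify("alice", wrong))
    print("delivered code:", sf.verify("alice", code))
    print("replay of the same code:", sf.verify("alice", code))
```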

The Potential Consequences of a Data Breach

If customer information is obtained because of a data breach, a company may be held liable for any damages those individuals incur. It isn’t uncommon for thieves to use this data to commit identity theft, destroy a person’s reputation online, or otherwise cause long-term harm.

A data breach caused by an insufficient network security plan may also cause customers, investors, and others to lose confidence in your brand. This loss of trust could result in lost revenue, a significant decrease in your company’s share price, and other problems that might harm its ability to operate efficiently.

Depending on the circumstances of a given incident, there is a chance that members of your organization might face criminal charges after a breach occurs. This consequence may be especially true if a leak puts someone in danger of physical harm.

Now Is the Time to Create an Action Plan

If your company doesn’t have a network security plan, it’s essential to create one as quickly as possible. First, you’ll want to develop policies that ensure that your workers will create strong passwords, only use approved devices at work and follow other security best practices.

Next, you’ll want to provide training to your employees to ensure they understand the importance of these policies. These training sessions should go over the basics of what makes a strong passcode and why passcodes need to be changed regularly. They should also introduce password management programs, authentication tools, and other technology that your employees may need to interact with regularly.

It’s generally a good idea to have refresher courses every few months to ensure that your employees comply with these rules. These courses can also be helpful because new threats are constantly emerging, which means that you’ll likely have to update your policies every few months.

Finally, you’ll need a system that measures how well employees comply with the rules you have implemented. For example, those who are seen using their personal devices might be given a written warning. Conversely, those who are seen adhering to the new protocols should be given bonuses, time off, or other rewards.

Strong passwords can be the foundation of a network security plan that keeps your business safe from sensitive data breaches. An IT professional will help you better understand the importance of implementing such a plan and how to do so correctly.

Mitigating Potential Threats with Sound Security Protocols

By | Cloud, Data Protection, IT Support, managed It services, Networking, Security

As cybersecurity becomes increasingly complex, many organizations lack the resources or knowledge they need to create an effective security strategy. That’s why you need a trusted expert who not only understands the latest security trends but can accurately define your business requirements and implement a plan that aligns with your current and long-term needs. This is especially critical as companies move toward more hybrid cloud environments.

One of the biggest advantages of the cloud―flexible data access―can also be a major weakness if security isn’t effectively factored into the equation. Safeguarding systems and assets against rising threats is crucial, but levels of protection should be carefully balanced against your unique business objectives.  

Technology plays a critical role, but equally important is the need to work with an experienced security expert capable of creating and maintaining effective security practices. Bad actors and cybercriminals are continuously exploring new ways to penetrate your defenses, which underpins your need to develop and implement sound policies based on defined user preferences and your unique business needs.

Your managed service provider should be capable of implementing advanced security techniques and practices, including strong access controls, the latest malware protection, and proactive security scanning. You’ll want to make sure the provider you work with can adapt to change and growth and remains on the cutting edge of technology innovation.

Your service provider’s security operations team should be able to clearly demonstrate the practices and processes it uses to safeguard vital business assets. To protect sensitive data, IT policy controls should be automatically enforced through technical elements, such as authorization, authentication, access controls, password complexity, alerting, and system monitoring.

Your security provider should be clear about its procedures for keeping you informed about ongoing performance and support issues. It should also be able to clearly outline and define its response capabilities. What is the expertise level of the support staff? What is the standard response time? What are its protocols for data access?

Most managed security teams operate 24/7, with staff working in shifts to continually track and record activity and mitigate potential threats. Core operational protocols and security responsibilities include:

Manage access

Strong application controls like encryption and authentication can help safeguard information across networks and on endpoint devices, helping to prevent attackers from transferring or copying critical business data. Your cloud provider should be able to provide documentation that shows a separation of duties for administrative functions, disclosing the level of access that each user has and how those levels are maintained.

Define policies and procedures

Usage policies define what behaviors are and aren’t acceptable. You most likely have some protective measures in place to address internal threats. To help bolster this vital layer of defense, your security provider will work with you to define and implement policies and practices based on your usage preferences and requirements or mandates specific to your particular market.

Data protection

Data encryption is critical for organizations operating in a cloud environment, helping to make sure critical data remains protected while in use, at rest, or in transit. For even greater protection, consider full-disk encryption, which encrypts the complete drive, safeguarding the data as well as the applications and operating system.

Manage deleted data

Within a typical cloud environment, sensitive data can easily find its way into uncontrolled and hidden systems and services. When it’s time to delete confidential data, or remove resources storing sensitive data, it’s important to consider the potential spread or replication that often occurs during normal IT operations. Your service provider will analyze your cloud environment to determine where confidential data may have been cached or copied and decide the proper steps to help ensure successful deletion of the data.

Preventative measures

To help counter potential threats, effective security protocols include preventative measures designed to keep team members up to date on the latest cybersecurity trends, recent advances in security techniques, and newly emerging threats. This knowledge can help shape your security roadmap and improve disaster recovery planning, helping to guide and prioritize your response in the event of a data breach. Preventative measures and protocols also include actions to mitigate potential threats, including regular updates to existing systems, modernizing firewall policies, and identifying and correcting vulnerabilities.

Continuous monitoring

Security controls define the methods and protocols used by the operations team to monitor the network and identify anomalies or suspicious activity. Continuous network monitoring helps ensure your security team is immediately informed of potential or impending threats, putting it in the best position to prevent or mitigate impact. Continuous monitoring enables security teams to strike an optimum balance between proactive and reactive measures, because any abnormality in activity is detected immediately.
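As an added illustration (not code from the original post or from the provider it describes), here is the kind of rule a monitoring team runs continuously over authentication logs: it flags a source that fails to log in repeatedly within a short window, and escalates if that same source then logs in successfully, which is the case that needs an immediate response. The log lines, hostname and IP addresses are constructed for the example, and the threshold and window are assumptions a real team would tune to its own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log in OpenSSH/syslog style (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4411 ssh2
2024-03-01T10:00:03 host1 sshd[102]: Failed password for root from 198.51.100.7 port 4412 ssh2
2024-03-01T10:00:04 host1 sshd[103]: Failed password for root from 198.51.100.7 port 4413 ssh2
2024-03-01T10:00:06 host1 sshd[104]: Failed password for root from 198.51.100.7 port 4414 ssh2
2024-03-01T10:00:09 host1 sshd[105]: Failed password for root from 198.51.100.7 port 4415 ssh2
2024-03-01T10:00:12 host1 sshd[106]: Accepted password for root from 198.51.100.7 port 4416 ssh2
2024-03-01T10:05:00 host1 sshd[107]: Failed password for alice from 203.0.113.9 port 5100 ssh2
2024-03-01T10:20:00 host1 sshd[108]: Accepted publickey for alice from 203.0.113.9 port 5101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return a dict for a login-attempt line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window brute-force detector.

    Emits ("brute_force", ip, ts) once a source reaches `threshold` failures
    inside `window`, and ("success_after_brute_force", ip, ts) if a flagged
    source later logs in successfully. The threshold and window are
    assumptions for this example, not a recommended setting.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        q = recent_failures[event["ip"]]
        while q and event["ts"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if event["result"] == "Failed":
            q.append(event["ts"])
            if len(q) >= threshold and event["ip"] not in flagged:
                flagged.add(event["ip"])
                alerts.append(("brute_force", event["ip"], event["ts"]))
        elif event["ip"] in flagged:
            alerts.append(("success_after_brute_force", event["ip"], event["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {kind} source={ip}")
```

Run on the sample, the detector raises a brute-force alert on the fifth failure from 198.51.100.7 and a second, higher-priority alert when that source then authenticates; the single failure from 203.0.113.9 followed by a normal key-based login raises nothing.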

 

Effective recovery

In the event of a disaster, security protocols will be executed to recover systems and restore compromised or lost data. Actions may include wiping endpoint devices, reconfiguring and testing security systems, or restoring from effective backups to circumvent the attack. Effective recovery execution will return your cloud infrastructure to its original state. Procedures and steps should also be in place to figure out what happened and how it happened. The security team will use event and log data to track the problem and identify the source.

Ensure compliance

Many cloud security processes are shaped by established protocols and best practices, but some are guided by compliance requirements. Your managed service provider is tasked with regularly auditing enterprise systems to help ensure consistent regulatory compliance. Following regulatory protocols not only helps safeguard confidential data, it can also protect your organization from legal challenges and reputational damage resulting from a data breach.

A strategic approach to cloud security

As with any IT investment, migrating to the cloud comes with certain risks. Minimizing those risks and capitalizing on the full potential of cloud requires a strategic, pragmatic approach, evaluating essential infrastructure requirements, security protocols, risk factors, performance needs, and cost considerations.

Reasons Your Cybersecurity Is Broken

3 Reasons Your Cybersecurity Is Broken (And How to Fix It)

By | Data Protection, Security

Fixing cybersecurity problems in your organization should be a priority. As the tactics of cybercriminals become more advanced and the number of attacks increases, fixing cybersecurity problems narrows the opening through which these malefactors can pass. An incident that occurred at the close of 2020 and hammers home the importance of strengthening cybersecurity is the FireEye data breach. A cybercriminal was able to infiltrate the top security firm’s network and steal tools it uses for testing customer security methods. By all accounts, the security firm did everything right to prevent an attack. The unauthorized access in this incident was characterized as one custom designed to infiltrate FireEye’s specific data security system. If an experienced security firm can encounter a cyber incident, it can happen to any business.

The FireEye data breach has undoubtedly become a wake-up call for many organizations to fix the broken aspects of their cybersecurity. Unfortunately, there is no one-size-fits-all guide for resolving cybersecurity weaknesses. If you aren’t sure where to start with fixing cybersecurity issues, addressing the following three common problems can help to mitigate your organization’s cybersecurity risk:

1: Unpatched Security Flaws

2: Inadequate Access Controls

3: Human Error

1: Unpatched Security Flaws

Neglecting to patch security flaws is a significant problem because cybercriminals know that organizations often fail to patch in a timely manner, and they actively search for these vulnerabilities in order to exploit them. A well-known example of the consequences of unpatched software is the Equifax data breach. Equifax used third-party software for a consumer-facing service (credit disputes) and was notified by that software’s vendor that a security vulnerability existed. Two months later, Equifax still hadn’t patched the software, and cybercriminals gained access to internal servers containing customer data. Nearly 150 billion of Equifax’s U.S. consumer base was compromised. The unpatched security vulnerability ended up costing Equifax more than $500 million, including its settlement to mitigate the damages caused by the incident.

Here are five tips for addressing unpatched security flaws:

  • The obvious first step is to make sure all security patches are applied. According to a report published by Project Zero, a group of Google security analysts, 25% of the 0-days detected in 2020 could have been prevented by patching software.
  • Keep an eye on critical security vulnerabilities that may impact third-party organizations that have access to your network. One of the regular activities of the Cybersecurity and Infrastructure Security Agency (CISA) is to publish a list of Current Activity related to “high-impact types of security” that affect the U.S. While the listing includes basic information, vulnerabilities requiring software updates are the most prevalent entries.
  • Patching software can be a tedious task, especially when you have multiple systems to update. Consider using a patch management tool that lets you remotely deploy a software update to several systems at once from an interface configured to your organization’s specifications.
  • If your organization is concerned about problems that a software update can cause, implement a patch evaluation process: first test patches on non-critical systems, then monitor the final deployments for any disruptions.
  • Another option for automating your patching efforts is a cloud patch management service. These services usually scan systems for known vulnerabilities and deploy software updates as necessary.
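An added example, not part of the original post, of the first two tips expressed in code: an inventory of installed software versions is compared against a list of advisories to produce a patch list ordered by severity, so the critical items are dealt with first. The hosts, versions, advisory identifiers (ADV-EXAMPLE-…) and fixed versions are all constructed placeholders for the example, not real advisories; a real feed would come from CISA or the vendor.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix (single release branch assumed)
    severity: str        # critical, high, medium or low
    advisory_id: str     # placeholder id for the example, not a real CVE


# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "web-01": {"openssl": "1.1.1k", "nginx": "1.18.0"},
    "db-01": {"openssl": "3.0.12", "postgresql": "14.2"},
    "file-01": {"samba": "4.15.3"},
}

# Constructed advisory feed (placeholder ids and versions).
ADVISORIES = [
    Advisory("openssl", "1.1.1w", "high", "ADV-EXAMPLE-001"),
    Advisory("nginx", "1.20.1", "medium", "ADV-EXAMPLE-002"),
    Advisory("postgresql", "14.8", "critical", "ADV-EXAMPLE-003"),
    Advisory("samba", "4.15.0", "high", "ADV-EXAMPLE-004"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version):
    """Comparable key for a version string: numeric parts compare as integers and a
    trailing letter breaks ties (OpenSSL style, so 1.1.1k < 1.1.1w). Pre-release
    tags such as '-rc1' are not handled; a real tool would use the vendor's own ordering."""
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok.lower())
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


def is_vulnerable(installed, fixed_version):
    """True when the installed version is older than the first fixed version."""
    return version_key(installed) < version_key(fixed_version)


def missing_patches(inventory=INVENTORY, advisories=ADVISORIES):
    """One finding per (host, advisory) whose installed version predates the fix,
    sorted by severity, then host, then product."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.product)
            if installed is not None and is_vulnerable(installed, adv.fixed_version):
                findings.append({
                    "host": host, "product": adv.product, "installed": installed,
                    "fixed_in": adv.fixed_version, "severity": adv.severity,
                    "advisory": adv.advisory_id,
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["product"]))
    return findings


if __name__ == "__main__":
    for f in missing_patches():
        print(f"[{f['severity']:8}] {f['host']}: {f['product']} {f['installed']} "
              f"-> {f['fixed_in']} ({f['advisory']})")
```

On the constructed data the report lists the PostgreSQL server first (critical), then the web server's OpenSSL and nginx; the file server is already at or above the fixed version and does not appear.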

2: Inadequate Access Controls

You should know all the people, devices, and systems that are able to access your network and implement adequate access controls. How important is controlling access to your critical data? The notable Capital One security breach is an example of what can happen when access controls are insufficient. A lone cybercriminal (eventually discovered to be a former Amazon employee) was able to gain access to the company’s server hosted on Amazon Web Services (AWS). The criminal obtained personal information for more than 100 million Capital One customers. Capital One estimated that recovering from the incident would cost the company about $150 million.

Implementing adequate access controls protects your organization not only from external intruders but also from internal malicious attacks. According to recent research performed by Ponemon Institute LLC, based on interviews of IT security professionals around the globe, insider breaches cost organizations as much as $871,686 and have tripled in frequency since 2016.

The following are five ways you can improve access controls for systems and data within your organization:

  • Create an inventory of all the employees, resources, and data in your organization that have access to the network. Determine the level of access each of these requires. For example, specific individuals in a financial department require access to the company’s accounting information.
  • Develop an access control policy that specifies the employees and resources that are granted access to critical systems and data. Make sure you store this information in a safe place.
  • Implement an authentication system that verifies the identity of employees accessing critical data. To complement this step, consider investing in monitoring software that analyzes access to your network for unusual activity.
  • Prohibit employees and third-party vendors from connecting to your organization’s network over unsafe public Wi-Fi networks. As an alternative for remote access users, consider implementing a virtual private network (VPN), which uses an encrypted virtual tunnel to connect to the network.
  • Hopefully, you already back up all data to a central server or cloud service and all employees know to use strong passwords. In case a system or device used to connect to your network is lost or stolen, consider installing software on these systems that allows you to access them remotely, locate them, and prevent unauthorized access to their data.
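As an added example (not from the original post), the inventory and access control policy described in the first two tips, expressed as code: a deny-by-default role check, a report of who can do what on a given resource (the review the inventory step calls for), and a least-privilege check that flags users holding administrative rights on more than one resource. The users, roles and resources are constructed for the example.

```python
# Constructed example data: what each role may do on each resource, and who holds which role.
ROLE_PERMISSIONS = {
    "finance-analyst": {("accounting-ledger", "read")},
    "finance-manager": {("accounting-ledger", "read"), ("accounting-ledger", "write")},
    "it-admin": {("accounting-ledger", "admin"), ("hr-records", "admin")},
    "engineer": {("source-repo", "read"), ("source-repo", "write")},
}
USER_ROLES = {
    "alice": {"finance-analyst"},
    "bob": {"finance-manager"},
    "carol": {"it-admin"},
    "dave": {"engineer"},
    "eve": set(),  # account exists but no role has been assigned yet: gets nothing
}


def is_allowed(user, resource, action, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Deny by default: an unknown user, an unknown role, or an unlisted
    (resource, action) pair all fall through to False. 'admin' does not
    silently imply 'read' or 'write'; every grant is explicit."""
    for role in user_roles.get(user, set()):
        if (resource, action) in role_permissions.get(role, set()):
            return True
    return False


def access_report(resource, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Who can do what on one resource: the inventory an access control policy is written from."""
    report = {}
    for user, roles in user_roles.items():
        actions = sorted({
            action
            for role in roles
            for (res, action) in role_permissions.get(role, set())
            if res == resource
        })
        if actions:
            report[user] = actions
    return report


def admin_sprawl(limit=1, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Least-privilege review: users holding 'admin' on more than `limit` resources."""
    result = {}
    for user, roles in user_roles.items():
        admin_on = sorted({
            res
            for role in roles
            for (res, action) in role_permissions.get(role, set())
            if action == "admin"
        })
        if len(admin_on) > limit:
            result[user] = admin_on
    return result


if __name__ == "__main__":
    print("accounting-ledger:", access_report("accounting-ledger"))
    print("admin on more than one resource:", admin_sprawl())
```

The point of keeping the role tables as plain data is that the same tables feed both the enforcement check and the periodic review, so the policy document the second tip asks you to keep safe and the policy the systems actually enforce cannot drift apart unnoticed.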

3: Human Error

If your organization’s cybersecurity plan is focused primarily on protecting the network from outside intruders, you likely have a critical weakness in your system. According to a Verizon Data Breach Investigations Report (DBIR), 34% of the more than 40,000 security events they analyzed were committed by internal actors. There are many data breaches that have exposed the importance of addressing human error. In September 2020, the U.S. Department of Veterans Administration (VA) suffered a security breach due to cyber criminals obtaining access to a financial system used by the organization. In addition to attempting to divert funds from the VA, the cyber criminals were able to access the personally identifiable information (PII) of nearly 50,000 veterans. Modifications to how the VA performs its financial operations are projected to cost $2.5 billion. The VA security breach highlights the consequences of social engineering. The cybercriminals were able to access the VA system using social engineering to trick employees into providing their credentials.

The types of social engineering include smishing (phishing via phone calls or text messages), harpooning (phishing by impersonating executives and using information from social sites), deepfakes (editing a legitimate video or voice clip for the purpose of acquiring personal information), and vishing (impersonation via phone calls or voice message).

The following are five tips for addressing human error in your organization’s cybersecurity plan:

  • Continuously train employees about social engineering, including how to identify and report suspicious email, not providing personal information requested via email, and not clicking a link in an email unless they are 100% sure it is from a legitimate source (contact the sender via phone or other means besides email to confirm).
  • Use network and email security solutions such as firewalls, antivirus software, antimalware software, anti-phishing solutions, and email spam filters.
  • Implement a multifactor authentication (MFA) system to add an additional method of validation.
  • Use SSL digital certificates to encrypt all data flowing to and from your network.
  • Create an accepted list (also referred to as a whitelist) of applications and email addresses that employees can access. Review this list regularly and make any necessary changes.

Next Steps

Hopefully, the FireEye data breach mentioned earlier doesn’t cause you to relinquish the quest to fix the problems with your organization’s cybersecurity. While such custom cyberattacks occur, they are not the most prevalent. Practicing due diligence and fixing cybersecurity problems that are impacting your organization will strengthen your defense system and help to prevent security incidents that can negatively impact your business and the relationships with your customers. If your cybersecurity team doesn’t have the resources to fix the critical problems mentioned above, it’s a good idea to partner with an experienced cybersecurity team to ensure all the cybersecurity problems impacting your organization are addressed.

BACS is a team of consultants with a full range of IT security experience. We are equipped with the tools necessary to perform comprehensive infrastructure analysis to determine where vulnerabilities exist and develop a comparable plan to resolve the issues and establish a robust foundation. We also offer assistance with developing a thorough cybersecurity training program to educate employees and help fix security issues associated with social engineering.

Multi-Factor Authentication

Increasing Security with Multi-Factor Authentication

By | Data Protection, Security

Multi-factor authentication (MFA) involves additional security measures required when logging in to an online account. While it is true that every website requires the user to sign in with a password, MFA adds a further layer of security on top of it.

Indeed, a website may require two or three MFA classifications, including identification via a face scan, the user’s voice, or optical recognition. Alternative MFA types include bank cards, keys, and secret tokens. For instance, an ATM user has a debit card combined with a Personal Identification Number (PIN).

Bank and investment websites use MFA technology to protect account owners from hackers. You have most likely already used MFA software to log in to your online checking account or other financial services firms when you provided numerical codes in addition to your passwords. A Multi-Factor Authentication verification works as follows:

  • The MFA software calls the phone number associated with your account, or sends a verification text message to your cell phone instead of calling.
  • You answer the call, or read the text message, and receive a numerical code.
  • Next, you enter the code into your online account via the website or an app.

A website views your phone as a trusted device. Consequently, receiving the code on your cell phone or landline phone indicates that you are not an impersonator attempting to hack into someone else’s account. MFA might also use your fingerprint as a form of identification. If you lose or forget your password, MFA is sometimes used to verify that you are the authentic account owner. Once verified, you can proceed to change your password.

Websites may require users to answer several security questions before they can access their accounts. Nevertheless, answers to security questions do not constitute the most secure types of MFA authentications.

 

Why is MFA Needed?

MFA is needed to ensure that both the small business owner and the consumer receive protection from people who want to steal identities or funds. MFA requirements protect small businesses from having to deal with identity theft issues. Furthermore, MFA provides an invisible protective wall surrounding the user or account owner. Think of MFA as a moat that defends your account from the malicious intents of ne’er-do-wells.

Unfortunately, hackers get their entertainment from observing users who choose weak passwords. MFA is needed because people often choose insufficient passwords that are too short or lack sufficient letters, numbers, and characters. In addition to selecting an inferior password open to security breaches, a user may enter the identical password on 100 different websites.

Using the same password numerous times can send alert signals to potential hackers. Hackers delight in finding users who continue to use the same passwords for months or years. Many users continue to use the same passwords for multiple applications and store them in insecure locations. Using software to store passwords also presents problems. Using a password manager to store one or more passwords is not always a good idea because of possible security vulnerabilities.

 

What are the advantages of using MFA?

If you manage a small business, you may think it unnecessary to ask customers for MFA authentications. You may worry that your clients will regard receiving and entering numerical codes as heavy burdens on their time and patience. Nonetheless, your customers will thank you if your requirement to use MFA software results in protecting their identities and accounts. Benefits of using MFA software include:

  • Providing clients with additional account protection
  • Protecting a business by offering clients ways to defend themselves
  • Preventing a breach of trust
  • Keeping clients happy because they feel secure

Using MFA technology as an additional security measure can protect businesses, customers, and employees from hackers. Once an accomplished hacker gains access to valuable information, they can wreak all kinds of havoc for everyone affected by the attack.

Hackers can steal medical records, social security numbers, and physical addresses. While the mere thought of a hacker gaining access to confidential account information may send shivers up and down your spine, your use of MFA technology can help prevent this type of situation from taking place.

 

What are the disadvantages of using MFA?

An account owner may not want to spend additional time verifying their account. It is already somewhat of a nuisance to enter a username and password for verification purposes. Receiving an email, voicemail, or text with a numerical code is an extra burden. Plus, the person then needs to take the time to enter the code before they can access their account.

A user may receive the dreaded message implying that the website does not recognize their computer. Lack of recognition may result from using a junk file cleaner. While deleting unnecessary information, a private usage data cleaner may also eliminate a trusted site verification. An updated browser can also cause a website to require additional identifiable information from the user.

A person may not have their phone within proximity. Perhaps someone recently stole the person’s mobile phone. If MFA requires receipt of a unique code via a voicemail, this can cause an issue. In this case, a user will not have the ability to access their online account.

MFA software is not 100% foolproof. A hacker can figure out how to mimic a person’s voice or even their iris. Yet utilizing MFA technology makes common sense because the authentication adds extra security.

 

How does MFA work?

Multi-Factor Authentication occurs when a person wants to log in to their online account. A one-time password (OTP) is a common requirement before an individual can access their online data. The code only works for a short time. Once the allotted time expires, the user will need to obtain a new OTP and enter it into the website.

A website that does not require the user to enter an OTP may ask the person to answer one or more security questions. As stated earlier, security questions are not foolproof because a hacker may have the ability to ascertain the correct answers.

Another method involves recognizing a person’s trusted device. In this scenario, the individual has already granted the website permission to use the same cell phone or computer. The simplest description of how MFA works is that it asks for ample evidence of identity: a person who provides two or more pieces of evidence demonstrating correct identification can access their online account.

Even though requiring the use of MFA may cause a person to have a minor inconvenience, the benefits far outweigh any disadvantages. Scrambling to find a cell phone to obtain a numerical code is worth the slight hassle if it means protecting the person from identity theft.

Small businesses benefit from using MFA software because the authentication method offers extra protection for their clients, resulting in satisfied customers. Every business owner knows that keeping a customer happy is a vital aspect of growing a company.

Business owners should familiarize themselves with Multi-Factor Authentication software before they choose a system. It is useful to determine if they can get support and whether the software is easy to use. Providing clients with an extra measure of safety, a small business owner has the satisfaction of going the extra mile for their customers.

cybersecurity trends

TECH TALK: 7 Trends You May Have Missed About Cybersecurity

By | Data Protection, Security

At any given point in time, there are numerous trending topics in cybersecurity. Change is one aspect of technology that we can always depend on, and that’s a good thing. We’re able to do more in less time than ever before. Of course, advancements in technology go hand in hand with the cybersecurity landscape. As someone who has a key role in IT, keeping up with changes in technology and cybersecurity should be a routine task. However, there are trending topics that are just beginning to emerge that you may not yet be aware of.

Here are seven cybersecurity trends you may have overlooked:

1: Bring Your Own Device (BYOD)

2: Internet of Things (IoT) Devices

3: Fifth Generation (5G) Technology

4: Social Engineering

5: Bitcoin Ransomware

6: Smart Contracts

7: Insider Threat


1: Bring Your Own Device (BYOD)

BYOD programs that allow employees to use their personal devices to access business assets on the job have been accepted by IT departments for a while now. They can be a bit unwieldy in terms of control, but the benefits to productivity and costs are difficult to ignore. Unfortunately, the security concerns are increasing. The main concerns with allowing personal devices to access a corporate network are that IT personnel are usually not aware the device is connected to the network, the device usually has minimal security features, it is easily stolen or misplaced, and it is difficult to control how employees use it (they can easily download apps).

History has proven that the concerns listed above are serious. In 2017, the cryptocurrency firm Bithumb experienced a data hack that was traced to an employee’s home PC. That data breach exposed the personal information of 30,000 of the Korean company’s customers.

If your organization supports a BYOD program, you can mitigate your risk by first developing a policy that outlines the requirements for use in the organization. It is a good idea to add controls to your organization’s Wi-Fi, which is often accessible to anyone who knows the password. There should be an acknowledgement before a device can connect to the organization’s corporate network. This could consist of requiring employees to register any device they want to connect to the network and implementing security safeguards such as multi-factor authentication. You might also consider implementing a Mobile Device Management (MDM) system that can track devices much like a global positioning system (GPS). These walk a fine line with privacy infringement, but there are MDM systems available that are less invasive.

 

2: Internet of Things (IoT) Devices

 

Wikipedia defines Internet of Things (IoT) as a “network of physical objects—’things’—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.” While IoT devices include many of the popular smart devices that individuals use on a regular basis (watches, fitness trackers, alarms, biometric scanners), there is a growing use of these by organizations. For example, the healthcare industry uses IoT-connected sensors to improve the services they provide to patients.

The main security concern for IoT devices is the amount of data that is shared among interacting devices. According to a report by KPMG, 84% of IoT adopters have experienced a security breach. The advisory and audit firm offers the following three best practices for securing IoT devices:

  • Asset management – Know the devices that connect to the organization’s network and the path they travel once they are outside the organization’s network.
  • Device security – In addition to granting only authorized users access to business data using IoT devices, make sure these devices are protected by antivirus and encryption software, are kept updated with the latest security software, and are monitored for suspicious activity.
  • Vulnerability management – Create a program to “identify and fix weaknesses with a device.”

 

3: Fifth Generation (5G) Technology

 

The growing use of IoT is stressing our mobile capabilities. The good news is fifth-generation wireless technology has arrived! Just as with its predecessors, this advancement in mobile communication offers faster download speeds, decreased latency, and more network capacity. The transition to 5G is just beginning and is predicted to reach full evolution by 2022.

Many of the cybersecurity risks associated with 5G networking will be addressed by the network’s builders. However, IT departments also take on additional responsibilities. The increase in bandwidth that 5G provides also increases network monitoring tasks for IT departments. With data traveling much faster on the network, new strategies for monitoring the traffic will be necessary. 5G also transitions from a network based on hardware switching to one that relies on software-based digital routing. IT departments that are unable to keep up with the 5G advancements can expect an increased threat of distributed denial-of-service (DDoS), man-in-the-middle (MiTM), and botnet attacks.

 

4: Social Engineering

 

According to Verizon’s 2019 Data Breach Investigations Report, social engineering threat actions in data breaches have increased significantly more than any other type of threat in the past seven years. In the past, phishing (pretending to be someone else to persuade an individual to disclose their personal information) has been the most used form of social engineering.

The social engineering threats that are trending now include the following:

  • Smishing – Phishing via phone calls or text messages
  • SIM swap – Fraudulently switching another individual’s mobile account information to gain access to bank and credit card accounts
  • Harpooning – Phishing by impersonating executives and using information from social sites
  • Pharming – Fraudulently installing malicious code on a PC or server; the code redirects any click to another fraudulent website without the user’s consent
  • Deepfakes – Editing (using advanced AI technology) a legitimate video or voice clip for the purpose of acquiring personal information
  • Vishing – Impersonation via phone calls or voice message

Hopefully, your organization has already implemented email safeguards to detect and block suspected phishing communications.

Social engineering involves human interaction. The best safeguards are educating employees about the different types of social engineering tactics and how they should be cautious before responding to any type of communication, even if it appears to be from someone reputable. If possible, employees should use an alternate method to verify suspicious communications.

 

5: Bitcoin Ransomware

 

Using malicious software to block access to another party’s system and demanding payment to restore access is referred to as ransomware malware, or ransomware for short. This type of attack often begins with someone clicking a bad link that installs the ransomware on the system. The sophistication of ransomware varies. The most advanced types use encryption to prevent access to systems or files and require a decryption key. The latest form of payment requested in ransomware attacks is bitcoin, because it is a digital currency that is exchanged quickly.

Ransomware is a serious problem. This was highlighted with the 2017 WannaCry ransomware attack that involved computer systems all over the world that had not applied a Microsoft software patch. Unfortunately, the trend is continuing. The most significant ransomware attacks as of June 2020 cost the victims more than $100 million to recover from the incidents.

Network and security monitoring software maker NetFort recommends the following five tasks to protect against and recover from ransomware attacks:

  • Back up your data regularly
  • Make sure all systems that connect to the network have the most recent security updates
  • Implement intrusion detection systems
  • Monitor network traffic for unusual activity
  • If a system is infected with ransomware, disconnect it from the network immediately and rebuild it

 

6: Smart Contracts

 

Blockchain, the technology that powers bitcoin, is being used in a variety of methods of exchange. Smart contracts are one of those. A smart contract is a daisy chain of encoded actions that are saved within a blockchain and digitally self-executing without the assistance of a third party such as a bank or attorney. Smart contracts are gaining popularity because of their transparency, speed, permanency, and non-editable characteristic. Although smart contracts are inherently secure (the data they contain are encoded), they are comprised of program code that is susceptible to vulnerabilities. The main security concerns with smart contracts are access control and undiscovered bugs in their programming code. One of the most newsworthy incidents occurred in 2017 when the code of a multi-signature wallet was exploited by a user by accident. The incident caused users of the wallet to lose more than $280 million because they were unable to withdraw funds from the digital wallet.

The best way to mitigate your risk with smart contracts is to:

  • Make sure the smart contract is 100% encoded (every record from start to finish), and distribute access via private key only to specific users.
  • Don’t lose your private key! Better still, your organization should consider engaging in smart contracts that use multi-access, so that a single key is not a single point of failure.
  • Ensure the underlying code is bug free. This means test, test, and test some more to make sure there are no vulnerabilities that malicious actors could take advantage of.

7: Insider Threat

An unfortunate and growing trend is that people who have, or previously had, legitimate access to an organization’s data intentionally or unintentionally take destructive actions. Insider threat occurs through multiple methods. An example of the significant damage an insider can cause is the ex-Cisco employee who caused $1.4 million in damages. He left the company in 2018 and shortly thereafter installed malicious code from his old Google Cloud Platform account, which deleted nearly 500 virtual machines hosting Cisco WebEx applications. Within two weeks, 16,000 WebEx accounts were deleted. In this case, the ex-employee somehow managed to retain his access to Cisco’s cloud infrastructure after he left; it is not known how.

The Insider Threat Mitigation Guide published by the Cybersecurity and Infrastructure Security Agency (CISA) provides the following tips for establishing an effective insider threat mitigation program:

  • Identify and focus on those critical assets, data, and services that the organization defines as valuable
  • Monitor behavior to detect and identify trusted insiders who breach the organization’s trust
  • Assess threats to determine the individual level of risk of identified persons of concern
  • Manage the entire range of insider threats, including implementing strategies focused on the person of concern, potential victims, and/or parts of the organization vulnerable to or targeted by an insider threat
  • Engage individual insiders who are potentially on the path to a hostile, negligent, or damaging act to deter, detect, and mitigate

Conclusion

Is your IT department equipped to address the emerging cybersecurity threats? If you’re unsure, now is the time to determine your level of vulnerability and implement the necessary safeguards to ensure your organization’s assets are fully protected.

If you require assistance with assessing your needs and implementing the “right” IT security solutions for your organization, BACS can help. We are an experienced team of IT service professionals that work closely with clients to assess, develop, and implement security solutions that offer an ideal level of protection.

The Anatomy of Great Cybersecurity

By | Data Protection, Security

If security professionals were asked to define the anatomy of great cybersecurity, their answer would likely be significantly different than it was a few years ago. IT departments are allocating more resources to improve their cybersecurity outlook. This is due in part to the large number of security breaches that have exposed critical data. The developers of the Norton anti-virus software report that in the 3,800 publicly disclosed security breaches reported in the first six months of 2019, a record number of 4.1 billion records were exposed (more than a 50% increase over the same period in 2018). There are probably many more breaches that are not publicly disclosed. While there isn’t a single “right” way to implement a cybersecurity strategy, there are areas of importance in which you should direct your focus.

Here are three key telltale signs of effective cybersecurity:

1: Leadership Buy-In

2: A Comprehensive Cybersecurity Framework

3: Security Awareness

Leadership Buy-In

As a security professional, your ideas about the best cybersecurity strategy for the organization are important to leadership (which typically includes the board of directors, the executive team, and security officers and managers). The weight that an organization places on cybersecurity begins at the top, because the top executives usually have the final authority to approve a cybersecurity budget that is appropriate for the organization’s needs. However, it’s not enough to have the knowledge and a good picture of your organization’s cybersecurity stance. You must also communicate this information to leadership effectively, often for the purpose of persuading them.

Here are ideas to help you communicate your cybersecurity plan to leadership and obtain their buy-in:

  • Focus on providing metrics instead of explaining technical jargon.
  • Outline your recommendations. Make sure you provide multiple effective options that vary in cost. Explain the pros and cons of each option.
  • Explain how increasing the cybersecurity budget fits in with the organization’s goals. Focus on revenue, cost savings, ROI, and customer satisfaction.
  • Emphasize any weaknesses that your analysis or an expert’s assessment has uncovered and the potential threats that your organization could become victim to if the weaknesses are not addressed.
  • Highlight security breaches of organizations that are similar to yours and their devastating results. If your organization isn’t in one of the industries that are threatened most often (financial, healthcare, manufacturing, or government), leadership may not worry about security as much. Do your research and point out an organization similar to yours that has experienced a devastating breach. For example, if your organization is a gaming company, you could point out the data breach of mobile gaming producer Zynga that exposed 218 million customer records (the largest data hack of 2019).

Once you’ve prepared your list of ideas, make sure you also prepare answers to questions that leadership may have. Think of the pros and cons of the ideas you present to them and any other questions that may come up. It’s also a good idea to communicate with other cybersecurity professionals who have successfully obtained leadership buy-in and how they obtained it.

A Comprehensive Cybersecurity Framework

A cybersecurity plan must address the methods of protecting information assets. Since this involves a variety of components, a comprehensive cybersecurity framework is the best choice. When you are considering your framework, you should focus on how you want to handle potential threats. You want a framework that helps you understand your organization’s needs (assessment and analysis), provides components for implementing and managing risk controls and enables you to continually monitor your progress.

When you are considering the cybersecurity framework to implement in your organization, you should also check whether there are any regulations specific to your organization or industry. An example is the Health Insurance Portability and Accountability Act (HIPAA), which provides security requirements for healthcare organizations.

To implement a comprehensive cybersecurity framework, you will likely combine multiple systems and controls. Here are five notable cybersecurity structures that are available for organizations:

National Institute of Standards and Technology (NIST) Cybersecurity Framework

This framework was developed specifically for organizations that manage critical systems in the United States, but it identifies five core functions that any organization can use for managing and mitigating its cybersecurity risks: Identify, Protect, Detect, Respond, and Recover. NIST provides the framework as downloadable files on its website, along with additional resources.

Center for Internet Security (CIS) Controls

These 20 controls are prioritized best practices that CIS has developed to help organizations prevent cyber attacks. The controls are grouped into basic, foundational, and organizational tiers and are downloadable in their entirety in PDF or Microsoft Excel format. CIS provides guidance for implementing the 20 controls, as well as other cybersecurity resources, on its website.

Information technology — Security techniques — Information security management systems — Requirements (ISO/IEC 27001)

This compliance specification, which provides requirements for information security management systems (ISMS), was first published by the International Organization for Standardization (ISO) in 2005 and has been revised over the years to address advances in cyber threats. Meeting its requirements can help organizations develop a cybersecurity framework. Organizations can choose to simply follow the requirements, or, if they meet the rigorous requirements, request an audit to become ISO 27001-certified. Certification is an added benefit that provides proof to leadership, customers, and partners that a company has met a high standard for cybersecurity and is serious about protecting its information assets.

Federal Deposit Insurance Corporation (FDIC) Cybersecurity Framework

In 2016, the FDIC announced this framework to provide guidance to banking organizations for mitigating cyber risks that are specific to the industry. According to a report by the security firm Keeper Security, of the thousands of IT professionals surveyed, two-thirds of those at financial organizations had experienced cyber-attacks. This framework identifies four areas of focus for reducing cybersecurity risk: Corporate Governance of Cybersecurity, Threat Intelligence, Security Awareness Training, and Patch-Management Programs.

The FDIC also lists other cybersecurity resources on its website. In January 2020, the FDIC issued the Joint Statement on Heightened Cybersecurity Risk to “remind supervised financial institutions of sound cybersecurity risk management principles.” The document outlines six areas of focus: Risk Management, Identity and Access Management, Network Configuration and System Hardening, Employee Training, Security Tools and Monitoring, and Data Protection.

Plan-Do-Check-Act (PDCA) Methodology

Wikipedia defines PDCA as “an iterative four-step management method used in business for the control and continuous improvement of processes and products.” It was part of the ISO 27001 compliance standard for many years and has been incorporated into a variety of other cybersecurity frameworks. Organizations can use this method to improve their security implementation by cycling through four steps: Plan, Do, Check, and Act.

Security Awareness

Security awareness refers to the ability to identify a potential threat and take appropriate action to alleviate it. An effective cybersecurity strategy would be incomplete without a plan for establishing awareness among employees. According to a study by the information security firm Shred-It, employee negligence poses the greatest information security risk to organizations. If employees in the organization do not understand security risks and make bad choices, leadership buy-in and a comprehensive cybersecurity framework will have only a limited effect. Creating an environment in which employees have security awareness involves giving them the information they need to understand the cybersecurity landscape and educating them on the behavior that is best in that landscape.

The following are the ways your organization can increase security awareness:

  • Develop a training program that identifies the types of cybersecurity threats and provides best practices for preventing security issues (recommended behavior when using email, social media, and company assets). The training should be mandatory for all employees and should be repeated and updated on a regular basis.
  • Make security policies (part of your cybersecurity framework) easily accessible by employees. Adding hardcopies to new hire packages is a good idea.
  • Send regular reminder notifications about cybersecurity best practices via email and text messages.
  • Hang up posters and security reminders in common areas of the organization.
  • Incentivize good employee behavior. For example, reward an employee that comes across a potential phishing email and performs the steps outlined in the training manual or security policy.

Next Steps

Developing and implementing an effective cybersecurity strategy can be a daunting task. Not only does it require resources, but it also requires an understanding of your organization’s needs in relation to the current cybersecurity environment. Developing an effective cybersecurity strategy shouldn’t be a one-person task. Engage your security team and other members of the organization to perform specific tasks. If you decide to reach out to a security firm for assistance, choose one that is experienced in all facets of cybersecurity.

BACS specializes in providing a full spectrum of IT services to companies of all sizes. They can help you assess your security requirements and develop the most effective strategy to mitigate your organization’s security risks.

TECH TALK: 3 Steps to Developing an Effective Cybersecurity Strategy

By | Data Protection, Security

Has the task of developing an effective cybersecurity strategy landed on your to-do list? With the average worldwide cost of a data breach estimated at $3.92 million (from the Cost of a Data Breach Report by the Ponemon Institute), it’s an important responsibility for all organizations that manage digital data. A cybersecurity strategy can be defined as a set of policies that outline your organization’s plan for mitigating the cyber risks to its assets. The key, then, to creating an effective strategy is aligning the plan to the specific needs of your organization. You can scour the Internet for a model to use for your organization’s strategy, but know that for it to be effective, you’re going to have to make it very personal to your organization. How do you do that?

Here are three basic steps:

1: Define Your Threats

2: Inventory Your Assets

3: Outline Your Protection Measures

1: Define Your Threats

The first step of developing a successful cybersecurity strategy is to identify the threats to your organization. If you’re not sure what the threats are, consider the general threats to all businesses, threats common to your industry, and the threats that are currently gaining momentum.

  • General Cyber Threats to Your Business

The technology company Cisco describes the following types of cyberattacks:

Malware

Malware, short for malicious software, refers to a group of computer programs that cybercriminals design to gain access to a system and cause havoc, usually by damaging or disabling the system. The most common types of malware are adware, ransomware, viruses, worms, and spyware.

Phishing

Cybercriminals use phishing attacks to obtain sensitive data such as social security numbers, credit card numbers, and passwords. This type of attack occurs via email or any other means of digital communication.

Man-in-the-Middle (MitM)

Just as it sounds, a MitM attack occurs when a cybercriminal gets in the middle of an exchange of data between two parties, such as a computer and a server, for the purpose of performing malicious acts.

Denial-of-service

One of the most dangerous types of threats to businesses is a distributed denial-of-service attack. A cybercriminal carries out this attack by gaining access to a system, often by exploiting a vulnerability, with the goal of overloading it to the point of blocking people (your employees and/or customers) from accessing the system.

SQL injection

A SQL injection attack refers to malicious SQL code that is crafted to gain access to, and cause havoc in, a vulnerable SQL database.

Zero-day exploit

A zero-day exploit is a cyber threat designed to exploit a vulnerability that has not yet been discovered and patched by the software’s vendor.

DNS tunneling

The domain name system (DNS) protocol is a legitimate method of exchanging data across the Internet. Cybercriminals can manipulate the DNS protocol to create a path or “tunnel” for infiltrating a network and exposing sensitive data.

  • Threats to Your Industry

You should also consider cyber threats that are specific to your organization’s industry. The following are common industries and the threats that they often face.

Financial

Organizations that handle financial transactions are big targets for cyber criminals. Insight, a cyber intelligence company, reported that malware attacks in 2019 most often targeted one specific sector: financial institutions (25.7 percent). Malware isn’t the only threat to these organizations. According to a report by technology consulting firm Mindsight, the top three cyber threats to the financial industry are web application attacks, DDoS attacks, and backdoors and supply-chain attacks.

Healthcare

Healthcare companies are a common target for cyber criminals because of the large amounts of personal data they manage. The Fact Sheet of the Cybersecurity Act of 2015 lists the following as common threats to healthcare organizations: ransomware, email phishing attacks, loss or theft of equipment or data, internal (accidental or intentional) data loss, and attacks against connected medical devices that may affect patient safety.

Government

The IT systems of governmental organizations, federal agencies in particular, are responsible for managing critical infrastructure and are often targeted by cyber criminals. According to the U.S. Government Accountability Office, the Department of Homeland Security received more than 35,000 security incident reports from federal executive branch civilian agencies in 2017. Of those incidents, the largest share (31%) were from an unidentified source. The remaining incidents were from improper usage (22%), email/phishing (21%), loss or theft of equipment (12%), web-based attacks (11%), multiple attack vectors (2%), and attrition, external/removable media, and physical causes, which together made up 1%.

Manufacturing

The infrastructures that are critical to keeping countries moving smoothly require manufacturing operations. Cyber criminals know this and have been increasing their threats on this industry. According to a study by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) nearly 40% of the surveyed manufacturing companies were affected by cyber incidents in the prior 12 months, and 38% of those impacted indicated cyber breaches resulted in damages of $1 million or less.

The National Institute of Standards and Technology (NIST) identifies the following threats to manufacturing: identity theft, phishing, spear phishing, spam, and compromised webpages.

  • Trending Threats

As the world changes, we see old cyber threats improve and new ones emerge. Sometimes threats rise on the radar of cyber intelligence trackers because of specific events. In 2020, for example, the COVID-19 global pandemic was associated with the following three significant cyber attack trends, as reported by MonsterCloud:

Corporate ransomware attacks

Large corporations are often the target of ransomware attacks. During the COVID-19 pandemic, cyber criminals have been threatening doxware (extortionware), which is a type of ransomware that involves a cyber criminal threatening to sell or publish sensitive data.

Research and vaccines

As companies are in the midst of developing a vaccine for COVID-19, cybercriminals are increasing their attacks to obtain information to sell to other companies and governments wanting it.

Social engineering (Twitter)

In the summer of 2020, a teenage hacker scammed high-profile Twitter users out of more than $100,000 before he was arrested.

An additional threat that many companies neglect to acknowledge is within their own organization. According to the article “The Biggest Cybersecurity Threats Are Inside Your Company,” insider threats account for 60% of all threats to an organization.

2: Inventory Your Assets

Once you understand the threats to your organization, you should then understand which of your assets could be threatened. The plan you develop will be effective only if you understand the assets you need to protect, and the best way to learn this is to perform an inventory. The National Initiative for Cybersecurity Careers and Studies (NICCS) defines an asset as “A person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value.”

Here are a few examples of common assets within an organization:

  • Data that flows through your organization. This includes personal data (sensitive data about employees, vendors, and third-party companies) and the work data the organization obtains or produces.
  • Physical assets or endpoints that employees use to connect to your organization’s network.
  • The network that employees connect to.
  • Infrastructure resources such as databases and servers that store your data.
  • Software that employees use in the company (note the identifying information as well as dates).

A simple spreadsheet is a good way to manage the assets, but it shouldn’t be a laundry list of your assets. You should include details that help you determine the critical value of the asset. This includes adding information about its intended use, how it is accessed, by whom is it accessed, and an assessment of its value. You should devise a system for noting those assets that are critical to the business.

3: Outline Your Protection Measures

Once you understand the threats to your organization and the most critical assets you need to protect from those threats, you are ready to specify how your organization plans to protect its assets from cyber threats.

The following are examples of types of cybersecurity protection methods referenced in an effective cybersecurity strategy:

  • Training to develop cybersecurity awareness among all employees.
  • Security policies for every type of asset (examples listed below):
    • Perimeter and network security, including firewalls, anti-virus protection, and encryption
    • Endpoint security that protects the systems that connect to your network
    • Application security methods such as sandboxing and encryption
    • Password security that requires employees to use strong passwords
    • Email security measures such as multi-factor authentication and email security gateway protection
    • Remote access security measures such as virtual private networks (VPNs) and end-to-end encryption
  • Insurance that protects your organization from liability should you suffer a cyber attack

Next Steps

The information presented above will help you develop your cybersecurity strategy. Keep in mind that your cybersecurity strategy is not a document that you develop and forget about. It should be a dynamic document that you revisit often to ensure it is up to date.

Seeking the assistance of a cybersecurity expert is a good plan of action to ensure that your cybersecurity strategy addresses all the needs of your organization. BACS is an IT services company that partners with organizations to help them solidify effective security strategies that are based on in-depth analysis.