Just before the end of 2017, we published our top 10 cybercrime incidents of 2017. While it is true that in cybersecurity nothing is 100% secure, there are certain basic measures that enterprises can implement to reach a reasonable level of protection.
Here is our Security 101 for enterprises.
- First and most basic is employee awareness and training. Humans are the most vulnerable resource within a company, and the one cybercriminals exploit most often to break into systems and information. Every employee, regardless of department, should receive information and training about the typical risks of browsing the internet, opening attachments, installing software, etc. It is a good idea to tie employees' performance assessments to the completion of these courses. Platforms such as SmartFense help spread security awareness and training among employees.
- Minimize the resources exposed to the Internet. Things that are harder to reach are definitely harder to penetrate. Remote work is common practice nowadays and has proved quite beneficial for many people and companies, but it requires that workers have access to information from everywhere. However, sensitive information systems such as email, software repositories, databases, etc. must sit behind a Virtual Private Network (VPN) and not be reachable directly from the Internet. Nowadays it is easy and user friendly to set up a VPN with solutions such as OpenVPN.
- Multi-Factor Authentication. You are probably tired of hearing how easy it is to crack a password via brute force or social engineering. And it is true. We all tend to use similar passwords, and even complicated ones are often exposed by modern attack techniques such as keyloggers, remotely activated cameras, etc. The response to this is Multi-Factor Authentication (MFA), which bases system access on something the user must know (e.g. a password) plus something the user must have (e.g. their mobile phone, to receive an SMS). It might sound complex, but it isn't. Google, for instance, has enabled MFA for any Gmail account, and similar tools are available for almost any corporate IT service today.
- Software Updates. Cybersecurity is a cat-and-mouse game, and servers and computers are complex systems with hundreds of components. Almost every week major vulnerabilities are discovered and disclosed by security researchers; one only has to check the activity on the US Computer Emergency Readiness Team website. Commercial products are normally patched quickly, often before the vulnerability is disclosed publicly. However, corporations are normally slow to apply those patches, either through unawareness or for fear of impacting their operations. It is extremely important to get rid of this bad practice: almost every software vendor today offers automatic updates, so just let them do the work. For those that don't, or that you can't automate for continuity reasons, schedule weekly or bi-weekly update windows. And remember, every device that connects to your company network or is used by employees can be vulnerable to some extent; this includes servers and desktops, but also mobile and IoT devices.
- Deploy a SIEM over your network. SIEM stands for Security Information and Event Management, and it is basically a range of products and services that monitor your systems and networks in real time and log security and usage data. If your company is being targeted by cybercriminals, which is probably the case, a SIEM should give you that visibility and let you stay ahead of the curve. Open source SIEM solutions such as OSSIM could be a good option for small or medium-sized companies. For larger corporations the investment is worth it, and a good place to start evaluating could be the Gartner Best Security Information Product list of 2017.
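To make the Multi-Factor Authentication item above concrete, here is an added example (not code from this post, Google or any MFA product) of the "something you know plus something you have" principle. It uses an authenticator-app code (TOTP, RFC 6238) rather than an SMS as the second factor, so it runs offline: the server stores a salted password hash and a per-user shared secret, and a login succeeds only if both the password and the current six-digit code check out. The user name, password, issuer name and the timestamps are constructed for the example; the first test vector is the published RFC 6238 one.

```python
import base64
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000  # password-hashing work factor (assumption for the example)
STEP_SECONDS = 30        # TOTP time step used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def enroll(username: str, password: str) -> dict:
    """Create a user record: salted PBKDF2 password hash plus a fresh 160-bit TOTP secret."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": secrets.token_bytes(20),
        "last_counter": -1,  # highest time step already accepted; blocks code replay
    }


def provisioning_uri(record: dict, issuer: str = "ExampleCorp") -> str:
    """otpauth:// URI that authenticator apps import from a QR code (issuer is a placeholder)."""
    b32 = base64.b32encode(record["totp_secret"]).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{record['user']}?secret={b32}"
            f"&issuer={issuer}&digits=6&period={STEP_SECONDS}")


def verify_login(record: dict, password: str, code: str, unix_time: int, window: int = 1):
    """Factor 1: the password. Factor 2: a TOTP code within +/- `window` steps, never reused.

    The reason string is for server-side logging; show the user only a generic failure
    so an attacker cannot learn which factor was wrong.
    """
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(pw_hash, record["pw_hash"]):
        return False, "bad password"
    counter = unix_time // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):  # tolerate small clock drift
        if hmac.compare_digest(hotp(record["totp_secret"], c), code):
            if c <= record["last_counter"]:
                return False, "code already used"
            record["last_counter"] = c
            return True, "ok"
    return False, "bad code"


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple")
    print(provisioning_uri(rec))
    now = 1514764800  # constructed timestamp (2018-01-01 00:00:00 UTC)
    print(verify_login(rec, "correct horse battery staple", totp(rec["totp_secret"], now), now))
```

A stolen password alone now fails at the second factor, and a code captured once cannot be replayed because the record remembers the last accepted time step.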
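The SIEM item above talks about visibility; the kind of correlation a SIEM performs can be shown with a small added example (not code from this post, from OSSIM or from any vendor). It parses sshd-style syslog lines and applies two rules over a sliding window per source address: repeated failed logins from one source, and a successful login from a source that had just been failing. The log lines are constructed for the example, the year is assumed because syslog timestamps carry none, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not real traffic): one source hammers several
# accounts and finally gets in; another user simply mistypes a password once.
SAMPLE_LOG = """\
Jan  3 10:00:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  3 10:00:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan  3 10:00:04 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan  3 10:00:06 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan  3 10:00:07 web01 sshd[2213]: Failed password for bob from 203.0.113.5 port 51242 ssh2
Jan  3 10:00:09 web01 sshd[2214]: Accepted password for bob from 203.0.113.5 port 51244 ssh2
Jan  3 10:05:00 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jan  3 11:30:00 web01 sshd[2400]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan  3 11:30:05 web01 sshd[2401]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
LOG_YEAR = 2017  # syslog timestamps carry no year; assumed for the sample

# Rule thresholds are assumptions for the example; tune them to your environment.
FAIL_THRESHOLD = 5                         # failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)        # ... within this window => brute force
SUCCESS_LOOKBACK = timedelta(seconds=120)  # a success preceded by ...
SUCCESS_MIN_FAILS = 3                      # ... this many failures => likely compromise


def parse_line(line: str):
    """Return a dict of fields for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect(lines):
    """Stream events in order and emit alerts; state is kept per source address."""
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    burst_alerted = set()          # sources already reported for the current burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an auth event this parser understands
        src, now = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and now - recent[0] > SUCCESS_LOOKBACK:
            recent.popleft()  # expire failures older than the longest look-back
        if not recent:
            burst_alerted.discard(src)  # quiet source: a new burst may be reported again
        if ev["outcome"] == "Failed":
            recent.append(now)
            in_window = sum(1 for t in recent if now - t <= FAIL_WINDOW)
            if in_window >= FAIL_THRESHOLD and src not in burst_alerted:
                burst_alerted.add(src)
                alerts.append({"rule": "brute_force", "severity": "medium", "src": src,
                               "user": ev["user"], "time": now.isoformat(),
                               "detail": f"{in_window} failed logins within {FAIL_WINDOW.seconds}s"})
        elif len(recent) >= SUCCESS_MIN_FAILS:
            alerts.append({"rule": "success_after_failures", "severity": "high", "src": src,
                           "user": ev["user"], "time": now.isoformat(),
                           "detail": f"login succeeded after {len(recent)} recent failures"})
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the first rule fires at the fifth failure from 203.0.113.5 and the second fires when that same source then logs in as bob; alice's single typo from 198.51.100.7 produces nothing. The second rule is the one worth paging on, since it is the signature of a guessed or stolen credential actually being used.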
As we said, nothing is 100% secure, but if your company follows these basic rules the chances of being hacked can definitely be reduced. Or, to put it the other way around, any company that doesn't is a fairly easy target for cybercriminals.