Just before the end of 2017, we published our top 10 cybercrime incidents of 2017. While it is true that when it comes to cybersecurity nothing is 100% secure, there are certain basic tips that enterprises can implement to reach a reasonable level of protection.
Here is our Security 101 for enterprises.
- The first and most basic one is employee awareness and training. Humans are the most vulnerable resource of a company, and the one cybercriminals use the most to break into systems and information. Every company employee, from no matter which department he or she belongs to, needs to receive information and training about the typical risks when browsing the internet, opening attachments, installing software, etc. It is a great idea to link employee’s performance assessments at the completion of these courses. There are platforms like SmartFense that help to spread security awareness and training among employees.
- Minimization of the resources exposed on the Internet. Things that are harder to reach are definitely harder to penetrate. Remote work is a common practice nowadays that has been proved quite beneficial for many people and companies, and it requires workers to have access to information from everywhere. However, sensitive information systems such as email, software repositories, databases, etc. have to be behind a Virtual Private Network (VPN) and not accessible directly from the Internet. Nowadays it is very easy and user-friendly to set up a VPN and use it with solutions such as OpenVPN.
- Multi-Factor Authentication. You are probably tired of hearing about how easy it is to crack a password via brute force or social engineering. And it is true. We all tend to use similar passwords, and even if they are complicated, modern hacking techniques such as keyloggers, remote camera switches, etc. leave us uncovered many times. The response to this is Multi-Factor Authentication, which consists in basing system access in something the user must know (e.g. a password) plus something the user must have (e.g. its mobile phone to receive an SMS). It might sound complex, but it is not. Google, for instance, has enabled the possibility to use its MFA authentication for any Gmail account, and similar tools are available in almost any corporate IT service today.
- Software Updates. Cybersecurity is a cat-and-mouse game, and servers and computers are complex systems with hundreds of components. Almost every week there are major vulnerabilities discovered and disclosed by security researchers. One just needs to check the activity of the US Computer Emergency Readiness Team. Corporate products are normally patched quickly, even before the vulnerability is disclosed publicly. However, corporations are normally slow when applying those patches, either because of unawareness or fear on having an impact on their operations. It is extremely important to get rid of these bad practices; almost every software vendor today offers automatic updates, so just leave them to do the work. For those who do not, or can not automate for continuity reasons, schedule weekly or bi-weekly update windows. And remember, every device that has a connection with your company network or employees can be vulnerable to some extent, and this includes servers and desktops, but also mobile and IoT devices.
- Deploy SIEM over your network. SIEM stands for Security Information and Event Management, and it is basically a range of products and services that help monitoring your systems and networks in real time, as well as logging security and usage data. If your company is being targeted by cybercriminals, which is probably the case, a SIEM should give you that visibility and stay ahead of the curve. Open Source SIEM solutions such as Ossim could be a good option for Small or Medium corporations. For larger corporations, the investment is worth it, and a good point to start evaluating could be the Gartner Best Security Information Product list of 2017.
As we said, there is nothing that is 100% secure but if your company follows these basic rules the possibilities of being hacked can be definitely reduced. Or put it the other way around, any company that does not is quite an easy target for cybercriminals.
Article written by David Purón, Founder and Chief Executive Officer at Barbara IoT.