It is no surprise that large businesses as well as small and medium-sized businesses (SMBs) are struggling to protect their digital assets from cybercriminals. Since the beginning of the COVID-19 pandemic, we have seen a significant increase in cyberattacks and intrusions. According to a University of Maryland study, an attack is attempted on average every 39 seconds, which works out to roughly 2,200 attempts each day. Damage due to cybercrime was estimated to exceed $6 trillion in 2021 (Cybersecurity Ventures). Businesses are buying security technologies at a record pace, with the information security market expected to reach $170.4 billion by 2022.
In 2020, I was asked about several breaches experienced by schools and small businesses. One in particular, the Blackbaud breach, impacted a large number of schools and organizations, which generated numerous questions on what schools and organizations can do to protect themselves.
Over the last few years, cybercriminals have shifted their focus from Fortune 500 companies to third-party service providers that host data for hundreds, if not thousands, of schools and companies. At the same time, security events and breaches aimed directly at schools have surged, mainly because schools are considered soft targets. Third-party breaches are common partly because of a misconception that a service provider you are paying must be secure and must be doing its due diligence in protecting your data. That assumption can be devastating to your organization: any third party or vendor must be held to the same security standards your customers hold you to. The best practices below are intended to help schools and SMBs reduce their exposure. They are not an alternative to a formal security program but a first step toward an initial set of effective security controls.
- Perform a Risk Assessment – The saying “you don’t know what you don’t know” applies here. Whether you perform an in-house risk assessment or contract a third-party assessor, you need to understand which security vulnerabilities currently exist in your organization and which threats are likely to exploit them. Ideally the assessment includes a quantitative risk analysis, which estimates the financial impact to the organization of each risk and helps leadership prioritize spending on mitigation. The assessment should cover governance, policies, operational processes and procedures, and the technical infrastructure.
- Back Up Your Systems – Backing up systems and data is common practice, but ransomware changes the requirements: attackers routinely encrypt or delete any backup they can reach from a compromised network. Keep at least one copy off-site or in the cloud, and make sure backup storage cannot be modified or deleted from the internal network with ordinary user or administrator credentials. Separate administrative accounts protected by multi-factor authentication, together with storage that is offline or immutable for a retention period, accomplish this. Test restores periodically; a backup that has never been restored is an assumption, not a control.
- Create Incident Response and Business Continuity Plans – An incident response plan tells your team what steps to take and whom to notify when an incident occurs; a business continuity plan defines how critical operations keep running while systems are unavailable. Walk through both plans with the people named in them before they are needed.
- Segment Your Network – Separate Wi-Fi and other untrusted networks (such as student or guest networks) from the administrative systems. Protect the boundaries between segments with firewall rules that allow only the traffic each segment actually needs, and with intrusion detection, so that unauthorized access and attempts to move malware from one network to another are detected and stopped.
- Secure Endpoints – The baseline for endpoint security is current antivirus/antimalware software on every device. Beyond that, locking down non-administrative endpoints (workstations and mobile devices) so that users cannot install software goes a long way toward preventing malware and ransomware. This is harder to enforce on personal devices (BYOD), but it is good practice for every company-owned device. EDR (Endpoint Detection and Response) tools add detection of, and response to, activity that antivirus alone misses, but they can be expensive to acquire and to manage.
- Keep Software Patches Up To Date – Breaches due to unpatched applications or systems are common. Implement a process that checks regularly for patches for your operating systems, firewalls, network devices and applications, and apply them promptly, giving priority to internet-facing systems and to vulnerabilities known to be exploited. Consult your vendors to understand the impact of a patch before installing it, but do not let that review delay critical fixes indefinitely.
- Conduct Regular Vulnerability Scans – Every change to your network, and every piece of hardware or software you add or update, can introduce a new vulnerability. Run vulnerability scans at least monthly. In addition, have a penetration test performed at least once a year and after any major application or system change. A penetration test differs from a vulnerability scan: the tester attempts to exploit the vulnerabilities found, showing which of them actually give an attacker access. If you do not have experienced penetration testers on staff, partner with a firm that uses manual testing as well as automated scans and tools. Standards such as PCI DSS have strict requirements on how a penetration test must be performed.
- Train and Educate Employees, Customers, Students, Parents and Donors – More than 80% of breaches involve human error. An educated and aware staff is one of the best protections for your digital assets. Since most attacks begin with phishing by email or by phone, everyone must be able to recognize a phishing attempt and must not click a link or open an attachment from anyone they do not know or were not expecting. Phone phishing (vishing) is a social engineering tactic used to collect additional personal information; employees and end users should be suspicious of any caller asking for personal information or directing them to a website to enter it. Whether you build your own training or buy a security awareness product, monitor completion and confirm that every user has taken it.
- Verify Vendors and Third Parties are Secure – Many of the breaches in the news came through a third-party vendor. Organizations must require proof from vendors and third parties that they have a security program in place. That proof can be an attested report or certificate, such as an ISO 27001 certification, a SOC 2 report, a PCI DSS Report on Compliance or a comparable document. If none is available, require the vendor to complete a questionnaire describing how it handles and protects your data, and review the answers rather than simply filing them.
- Encrypt All Portable and Mobile Devices – It is hard to understand why, in today’s climate, so many companies still do not encrypt their portable and mobile devices. The cost is minimal: full-disk encryption is built into current operating systems (BitLocker on Windows, FileVault on macOS, and device encryption on iOS and Android), although enabling it and managing the recovery keys takes some effort. Almost half of healthcare breaches have come from stolen laptops and mobile devices containing patient data. An encrypted device that goes missing is a hardware loss; an unencrypted one is a data breach. This is an easy fix and every business should do it.
- Use Multi-Factor Authentication for Remote Access – Cybercriminals are extremely effective at acquiring credentials, whether through phishing, malware or reuse of passwords leaked from other sites. Multi-factor authentication makes a stolen password far less useful, because remote access then requires something you know (username and password) and something you have (e.g. an authenticator app on your phone or a hardware token). Enable it on every remote access path, including VPN, email and administrative consoles, not only for selected users.
- Ensure You Have Your Email Security Set Up – Many organizations have moved their email to cloud services such as Microsoft 365 or Google Workspace but have never configured the security features those services offer, leaving the defaults in place. That exposes mailboxes to hijacking, which leads to phishing sent in your name and, eventually, to identity fraud and financial theft. Review the security recommendations from your vendor and make sure your tenant is properly configured: enforce multi-factor authentication for every account, disable legacy authentication protocols that bypass it, publish SPF, DKIM and DMARC records for your domains, and turn on audit logging so that a compromise can be investigated.
- Monitor Who and What Data is Going In and Out of Your Network – If you do not know who is connecting to your network and what data is leaving it, you have no way of knowing whether you have already been breached. Threats come from outside and from inside your organization, both intentional and unintentional. If you lack the capability or expertise to monitor your network, partner with a firm that offers these services.
- Know Who to Call – Prepare a list of contacts who can assist you or provide guidance in the event of a breach or security incident. The list should include the following:
- Breach Response Expert
- Cyber Legal Resource
- Cyber Insurance Resource
- Law Enforcement Contacts – Local, FBI, Secret Service
- Internal Contacts – Executive, PR, Legal
Preparing for an incident before it happens, having the right resources lined up and knowing when to engage them helps the response go smoothly.
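The “something you have” in the multi-factor authentication item above is usually a time-based one-time password (TOTP, RFC 6238) produced by an authenticator app. The Python below is an added example, not code from the original article, showing how such a code is derived from a shared secret and the clock, and how a server should verify it: accept a small clock-drift window, but never accept the same code twice. The demo secret is constructed for illustration; the second secret and the expected codes come from the published RFC 6238 test vectors.

```python
"""Added example (not part of the original article): RFC 6238 TOTP, the
"something you have" factor an authenticator app produces, with a server-side
verifier that tolerates clock drift but refuses replayed codes."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30   # seconds each code is valid for
DIGITS = 6  # code length shown to the user

# Constructed demo secret (base32, as carried in an enrolment QR code). Never reuse.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
# Base32 of the ASCII secret "12345678901234567890" used by the RFC 6238 test vectors.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the number of time steps since the epoch."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step, digits)


def verify(secret_b32: str, submitted: str, at: int, window: int = 1,
           used: Optional[set] = None) -> bool:
    """Server-side check. Accepts the code for the current step or any step
    within +/-window (clock drift between phone and server) and records the
    counter it matched, so the same code cannot be replayed inside the window.
    `used` is the per-user store of accepted counters; pass the same set on
    every call for that user (in production this lives in the user record)."""
    if used is None:
        used = set()
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at // STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter in used:
            continue  # already spent: a replayed code
        if hmac.compare_digest(hotp(secret, counter), submitted):
            used.add(counter)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    store = set()
    print("current code:", code)
    print("first use accepted:", verify(DEMO_SECRET_B32, code, now, used=store))
    print("replay accepted:", verify(DEMO_SECRET_B32, code, now, used=store))
```

The replay store is the part most home-grown verifiers omit: without it, a code phished from a user remains valid for the rest of the 30-second step plus the drift window, which is plenty of time for an attacker relaying it in real time.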
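For the email security item above, the settings most often left at their defaults are the DNS records that tell receiving mail servers which hosts may send mail for your domain (SPF) and what to do with mail that fails those checks (DMARC). The Python below is an added example, not from the original article: it parses SPF and DMARC TXT records and flags the weak settings that an attacker spoofing your domain relies on. The domains and records are constructed, and DNS lookups are replaced by an in-memory table so it runs offline; for a live check, substitute a resolver such as dnspython’s dns.resolver.resolve(name, "TXT").

```python
"""Added example (not part of the original article): flag weak SPF and DMARC
settings for a domain. DNS is replaced by a constructed table so it runs offline."""

# Constructed sample records; these are not any real domain's DNS data.
# "@" holds the apex TXT records, "_dmarc" the records at _dmarc.<domain>.
SAMPLE_TXT = {
    "weak.example": {
        "@": ["v=spf1 include:spf.protection.outlook.com +all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "better.example": {
        "@": ["v=spf1 include:_spf.google.com -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@better.example; pct=100"],
    },
    "doubled.example": {
        "@": ["v=spf1 include:_spf.google.com -all", "v=spf1 ip4:203.0.113.10 -all"],
        "_dmarc": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@doubled.example; pct=50"],
    },
    "missing.example": {
        "@": [],
    },
}


def lookup_txt(domain, name, table=SAMPLE_TXT):
    """Stand-in for a DNS TXT query against the constructed table."""
    return table.get(domain, {}).get(name, [])


def spf_records(records):
    """All v=spf1 records among the apex TXT records (there should be exactly one)."""
    return [r for r in records if r.lower().startswith("v=spf1")]


def parse_dmarc(records):
    """DMARC tags as a dict (keys lower-cased), or None if no v=DMARC1 record exists."""
    dmarc = [r for r in records if r.strip().upper().startswith("V=DMARC1")]
    if not dmarc:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(domain, table=SAMPLE_TXT):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []

    spf = spf_records(lookup_txt(domain, "@", table))
    if not spf:
        findings.append("no SPF record: any host can claim to send for this domain")
    else:
        if len(spf) > 1:
            findings.append("multiple SPF records: receivers treat this as a permanent error")
        terms = spf[0].split()[1:]
        last = terms[-1].lower() if terms else ""
        if last in ("+all", "all"):
            findings.append("SPF ends in +all: every sender passes, SPF is meaningless")
        elif last == "?all":
            findings.append("SPF ends in ?all: neutral result gives receivers no signal")
        elif last not in ("-all", "~all"):
            findings.append("SPF has no terminal 'all' mechanism")

    dmarc = parse_dmarc(lookup_txt(domain, "_dmarc", table))
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are not enforced")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy '{policy}' is not an enforcing policy")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua tag: you receive no aggregate reports")
        pct = dmarc.get("pct")
        if pct is not None and pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")

    return findings


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        print(name, "->", check_domain(name) or ["ok"])
```

DKIM is deliberately not checked here: its records live under a selector name that only the sending service knows, so verifying it means confirming with the vendor which selectors are in use and that the matching TXT records exist. Moving DMARC from p=none to p=reject is the step that actually stops spoofed mail; p=none only reports it.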
As stated above, these steps are only a good starting point for securing your organization. They do not replace implementing a formal security program based on a standard such as ISO 27001 or NIST CSF. Find a good partner who can guide and advise you through this process.
If you have questions about these steps or anything else covered in this article, please contact the author, Jeff Brown.