Technology Tip
Scott Orlosky has over 25 years of experience in marketing, sales, and application support in a B2B environment. Scott’s career has involved the application of technology solutions to a variety of manufacturing and customer support issues. Scott is passionate about customer service as a strategic core value for business success.

Best Practices for Cybersecurity Threats

As computers have become more powerful and more embedded in our day-to-day activities, the risk of cyberattacks has become more pronounced and the attacks more sophisticated. To counter those risks, the federal government created CISA (the Cybersecurity & Infrastructure Security Agency). As a dedicated source of cybersecurity guidance, it is the primary source for this article (https://www.cisa.gov/).

OVERVIEW

Nationally, CISA is organized into nine regions covering the entirety of the US, each headed by a regional office. CISA exists to provide information on cybersecurity best practices and to help individuals and organizations understand and implement preventative measures that manage cyber risks. CISA recognizes that small business owners do not have the same level of resources as larger businesses; the rise of ransomware is one glaring example of a threat that strains those limited resources. Limited resources also make it difficult for small businesses to stay on top of the latest developments in cyberattacks and defensive actions. In response to this gap, CISA has dedicated sections of its website to the specific needs of small businesses.

Cyberattacks usually follow patterns, so you can improve your response to potential attacks by organizing your company to deploy its resources in an organized and strategic way. The following positions each have a role to play: first and foremost the Chief Executive Officer (CEO), then the Security Program Manager, and then the Information Technology (IT) team. Following this structure lays the groundwork for an effective security program.

CEO – Cybersecurity is a way of thinking about protecting information. It speaks to the culture and commitment of the company, and a culture of security must come from the top.

Security Program Manager (SPM) – Owner and manager of the security program. This person is the axis of communication throughout the organization. Their role is not only to maintain communication but to act as the manager for all of the cybersecurity initiatives.

IT Lead – Their role is to implement best practices, educate individual users, and keep up with changes in those best practices.

Each of these roles is critical and is explained in more detail below.

Role of the CEO

Most organizations assume that the IT team is responsible for security. In reality, it is up to the CEO to establish and nurture a culture of security. CEOs can accomplish this as outlined below.

  • Establish a culture of security. Talk directly about cybersecurity and its importance to the organization. Provide regular updates on security initiatives. When setting goals, include security objectives that are aligned with business goals. Make security an everyday activity. One of the simplest steps is to commit to the consistent use of multi-factor authentication. Another might be to commit to regular data backups.
  • Select and support a Security Program Manager. This person doesn’t need to be a security or an IT expert. Their primary role is to ensure that the organization maintains good “hygiene” when it comes to security practices. This manager should report on progress and impediments at least once a month.
  • Review and approve an Incident Response Plan (IRP). The SPM writes the IRP, which also serves as the written record of each event for later review and improvement. The IRP should contemplate what may happen before, during and after a security incident. Gather inputs from across the organization, not just security and IT.
  • False alarms. Break out the IRP even when you suspect a false alarm. Such events are great learning opportunities.
  • Participate in tabletop exercise drills (TTXs). Not all companies have the resources to mount a simulated attack, but if you can, your company can start developing the readiness reflexes needed to respond to a real incident. Online resources can help with organizing a TTX. Make sure that all members of the company participate.
  • A note on MFA and FIDO. Typical MFA requires an authentication code, often sent as an SMS text message, which the user must enter before gaining access to an application. This makes it more complicated for an attacker to gain access, making your data a less desirable target.

Phishing is consistently a cost-effective way for attackers to compromise systems, and the only widely available phishing-resistant authentication is called “FIDO authentication.” If an attacker tricks you into trying to log into their imposter site, the FIDO protocol will block the attempt. FIDO is built into the browsers and smartphones you already use. Financial services companies are the ones most commonly targeted with phishing attacks.

Role of the Security Program Manager

The Security Program Manager drives the elements of the security program, and informs the CEO of progress and roadblocks.

  • Training. All staff must be formally trained to understand the organization’s commitment to security. This includes things like enabling MFA, updating software, avoiding clicking on suspicious links, and how to escalate suspicious activity.
  • Write and maintain the IRP. The IRP spells out what the organization needs to do before, during, and after a security incident. It includes roles and responsibilities for all major activities and an address book for use should the network be down during an incident. It should be approved by the CEO and other leaders. Review it regularly and after every security incident, even a “near miss”. CISA’s IRP Basics guidelines give advice on what to do before, during and after an incident.
  • Host tabletop exercises (TTXs). A TTX is a role-playing game where the organizer presents a series of scenarios to the team to see how they would respond. Many kinds of cyberattacks can be simulated. CISA has Cybersecurity Tabletop Exercise Tips to get you started.

In addition to the advice here, CISA has information and toolkits available from their Cyber Essentials series.

Role for the IT Lead

The main tasks for the IT lead and staff include:

  • Enforce MFA via technical controls. There are often MFA gaps for a variety of reasons; recently onboarded staff and people who have recently migrated to a new phone are two examples. System administrator accounts are especially valuable to an attacker, so pay close attention to people with that level of access.
  • Patches. Many attacks succeed because the victims were running vulnerable software when a newer, safer version was available. Keeping your systems patched is one of the most cost-effective practices for improving your security. Monitor CISA’s Known Exploited Vulnerabilities (KEV) Catalog, a list of vulnerabilities observed in real attacks, and prioritize the vulnerabilities in the KEV. Also, where possible, enable auto-update mechanisms.
  • Perform and test backups. Many organizations that have fallen victim to ransomware either had no backups or had incomplete or damaged backups. It is not enough to schedule regular backups; it is critical to also regularly test partial and full restores. Choose a cadence for regular backups and write a plan for restoration. Some ransomware recoveries take significantly longer than expected.
  • Remove administrator privileges from user laptops. A common attack vector is to trick users into running malicious software. A user laptop that lacks administrator privileges cannot install software, and this type of attack won’t work.
  • Enable disk encryption for laptops. Modern smartphones encrypt their local storage, as do Chromebooks. Windows and Mac laptops, however, must be configured to encrypt their drives.
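To make the KEV advice above concrete, here is an added example (not code from the article or from CISA) that matches KEV entries against a small asset inventory and orders them for patching. The feed's real field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) are used, but the entries, the CVE ids and the inventory are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The CVE ids are
# placeholders, not real catalog entries.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "MailGateway",
  "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "MailGateway",
  "dateAdded": "2024-03-05", "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router",
  "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "VPN",
  "dateAdded": "2024-02-15", "dueDate": "2024-03-07", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed asset inventory: (vendor, product) pairs the business actually runs.
INVENTORY = [("ExampleVendor", "MailGateway"), ("OtherVendor", "VPN")]


def matching_kev_entries(kev_json, inventory):
    """Return the KEV entries whose vendor/product pair appears in the inventory."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    entries = json.loads(kev_json)["vulnerabilities"]
    return [e for e in entries
            if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def prioritize(entries, today_iso):
    """Order entries: known ransomware use first, then earliest due date.
    Each row is flagged 'overdue' if CISA's due date has already passed."""
    today = date.fromisoformat(today_iso)
    ranked = []
    for e in sorted(entries, key=lambda e: (e["knownRansomwareCampaignUse"] != "Known",
                                             e["dueDate"])):
        ranked.append({"cve": e["cveID"], "product": e["product"],
                       "ransomware": e["knownRansomwareCampaignUse"] == "Known",
                       "overdue": date.fromisoformat(e["dueDate"]) < today})
    return ranked


def kev_report(kev_json, inventory, today_iso):
    """Patch worklist for this inventory as of the given date."""
    return prioritize(matching_kev_entries(kev_json, inventory), today_iso)


if __name__ == "__main__":
    for row in kev_report(KEV_JSON, INVENTORY, "2024-03-01"):
        print(row)
```

Against the live feed you would replace `KEV_JSON` with the downloaded catalog and `INVENTORY` with your own asset list; the Router entry is dropped because nothing in the inventory runs it.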

Common hardware and operating systems shared across many devices lead to common vulnerabilities. There has been a movement among manufacturers to build their products through a process known as “Secure by Design”. As the name implies, security is taken into account at the earliest stages of design. It remains to be seen how these principles play out in the real world, but it is a step in the right direction.

On premises vs cloud

Managing data security well requires a fair amount of time. Small businesses may not have the resources to stay on top of the demands of updating software, enforcing MFA and so on.

One major improvement that will drastically reduce the time commitment without compromising security is to move all of the “on premises” devices to the cloud. Eliminating all services that are hosted in your offices immediately reduces the number of potential entry points for malware.

On top of that, cloud services have a vested interest in keeping their servers secure and up to date with the latest software protections, and they can afford to keep up with current security standards at an attractive price point. It is a fairly quick and straightforward way to reduce your cyber vulnerabilities.

Secure endpoints

Operating system vendors work continuously to improve the security of their products. However, two platforms stand out as being “secure by design”: Chromebooks and iOS devices such as iPads. Their locked-down design reduces the “attack surface,” making it much harder for attackers to get a foothold. If the user has kept their data primarily in a secure cloud service, the severity of an attack can be reduced further still.

Additional Sources

For more information and resources for small and medium-sized businesses,

Visit: Small and Medium Businesses | Cybersecurity and Infrastructure Security Agency (CISA)

and our Small Business Week page: cisa.gov/small-business-week.

www.cisa.gov/topics/cybersecurity-best-practices