What better time than World Password Day on May 2 to consider how your organization is handling its holistic cyber security approach? Passwords are a key component, of course, because everyday users gain access to network resources via these passwords. But cyber security is a much broader and deeper endeavor, especially with cybercrime hitting an all-time high recently and projected to cost the world an estimated $6 trillion annually by 2021. From servers and routers to IoT, mobile and remote access systems, there is a lot of ground to cover and protect. On this World Password Day, here are some tips to keep your team one step ahead of bad actors.
Know the Attack Vectors
First consider how many data breaches have occurred recently, and how pervasive the entry points have become. A recent survey of 1,200 companies reported that 71 percent suffered at least one data breach at some time, with 46 percent reporting a breach in the last year. How extensive were these breaches? The Marriott data breach at the end of 2018 was one of the largest ever, involving as many as 500 million people who made reservations at its Starwood properties on or before Sept. 10, 2018. Those customers may have had their personal information accessed in a breach of the Starwood guest reservation database, according to the company.
Another cyber attack, uncovered in May 2018, involved a botnet affecting at least 500,000 vulnerable routers and network-attached storage (NAS) devices located across 54 countries. The malware in this attack granted hackers control over infected devices and exposed user data. Meanwhile, IoT attacks increased 600 percent last year, which is forcing companies to add better incident detection to their IoT platforms and find ways to enhance visibility into their extensive IoT networks and devices. One example, comical if it were not so dangerous, involved hackers compromising a casino’s high-roller database after gaining a foothold in its network via the smart thermostat in a fish tank in the lobby.
Develop an Appropriate Incident Response Plan
There are various statistics that point to how unprepared companies are in protecting their corporate and network resources. In one recent study, 77 percent of IT professionals said their organizations do not have a formal cyber security incident response plan in place, and one in four have only an informal plan. Even after an attack, the surprising reality is that about half of IT security professionals rarely change their security protocol. You can start by training your IT security professionals to handle the strategic aspects of incident response. The CISSP (Certified Information Systems Security Professional) certification, for example, prepares security managers in architecture, design, management and controls, and in how to create and implement a security plan that protects the entire IT infrastructure. Another is the CISA (Certified Information Systems Auditor) certification, whose holders are trained to govern and control enterprise IT, particularly in performing an effective and efficient security audit of any IT organization.
Prepare Employees for Better Security
One of the hardest attack vectors to control is an employee who may fall victim to social engineering attacks. Seventy-six percent of organizations experienced phishing attacks in 2017, as cybercriminals gain back-door access to networks through unwitting employees who unintentionally reveal their access credentials. There was a 300 percent increase in ransomware attacks last year, and ransomware “kits” and ransomware-as-a-service offerings on the Dark Web have spiked 2,500 percent. Employees must be aware of potential attacks in advance and should never click on suspicious email links, even if the message appears to come from a trusted source like the CFO. Wired, meanwhile, suggests stronger password policies, including using longer passwords (12-15 characters) to minimize the chance of a brute force attack, using password managers, and employing two-factor authentication, which is now more convenient with mobile authentication apps.
Promote Your CISO
Companies must begin to re-prioritize their cyber security efforts, and that can only be done when senior management makes it a corporate imperative. Be sure you’re employing a Chief Information Security Officer (CISO), charged with elevating cyber security strategies. These days the CISO is commonly a senior corporate role, with 40 percent of them now reporting directly to the CEO.
Learn to Think Like a Cybercriminal
The sad truth is that many cyber security professionals are outmatched by hackers and cybercriminals who spend all day and night thinking of new ways to penetrate corporate networks. Fortunately, today’s cyber security teams can learn to think like hackers with Certified Ethical Hacker (CEH) skills training, where they are trained on the same techniques that hackers use, but without the danger of getting in trouble. They learn to master the advanced concepts of writing virus code, exploit writing, reverse engineering, and other popular tactics.
We should thank our capable IT security teams for the valiant work they do. And still, on World Password Day, we must keep in mind that the tactics cybercriminals use are ever-evolving, and it’s up to cyber security professionals to up their game to keep their infrastructure truly safe.