Technology continues to shift and evolve, and it is critical for today’s organisations to stay on top of changing trends and security issues. Here are 4 cybersecurity resolutions your company should make in 2020 to protect the security of its data and the integrity of its systems against the incidents the coming year may bring:
1. Commit To A Zero-Trust Policy
As part of their 2020 cybersecurity strategy, companies should commit to a zero-trust policy, which means nothing should be assumed secure until it has been proven so.
The security of the infrastructure, networks and applications used by the organisation should be assessed and validated by professionals through a Penetration Test, a Security Audit, or both. Companies should also test their defense mechanisms, such as network firewalls and web application firewalls, to confirm that an attacker could not bypass them to perform malicious acts.
According to recent statistics, less than 50% of cyberattacks are detected by antivirus software. Having a Zero Trust Policy gives companies the peace of mind that their organisation is safe from cybersecurity incidents, and also makes it much easier to comply with any security requirements imposed by potential business partners, providers, or customers in the upcoming year. A yearly penetration test is often a requirement of various standards, such as PCI DSS.
They should also consider everything to be a risk. This means limiting user access privileges to prevent a malicious employee from stealing sensitive data, and verifying that a user cannot escalate their own privileges to become an administrator. Even well-meaning employees pose a risk, as more than half of data breaches are the result of human error. Networks should also be segmented as much as possible to prevent an attack from spreading to other parts of the organisation.
2. Educate Your Staff
The biggest cybersecurity risk for most organizations going into 2020 remains phishing, largely because it is so easy to carry out. Phishing attacks increasingly appear harmless, and employees can inadvertently put your company at risk of a damaging cybersecurity incident.
Companies should provide cybersecurity awareness training for employees who regularly process emails, and should provide clear guidelines on how to deal with these risks, such as:
- Checking for typos in the websites they visit
- Never clicking on suspicious attachments
- Never submitting their password on unknown websites
- Never using outdated browsers or applications
- Never clicking on pop-ups
- Understanding secure vs. non-secure websites
- Verifying with the IT department when unsure of the legitimacy of a link
This also includes evaluating employees' awareness of phishing risks through phishing test campaigns that replicate real phishing attempts, to see how many employees are susceptible to these attacks. The results give companies concrete evidence of the risks to show their employees.
Employees must also be trained in the use of trusted software and restricted in what they can download onto their workstations, to prevent infection by malware or ransomware.
Educate your employees about ransomware and be cautious about which employees have access to what. By limiting employees' access to only the programs and platforms they need to perform their tasks, you minimize the risk of a threat spreading across your organization and disrupting your usual business operations.
3. Develop A Strong Cybersecurity Strategy
Another way for organizations to limit their cybersecurity risks in 2020 is with a strong strategy that contains clearly defined policies and procedures.
As part of this strategy, they should have a defined incident response procedure with clearly defined steps to follow after an incident. There should also be a software and OS patching policy requiring employees to keep their software and operating systems updated at all times. Outdated operating systems and software represent one of the largest attack vectors used by hackers to gain access to your systems for malicious acts. Most attackers aim to find vulnerabilities in those outdated versions of software and operating systems in order to pivot to your databases or to gain administrative privileges within your critical infrastructure. Some of the biggest incidents in history, such as the Equifax incident, were caused by a lack of software and OS patching that left many critical systems and domains unpatched for months and even years, allowing hackers to gain access to a critical database.
Networks, devices and software used at the enterprise level should have someone specifically in charge of keeping everything up to date as soon as possible, to prevent a hacker from exploiting vulnerabilities in those obsolete versions.
This policy should also include a set of guidelines for strong password management. Organisations should require employees to use strong passwords, randomly generated by password managers (such as LastPass or KeePass), and never reuse a password in more than one place in the company.
They should also set up multi-factor authentication wherever they possibly can, to ensure that a compromised password alone cannot allow a hacker to log in to your critical systems. Types of multi-factor authentication include:
- Passcode sent by text messages (least recommended method)
- Security questions
- Two-factor authentication applications, such as Authy
- Biometrics such as voice recognition or fingerprints
These precautions are essential because, according to research, 73% of online accounts use duplicated passwords, and once a hacker obtains a user’s password, it can create a “domino effect.” When a company is breached and its passwords are leaked, they are generally sold on the dark web together with the associated personal information, which becomes yet another attack vector for hackers attempting to break into your company.
4. Take Third-Party Risks Into Account
With technology becoming more global and diverse, many of today’s companies are utilizing third-party affiliations to meet the demands of today’s consumers. However, research shows that more than half of companies (59%) have experienced a third-party breach, but only 16% said they effectively mitigated it. According to a recent poll, 75% of organizations believe that third-party cybersecurity incidents are increasing going into 2020.
Organizations should develop cybersecurity strategies, procedures and policies with their various providers and business partners to ensure that their shared solutions have been audited to validate their security. In alignment with the aforementioned Zero Trust policy, a cybersecurity strategy must include third-party risks.
Determine what needs to be protected, identify what you are legally required to protect, and clearly define who manages the security of each component used by both parties. Each party should agree on the measures taken to secure its part, so that no grey zones are left unsecured.
They should also determine an incident response procedure so they know how to react in the event of an attack or breach. These procedures should be clearly outlined and updated when necessary, so everyone stays vigilant and informed.
When possible, organizations should demand that their business partners and providers comply with security standards (such as SOC, ISO 27001, or even their own) to limit the financial impact of a breach for all parties involved.
When it comes to cybersecurity, today’s companies need to be constantly vigilant about risks to their data because of the constant shifts of technology and how quickly hackers adapt to those shifts. Staying ahead of them is imperative to keeping your sensitive data and critical systems safe.