This is a guest post by Stewart Wharton, TAPE VP of Operations.
Mr. Wharton is a cybersecurity expert, having spearheaded the cyber capability at TAPE and serving in a variety of cyber roles, including Defense and Intelligence Cyber Sector Lead, at KPMG and with the Office of the Chief of Naval Operations N6 as the Deputy Chief Information Officer for Information Assurance and Enterprise Architecture.
In Part I of this post, Stewart “Stu” Wharton explained that defining and communicating your company’s cyber risk management regime is central to your company’s overall cybersecurity strategy. He noted that even if you are outsourcing this task, corporate leadership must be aware of the risks.
He has already discussed network security, user education and awareness, and malware prevention. In today’s post he will reveal the rest of his 9-piece plan to diminish cyber risk for small businesses.
4. Removable media controls. Make a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system. Removable media bring three main risks:
Data security – Because removable media devices are typically small and easy to transport, they are easily lost or stolen. Every time you allow an employee to use a USB flash drive or other small storage device, your organization’s critical or sensitive information could fall into the wrong hands. What’s more, even if you encrypt your removable storage devices, encryption will not help you recover the files once the drive itself is lost.
Malware – Simply put, when employees use removable media devices, they can unknowingly spread malware between devices, because malicious software is easily placed on USB flash drives and other storage devices. It takes just one infected device to infiltrate your company’s entire network.
Media failure – Despite its low cost and convenience, removable media is inherently unreliable: many devices have short life spans and can fail without warning. If a device fails and your organization does not have the files backed up, you could lose key files and data.
5. Secure configuration. Apply security patches and maintain a secure configuration on all systems. Create a system inventory and define a baseline build for all devices. Web servers and application servers are two common entry points for configuration vulnerabilities in your organization’s network. According to the Open Web Application Security Project® (OWASP), these configuration vulnerabilities arise from:
Improper file and directory permissions
Unpatched security flaws in server software
Enabled or accessible administrative and debugging functions
Administrative accounts with default passwords
SSL certificates and encryption settings that are not properly configured
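A baseline build is only useful if you check systems against it. The script below is an added example for this post, not the author's or OWASP's code: it compares a constructed server inventory (hypothetical hosts, versions and settings) against an assumed baseline and reports one finding for each of the OWASP configuration weaknesses listed above: unpatched server software, weak TLS settings, world-writable directories, enabled debug functions and unchanged default administrative passwords.

```python
"""Check a server inventory against a secure baseline build.

Added example for this post, not the author's or OWASP's code. BASELINE and
INVENTORY are constructed sample data: the hostnames, version numbers and
settings are hypothetical. Each check maps to one configuration weakness
from the OWASP list (permissions, unpatched software, debug functions,
default admin passwords, TLS settings).
"""

# Assumed baseline build: minimum software versions and allowed TLS protocols.
# Debug interfaces off and vendor default passwords changed are implicit.
BASELINE = {
    "min_versions": {"nginx": (1, 24, 0), "openssh": (9, 3)},
    "allowed_tls": {"TLSv1.2", "TLSv1.3"},
}

# Constructed inventory, one record per host, as a configuration-management
# tool might export it. "default_admin_password" is True when the vendor
# default credential is still in place (the check never needs the password).
INVENTORY = [
    {"host": "web-01", "software": {"nginx": "1.24.0", "openssh": "9.3"},
     "tls_protocols": ["TLSv1.2", "TLSv1.3"], "webroot_mode": 0o755,
     "debug_enabled": False, "default_admin_password": False},
    {"host": "web-02", "software": {"nginx": "1.18.0", "openssh": "9.3"},
     "tls_protocols": ["TLSv1.0", "TLSv1.2"], "webroot_mode": 0o777,
     "debug_enabled": True, "default_admin_password": True},
]


def parse_version(text):
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_host(record, baseline=BASELINE):
    """Return the list of baseline deviations for one host (empty = compliant)."""
    findings = []
    # Unpatched server software: anything below the baseline minimum version.
    for name, minimum in baseline["min_versions"].items():
        installed = record["software"].get(name)
        if installed is None:
            findings.append(f"{name}: not reported in inventory")
        elif parse_version(installed) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(f"{name} {installed} is below baseline {wanted}")
    # Encryption settings: protocols outside the allowed set.
    weak = set(record["tls_protocols"]) - baseline["allowed_tls"]
    if weak:
        findings.append("weak TLS protocols enabled: " + ", ".join(sorted(weak)))
    # File and directory permissions: a world-writable web root.
    if record["webroot_mode"] & 0o002:
        findings.append(f"web root is world-writable (mode {record['webroot_mode']:o})")
    # Administrative and debugging functions left enabled.
    if record["debug_enabled"]:
        findings.append("debug/administrative interface enabled")
    # Administrative accounts with default passwords.
    if record["default_admin_password"]:
        findings.append("administrative account still uses the vendor default password")
    return findings


def audit(inventory=INVENTORY, baseline=BASELINE):
    """Map each host name to its findings; hosts with [] match the baseline."""
    return {record["host"]: check_host(record, baseline) for record in inventory}


if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inventory, web-01 comes back clean and web-02 produces five findings. In practice the inventory records would come from whatever asset or configuration-management tool you already use, and the baseline values would be your own build standard rather than the assumed ones here.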
6. Managing user privileges. Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs. How can you mitigate the risk of privileged account abuse? To tackle the threat posed by privileged users in line with industry best practices, you need the following:
Efficient privileged account management – Ensure that privileged users in your information technology environment have only the access rights they need to do their jobs.
Control over access to privileged user accounts – Protect your privileged accounts from unauthorized use with strong password management and techniques such as multi-factor authentication.
Privileged user monitoring – Gain visibility into the actions of privileged users to catch abuse or external attacks quickly and limit the damage. Simply letting users know that user activity monitoring is in place can also go a long way toward deterring misbehavior and even preventing accidental misuse, since users are likely to be more careful about their actions.
User behavior analytics – Identify the privileged users with the most suspicious behavior so you can respond in time by discovering and investigating anomalies in user behavior patterns.
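The first two items above (rights limited to what the job needs, and strong authentication on privileged accounts) can be checked with a periodic access review. The following script is an added example, not the author's or any vendor's code: it reviews a constructed directory export (hypothetical user names) against an assumed mapping of job roles to the privileged groups they legitimately need, and flags excess privilege, privileged accounts without multi-factor authentication, accounts whose owner has left, and privileged accounts unused for more than an assumed 90-day window.

```python
"""Privileged-account access review for a small environment.

Added example, not the author's or any vendor's code. ACCOUNTS is a
constructed directory export with hypothetical names; PRIVILEGED_GROUPS,
ROLE_ALLOWED, STALE_AFTER and TODAY are assumptions to adjust per business.
"""
from datetime import date, timedelta

# Groups whose membership counts as privileged (assumed for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins", "Backup Operators"}

# Which privileged groups each job role legitimately needs (assumed policy).
ROLE_ALLOWED = {
    "sysadmin": {"Domain Admins", "Server Admins", "Backup Operators"},
    "helpdesk": {"Backup Operators"},
    "accountant": set(),
    "service": {"Backup Operators"},
}

STALE_AFTER = timedelta(days=90)    # unused privilege older than this is flagged
TODAY = date(2024, 6, 1)            # fixed review date so the example is reproducible

# Constructed export: user, job role, group memberships, MFA status,
# last privileged action and whether the owner is still with the company.
ACCOUNTS = [
    {"user": "jdoe", "role": "sysadmin", "groups": {"Domain Admins", "Server Admins"},
     "mfa": True, "last_privileged_use": date(2024, 5, 20), "active": True},
    {"user": "asmith", "role": "accountant", "groups": {"Domain Admins"},
     "mfa": False, "last_privileged_use": date(2024, 1, 3), "active": True},
    {"user": "svc-backup", "role": "service", "groups": {"Backup Operators"},
     "mfa": False, "last_privileged_use": date(2024, 5, 29), "active": True},
    {"user": "bwong", "role": "helpdesk", "groups": {"Server Admins"},
     "mfa": True, "last_privileged_use": date(2024, 2, 1), "active": False},
    {"user": "clee", "role": "accountant", "groups": set(),
     "mfa": False, "last_privileged_use": None, "active": True},
]


def review_account(acct, today=TODAY):
    """Return the findings for one account; an empty list means it passes."""
    privileged = acct["groups"] & PRIVILEGED_GROUPS
    if not privileged:
        return []                       # unprivileged accounts are out of scope here
    findings = []
    if not acct["active"]:
        findings.append("owner is no longer active but keeps privileged membership")
    excess = privileged - ROLE_ALLOWED.get(acct["role"], set())
    if excess:
        findings.append("privilege not required by role: " + ", ".join(sorted(excess)))
    # Service accounts cannot complete interactive MFA, so they are exempt here;
    # they should be constrained by other means (restricted logon, long random secret).
    if not acct["mfa"] and acct["role"] != "service":
        findings.append("privileged account without multi-factor authentication")
    last = acct["last_privileged_use"]
    if last is None or today - last > STALE_AFTER:
        findings.append(f"no privileged activity in the last {STALE_AFTER.days} days; consider removal")
    return findings


def access_review(accounts=ACCOUNTS, today=TODAY):
    """Summarise the privileged-account population and per-user findings."""
    per_user = {a["user"]: review_account(a, today) for a in accounts}
    privileged_count = sum(1 for a in accounts if a["groups"] & PRIVILEGED_GROUPS)
    return {
        "privileged_accounts": privileged_count,
        "total_accounts": len(accounts),
        "findings": {user: f for user, f in per_user.items() if f},
    }


if __name__ == "__main__":
    report = access_review()
    print(f"{report['privileged_accounts']} of {report['total_accounts']} accounts are privileged")
    for user, findings in report["findings"].items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

On the constructed data the review flags asmith (an accountant holding Domain Admins, no MFA, no use in 150 days) and bwong (a departed helpdesk user still in Server Admins), while jdoe and the backup service account pass. The privileged-to-total ratio in the summary is the number to watch over time if the goal is to keep the count of privileged accounts down.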
7. Incident management. Most small businesses do not have the means to establish complex incident management processes. Some simple steps to take include:
Establish an incident response and disaster recovery capability
Develop a simple communications plan so that all stakeholders are contacted
Make sure to include third-party vendors as part of your plan
Test your incident management plan as part of employee training.
8. Monitoring. Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. A variety of continuous monitoring products are available, both on premises and in the cloud. Once you have the monitoring capability, you can analyze logs for unusual activity that could indicate an attack. This may seem like overkill for a small company, but consider these eight reasons why small businesses should implement a network monitoring system:
Visually document your growing network
Do more with less
Monitor from anywhere
Troubleshoot issues more easily
Plan for future growth
Improve network security
Track trends without hours of data digging
Improve the bottom line
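What "analyze logs for unusual activity" looks like in practice, and how it ties back to the user behavior analytics point in section 6, is shown by the script below. It is an added example, not the author's or any vendor's code: it reads a handful of constructed, syslog-style authentication lines (hypothetical users and addresses) and raises alerts for a burst of failed logins from one source, a successful login that follows such a burst, a login from a source the user has never used before, and a privileged command run outside assumed business hours. The thresholds, the per-user baseline of known sources and the business-hours window are all assumptions to tune for your own environment.

```python
"""Scan authentication logs for activity worth investigating.

Added example, not the author's or any vendor's code. LOG_LINES are
constructed syslog-style lines with hypothetical users and addresses;
FAIL_THRESHOLD, FAIL_WINDOW, BUSINESS_HOURS and KNOWN_SOURCES are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: two normal morning logins, a burst of failures from
# an outside address, a success from that address, a late-night privileged
# command, and a normal login the next morning.
LOG_LINES = """\
2024-06-03T08:02:11 sshd[4011]: Accepted password for jdoe from 10.0.0.15
2024-06-03T08:05:40 sshd[4020]: Accepted password for asmith from 10.0.0.22
2024-06-03T22:14:02 sshd[5100]: Failed password for admin from 203.0.113.9
2024-06-03T22:14:05 sshd[5101]: Failed password for admin from 203.0.113.9
2024-06-03T22:14:09 sshd[5102]: Failed password for root from 203.0.113.9
2024-06-03T22:14:12 sshd[5103]: Failed password for jdoe from 203.0.113.9
2024-06-03T22:14:15 sshd[5104]: Failed password for jdoe from 203.0.113.9
2024-06-03T22:14:20 sshd[5105]: Accepted password for jdoe from 203.0.113.9
2024-06-03T23:30:00 sudo: jdoe : TTY=pts/1 ; COMMAND=/usr/sbin/useradd backup2
2024-06-04T08:10:33 sshd[6001]: Accepted password for jdoe from 10.0.0.15
""".splitlines()

LOGIN = re.compile(r"^(\S+) sshd\[\d+\]: (Accepted|Failed) password for (\S+) from (\S+)$")
SUDO = re.compile(r"^(\S+) sudo: (\S+) : .*COMMAND=(.+)$")

FAIL_THRESHOLD = 5                     # failures from one source within FAIL_WINDOW
FAIL_WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59, assumed
# Per-user baseline of sources seen in earlier weeks (constructed).
KNOWN_SOURCES = {"jdoe": {"10.0.0.15"}, "asmith": {"10.0.0.22"}}


def alert(kind, user, source, ts, detail):
    return {"kind": kind, "user": user, "source": source, "at": ts.isoformat(), "detail": detail}


def analyze(lines, known_sources=KNOWN_SOURCES):
    """Return a list of alert dicts, in the order the triggering lines appear."""
    alerts = []
    failures = defaultdict(list)       # source address -> timestamps of recent failures
    burst_reported = set()             # sources already reported, to avoid repeats
    for line in lines:
        login = LOGIN.match(line)
        if login:
            ts = datetime.fromisoformat(login.group(1))
            outcome, user, src = login.group(2), login.group(3), login.group(4)
            # Keep only failures still inside the sliding window.
            recent = [t for t in failures[src] if ts - t <= FAIL_WINDOW]
            if outcome == "Failed":
                recent.append(ts)
                if len(recent) >= FAIL_THRESHOLD and src not in burst_reported:
                    alerts.append(alert("failed-login burst", user, src, ts,
                                        f"{len(recent)} failures within {FAIL_WINDOW.seconds}s"))
                    burst_reported.add(src)
            else:
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append(alert("login after failed-login burst", user, src, ts,
                                        "success preceded by repeated failures from the same source"))
                if src not in known_sources.get(user, set()):
                    alerts.append(alert("login from unfamiliar source", user, src, ts,
                                        "source not in this user's baseline"))
            failures[src] = recent
            continue
        privileged = SUDO.match(line)
        if privileged:
            ts = datetime.fromisoformat(privileged.group(1))
            user, command = privileged.group(2), privileged.group(3)
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(alert("privileged command outside business hours",
                                    user, "local", ts, command))
    return alerts


if __name__ == "__main__":
    for a in analyze(LOG_LINES):
        print(f"{a['at']} {a['kind']}: user={a['user']} source={a['source']} ({a['detail']})")
```

The four alerts on the sample data tell one story an analyst would want to see together: repeated failures from an outside address, then a success for jdoe from that same address, which jdoe has never used before, followed by an after-hours account creation. Any of the four alone might be benign; the sequence is what warrants an incident-response call, which is why log analysis and the incident plan from section 7 belong together.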
9. Home and mobile working. Especially since the advent of COVID-19, remote working has become the norm rather than the exception. Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data both in transit and at rest.
I hope these simple pieces will allow you to take the actions necessary to make your small business more secure. I will follow up with a piece on how small companies can achieve compliance with the National Institute of Standards and Technology (NIST) 171 standards and the Department of Defense’s Cyber Maturity Model Certification (CMMC) process.