It’s October, which for those in the technology field means it is Cybersecurity Awareness Month.
Since 2004, Cybersecurity Awareness Month has been designated as a time to raise awareness regarding the impact of cybersecurity. Given the devastating impact of cybersecurity attacks, a month does not seem enough. The year 2023 has seen a drastic influx of not only an increase in attacks, but also large payouts to ransomware operators.
No matter the size of an organization, it is a target. No organization is safe from threat actors. Just look at the recent ransomware attacks affecting MGM Grand and Caesar’s Palace in Las Vegas. While these large organizations handle money, casinos are not normally on the list for threat actors until now.
With the increase in attacks and potential costs to organizations, now is the time to focus on basic foundational questions.
Cybersecurity Awareness Month is a popular time for routine tips or practices, but they warrant constant reminders. Traditional guidance holds that organizations should follow several time-tested practices to help protect themselves. They include:
• A safe and secure password.
• Utilize multi-factor authentication when possible.
• Data encryption.
• Routine data backup.
• Keep your devices updated.
• Report phishing attempts.
From a tactical perspective, these practices have a significant, positive impact on protecting an organization. Although important, organizations also need to focus on the foundational aspects of their cybersecurity.
Regardless of size, they should focus on addressing basic questions before undertaking a significant investment in cybersecurity defenses. Not focusing on the basics could cause organizations to spend too much money, incorrectly prioritize efforts and create a false sense of security.
Start by asking questions within the organization itself. The questions should be discussed between information technology staff and business leaders on a routine basis. Asking these questions regularly helps the organization refocus their efforts relative to the emerging threats. Knowing the answers to these questions helps form the foundation of everything that comes next in building and maintaining cybersecurity programs.
Start with a few specific questions along the lines of:
1 . What assets (i.e., computers, servers, data) does the organization possess? The question of an organization’s assets is probably one of the most important. Almost every cybersecurity framework begins with understanding assets. Organizations will struggle protecting themselves if they don’t know how many devices need anti-virus or if they deployed to 100 percent of the device scope. Further, organizations may not detect adversaries creating devices on their network.
2. How important are these assets to your mission? Understanding the importance assists the business in prioritizing efforts to protect those assets. You should start with what matters most because those assets will most likely be a threat actor’s target.
3. How many users are there and what data do they have access to? Understanding who has access to what helps you understand the risk each user presents. Knowing the data required by a user can help organizations set access control rights so data isn’t accessible by unauthorized users.
4. Where is the organization’s data coming from and where is it going? Understanding the flow of data helps determine where an attacker might target or what areas need added protection. It’s also important knowing the data’s path can help spot potential exfiltration by ransomware operators.
5. How are you training and educating users regarding cybersecurity? More and more, education is becoming the best line of defense. This is in large part because phishing remains one of the top entry points for cyber attacks. There are several solutions on the market to help combat phishing, but there isn’t one that stops 100 percent of the attempts. Making sure employees know what to look for in a potential phishing e-mail goes a long way.
6. What is your plan when something bad happens? It’s inevitable. Security tools will be bypassed or someone will click on a phishing email. Organizations need a plan and they need to ensure employees understand it. Having a plan will help organizations respond and recover much faster. Further, it could help avoid reputational harm.
Many solution providers use Cybersecurity Awareness Month as a beacon to sell their products. There is usually an emphasis on how their products can stop threat actors. If only it were that simple. Some providers will also use fear, uncertainty, and doubt to promote their product. The cost of these products can be significant.
Spending an exorbitant amount of money doesn’t guarantee safety. Regardless of where you are in the cybersecurity maturity, you are not alone. There is a tremendous amount of free guidance available online. More importantly, there is a fair amount of free help available with risk assessments, penetration tests, or vulnerability scans. There are four organizations that offer free help.
1. The New York State Cyber Incident Response Team (CIRT) is a division of Homeland Security. CIRT aids with risk assessments, tabletop exercises and phishing assessments. CIRT can also help an organization plan its efforts.
2. The Federal Bureau of Investigations (FBI) offers help at the regional level. Regions across New York State have local FBI offices. The FBI offers a wide variety of guidance. Additionally, the FBI also collaborates with InfraGard to help protect various sectors against cyber threats.
3. The Center of Internet Security (CIS) provides controls and benchmarks to improve and harden IT infrastructure. As a bonus, CIS also offers control mapping to help organizations meet regulatory requirements.
4. The Cybersecurity & Infrastructure Security Agency (CISA) hosts information on its website regarding best practices, threat advisories and a variety of educational tools. Organizations can also partner with CISA for vulnerability scans.
Cybersecurity can be very complex and costly to organizations. This is in part due to the almost constant emergence of new threats. New tools are built in response to the threats, always putting the good ones behind. Offered guidance may also change as the industry changes. The fundamental questions, however, are not likely to change because they form the basis of an organization’s approach to protecting itself. These questions must be routinely addressed before investments are made.