8 tips to improve cyber security in the New Year

Some of the cyber incidents we dealt with in 2014 include malware infections, compromised servers, and ransomware, to name a few. We can expect more of the same in 2015.

More of the same for 2015 in the security landscape

While we can—and certainly will—leverage cutting-edge technology to address new threats, we can—and must—leverage human behavior and best practices as a means of shoring up defenses. Let’s take a look at some ways organizations can minimize risks.

Practice Good Cyber Hygiene.

A vast majority of cyber attacks succeed because of a failure to implement basic cyber hygiene, such as patching vulnerable systems. Applying just a few basic hygiene behaviors will mitigate the majority of known attack vectors. By implementing these critical basics, businesses can free up limited resources to focus on the more difficult cyber challenges.

Count: Know what’s connected to and running on your network.

Count (inventory) your organization’s IT assets, and document each device’s type, location and assigned owner. These assets include all your:

  • Computers, laptops, tablets;
  • Smartphones, PDAs;
  • Thumb drives, removable hard drives;
  • Printers;
  • Routers, switches; and
  • Servers.

Develop a written policy that requires the creation and maintenance of a complete and accurate IT asset inventory. Senior executives in your organization should review the inventory at least yearly, reconcile any discrepancies and discuss the security of the assets.
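One way to carry out the reconciliation step described above, as an added example that is not part of the original article: it compares a documented inventory against the devices actually seen on the network and flags undocumented devices, records missing a type, location or owner, and records not reviewed within a year. The device identifiers, field names and the observed-device list are constructed for illustration.

```python
from datetime import date

# Constructed sample inventory; the fields follow the article
# (type of device, location, assigned owner) plus a last-review date.
INVENTORY = [
    {"id": "AA:01", "type": "laptop", "location": "HQ-2F", "owner": "j.doe",
     "reviewed": date(2014, 11, 3)},
    {"id": "AA:02", "type": "printer", "location": "HQ-1F", "owner": "",
     "reviewed": date(2014, 11, 3)},
    {"id": "AA:03", "type": "server", "location": "DC-1", "owner": "ops",
     "reviewed": date(2013, 6, 1)},
    {"id": "AA:04", "type": "switch", "location": "DC-1", "owner": "net",
     "reviewed": date(2014, 12, 1)},
]
# Constructed set of device identifiers observed on the network
# (in practice this would come from a discovery scan or DHCP/switch data).
OBSERVED = {"AA:01", "AA:02", "AA:03", "AA:99"}

REQUIRED_FIELDS = ("type", "location", "owner")
MAX_REVIEW_AGE_DAYS = 365  # "at least yearly"


def reconcile(inventory, observed, today):
    """Return the discrepancies between the written inventory and reality."""
    documented = {rec["id"] for rec in inventory}
    findings = {
        "unknown_on_network": sorted(observed - documented),
        "documented_not_seen": sorted(documented - observed),
        "incomplete": [],
        "review_overdue": [],
    }
    for rec in inventory:
        missing = [f for f in REQUIRED_FIELDS if not str(rec.get(f, "")).strip()]
        if missing:
            findings["incomplete"].append((rec["id"], missing))
        if (today - rec["reviewed"]).days > MAX_REVIEW_AGE_DAYS:
            findings["review_overdue"].append(rec["id"])
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, OBSERVED, date(2015, 1, 15)).items():
        print(f"{kind}: {items}")
```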

Configure: Implement key security settings to help protect your systems.

Identify all types of hardware and applications running within your business. Focus first and foremost on operating systems. Research and select a well-known and trusted secure configuration baseline for each type of hardware and application – examples include the Center for Internet Security’s Benchmarks, National Security Agency’s Secure Configuration Guides and the Defense Information Systems Agency’s Security Technical Implementation Guides (STIG).

Configure existing and new IT assets based on the selected secure configuration baseline.

Control: Limit and manage those who have admin privileges to change, bypass, or override your security settings.

Implement processes to manage identities and credentials for authorized users and devices. Limit access to information assets and associated facilities to authorized users, processes or devices, for authorized purposes only. Use strong passwords or passphrases to help avoid user accounts being compromised. Closely manage remote access and physical access to assets.

Train and educate users on how to protect their account credentials.

Log all access activities and continuously monitor them to detect anomalous behavior such as unauthorized access attempts. Review access permissions, particularly privileged accounts and remote access, on a regular cycle (i.e., quarterly) to confirm that the access is still needed.
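The review and monitoring steps above, sketched as an added example that is not part of the original article: it lists privileged and remote-access grants that have gone more than a quarter without review, and scans an access log for repeated denied attempts and for denied attempts by accounts that hold no grant. The account names, log format, 90-day cycle length and alert threshold are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

REVIEW_CYCLE_DAYS = 90  # quarterly cycle from the article, taken here as 90 days
DENIED_THRESHOLD = 3    # assumed alert threshold: denials per account per day

# Constructed access grants (hypothetical accounts).
GRANTS = [
    {"account": "alice", "privileged": True, "remote": False, "last_reviewed": date(2014, 12, 1)},
    {"account": "bob", "privileged": True, "remote": True, "last_reviewed": date(2014, 8, 15)},
    {"account": "carol", "privileged": False, "remote": True, "last_reviewed": date(2014, 9, 1)},
    {"account": "dave", "privileged": False, "remote": False, "last_reviewed": date(2014, 1, 1)},
]
# Constructed access log, one event per line: date account channel result
LOG = """\
2015-01-10 bob vpn DENIED
2015-01-10 bob vpn DENIED
2015-01-10 bob vpn DENIED
2015-01-10 alice console OK
2015-01-11 carol vpn DENIED
2015-01-11 svc-old vpn DENIED
"""


def overdue_reviews(grants, today):
    """Privileged or remote-access grants not reviewed within the cycle."""
    ages = [(g["account"], (today - g["last_reviewed"]).days)
            for g in grants if g["privileged"] or g["remote"]]
    late = [item for item in ages if item[1] > REVIEW_CYCLE_DAYS]
    return sorted(late, key=lambda item: -item[1])  # most overdue first


def denied_events(log):
    """Yield (date, account) for each well-formed DENIED line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "DENIED":
            yield parts[0], parts[1]


def repeated_denials(log, threshold=DENIED_THRESHOLD):
    """Accounts with at least `threshold` denied attempts on one day."""
    counts = Counter(denied_events(log))
    return sorted((d, a, n) for (d, a), n in counts.items() if n >= threshold)


def denied_without_grant(log, grants):
    """Accounts that attempted access but appear in no grant record."""
    known = {g["account"] for g in grants}
    return sorted({a for _, a in denied_events(log)} - known)
```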

Patch: Regularly update all apps, software and operating systems.

Timely patching is critical to maintaining the confidentiality, integrity and availability of systems and information. Review your organization’s technology asset inventory and identify what software is operating on these assets. Continually review what patches, updates, and revisions need to be applied and then, after appropriate testing, apply them in a timely and systematic process. Enable settings to automatically apply these patches to ensure that you're fixing the identified weaknesses in the applications, especially your operating system, web browser and associated third-party apps.

Repeat: Regularize the top priorities.

The volume and complexity of cyber security threats will continue to evolve and expand, and so too must our readiness and response efforts. Cyber security is an ongoing process that requires constant vigilance. We are never done. Reviewing your ‘Repeat’ list will ensure that each cycle of each individual priority has been appropriately met and that nothing falls through the cracks in your cyber health maturity.

Address the human factor.

As more of our activities become Internet-connected, and the line between personal life and work life becomes ever more blurred, it’s critical to understand the role that each individual plays in an organization’s cyber security. Don’t assume that everyone understands his individual responsibility for securing cyber space. A sizable percentage of the workforce does not believe that they are responsible for assisting in the security of their networks.

Addressing the human factor, and making sure employees understand and implement cyber hygiene best practices, will prove to be critical for improving the organization’s security posture throughout 2015 and beyond.

Recognize the power of collaboration.

Cyber threats impact all businesses, regardless of size, industry or geographic location. The threats are too complex and numerous for any one organization to combat; therefore, collaboration with other organizations in both the public and private sectors is important.

Pelgrin is CEO of the Center for Internet Security.