By Steve Leblond, VP of IS Operations – COO – IS Division, Ochsner Health
Improving an organization’s cybersecurity posture often involves an investment of significant time and dollars. Whether it be a new tool to scan for threats or an off-network backup solution, the capital and operational expenditures often leave organizations struggling to invest in a comprehensive protection portfolio. So, while you are saving up for that next revolutionary cyber tool, here are five “nearly” free things your organization can do to better protect your technology and data assets.
The first thing you should do is move to at least 10-character passwords with complexity (12 would be even better). There are many charts that show how long it takes to crack eight-character passwords with complexity; the consensus is about eight hours. With more computing power becoming available regularly, that shortens every day. My experience with a hacking team I once hired proved the time to decipher an eight-character password from one of our users was 55 seconds. By comparison, a 10-character complex password currently takes four to five years to crack. More characters add exponential time to brute-force cracking attempts. Remember, given enough time, all passwords can be brute-forced. Your goal is to make that time impractical for your adversary. And eight-character passwords are so 2004. We are all going to end up with longer passwords eventually, so what are you waiting for?
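An added example (mine, not the author's) that makes the length argument concrete: a policy check for 10-plus characters with complexity, and the keyspace arithmetic showing why each extra character multiplies brute-force effort rather than adding to it. The complexity definition, the class thresholds and the guess rate are assumptions, not figures from the article.

```python
import string

# Character classes that count toward "complexity" (assumed definition: the
# usual upper/lower/digit/symbol classes; the article does not spell one out).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
CHARSET_SIZE = sum(len(s) for s in CLASSES.values())  # 94 printable ASCII, no space


def classes_used(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_len: int = 10, min_classes: int = 3) -> bool:
    """Length-with-complexity rule: at least min_len characters drawn from at
    least min_classes of the four classes (both thresholds are assumptions)."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def keyspace(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Candidates an exhaustive search must try: charset_size ** length."""
    return charset_size ** length


def growth_factor(from_len: int, to_len: int, charset_size: int = CHARSET_SIZE) -> int:
    """How many times larger the keyspace gets when length grows; every extra
    character multiplies it by charset_size, which is the exponential effect."""
    return keyspace(to_len, charset_size) // keyspace(from_len, charset_size)


def brute_force_years(length: int, guesses_per_second: float,
                      charset_size: int = CHARSET_SIZE) -> float:
    """Worst-case time to exhaust the keyspace at a given guess rate, in years."""
    seconds = keyspace(length, charset_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # constructed guess rate for an offline cracking rig, not a benchmark
    for n in (8, 10, 12):
        ok = meets_policy("x" * n)  # length alone is not enough: one class fails
        print(f"{n} chars: {brute_force_years(n, rate):.3g} years to exhaust, "
              f"all-lowercase passes policy: {ok}")
    print("8 -> 10 characters multiplies the keyspace by", growth_factor(8, 10))
```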
Secondly, patch your systems. One of the largest components of every organization’s cybersecurity risk is unpatched systems. Research has shown that 60 percent of cybersecurity breaches involve a vulnerability for which a patch is available but not applied. Think about that for a moment—you have the solution in your hand, you just haven’t used it yet. The primary reason that patches don’t get installed in organizations is that applying the fix requires the IS team to stop an application that your operational employees use, thereby disrupting operations. Creating a patch window for your IS team and telling your operations that there will be downtime during that window can significantly improve your cyber posture. That window can be after hours if needed. Believe it or not, almost every IS professional will work off hours to do this, as they know it is important work and they want to protect their organization. They just need the support and permission to do so.
Third, host an all-employee cybersecurity awareness webinar. It doesn’t have to be lengthy; 30 minutes will do. Employees need to know that they are the front line in protecting the organization. You can no longer think it won’t happen to you. In fact, you should be thinking it will happen to you (because it will). And most likely, it will be one of your employees who enabled it, whether through susceptibility to a phishing email or social engineering. You need employees to refrain from clicking any links in external emails. Also, they should not reuse passwords. Their work password should be distinct from any other password they use in their lives. Next, they should never give their password to anyone, even to their own IS personnel (we don’t need their passwords; ours work for what we need to do). Lastly, if they fall victim, they need to know they should notify their IS and Cybersecurity personnel. After your employees’ cybersecurity webinar, ensure your new employee onboarding process covers the same information. A knowledgeable workforce is an excellent defense against cyberattacks.
Fourth, reduce your administrative accounts and privileged access. Both local and domain administrator accounts allow users to install software. Some organizations allow all their employees to have these privileges, which is a very precarious position. In that instance, any one of your employees clicking a malicious link will allow ransomware to easily install on your environment. A properly controlled organization will have less than two percent of its employees with these accounts, primarily a subset of your IS personnel. Employees should work with those IS professionals when they need to install software; the extra step to accomplish that software install protects your organization. Also, your IS personnel should know what every one of those local and domain accounts is for and review them frequently to ensure no one creates an unknown malicious account and uses it against you. If they cannot explain every one of them, you are at risk.
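An added example (mine, not the author's) of the two checks this point asks for: comparing an export of privileged group membership against a register of documented purposes, so that any account nobody can explain is surfaced, and measuring the share of the workforce holding enabled privileged accounts against the two-percent target. The account names, hosts, register entries and headcount are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    scope: str     # "domain" or "local"
    host: str      # workstation/server for local accounts, "-" for domain
    enabled: bool


# Constructed sample export of Domain Admins and local Administrators group
# membership (not real data); the host distinguishes same-named local accounts.
PRIVILEGED = [
    Account("alice.admin", "domain", "-", True),
    Account("bob.admin", "domain", "-", True),
    Account("svc_backup", "domain", "-", True),
    Account("helpdesk01", "domain", "-", False),
    Account("Administrator", "local", "WS-0042", True),
    Account("tmp_support", "local", "WS-0042", True),
]

# Constructed register: the documented purpose of every privileged account.
# A privileged account missing from here fails the "can you explain it" test.
REGISTER = {
    ("alice.admin", "-"): "Tier-0 admin, IS infrastructure team",
    ("bob.admin", "-"): "Tier-0 admin, IS infrastructure team",
    ("svc_backup", "-"): "Backup service account, owner: IS Operations",
    ("helpdesk01", "-"): "Retired helpdesk account, disabled, pending deletion",
    ("Administrator", "WS-0042"): "Built-in local admin, password managed by IS",
}


def unexplained(accounts, register):
    """Privileged accounts nobody has documented: review these before anything else."""
    return [a for a in accounts if (a.name, a.host) not in register]


def admin_ratio(accounts, headcount):
    """Share of the workforce holding an enabled privileged account (distinct names)."""
    return len({a.name for a in accounts if a.enabled}) / headcount


def exceeds_target(accounts, headcount, target=0.02):
    """True when the ratio is not below the 'less than two percent' target."""
    return admin_ratio(accounts, headcount) >= target


if __name__ == "__main__":
    for a in unexplained(PRIVILEGED, REGISTER):
        print(f"UNEXPLAINED privileged account: {a.name} ({a.scope}, host {a.host})")
    print(f"admin ratio: {admin_ratio(PRIVILEGED, 200):.1%}, over target: {exceeds_target(PRIVILEGED, 200)}")
```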
Fifth, ensure your Employee Discipline and IS policies reference each other. Your employees need to know that repeated breaches of your IS policies will result in formal discipline. If we harken back a bit, we can all understand that an employee who consistently leaves an unlocked cash box on top of a desk after being told not to would eventually have their responsibilities changed or be disciplined. However, we tend to think that those who repeatedly click phishing emails or install malicious software on company computers are just victims of circumstance. In this day and age the latter creates far more risk to your organization than the former. And while I know disciplining employees for repeated, undesired behavior is never something we look forward to, sometimes you need to either reassign the employee or let them be successful at something else. Failing to address repeated poor cybersecurity behavior accepts a great deal of enterprise risk.
So, while clinking coins into your piggy bank for your next big leap forward in cybersecurity, remember these five “nearly” free cybersecurity improvements that you and your team can make to minimize the likelihood that you are the next victim. We all like flashy new tools, but good cybersecurity posture is often the result of good IS practices and good employee behavior.