The cyberworld is still recovering from the ravages of the first phase of the WannaCry ransomware attack, and anxiously waiting for the next wave of attacks. Amid all the hullabaloo, it’s odd that there’s not much talk about how the attack could have been defused by leveraging strong security practices and tools that have existed for some years now. This is, unfortunately, a classic trait of enterprise cybersecurity. It’s reactive, at best, and keeps proving unable to stop even preventable cyberattacks. It’s enough, really; enterprises have an easy decision to make – get on board the cybersecurity train, or get run over by the cyber-crime juggernaut riding right alongside.
WannaCry aside, is there a need to change?
The answer is a resounding “YES.” Global enterprises, organizations, and mid-sized businesses are witnessing tectonic shifts in the nature, pervasiveness, and leverage of IT. The waves of artificial intelligence, IoT, and BYOD are roaring and splashing past all coasts. Each of these transformative forces is accompanied by security risks, challenges, and gaps. Enterprises can’t adopt the technology without realizing the need to ramp up their state of cybersecurity at the same time. Till now, a cyberattack meant loss of data, reputation, money, and computer access. With IoT in play, enterprises are staring at potential risks to human life and assets because of cyberattacks. Do you need any more reasons to plan?
Let’s focus on what enterprises need to stop doing immediately. This can pave the way for the new and advanced wave of cybersecurity to take over and deliver future-proofing against cyberattacks.
Stop buying tools you’re not convinced you need
It’s unfortunate, but the cybersecurity impetus in the global IT products market seems more focused on the "words" than the "works." This is where enterprises need to be smarter in their purchase decisions. Here are a couple of suggestions:
- Understand what’s causing trouble. Analyze and understand the most obvious attack surfaces within your enterprise IT. Also, understand the financial impact of different kinds of intrusions, breaches, hacks, and infections. This helps you prioritize and purchase cybersecurity products that will efficiently address the riskiest security vulnerabilities first.
- Ask vendors to educate you. The leading IT vendors across the cybersphere realize their responsibility to educate potential buyers of the need, features, and benefits of their products. So, engage them. Create a core evaluation team that can understand the core technology and security mechanisms used in new applications and tools. This core team can consume the education and training from vendors, and use their growing understanding to evaluate and select the right products.
Stop postponing application whitelisting
The time for enterprises to think about company-wide application whitelisting is here. Under this approach, only verified and predefined applications can run on machines. Of course, application whitelisting consumes resources, time, and testing. However, it works. The key is to start early, rather than waiting until everyone in the industry does it.
Windows includes application whitelisting tools such as Device Guard and AppLocker within the OS. Alternatively, you could choose one of the several other tools for application whitelisting, such as Carbon Black, McAfee, and Lumension. Remember, application whitelisting can mitigate a significant proportion of IT security breaches.
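One way to start early without breaking anything is to roll AppLocker out in audit-only mode first. The PowerShell below is an added example, not part of the original article: it builds an allow-list from a reference machine, applies it in audit mode, and later lists what enforcement would have blocked. The output path and the scanned directories are assumptions to adapt to your own image.

```powershell
#Requires -RunAsAdministrator
# Added example: AppLocker allow-list built from a reference machine, deployed audit-only.
# $policyPath and $scanDirs are placeholders chosen for this example.

$policyPath = 'C:\Temp\applocker-audit.xml'
$scanDirs   = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'

# 1. Inventory the executables the reference image is expected to run.
$files = foreach ($dir in $scanDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe `
        -ErrorAction SilentlyContinue
}

# 2. Generate allow rules: publisher rules for signed files, falling back to
#    hash rules for files that carry no publisher information.
[xml]$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Set every generated rule collection to audit-only so nothing is blocked yet.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. Apply locally. Without -Merge this replaces the existing local AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $policyPath

# AppLocker only evaluates rules while the Application Identity service runs.
Start-Service -Name AppIDSvc

# 5. After a representative period of normal use, review event ID 8003:
#    "allowed to run, but would have been blocked if the policy were enforced".
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Each 8003 event is either a legitimate application that still needs a rule or something that should not be running; once the log is quiet, changing `AuditOnly` to `Enabled` turns the same policy into enforcement.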
Stop ignoring social engineering education for end users
You can't prevent your users from interacting with social content, which means the risks of social engineering-based hacking attempts succeeding are huge. So, treat social engineering training needs as an imperative, and devise a process and mechanisms to deliver it to your employees. Phishing emails, shady web pages, or similar baits, as crazy as it might sound, actually work and compromise a lot of enterprise systems every year. A significant proportion of hacking practices involve some degree of social engineering. It’s also imperative to keep improving the coverage and depth of the social engineering training planned and delivered to the workforce.
Stop your over-dependence on passwords
Even long passwords with a mix of characters, numerals, and symbols, unfortunately, are not so secure anymore. Also making things problematic: The average enterprise end user needs to log in to several applications every day and tends to keep the same password for all. This means that one vulnerable application could reveal your password to hackers, which could then enable them to access all other applications as well. It’s time to realize that passwords are not as effective as they once were. More importantly, enterprises need to endorse multifactor authentication for all kinds of data and application accesses. This can not only secure applications, but can also thwart most phishing attempts.
Stop putting off patches and upgrades
Did you know – unpatched software vulnerabilities have been the core reason for data thefts and malware break-ins over the past years? In spite of this information being well known, enterprise IT departments continue to be reactive and not proactive in ensuring that all machine operating systems and applications operate in the most updated state. It’s likely that when you try to evaluate the patch update status of all computers in your enterprise network, you’ll find a double-digit percentage of computers in a compromised state. The solution: Bolster automatic patching practices, tighten time periods of hygiene checks, and make upgrades and patches a key focus in vendor interactions.
Lead, don't follow
We’re in the age of extreme cyber-risk, with implications beyond imagination. Cyberattacks can bring down any business quicker than their worst product and best competitor. Stop being reactive to questions of IT security readiness, and lead the change for your organization. These suggestions will help you change things quickly and align your enterprise’s IT practices for better preparedness.