Defending Against Cyber Attacks: Where to Start?
Andi Azzolina, M.S., MBA
Chief Digital and Technology Officer | Board Member | Tech Strategist | Data, AI & Cybersecurity Leader
Protecting your organization from cybersecurity threats can seem overwhelming. As a fractional CIO, I’m often asked, “Where should I start to protect my organization?”
Start with making a list of what your company has that you consider valuable. If you think something is valuable, chances are that cybercriminals do too. Consider liquid or monetary assets, physical assets, employee and customer data, IP, and trade secrets.
Here’s a quick overview of how to think about three of these asset classes and where you can start today to protect each of them.
1. Monetary Assets
To gain access to your monetary assets, bank, or credit accounts, criminals target the people and systems that have access, control, and authority over your money. Typically, cybercriminals gather intelligence that helps them target, manipulate, and trick people who have access to your accounts (e.g., CEOs and CFOs and their assistants, accountants, and accounts payable staff). To trick people into divulging account information or processing transactions, cybercriminals need to appear authentic. To do this, they spy on your employees online and root around your systems (often for months if they are able to gain access), gathering intelligence so they can look and sound exactly like you or one of your employees. Cybercriminals frequently make fake emails, text messages, phone calls, and websites to trick people. They’re sophisticated – after all, this is their business and how they make their living.
Tip: Protect your monetary assets by doing regular and ongoing training with employees who have access to your monetary assets. Aside from ongoing education, use secure transmission channels to communicate sensitive information (not email), have established procedures for verifying identity that might include a secret question or pre-established contact information, and use a two-person verification process before providing account information or issuing a transaction.
2. Physical Assets (e.g., office buildings, machinery, equipment, and computers)
Cybercriminals sometimes try to gain access to your workplace or other physical assets to execute another type of attack (e.g., gain password information to get the bank account information), disrupt operations (to demand a ransom), or cause other harm to your company. The value of your physical assets, and how and why they might be attacked, largely depends on your industry, but unauthorized access to physical assets always poses a security risk.
Tip: Protect your physical assets by establishing tight physical security controls for your offices and buildings. Badges and swiping (and the procedures that support this) are a good place to start. Consider testing your physical security by using secret shoppers or actors (aka a “Red Team” in the cyber world). Virtual access should include strong passwords and two-factor authentication. With most physical assets communicating with the Internet, protecting your network infrastructure is key because access to your network means access to virtually everything that runs your business.
3. Employee and Customer Data
Your company’s data may exist in paper files but is most likely housed on the hard drives of computers, external devices, servers, and in the cloud. Some data is more valuable than other data and requires extra vigilance. For example, anywhere company usernames and passwords are stored is a high-value target for cybercriminals because access to this data can unlock the “keys to the castle” and enable all of the other types of attacks. Likewise, usernames and passwords for customers allow cybercriminals access to customer accounts. Usernames and passwords, as well as personally identifiable information on your employees and customers, are readily sold on the black market and used for identity theft.
Tip: Training in safe handling of all types of data is important, but especially for usernames and passwords. Password “vaults” are also helpful, but the master passwords to these vaults must also be protected.
President | COO | Co-Founder | Human Capital Management | Technology Solutions
1 year ago
Great advice!