The Time is Now to Fortify Your Cyber Security

Introduction

There’s a mental fatigue that sets in when we are persistently under threat. That fatigue can dull our response to important new developments that would otherwise demand urgent action, and it is visible in many organizations when it comes to cybersecurity. It seems like almost daily we are told of a new and increased level of risk, or worse, we hear the story of a cyberattack victim, breathe a sigh of relief and are glad that it wasn’t us. Despite the obvious and ever-present risk of severe consequences if we get hit by an attack, we still see tremendous vulnerabilities across the United States. The security gap is the distance between where an organization should be with its cybersecurity defenses and where it actually is. Right now the threat to our data and our livelihood is greater than ever, but you could easily argue that this will always be true: the game of cybersecurity will probably always be more complex and more difficult tomorrow than it is today. Therefore, any day that you choose to rest on your laurels puts you a day behind the bad actors who are coming for you.

The dire nature of this topic only adds to the mental fatigue and cognitive dissonance that some executives and technology leaders may exhibit. A good CISO or CIO will make the best tactical choices about which security solutions to deploy with the resources they are given, but a great technology leader knows how to impress upon the organization the terrible consequences of inaction, spurring a sense of urgency. These great leaders are able to close the security gap more quickly, which has two profound outcomes: it makes them a less attractive target for a cyberattack, and it leaves them less vulnerable to severe outcomes if they do get attacked. The former may be just as important as the latter. Consider for a moment that hackers, whether motivated by profit or backed by a nation-state (or both), are ultimately going to try to be as productive as possible. If the objective is to successfully penetrate a victim’s defenses, there is no point in attacking the strongest, most fortified organization first. In a true Darwinian sense, hackers will naturally select the easiest targets in order to multiply their success most easily. In this regard, many organizations are not just in a fight against hackers but are ultimately in competition with their peers. It’s like the old story about two hikers in the woods who encounter an angry bear. The first hiker suggests they run to try and escape, and the second hiker says “we can’t outrun a bear!”, to which the first hiker replies “I don’t have to outrun the bear, I just need to outrun you.” The point is that you don’t want to be the easiest target. The other factor is how attractive you are as a target in general. Fort Knox has more treasure than an ATM. Healthcare, government, financial services, utilities: these are industries where the stakes are high, and because of that, hackers know that the rewards are worth the effort.
A hospital that is crippled by ransomware will face the choice of ensuring life-saving care for its patients by paying the ransom, or suffering prolonged downtime that could lead to loss of life. That’s no easy choice to make in a crisis, and the hackers know it.

The good news is that by closing the security gap within your organization you’ll significantly reduce your chances of a catastrophic outcome from an attack. The bad news is that it takes money and resources to do it right, but as the cliché goes, the journey of a thousand steps begins with just one, or perhaps in this case, at least 6. The following steps are mostly easy to implement, and though they do come with a cost, that cost pales in comparison to the cleanup and mitigation you’d have to endure if you suffered an attack.

1. Multifactor Authentication (MFA)

What and Why? If you’re a layperson you have likely already used this many times when logging into an account and receiving a text message with a code to verify you are who you say you are. By requiring two or more ways to identify yourself you can thwart a significant number (some believe the majority) of attacks. If a hacker has a password to your infrastructure they can log in, delete your backups and encrypt the rest of your data, either to hold it hostage or just to do your organization real harm (for example, selling sensitive data on the dark web, or making a mockery of your cybersecurity). If you have MFA activated, even with the stolen password they can’t get past the second or third form of ID that is needed to prove your identity. That’s when a ransomware or other type of attack is relegated to just an attempt at an attack.

Drawbacks: MFA can be time-consuming and a burden on IT to implement, which is one of the only reasons it’s not deployed everywhere. Users might complain about the extra steps needed to log in, but they’ll complain harder and louder if their data gets encrypted and access to important applications is locked out for days. Or it could be even worse if something like a major utility goes dark or a financial system gets taken to its knees.

2. Immutable Backups & Insider Protection

What and Why? Almost all (but sadly not all) organizations follow the 3-2-1 rule of data backup (3 copies of data, 2 different storage media, at least 1 offsite). If you’re not doing that, you’re already behind and it’s time to catch up quickly. However, hackers have grown more sophisticated and realize that organizations can often recover from backup as a way of thwarting their attacks. To get around this, a sophisticated hacker orchestrates a coordinated effort, gaining access to backup systems to delete backup files before launching a ransomware attack. They may also attempt to encrypt those backup files at the same time they encrypt the primary data. To fight back, organizations should deploy two additional defenses:

  • Immutable backups – these backup files can be written only once and cannot be overwritten, making it impossible for a hacker to encrypt the backup data in place with ransomware.
  • Insider protection – although not aptly named, this feature means that even if someone on the inside (or a hacker from the outside) has access to your backup files and deletes them, a hidden and inaccessible copy of those deleted files is kept for a specified period of time. This ensures a viable backup to recover from even if the files appear to be deleted. It’s essentially a recycle bin for your backup files that hackers can’t easily gain access to and likely don’t even know is there.

Drawbacks: There are very few reasons, besides cost, not to have these basic backup strategies in place, as the burden on IT is relatively low and many cloud service providers can make setup and implementation easy. Even the cost itself is usually modest, especially in comparison to the cost of inaction.
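The two controls in the bullets above are easier to reason about with a small model. The following is an added example, not code from the article or any backup vendor: a constructed, in-memory backup target whose objects are write-once and whose deletions land in a hidden retention bin instead of being destroyed. Day numbers, object names, the retention period and the sample backup content are all made up for the illustration; the `walk_through` function replays the scenario the text describes (overwrite attempt, deletion, then recovery) and reports what each side would see.

```python
import hashlib
from typing import Dict, List, Tuple


class ImmutableBackupStore:
    """Constructed model of a backup target with immutability plus a hidden retention bin.

    Time is an integer day number so the retention window can be exercised deterministically.
    """

    def __init__(self, retention_days: int) -> None:
        self.retention_days = retention_days
        self._objects: Dict[str, bytes] = {}               # visible to whoever holds the backup credential
        self._retained: Dict[str, Tuple[bytes, int]] = {}  # name -> (data, purge_day); not exposed to that credential
        self.audit: List[Tuple[str, str, int]] = []        # (event, object name, day) for detection and forensics

    def put(self, name: str, data: bytes, day: int) -> None:
        """Write-once: a second write to an existing name is refused, so ransomware cannot encrypt it in place."""
        if name in self._objects:
            self.audit.append(("overwrite-denied", name, day))
            raise PermissionError(f"{name} is immutable and cannot be overwritten")
        self._objects[name] = data
        self.audit.append(("put", name, day))

    def delete(self, name: str, day: int) -> None:
        """Deletion looks successful to the caller, but the object moves to the retention bin."""
        data = self._objects.pop(name)
        self._retained[name] = (data, day + self.retention_days)
        self.audit.append(("delete", name, day))

    def list_visible(self) -> List[str]:
        """What the ordinary backup credential can see: retained objects are deliberately absent."""
        return sorted(self._objects)

    def restore(self, name: str, day: int) -> bytes:
        """Administrative restore path: live objects first, then the retention bin while its window is open."""
        if name in self._objects:
            return self._objects[name]
        if name in self._retained:
            data, purge_day = self._retained[name]
            if day < purge_day:
                return data
        raise KeyError(f"{name} is not recoverable on day {day}")

    def expire(self, day: int) -> None:
        """Housekeeping: permanently purge retained objects whose window has elapsed."""
        for name in [n for n, (_, purge_day) in self._retained.items() if day >= purge_day]:
            del self._retained[name]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def walk_through(retention_days: int = 14) -> dict:
    """Replay the scenario from the text and report the outcome of each step."""
    store = ImmutableBackupStore(retention_days)
    original = b"constructed sample: nightly database dump"  # constructed stand-in for real backup content
    store.put("db/nightly-000.bak", original, day=0)

    overwrite_blocked = False
    try:  # a compromised backup credential tries to replace the backup with ciphertext
        store.put("db/nightly-000.bak", b"\x00not the backup\x00", day=3)
    except PermissionError:
        overwrite_blocked = True

    store.delete("db/nightly-000.bak", day=3)     # deletion appears to succeed
    visible_after_delete = store.list_visible()   # ... and the backup no longer appears in listings

    restored = store.restore("db/nightly-000.bak", day=5)  # operator recovers it two days later
    store.expire(day=5 + retention_days)
    try:
        store.restore("db/nightly-000.bak", day=5 + retention_days)
        recoverable_after_window = True
    except KeyError:
        recoverable_after_window = False

    return {
        "overwrite_blocked": overwrite_blocked,
        "visible_after_delete": visible_after_delete,
        "restore_intact": sha256(restored) == sha256(original),
        "recoverable_after_window": recoverable_after_window,
        "audit": store.audit,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Two things to take from the model: the retention window is the whole defense, so it must be longer than the time it takes you to notice a deletion, and the audit trail of denied overwrites and unexpected deletes is exactly the signal a security operations team should alert on, since it often precedes the ransomware detonation the text describes.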

3. Cloud-Based Disaster Recovery

What and Why? A security incident most certainly belongs on the list of “disasters” that can happen to an organization. Many believe that if their primary data center or cloud site(s) are compromised during an attack, the disaster recovery (DR) site and the data replicated to it will also be unusable, but that’s often not the case and depends upon the technology you’re using. It’s especially not the case if you take a holistic approach to backup and DR and include immutable backup and insider protection.

Drawbacks: Disaster recovery is about as fun to think about as spending money on life insurance. Executives who are worried about next quarter’s results don’t have much appetite to spend money on something that doesn’t immediately add value to the business. What they don’t realize is that a failure to adequately prepare for a security incident could very well put the organization into the red for a long time. Today it is possible to achieve a high level of preparedness for a relatively modest cost, so there is no good excuse to forgo an adequate DR solution.

4. DDoS Prevention & Mitigation

What and Why? A distributed denial of service (DDoS) attack uses a collection of bots to flood your network with so much traffic that your organization can no longer function. The challenge with DDoS prevention and mitigation is that some of the available solutions route your traffic through a cloud-based scrubbing network, and that approach can itself create performance problems, which after all is what you’re trying to prevent in the first place. The better option typically involves working with your ISP to determine whether they have an offering that keeps traffic routed optimally while still watching for a DDoS attack. One cautionary note: many ISPs have DDoS protection for their own network, but that will not protect you from an attack targeted specifically at you. Some of these targeted attacks come with a ransom demand: the attack stops when you pay. Scrambling to work with your ISP while an attack is underway is infinitely harder than preparing for it ahead of time.

Drawbacks: Most of the work is done by the solution provider or ISP, so the only drawback is the additional cost, but given the importance of Internet access for users and customers, buying DDoS prevention and mitigation becomes a no-brainer.

5. Time to Get SASE (pronounced “sassy”)

What and Why? First, prepare yourself for years of pun after pun built on this novel acronym. It stands for Secure Access Service Edge, and it refers to an orientation of security and network management that is best suited to the modern work environments we see today (hybrid workers, disparate locations, prodigious attack surfaces). To put it simply, it’s a cloud-based way to deliver network and security controls at the point where users connect to the network. This is in contrast to the traditional model of connecting locations and users through a secure tunnel to a primary data center. The traditional, centralized approach creates a chokepoint with a single means of ingress and egress into the corporate network, which allows for easy application of security policies but ultimately erodes the user experience and leaves the door open for shadow IT and the other problems that come with remote locations and users. The new model (SASE) delivers compelling technologies like SD-WAN for easier management of wide area networks and DNS protection to help keep users away from the malicious websites that are the source of malware. There are other aspects of SASE that may be right for your organization, and the good news is that it’s not an ‘all-or-nothing’ proposition. You can make incremental progress toward a SASE model, one technology component at a time. The most important thing to consider is that SASE requires a holistic approach, so as you build toward it one step at a time, make sure those parts can eventually work in unison to make managing your network and security easier, and of course to help keep your organization safer from zero-day and other cyber threats.

Drawbacks: Any time a new technology replaces an old one, there will be a burden placed on IT to both understand it and manage it. A true “total cost of ownership” analysis could make the case that it is not much more expensive than a traditional approach, but some in IT will prefer to cling to what they know before they’re willing to jump into a new security model. Still, most CIOs and CISOs in environments that are ideal for SASE are all but certain this is the right model going forward, as it solves many of the challenges they face with the increased use of cloud applications and the difficulty of managing remote locations and users. According to Security Magazine (1), 64% of organizations are already using or planning to use SASE this year, and you can expect that number to increase.

6. Security & Awareness Training

What and Why? Since almost all attacks involve some sort of phishing or social engineering element, the best way to protect your organization is to make it harder for the hacker to get anywhere near you. Your employees should be fully aware of what to look for and what to avoid when it comes to these attempts at gaining access. Chances are you think a lot of it is common sense, but keep in mind that your organization is only as strong as its weakest link. If someone doesn’t have the same level of sophistication as you, they might open a door for the hacker to begin an orchestrated attack. Several companies have created easy-to-use tools to provide training and compliance tracking for users, so implementing this type of training is as simple as it gets. There are also options to test your users with simulated phishing attacks, helping you identify those who may need a little extra attention and training.

Drawbacks: Other than the bemoaning of some employees who don’t want to take another training class, and the very modest cost of implementing training, there is very little reason not to make this type of training a routine part of your onboarding and annual employee compliance.

Closing the Security Gap

You may be busy putting out fires or trying to create value for your organization through the use of technology, and while those are noble endeavors, remember that even a thriving company can be brought to its knees by a cyberattack. With ever-increasing cyber threats, there are no excuses when it comes to cybersecurity. Every day that you leave a gap in your protection, you provide an opportunity for a hacker or nation-state to do harm to your organization. And whether you’re big or small, whether you provide critical infrastructure or not, everyone is a target and hackers won’t show you any mercy. It’s time to step up our efforts and fortify our defenses.

Not sure where to begin? Give us a call, or take our ransomware preparedness assessment to see where you stand. We’re here to help.

(1) https://www.securitymagazine.com/articles/95436-of-businesses-are-adopting-or-plan-to-adopt-sase-in-the-next-year