Every year the number of cyber attacks against the private and public sectors rises, and their increasing intensity has governments and industries alike concerned. It is important now more than ever for businesses to understand the reality and ramifications of these attacks and make cyber hygiene an integral part of any business success.
Cyber hygiene refers to the policies, procedures and systems — or pillars — that users and organizations employ to keep their systems healthy and secure.
I’ve spoken with a number of our region’s IT experts to help articulate the merits of cyber hygiene. The digital era requires we instill proactive, reactive, strategic and tactical practices in our daily logistics around data security and privacy.
With that in mind, here are seven pillars of cyber hygiene — and comments from area experts — as a guide to the latest thinking around cybersecurity layering.
Roger Mitan, chief technology officer of BlueBridge Networks, said, “Many cybersecurity breaches occur due to unpatched systems. Additionally, many systems failures are a result of a mismatch of patches, where systems patches and software patches aren’t on matching levels, leading to software and systems failures. For these reasons, patching is a vital part of this pillar. The other part of this pillar is properly monitoring systems and their associated patches. A good monitoring suite of tools will provide information on patch levels so systems administrators can stay up to date and avoid the aforementioned issue.
“It is important to utilize a monitoring suite which can quickly alert administrators to systems failures and security breaches. Too often, systems and security issues can go unnoticed until they become much larger and cause global outages or massive private data leaks. The monitoring suite of software which IT organizations utilize can prevent these issues from spreading by immediately notifying and even automatically intervening to stop these issues from spreading.”
Just as important as having a backup is having more than one level of them to rely on. When it comes to most things in IT, I follow the rule of threes, which, in this case, means having at least three layers of backups.
Mitan advises, “The first level is going to have the quickest recovery time and will usually be used the most often. An example of this would be having Windows Volume Shadow Copies for file servers or log file backups for SQL servers frequently scheduled to run throughout the day. These can be used to recover data quickly in the case of an accidental individual file or data deletion or corruption scenario.
These three levels combine to provide a backup system that supplies the confidence that your organization can recover data no matter the cause or scale of data corruption or loss.
Multi-factor authentication (MFA) is a form of security that requires a user to provide more than one form of verification to gain access, and it is becoming a standard, specifically when accessing sensitive data or private networks. Examples of authentication methods include hard/soft tokens, mobile authentication, and biometric authentication, such as retina and fingerprint scanning.
Jeremy Dodge, manager of operations at BlueBridge Networks, said, “This additional layer of security atop a strong password can significantly mitigate the chances of a breach or compromise of your data. You are seeing its implementation all across the internet, from social media sites, to banking institutions, to personal email. It is good practice, wherever your personal data may reside, to check if the option is available and if so, to enable it.”
This is by no means a new concept, but micro-segmentation has been revolutionizing the data center more and more rapidly within the last two years. According to Michael Hudak, account executive at BlueBridge Networks, “By utilizing NSX Micro-Segmentation, you can create security rules that apply directly to each Virtual Machine, which allows you to not only put a specific firewall on each VM, you can put a firewall in between each VM. You can even put in global policies to encompass your entire environment. These new applied modalities to virtual network securities allow the user more flexibility and options on how they protect their data.”
“Encryption refers to the use of a specific algorithm to secure electronic data in a manner that prevents the data from being accessed and/or utilized by an unauthorized person,” said Michael Stovsky, partner and chair of the innovations, information technology and intellectual property group at Benesch. “The algorithms used to encrypt data are varied as is the strength of encryption employed. And the bar with respect to what is considered a reasonable method and strength for encrypting data at rest and in transit increases frequently. What was considered reasonable a year ago may not be reasonable today as technological advances and the ease of implementing encryption increase.
“Encryption in some cases is required by law or regulation, but has mainly taken on the status of a best practice in most cases where data protection laws, rules and regulations mandate that appropriate methods be used to protect data,” Stovsky noted. “Also, in some cases the use of encryption to protect personal data can be helpful in reducing legal requirements such as the notice requirement under some data breach notification laws. Whatever your company does, and wherever your company operates, a consideration of whether and to what extent encryption can play a role in effective cyber hygiene should be undertaken.”
Adopting a policy of least privilege — only allowing a user access to the information and programs necessary for their job — minimizes cyber exposure.
Tom Aumiller, director of information technology for Maloney + Novotny, explained, “For a ‘standard’ user account this means granting the minimum rights needed for that user to perform their job duties. Here are two common issues we see during our audits. First, all users have local administrator rights to their desktop/laptop computer. These rights allow them to install software, including malware or virus strains delivered through spam or fake web links. If you remove their local administrator rights, they cannot unknowingly install a dangerous, executable file onto the computer. The second common issue involves users who periodically need ‘superuser’ or administrator privileges to perform their duties. These are often IT support positions. During their normal workday they may not always need these privileges. In these instances, we recommend having two accounts, an ‘a-’ account used only for administrator functions and a ‘standard’ user account with the least privileges policy applied. That way, the administrator account is only used when required, thus lowering cyber risk through least privilege. It is easier to ‘open a window’ when someone needs it, than to run around closing windows and doors once an intruder gains access.”
We live in a data-centric world where as soon as we gather information, we are disseminating it. We find ourselves in the midst of a proliferation of data. It offers tremendous advantages as far as timeliness and efficiency, yet the flip side is security and corporate responsibility. There are 1,001 ways to rob the bank. You only have to come up with 1,002 ways to prevent it. You can explore more on this important topic here, which is one of my favorite resource links.
Article originally published on Crains Cleveland