:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/HN7Q46SPHT733C4QI2IKJJRTKY.jpg)
:fill(white):background_color(white)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/BHJJYYB5LSPCRVJO4X42HE22GA.png)
It may not be possible to make an organisation completely cybersecure, but there is a lot that can be done to make life difficult for the hackers.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/AKPGPWENSLIZQI35XUFKBTUAAA.jpg)
How can organisations assess their vulnerabilities and determine their cyber risk exposure?
1 Embed a security culture into the organisation
Security consciousness at all levels is a prerequisite for best security practice, according to Eamonn Larkin of ITAG Skillnet, the business network for companies of all sizes in the technology sector in the west, north-west and mid-west regions. “You need to build a culture of security into the organisation,” he says. “This involves awareness building and training on the modes and vectors of attack for employees at all levels. This is not a checkbox activity. Organisations need to understand their training needs. It might not be major programmes or events and it may be more about doing little things more often. Social engineering and phishing are the attack vectors of choice for cyber criminals at the moment and people must be educated about how to spot them.”
That culture should also involve an alignment of security strategy with business priorities, according to Carolyn Drury of Hewlett Packard Enterprise. “By understanding the gaps between business and cybersecurity priorities, your board or executives can align both strategies to ensure key priorities are focused, and resources and budgets are allocated accordingly.”
2 Trust no one
Zero trust is a concept increasingly being applied in the network security world. It means people are only allowed access to a network for a specific activity and nothing else. If they try to do anything else or access a restricted area they are locked out. “You don’t know where an attack is going to come from or what is going to be targeted,” says Huawei senior security adviser Colm Murphy. “At Huawei we have the ABC mantra – assume nothing, believe no one, check everything. In a world of cloud, an organisation’s systems and data are not in one place anymore. Some are in cloud, some on premise, some in people’s homes. The attack surface has grown, and the hackers have more things to target. A zero-trust approach means that you don’t fall into a false sense of security.”
3 Layer on the authentication
Most people are by now familiar with the strong customer authentication (SCA) security layer being applied by banks. It requires an additional piece of identity verification before allowing a transaction to go through. This is known as multi-factor authentication and it should be incorporated in all networks, according to Eamonn Larkin. “It means that when someone wants to get into the network there are multiple layers of authentication to go through. They will need a username, a password, and another, like a text to a mobile device, a fingerprint or another piece of biometric information. That makes sense.”
4 Back it up
There is no excuse for not regularly backing up data and systems. “It’s not if you get hacked, it’s when you get hacked,” says Edgescan chief executive Eoin Keary. “Organisations need to understand that it will happen. Mistakes happen so they need to back up their data. The big issue is the frequency of backups. If you back it up every 12 hours you are in a very good position. Some organisations are not really backing up at all and their exposure is very high.”
"The standard recommendation for backups is to follow the 3-2-1 method: three copies of the data, using two different systems, one of which is offline – and test your ability to perform a restore," adds Sophos enterprise account executive Brian Murray.
5 Test, test and test again
You will only know the true strength of your cyber defences when they are put to the test. “Know your attack surface and fix vulnerabilities before a hacker finds them,” says Carolyn Drury. “Cyber vulnerability analysis, also called security testing or pen testing, is a process of testing to assess your organisation’s security posture and identifies your vulnerabilities before an attacker has the chance to exploit them. This process provides insights into the risks that organisational assets are exposed to, from external and internal perspectives. It can also help to identify potential security gaps prior to formal compliance assessments or audits.”
6 A patch in time saves a bunch of trouble
Organisations need to apply new security patches for operating systems, web browsers and software on devices as soon as they become available. "This is a must," says Ciara O'Reilly of Three Ireland. "It is covered by most traditional mobile device management and unified endpoint management systems. Ensuring a device has the latest security updates and patches can be controlled and enforced using these systems."
Eoin Keary points out that most hackers are looking for vulnerabilities people have known about for years but organisations are not fixing them quickly enough. “If you do a pen test and get a clean bill of health today you can find that you are not secure the next day because of a new vulnerability announced. Nothing has changed in the system but there is a new vulnerability, and you must apply the update to fix it.”
7 Watch out for the weakest link
It’s not only the technology that needs testing. People need to be put through their paces as well. “Companies should run simulations where they send out fake emails and see how staff react to them,” Eamonn Larkin says. “And they shouldn’t ostracise or punish people for getting it wrong. They need to create the psychological safety for people to make mistakes and admit to their lack of knowledge.”
"Conducting these simulations provides staff with the training and awareness they need to spot a potentially genuine attack and over time strengthen an organisation's security defence," adds Sarah Hipkin of Mazars. "If a staff member falls for the test, they receive an instant 'teachable moment'."
8 Ensure strong passwords throughout your organisation
No, your date of birth or your childhood nickname is not a good password. “We recommend users adopt a strong password that is not identifiable to that user and is unique to other passwords,” says Ciara O’Reilly. “Hackers or bad actors often use identity attacks to break passwords. They gather this information from social media on users which helps them build a profile. A phrase, a lyric from a song or sentence from a poem are advisable.”
9 Close off the access routes
With the massive shift to remote working lots of people are using remote desktop protocol software to access the workplace networks. Brian Murray of Sophos says that this should only be allowed to access the network and nothing else. “Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN or ‘zero-trust’ network access connection and enforce the use of multi-factor authentication. Remove devices and accounts from the network when the employee using them leaves.”
10 Be ready when it does happen
The odds are stacked heavily against an organisation avoiding cyberattacks in the long run. That means they need to have strong resilience and recovery plans in place. “It’s going to happen at some stage,” Eamonn Larkin says. “Everyone in the organisation needs to know what to do when it happens. You need a playbook to guide you through, which tells you what to do in the event of a breach, who is doing what, who is dealing with media, customers, regulators, and so on.”