
With the internet and advances in technology, the world is becoming more connected. This has enhanced our ability to communicate, provide education, and do business. Organizations around the globe are both taking and seeking opportunities to connect into this infrastructure. But as the ease of doing business has increased, so has the risk of a breach. According to an FBI report, cyber complaints and losses over the last five years have reached 2.76 million complaints and $18.7 billion in losses.[1] In the last year, ransomware-related breaches increased by 13% (more than in the past five years combined) and were responsible for nearly 50% of all system intrusion incidents. Eighty-two percent of the breaches reported involved stolen credentials, phishing, misuse, or human error.[2] In its report, the FBI identified 16 critical infrastructure sectors, and government ranked fifth as a targeted victim of ransomware.

While the internet poses numerous cyberthreats, here are five actions you can take to help mitigate your organization’s cyber risk:

1) Know Your Inventory

Understanding what you have and how it’s used to process data is key. An inventory assessment should be completed to account for physical assets, such as servers, routers, firewalls, switches, workstations, printers, etc., as well as software. An important part of this is the classification of data. Identifying which information is most critical for protection can help your organization classify the systems and databases that support this more sensitive data. It also can help your organization prioritize these systems and better invest in the security budget.

Common levels of data classification:

  • Confidential, e.g., proprietary, financial, personnel files
  • Restricted, e.g., supplier contracts
  • Internal use, e.g., organization memos
  • Public, e.g., press releases

2) Educate Your Team

Technology isn’t a substitute for educating employees, board members, executives, and vendors. Document and distribute your organization’s security and acceptable use policies, inform employees about the risk of shadow IT products, and advise them on how to acquire what they need through the appropriate channels. As part of the information security and cybersecurity awareness program that should be delivered to employees each year, management should educate employees on the proper use of technology assets and systems, including reporting back to management any perceived issue that could compromise the integrity of data. This is usually completed through onboarding and the annual acknowledgement of the organization’s security and acceptable use policies. The organization should also provide periodic news alerts about security breaches and cybersecurity awareness reminders, and should evaluate employee understanding through surveys, training courses, and acknowledgements of internal communications. The same training avenues can be used for awareness training of executive management, the board of directors, and vendors.

The organization should acknowledge the benefit and risk of shadow IT products (such as cloud services, software, hardware, and personal devices). For example, if personal devices are allowed, the organization should implement acceptable use policies and develop annual acceptance and training for continued usage.

3) Limit Access

The principle of least privilege is crucial when it comes to both physical and virtual access. Organizations should control administrative privileges and limit access to only those functions an individual needs to perform job tasks. Don’t forget to maintain good physical security as well; make sure guests, service delivery personnel, and vendors are properly vetted and escorted when in sensitive facility areas.

The organization should develop access protocols that match the type of individual(s) visiting your facility. For example, guests should have a documented request on file prior to their arrival that includes approval, purpose, and required identification. For vendors, consider not only being able to properly identify them upon arrival, but also writing identification and access requirements into their service agreement to protect both entities. Service agreements should cover thorough background checks of vendor employees, applicable cybersecurity and privacy laws, and implementation of an information security program.

4) Plan, Prevent, & Prepare

Consider implementing controls to help mitigate the potential risk caused by your fellow workers, such as locking laptops when they’re away from their workstations and filtering out suspicious emails addressed to employees. This also is a great opportunity to look out for shadow IT products that may exist in your environment.

Another security measure includes developing a cyber incident response program with a policy that’s communicated across the organization.

Incident response programs provide the framework that guides an organization’s response efforts. Fortunately, plenty of guidance is available to assist with this work, including the National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide (NIST SP 800-61) that outlines the four key phases of any incident response effort:

  1. Preparation: Organizations should build out their incident response programs before disaster strikes, putting policies, procedures, and technologies in place to facilitate an effective response.
  2. Detection and Analysis: The faster a cybersecurity team can identify an incident taking place, the faster it can swing into action to reduce the impact of a breach.
  3. Containment, Eradication, and Recovery: The incident response team’s top priority is to contain the damage, limiting the scope of an incident. Once that’s done, it can move on to eradicate the effects of the incident and recover normal operations.
  4. Post-Incident Activity: After each incident, the team should gather to review lessons learned and improve the organization’s processes before the next incident response plan activation.

Organizations should structure their own incident response programs around this guidance, which draws on the collective experience of the cybersecurity community.

You also can consider cyber insurance if you don’t already have it. Most contractors have seen premiums for cyber policies rise in recent years, and the requirements to obtain a cyber policy also have forced many contractors to improve their IT security practices.

5) Establish Backups

Implement a regularly scheduled backup program that meets your organization’s needs and records retention requirements. It’s recommended that backups be stored at a different location, so that a single incident at your primary site cannot affect both the production data and the copies.

There are benefits to using cloud-based backups, such as storage cost, accessibility, improved recovery, and continuous syncing of files. In addition, cloud-based backups could improve mitigation and/or recovery against ransomware attacks. Also, remember to back up not only the data but the applications as well.
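The backup advice above has two practical checks that are easy to miss: a backup you have never restored is not known to be restorable, and copies kept past the retention period are both a storage cost and a data-retention liability. The following script is an added example and is not FORVIS code; it illustrates one way a scheduled backup job can archive a directory, record a per-file SHA-256 manifest beside the archive, prove the archive restores correctly into a scratch directory, and then prune archive/manifest pairs older than the retention window. The archive naming scheme, the 30-day retention window, and the sample files are all assumptions.

```python
"""Added example (not FORVIS code): scheduled backup with an integrity manifest,
a restore test and retention pruning. Naming scheme and retention window are assumed."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_DAYS = 30            # assumed records-retention window; set from your policy
STAMP_FMT = "%Y%m%dT%H%M%SZ"   # assumed naming: backup-<UTC stamp>.tar.gz


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest: Path, stamp: str | None = None) -> tuple[Path, Path]:
    """Archive `source` into `dest` and write a manifest of file hashes beside it.
    The manifest lets a later restore be verified even if the source has since
    been encrypted or deleted."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime(STAMP_FMT)
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = dest / f"backup-{stamp}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest.write_text(json.dumps(hash_tree(source), indent=2, sort_keys=True))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> tuple[bool, list[str]]:
    """Restore the archive into a scratch directory and compare each file with the
    manifest. Returns (ok, problems) so the caller can alert on a failed restore."""
    expected = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):   # Python >= 3.12 and backports
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        actual = hash_tree(Path(scratch))
    problems = [f"missing: {n}" for n in expected if n not in actual]
    problems += [f"unexpected: {n}" for n in actual if n not in expected]
    problems += [f"hash mismatch: {n}" for n in expected
                 if n in actual and actual[n] != expected[n]]
    return not problems, problems


def prune_backups(dest: Path, retention_days: int = RETENTION_DAYS,
                  now: datetime | None = None) -> list[Path]:
    """Delete archive/manifest pairs older than the retention window."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    removed: list[Path] = []
    for archive in sorted(dest.glob("backup-*.tar.gz")):
        stamp = archive.name[len("backup-"):-len(".tar.gz")]
        taken = datetime.strptime(stamp, STAMP_FMT).replace(tzinfo=timezone.utc)
        if taken < cutoff:
            for victim in (archive, dest / f"backup-{stamp}.manifest.json"):
                if victim.exists():
                    victim.unlink()
                    removed.append(victim)
    return removed


def run_backup_job(source: Path, dest: Path) -> dict:
    """One scheduled run: back up, prove the restore works, then prune.
    Raises instead of silently keeping an archive that failed its restore test."""
    archive, manifest = create_backup(source, dest)
    ok, problems = verify_backup(archive, manifest)
    if not ok:
        raise RuntimeError(f"backup {archive.name} failed restore test: {problems}")
    pruned = prune_backups(dest)
    return {"archive": archive, "verified": ok, "pruned": [p.name for p in pruned]}


if __name__ == "__main__":
    # Constructed sample data: a throwaway source tree and an "offsite" destination.
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "records").mkdir(parents=True)
        (src / "records" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "config.json").write_text('{"app": "demo"}')
        print(run_backup_job(src, Path(work) / "offsite"))
```

In a real deployment the destination would be a mount or bucket at the separate location the text recommends, and the job would run from a scheduler with the manifest copied to a second location as well, so that a tampered manifest cannot mask a tampered archive. Backing up the application binaries and configuration alongside the data, as the text advises, is just a matter of including those directories in `source`.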

IT Risk & Compliance professionals at FORVIS are dedicated to helping public sector entities assess their cybersecurity risks, improve their cybersecurity protections, and respond to a breach. For insights on the dark web and additional recommendations to help you mitigate risk, check out our website.

If you have any questions or need assistance, reach out to a professional at FORVIS or submit the Contact Us form below.
