By: Pillar Technology Partners Incident Response Team
Top-of-the-list Cybersecurity for 2021
Business Email Compromise threats (phishing, malware, ransomware etc.) are at all-time highs. The pandemic, the approaching holidays and so many people working remotely have created a perfect storm for cyber criminals. Their tactics are ever evolving, they take advantage of holidays and confusing times, and their intent is absolutely malicious.
There has never been a more critical time for smart cybersecurity practices. If funding security is a low priority in your 2021 budget, here are some reasons to reprioritize.
Funding cybersecurity doesn’t have to feel expensive. You can create a prioritized approach that fits your budget. Start by identifying your highest risks and spend there first.
No security strategy is the worst security strategy.
In some variation, almost every breach response we’re involved in centers around poor cyber hygiene, either within IT and security operations or on the part of users. Here are common blind spots that we see recurring:
1. Conflicting cyber culture (No ownership and/or leadership support for security)
2. Lack of MFA, password management and patch management
3. Poorly configured cyber tools (or no configuration)
4. Inconsistent or no vulnerability management
5. Unenforced security policies and procedures
These are textbook risks that make it very easy for cyber criminals to ruin your holidays. But keep in mind, most breaches can be prevented with some basic best practices.
If you don’t want to be the next cyber victim, you can’t wait any longer to develop your strategy.
Let’s take a closer look at these risks.
1. Conflicting cyber culture (No ownership and/or leadership support for security)
There are a lot of moving parts in cybersecurity. It can be overwhelming and feel like cybersecurity should be driven by IT. It’s technology, right? Kinda, but not completely. Cybersecurity is an enterprise risk. It impacts people, process and technology. A technology-only approach creates a culture of dependence that IT can never live up to or fully support.
Operationally, IT is trying to keep the lights on and support the technology that runs the business. Protecting the data most often gets de-prioritized.
Cybersecurity is focused on protecting information assets (data). It is most dependent on employee behavior. How are they protecting their information and the company’s information? Cyber criminals are mounting social attacks, and IT is building firewalls. This misalignment creates blind spots and undetected breaches.
When the executive leadership team does not recognize where real cyber risks exist, the organization will not understand it either. Smart cybersecurity begins with priority from leadership and developing a culture of awareness that is both visible and important to the organization.
2. Lack of multi-factor authentication, password management and patch management
Cyber hygiene is about basic discipline we need to be practicing both personally and organizationally. Our biggest enemy is convenience. We want quick and easy access to information. But we don’t want to perform basic practices because they require a little setup and a couple of extra clicks. Busyness creates an illusion of inconvenience and false security.
Personally, cyber hygiene means enabling MFA (Multi-Factor Authentication) on all your email accounts, bank/investment accounts and your social media accounts to start. Secondly, it means using a password manager. Never reuse passwords. Reuse gives cyber criminals easy access across your digital footprint: when they learn one password, they have access to your entire digital portfolio of accounts.
Organizationally, you should also deploy MFA across the enterprise, know what your critical assets are and where they live, create a patch management process and perform regular vulnerability scans and remediation.
Cyber hygiene is as fundamental as blocking and tackling. Technology is becoming smarter. However, it can’t think for us and manage our behavior. We MUST develop clean cyber habits, and MFA is a great place to start.
3. Poorly configured cyber tools (or no configuration)
Utilizing security tools is an important technology component of your cyber strategy. However, it’s more than plug-n-play.
Protecting your email is a major focus for your security tools. The migration to o365 has presented major security risks. Microsoft makes a great productivity tech suite, but cybersecurity blocking, alarming and adjustment to meet user behaviors is very difficult for
The most important thing to think about is defense-in-depth. What does that mean? It means that you must have multiple tools configured and tuned to protect effectively in different ways. This starts with understanding your environment: your architecture (on-prem, cloud, hybrid), your data flow, and identity & access management.
There are many different security tools, and each one seems like a silver bullet. Harmonizing the tools in your environment involves a lot more than reading the instructions on the box.
4. Inconsistent or no vulnerability management
Protecting your data requires a very dynamic strategy. Technology is changing, threats are changing, new technology is emerging. But developing, maintaining and maturing your cyber strategy means you have to know your environment.
To protect a dynamic environment, you have to develop a dynamic strategy, one that continuously monitors and remediates your risks and vulnerabilities. Creating a vulnerability management program is a proactive approach to keeping your environment updated and protected from emerging threats and changes in risks and vulnerabilities.
Don’t wait to react to a breach. Be proactive and prevent or block attacks. Breach prevention is MUCH cheaper than breach response.
5. Unenforced security policies and procedures
To drive the importance of security throughout an organization, there have to be guidelines that are both executable and enforceable. In short, this is security governance.
If people don’t understand what security means for the organization and how to comply with the rules, there is great security risk. Don’t leave security to guesswork. Make it clear, important and enforceable.
These are some of the basic principles for a secure organization. Practicing these fundamentals will not eliminate all your risk. However, these are foundational to building a solid program without breaking the budget.
Security begins with the right culture. Don’t ignore the risk because it feels expensive. Many aspects of good cyber hygiene do not require additional investment. If you don’t know where to start, find an expert that can guide you.
Your people and your business are worth your investment in security.
Pillar Technology Partners is an experienced cybersecurity consulting firm. We focus on simplifying cybersecurity and helping organizations understand and remediate their cyber risks.