Large organizations have the benefit of large security budgets, which bring with them experienced security professionals and expensive security tools. Not all organizations have this luxury, yet they have the same vulnerabilities and security needs. When planning a security posture, make the most of your money by identifying the most critical areas of exposure and applying the most sensible technologies possible.
Anti-Virus – Considered the most common and easily affordable check mark on your security checklist, anti-virus that is up to date and active on all end devices, such as laptops and servers, is a very necessary first step in achieving an effective security posture.
Next-Gen Anti-Virus – 10 years ago, traditional anti-virus solutions covered around 90% of the threat landscape. Today, this legacy understanding of endpoint security gets a lot of security professionals in trouble. Traditional anti-virus covers about 30-35% of the threat landscape, leaving an extensive gap in your security posture if not addressed. Next-gen anti-virus solutions act as a machine-learning or behavior-based engine designed to spot malicious activity, while traditional anti-virus monitors only for “known” malware. This is not always a plug-and-play solution, however; managed outsourcing options are available for those with little security experience or time.
Enforce password hygiene – Hackers love a good “12345” password protecting a user’s laptop, or admin-level credentials with “Admin” left as the default for escalated permissions. There are many ways and solutions to easily enforce good password hygiene; however, none fares as well as getting the team involved with good cyber security practices.
Vulnerability Scanning – Every time a new technology, device, or patch is placed into the network, a possibility for a new access point is created. The burden of vulnerability management is that an assessment done today does not guarantee the security of the same architecture tomorrow. New exploits and vulnerabilities are found and created daily. The only way to ensure your network isn’t an easy target due to bad architecture is to conduct regular scans of your IT topology. Additionally, companies holding critical PI or data of clients and customers should have third-party penetration testing done annually at a minimum.
Have a plan for the unplanned – If you’re not a security professional, you’re not a security professional. Always know who to call in the event of a cyber incident or breach. In the event of a panic attack, it’s always best to have a panic button to press, as opposed to a panic employee to harass. If the budget permits, have an incident response firm on retainer; if not, at a minimum, familiarize yourself with an incident response firm and understand the steps necessary to engage them when the time arises.
This list certainly does not guarantee your success against all cyber criminals. However, familiarity with these simple concepts makes you a hardened target, and more often than not, cyber criminals are like high school bullies: if you’re not easy prey, they will move on to the next possible victim.