Uncle Sam Wants YOU!
“The federal government can do a lot but cyber defense starts at the desktop. 85% of cyberattacks start with somebody clicking on a phishing email… Government is doing a lot but individuals have to do it too… Conflict normally is something you think of between armies and navies. In this case, the target space is in the private sector… The private sector needs to step up and develop a defense over the next week.”
Senator Angus King (I), March 2, 2022
Senator King sits on the Committee on Armed Services and the Committee on Intelligence. Politically, he’s Independent. On March 2nd, he was on the major cable news programs delivering the message quoted above. On March 1st, the Senate passed a cybersecurity bill that would require operators of critical infrastructure to report significant cyber incidents to the Federal government.
Back up just one week. In the same week that Russia invaded Ukraine, Nvidia, the most valuable semiconductor company in America, disclosed that it had been hit by a cyberattack. CNN was reporting about the breach of Ukraine’s border while CRN (a leading IT technology and security news source) was reporting the breach at Nvidia.
Nation-state border wars are fought by armies. Cybersecurity is fought one employee at a time inside every business that is connected to the Internet. The new Senate Bill and the message from Senator King are trying to press all of us to understand how connected this is.
Cybersecurity Essentials Checklist
We are not writing this article for giant corporations that can afford the protections of Nvidia or nation-states caught in the crosshairs of international cyberwar. But leaders of all organizations need to understand that one mistake by one employee is all it takes for the trouble to start. Your business may be physically located in a nice neighborhood, but your data lives on the world wide web.
Here are the five essential best practices that every company needs to implement:
- Multi-Factor Authentication (MFA) – A cyber attack often starts with a stolen username and password. With MFA, a bad actor needs more than just those credentials to reach an organization’s network or critical data. MFA is a quick and easy way to add an essential layer of security. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or phished. EO Advisor recently dedicated a whole article to MFA.
- Password Length and Strength – Hackers use brute force computing power to try millions of passwords in a matter of minutes, and far more than that when they are cracking a stolen password database offline. Every additional character multiplies the number of guesses an attacker must make, so length matters more than forcing a special character into an eight-character password: a long passphrase is both stronger and easier to remember. Passwords that have already appeared in a public breach should be rejected outright, no matter how complex they look. Incredibly, short and reused passwords remain a major vulnerability today.
- Vulnerability Scanning and Remediation – Scanning software conducts a detailed inspection of servers, workstations, and network equipment, searching for weaknesses such as out-of-date software, blank or default passwords (e.g., on a printer’s administration page), and general misconfigurations that can create a back door for hackers. The scan is only half the job: the findings must be patched or fixed, starting with the ones that are reachable from the Internet. Digital Defense provides high value for organizations looking to up their game.
- Security Awareness Training – Phishing is very sophisticated. Smart employees make mistakes. Senator King cited the estimate that 85% of cyberattacks begin with phishing. Formal training using an independent 3rd party like KnowBe4 provides a safe way to educate team members about phishing attacks. Explaining the problem is not sufficient. Simulated phishing campaigns uncover employee lapses and provide immediate feedback in a safe context, and the click rate from each campaign tells you whether the training is working. This training technique makes a critical difference.
- User Permissions (The Principle of Least Privilege) – Not everyone needs access to everything. Universal access is easier to administer, but it makes it easy for hackers to move through the entire network. For example, hacking a new employee in the HR department can let a bad actor worm their way into a server where financial accounting data is stored. Applying least privilege (including not giving day-to-day accounts administrator rights) provides a roadblock that can stop a hacker from gaining access to everything.
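The password item above says that length beats complexity and that breached passwords should be rejected. The following script is an added example, not code from EO Advisor or from any vendor named in this article. It puts numbers on that claim: it computes how many guesses a brute-force attacker needs for a given password policy, converts that to time at assumed guess rates, and checks a candidate password against a breached-password list. The guess rates and the breach list are constructed for illustration and are not measurements of real cracking hardware or a real breach corpus.

```python
"""Added example (not from the article): why password length matters more
than symbol rules, and why breached passwords fail regardless of complexity.
Guess rates and the breach list are assumptions made for illustration."""
import math
import string

# Assumed attacker guess rates in guesses per second (illustrative orders of
# magnitude, not measurements of any particular hardware).
ONLINE_RATE = 100            # throttled login attempts against a live service
OFFLINE_FAST_HASH = 10**10   # cracking rig against a stolen fast hash (e.g. unsalted SHA-1)
OFFLINE_SLOW_HASH = 10**5    # same rig against a deliberately slow hash (e.g. bcrypt)

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for a real breached-password corpus.
BREACHED = {"password", "123456", "Welcome1!", "Summer2022", "P@ssw0rd"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, based on the character
    classes actually present in the password (lower, upper, digits, punctuation)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(length: int, charset: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return charset ** length


def seconds_to_exhaust(length: int, charset: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, charset) / rate


def compare_policies(rate: float = OFFLINE_FAST_HASH) -> dict:
    """Years to exhaust the keyspace for several common policies, at one rate.
    Shows that 16 lowercase letters outlast 8 'complex' characters by far."""
    policies = {
        "8 chars, all printable ASCII (94)": (8, 94),
        "12 lowercase letters (26)": (12, 26),
        "12 chars, all printable ASCII (94)": (12, 94),
        "16 lowercase letters (26)": (16, 26),
    }
    return {label: seconds_to_exhaust(n, cs, rate) / SECONDS_PER_YEAR
            for label, (n, cs) in policies.items()}


def assess_password(password: str, breached=BREACHED,
                    rate: float = OFFLINE_FAST_HASH, min_length: int = 12) -> dict:
    """Verdict for one candidate password. A breached password is rejected
    outright; otherwise the minimum is length, not character mix."""
    cs = charset_size(password)
    space = keyspace(len(password), cs)
    entropy_bits = math.log2(space) if space > 0 else 0.0
    is_breached = password in breached
    return {
        "length": len(password),
        "charset": cs,
        "entropy_bits": round(entropy_bits, 1),
        "years_to_exhaust": seconds_to_exhaust(len(password), cs, rate) / SECONDS_PER_YEAR,
        "breached": is_breached,
        "acceptable": (not is_breached) and len(password) >= min_length,
    }


if __name__ == "__main__":
    for label, years in compare_policies().items():
        print(f"{label:38s} {years:>14.2e} years at {OFFLINE_FAST_HASH:.0e} guesses/s")
    for pw in ("P@ssw0rd", "Tr0ub4d!", "correct-horse-battery"):
        print(pw, assess_password(pw))
```

Running it shows that eight characters drawn from the full printable set fall in about a week at the assumed offline rate, twelve lowercase letters take months, and sixteen lowercase letters take over a hundred thousand years, while "P@ssw0rd" is rejected instantly because it is on the breach list despite satisfying every composition rule.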
We hope readers of EO Advisor can utilize these essential best practices as a checklist to make sure that these initiatives are up to date. If you are reading this and your company has not implemented all five of these, please treat this as an urgent priority.
A company that is too small to be in the S&P 500 can be forgiven for thinking that its corporate security and national security are two different things. When it comes to cybersecurity, they are connected more intensely than ever before.