July 20, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Important new online resources
CISA has launched a new website stopransomware.gov with a significant collection of interagency ransomware defense guidance. Good stuff there! Read and share.
CISA has also partnered with the FBI and the NSA to produce a great read, providing excellent information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors, along with mitigation strategies and defense techniques to protect your organization against these types of attacks. Fascinating stuff. Good info.
Breaking down those “best practices” for ERISA plans
Last week I introduced the first-ever official guidance on cyber security from the US Department of Labor. I said I liked their list of cyber security best practices so much, I would be talking about it in detail in future newsletters. So let’s look at a few today!
Have a formal, well documented cybersecurity program.
I saw most of you roll your eyes just now! I know, the word “documented” strikes terror into the hearts of many people, especially small business owners. Just remember that your documentation, like the formality of your procedures, should be commensurate with the size and complexity of your organization. If you have only 10 employees, you don’t need (and shouldn’t bother producing) a 50-page network security plan. You can just write a bulleted list of things like:
- Installing antivirus software on all devices and keeping it up to date
- Turning on auto-update for operating system and software applications
- Employee training to guard against things like phishing attacks
- Simple policies for portable media, personal Internet use on company resources, etc.
If you have an IT vendor that manages your network for you, they should provide you with a list of the tasks they perform on your behalf and how often each one is done. They should also give you periodic reports showing that those tasks actually got done, so you have evidence rather than assurances.
Conduct prudent annual risk assessments.
What exactly is a risk assessment? Basically, it means asking yourself these three questions:
- What could happen?
- How bad would that be?
- How likely is it to happen?
Apply these three questions to your information systems. What kind of data do you store? How important is that data to cyber criminals? What are the industries at highest risk and are you in one of those industries? What about something like ransomware that is happening in all industries?
Understand your own risk appetite, because that will impact your answers (especially to number 2) and your response plan. If you aren’t sure, look at your car insurance. How much is your deductible? $250? You have a low appetite for risk. $5,000? Your risk tolerance is pretty high. Now go look at that cyber risk assessment again with your deductible in mind.
Have a reliable annual third party audit of security controls.
Because you can’t grade your own homework, right? It’s hard to catch your own mistakes, and it’s impossible to catch mistakes in things you didn’t know how to do properly, or didn’t know you should be doing at all. This happens All. The. Time. That’s why it’s critical to have an independent third-party assessment. “Independent” means an individual or entity who is not responsible for installing, configuring, or maintaining your information system.
How often should this be done? I like to use the standard of the PCI DSS: after every major change to your system, or at least annually. Get a new firewall? Have an independent third party verify the rule set and the default policy. We once found one that had accidentally been set to “allow all” instead of “deny all,” so that every single protective rule in place was nullified by that one mistaken checkbox. Get a new server? Bring in an outside expert to help you verify groups and permissions, network segmentation, etc. Haven’t made any major changes in a year or so? Time to bring in that third party for a periodic review. It may be that some of your devices have reached end-of-life and need to be replaced, or an employee may have installed a rogue device that has opened up a security hole behind your firewall. It pays to be on the safe side. Ransomware is epidemic right now and you don’t want to catch it.
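Here is what that “allow all” mistake looks like when you check for it with a script instead of eyeballing a console. This is an added example of my own for this newsletter, not something from the DOL guidance or from any vendor. It assumes a Linux host firewall exported in iptables-save format; the two rule sets are constructed samples (the “weak” one reproduces the mistake: a default policy of ACCEPT plus an unconditional accept rule sitting above the real rules; the “hardened” one is the corrected deny-by-default version), and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample dumps in iptables-save format (not from any real system).
# WEAK_RULESET reproduces the mistake described above: INPUT defaults to
# ACCEPT and an unconditional "-A INPUT -j ACCEPT" sits above the real rules.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# HARDENED_RULESET is the corrected version: deny by default, allow by exception.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Built-in chain policy lines look like ":INPUT ACCEPT [0:0]"; user-defined
# chains have policy "-" and are deliberately not matched.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\s+\[")
RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*)$")

Rule = Tuple[str, List[str], str]  # (chain, match criteria, jump target)


def parse_ruleset(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Extract built-in chain policies and -A rules from an iptables-save dump."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            chain, parts = m.group(1), m.group(2).split()
            target = ""
            if "-j" in parts:
                j = parts.index("-j")
                target = parts[j + 1] if j + 1 < len(parts) else ""
                parts = parts[:j] + parts[j + 2:]   # what remains is the match criteria
            rules.append((chain, parts, target))
    return policies, rules


def audit_ruleset(text: str) -> List[str]:
    """Return a list of findings; an empty list means no default-allow problem found."""
    policies, rules = parse_ruleset(text)
    findings: List[str] = []

    # Finding 1: the chains that face the network should deny by default.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"{chain}: default policy is ACCEPT, should be DROP")

    # Finding 2: an ACCEPT with no match criteria is a catch-all. iptables is
    # first-match, so every rule after it in that chain is dead.
    position: Dict[str, int] = {}
    flagged = set()
    for idx, (chain, criteria, target) in enumerate(rules):
        position[chain] = position.get(chain, 0) + 1
        if chain in flagged:
            continue
        if target == "ACCEPT" and not criteria:
            later = sum(1 for r in rules[idx + 1:] if r[0] == chain)
            flagged.add(chain)
            findings.append(
                f"{chain}: unconditional ACCEPT at rule {position[chain]} "
                f"shadows {later} later rule(s)"
            )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"[{name}]")
        for finding in audit_ruleset(text) or ["no findings"]:
            print("  " + finding)
```

On a real box you would feed it the output of `iptables-save` (or the equivalent export from your firewall appliance) rather than the embedded samples. The point of the second check is the one from the story above: the order of rules matters, and one blanket “accept” near the top quietly turns everything below it into decoration.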
Enough for this week? I think so!
Talk to you again soon!
Security Awareness Training Goes Live Again!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺