The conventional wisdom on cyber-security is to play defense and respond quickly to breaches. But can your organization be proactive?
This article is from FRA's sister company, Compliance Week.
Perhaps it is extreme to pay “white hat” hackers to probe vulnerabilities in your organization’s computer network. Or to pay for a monthly report that tells you whether any of your employees’ passwords or personal information is being bought and sold on the “dark Web.” Or to ask “hard questions” of each and every one of your third-party suppliers.
But these are not normal times. Implementing proper “cyber-hygiene” in the era of coronavirus is important as companies tighten up their cyber-security protocols for their remote workforce, according to the Cyber Threat Alliance (CTA), a group that facilitates information sharing among cyber-security professionals.
Some tips include not reusing passwords and making them complex; using multi-factor authentication wherever possible; installing reputable anti-virus software with real-time protection; and keeping all operating system software up-to-date, the CTA suggests.
ABD Insurance & Financial Services (ABD), a California insurance broker, moved its entire workforce onto a virtual desktop system a few years ago. A virtual desktop is much more difficult for hackers to access, said Brent Rineck, ABD’s chief information officer.
Once employees are logged into the company’s virtual desktop, nothing they input on their remote access point is saved on the remote device.
“Once you’re in (the virtual desktop), it’s as if you’re in the office,” he said.
ABD also has all employees sign a remote worker agreement, which requires workers to acknowledge the company’s cyber-security protocols and to check in with superiors or colleagues several times a day. Employees also pledge that no one else is doing their work.
Rineck says it’s one more way for a company to reinforce work-from-home standards.
The best way for companies to protect themselves from cyber-attacks is to properly train their employees, said Keith Wojcieszek, a managing director in Kroll’s Cyber Risk practice and a former head of the Cyber Intelligence Section within the United States Secret Service Criminal Investigation Division.
Help your employees not only learn how bad actors will attempt to infiltrate your company’s inner workings, but also help them understand the risk.
“If people are still clicking on bad links, the majority of technical security measures you put into place are going to be completely ineffective,” he said.
There are more proactive measures to examine, as well.
Companies should consider installing endpoint-monitoring software that watches every endpoint—every laptop, every server, anything that is connected to the internet—for signs of a potential attack.
“Knowing what is on your system will really help you mitigate attacks like these,” Wojcieszek said.
Kroll is one of many companies that offer comprehensive threat and vulnerability assessments to their corporate clients.
Another option is crowdsourced “white hat” hackers who can help companies identify and fix vulnerabilities.
Bugcrowd, a California startup, uses “a remote workforce of highly skilled researchers … [that] can provide pen tests, attack surface assessments, and staying ahead of the bad actors,” said Bugcrowd CEO Ashish Gupta.
As for dark Web reports, there are lots of vendors out there. Rineck says ABD’s provider, Rigid Bits of Colorado, is “relatively cheap” and, every so often, finds something of concern.
Cyber-attacks only getting worse
Last year saw a significant rise in the number of cyber-attacks, cyber-security professionals say, especially against public and nonprofit organizations.
“This was the reality before COVID-19. Things have become considerably worse in the months since,” wrote a coalition of business, technology, and cyber-security groups in a recent letter asking Congress to dedicate more funds to help state and local entities strengthen their cyber-defenses.
Having so many people working remotely has increased opportunities for hackers and other bad actors to launch cyber-attacks. That goes for third parties as well.
“You may have your house in order, but your greatest vulnerability may be in your supply chain,” said Colin Zick, partner at Foley Hoag and co-chair of its Healthcare and Privacy and Data Security practices. “You’re only as good as that next level down and the next level after that.”
Limit third-party access to only those portions of your network and database that they need to do their jobs, he said.
Compliance professionals are increasingly worried about cyber-security risks among third-party suppliers, according to a recent poll of 145 practitioners by the advisory firm Gartner. Over half (52 percent) of those surveyed said cyber-security and data breaches are “the most-increased third-party risk their organizations face.”
“Remote working has been hastily adopted by suppliers to keep their business running, so it’s unlikely every organization or employee is following best practices,” said Vidhya Balasubramanian, managing vice president in the Gartner Legal and Compliance practice. “The most progressive companies have approached this crisis as an opportunity to clarify and streamline compliance obligations, strengthen current relationships, and focus their risk management efforts on the most critical, urgent risks.”
Zick says the best defense against cyber-breaches within your company’s supply chain is to use reliable and trusted third parties that have answered hard questions about their virtual work environment and the limits of their insurance coverage.
“Does it seem like a lot? Sure, it does,” he said of the probing questions. “But compare that to what it would cost you if there was an incident.”