In 2017 alone, $5 billion was extorted from businesses using ransomware, software that encrypts your files until you pay the criminals. In another attack that took advantage of the Internet of Things (IoT), cyber criminals were able to leverage 10,000 security cameras and DVRs to take down popular websites across the internet. Not scary enough? It is important to acknowledge that none of us are above these attacks, and anything connected to the internet is a potential target for hackers.
It is bewildering to me that even the most unsophisticated attacks still consistently work for cyber criminals. Many companies experience the initial breach due to an employee clicking on a link in a phishing email or merely using weak or re-used passwords. You can set up network perimeter guards and put the latest equipment to use in securing your company’s data, but in the end, your users will pose the greatest threat of initial entry.
An excellent information security awareness policy and training program can help mitigate the human factor, and following the suggested best practices below is a good way to start down the road to a secure network environment.
Password Complexity and Protection
Change default passwords on all your network devices. The IoT attack mentioned earlier in this blog was a simple case of the hackers using the password provided by the manufacturer to gain access to the devices. These passwords can be looked up very easily, so one of the first things to do when purchasing a new router, for example, is to change the manufacturer's password to something unique to you.
In addition, ensure passwords are complex. Passwords like “123456” or “qwerty” are still some of the most common passwords in use. They are trivial for cyber criminals to guess. Following a few best practices for password creation, like the ones below, should solve that issue:
- Each user should have their own unique password with a 12-character minimum.
- Passwords should contain alpha-numeric, upper- and lower-case characters.
- Arrange the characters in a nonsensical order; predictable patterns are far easier to guess.
Simple, yet effective, tricks to keep these intelligent cyber attackers at bay.
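As an added illustration (not code from the original post), here is a small policy checker that enforces the three rules above: the 12-character minimum, the mix of upper-case, lower-case and numeric characters, and a rejection of "sensible" arrangements such as the common passwords named above, alphabetical or numeric sequences, and keyboard-row runs. The common-password list is a constructed sample; a real deployment would screen against a full breached-password corpus.

```python
# Constructed sample of very common passwords (illustrative only; use a
# breached-password corpus in production).
COMMON_PASSWORDS = {"123456", "qwerty", "password", "letmein", "123456789"}

# Keyboard rows used to catch "qwerty"-style arrangements.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive characters that are
    sequential (abcd, 4321) or a slice of a keyboard row (asdf, poiu)."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        steps = [ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if _has_run(pw):
        problems.append("contains a sequential or keyboard-row run")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Abcd1234Efgh", "Blue7Kettle!Moon"):
        print(candidate, "->", check_password(candidate) or "OK")
```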
Two-factor Authentication is a means of using at least two of the following three 'factors' to identify a user: something you know, something you have, and something you are. The common examples are:
- Something you know (password)
- Something you have (a trusted device)
- Something you are (fingerprint, eye scan...)
The first step for most organizations is to make sure passwords are strong and changed often, so the 'something you KNOW' is safe. The ‘something you HAVE’ is usually either an app on a physical mobile device, like MS Authenticator, or a physical keyfob that changes its numbers every minute or so.
When selecting new applications, you should ensure they support two-factor authentication and get assistance activating the authentication steps in your existing applications. Stepping up your authentication requirements to a two- or even three-factor environment will help to create a more secure network as they present a challenge to cyber attackers. From personal experience, the use of two- or three-factor logins maintains a sense of security without negatively impacting the user experience.
Having a disciplined approach to applying updates and patches to your equipment is an essential step in creating a secure environment. All major vendors consistently release updates and patches for their software and hardware that not only address security issues, but other defects in performance as well. Remember that if a patch for a vulnerability exists, then the hackers know it exists and can tell if you haven’t applied it. Take the time to apply those patches and to plug the holes in your security posture.
Should I click this link?
One of the top methods for cyber criminals to gain network access is through the good, old phishing email. People fall victim to this scheme at an alarmingly high rate, especially as these emails grow more sophisticated. Ensuring your end users are properly trained provides your organization with yet another line of defense. At SE, we help companies consistently test their users' awareness, including using unannounced phishing tests. Every user should be asking themselves, “Should I click on this link?”
Today, data breaches and identity theft are major concerns for organizations and individuals alike. Following the best practices listed above will help ensure that cyber attackers are unable to access that data.
If your organization struggles with modern cybersecurity, take the time to talk with one of our cybersecurity experts here at Systems Engineering.
Joe Slone is a Project Manager at Systems Engineering. As a former Petty Officer First Class in the Navy, Joe has 20 years of experience in both IT and Project Management. He retired from the Navy in 2018 and at that time, joined Systems Engineering full-time.