By Rajesh Maurya
It may feel too simplistic to be talking about cyber hygiene with CISOs. But the lack of consistent cyber hygiene is the largest and most persistent threat inside most organizations. And the risk continues to grow as organizations continue to expand their networks and theresultant attack surfaces without a holistic security architecture or management system in place.
The concept of cyber hygiene is a deceptively simple one: It involves a series of practices and precautions that, when repeated regularly, keep users safe and their devices working as they should be. But that’s easier said than done with distributed networks, IoT everywhere, the adoption of multi-cloud infrastructures, and a growing reliance on SaaS application usage. Add the convergence of IT and OT, and the number of aging devices that cannot be taken offline because they monitor or manage critical systems 24×7, and the risks are greater, and the table stakes are higher, than ever before.
Keeping Remote Workers Safe
One of the most critical places on which to focus cyber hygiene efforts is remote workers. The rapid growth in a mobile workforce and their reliance on personal devices and home networks is just the latest addition to the challenges that IT teams face. Unfortunately, enforcing cyber hygiene for remote workers seems to be low on the list for overworked IT teams – somewhere below keeping the business up and running and ensuring access to business applications and essential resources.
Of course, the challenge is that employees working from home are using unsecured personal devices, from laptops to smartphones to tablets, to stay connected during the workday. And these devices, attached to weaker and far more vulnerable home networks, have created the perfect platform from which cyber criminals can launch attacks on enterprise data.
Over the past several months, cybercriminals have combined social engineering tactics that exploit fears about the Covid-19 pandemic with older exploits targeting unpatched vulnerabilities found in devices deployed in many home networks. They have also modified their strategies, switching from email-based attacks, which many remote users have been trained to avoid, to new browser-based attack vectors. And once the corporate network has been breached, cybercriminals are delivering new, more malicious strains of ransomware and other malware.
Top 10 Cyber Hygiene Tips to secure Remote Workers
Thankfully, despite the continued prevalence of ransomware and the spike in HTML/phishing attacks, there are a number of simple steps organizations and their employees can take to build a stronger barrier against threats. Some of these steps are as simple as creating stronger passwords and performing regular software and application updates. Others may require the addition of newer, more advanced endpoint security software.
It’s also important to note that certain types of business resources are at particularly high-risk for attacks in the current climate. These include financial systems, customer support systems, and research and development resources. Extra measures and precautions may need to be taken beyond the steps outlined below to protect these sensitive, high-priority assets.
- Ensure all employees receive substantial training, both when hired and periodically throughout their tenure, on how to spot and report suspicious cyber activity, maintain cyber hygiene, and on how to secure their personal devices and home networks. By educating individuals, especially remote workers, on how to maintain cyber distance, stay wary of suspicious requests, and implement basic security tools and protocols, CISOs can build a baseline of defence at the most vulnerable edge of their network that can help keep critical digital resources secure. This can involve online training and workshops with experts.
- Run background checks before designating power usersor granting privileged access to sensitive digital resources. By taking this extra step, organizations can make informed decisions that will inherently mitigate the risks associated with insider threats.
- Keep all servers, workstations, smartphones, and other devices used by employees up to date by applying frequent security updates. Ideally, this process should be automated, and enough time allowed for updates to be vetted in a testing environment. Proximity controls, such as cloud-based access controls and secure web gateways, can help secure those remote devices that cannot be updated or patched.
- Install anti-malware software to stop a large majority of attacks, including phishing scams and attempts to exploit known vulnerabilities. Try to invest in tools that offer sandboxing functionality (whether as part of an installed security package or as a cloud-based service) to detect Zero-Dayand other unknown threats. New Endpoint Detection and Response (EDR) tools should be on every CISO’s shopping list as they are not only very effective at not only repelling malware but can also identify and disable malware that manages to bypass perimeter controls before they can execute their payloads.
- Ensure an incident response/recovery plan is in place, including a hotline through which employees can promptly report a suspected breach, even when they are working from home. This way, in the event of an attack, downtime will be minimized, and employees will already be familiar with critical next steps.
- Use secure access points, whether physical or cloud-based, and create a secure segmented network for employees to utilize when connecting remotely. VPNs allow organizations to extend the private network across public Wi-Fi using an encrypted virtual point-to-point connection; this both enables and maintains secure remote access to corporate resources. And a zero trust network access strategy that includes NAC and network segmentation should also be in place.
- Implement a strong access managementpolicy, requiring multi-factor authentication when possible and maintaining strict standards for password creation. Employees should not be allowed to reuse passwords across networks or applications, whether corporate or personal, and should be encouraged to set complex passwords with various numbers and special characters. Consider providing password management software so they can keep track of passwords.
- Encrypt data in motion, in use, and at rest. However, VPN and other encrypted tunnels can also be used to securely inject malware and exfiltrate data. Which means that organizations need to invest in technologies that can inspect encrypted data at business speeds as well as monitor data access, file transfers, and other significant activity.
- Keeping up with the speed and volume of attacks can scale well beyond the limitations of human security analysts. As a result, machine learning and AI-driven security operations are no longer optional. They enable organizations to see and protect data and applications across thousands or millions of users, systems, devices, and critical applications—even across different network environments, such as multi-cloud, and the full range of network edges, including LAN, WAN, data center, cloud, and remote worker edges.
- For security solutions to be as agile as the networks they need to protect (and the cybercriminals they need to defend against), they need actionable updates to keep pace with the shifting threat landscape. This means that even the fastest and most adaptable security solutions are only as effective as the threat intelligence infrastructure and researchers that support them.
In the wake of COVID-19, CISOs have been faced with a seemingly impossible task: Keep enterprise networks secure while employees continue to work from home, perhaps indefinitely. And they have needed to do so on a limited budget, fewer resources, and a team of security professionals that’s already stretched thin. The solution? Enact an organization-wide cyber hygiene protocol, building the remote network security infrastructure from the ground up.
By focusing on training, awarenessand education, employees will be better able to perform basic security tasks such as updating devices, identifying suspicious behaviours, and practicing good cyber hygiene. After that, it is essential that organizations invest in the right systems and solutions – from VPNs to anti-malware software and encryption technologies – that enable clear visibility and granular control across the entire threat landscape. Complexity is the enemy of security, so the best response to an increasingly complicated and highly dynamic digital world is to get back to the basics. And that starts with cyber hygiene.
(The author is Regional Vice President, India &SAARC, Fortinet and the views expressed in this article are his own)