The requirements for cyberliability insurance compliance are becoming more stringent, reflecting increased incidents of hacking, phishing and other attempts to steal or compromise protected data. Times have changed: attackers who once simply wanted to destroy IT systems now want to mine them for data that can be sold or used for identity theft, or to hold your data for ransom.
Here are some simple guidelines that will improve your IT security posture:
Gateway security refers to the outermost layer of your IT system, the point where your network touches the Internet by way of a router or modem. The modems and routers most Internet service providers supply have minimal or no firewall capability beyond basic network address translation, and most off-the-shelf consumer routers have little in the way of gateway security.
A robust firewall is recommended, including a security subscription that adds virus scanning and intrusion prevention. Firewalls of this type run anywhere from $500-$1000, and the security subscription can go for $100-200 per year or more, depending on the size of your network. Whatever you buy, change the default administrative password, keep the firmware updated, and do not expose the management interface to the Internet.
The primary avenue for hackers to gain access to data these days is email. There are third-party services available that will receive your email in the cloud, scan for and remove messages that are spam, phishing, or infected with a virus, and deliver the rest to you. This keeps malicious or infected emails from reaching your network. Costs for these kinds of services run about $2 per mailbox per month. Most industry-standard email systems have these features built in, but the paid services add a further layer of filtering. Whichever you use, publish SPF, DKIM and DMARC records for your domain so that messages forged in your company's name can be rejected by the recipients' mail systems.
Two-factor authentication describes a process where, after the initial entry of user name and password, the user must supply a second factor: a one-time code sent by text message to a cell phone, a code generated by an authenticator app on a mobile device, or a push notification in such an app that the user must approve.
When it comes to restricting access, two-factor authentication is one of the most effective controls available. Without the second factor, a stolen or guessed password alone is not enough and access is denied. It is not bulletproof, however: codes sent by text message can be captured by an attacker who takes over the phone number (SIM swapping), and any code or push prompt can be relayed by a phishing site in real time or approved by a user worn down by repeated prompts. Prefer an authenticator app or a hardware security key over text messages, and train users never to approve a prompt for a sign-in they did not start.
Email two-factor authentication is now built into most email providers and simply needs to be activated. In a typical scenario, the user's cell phone delivers the token. For an older email client that cannot handle the second prompt, a special app password can be generated for Outlook so that you don't have to authenticate every time you check your email at your PC. Be aware that an app password bypasses 2FA for that one client: generate one only where the client genuinely cannot use modern authentication, and revoke it when the client is retired.
If someone attempts to gain access to your email by any other means, your phone will be sent a token or prompted to approve the sign-in. Without it, access is denied.
Two-factor authentication should also be enabled on the software you use to store protected information, like accounting data or customer information. Check with your software vendor to see if it is available.
In many cases, 2FA (two-factor authentication) is freely available and just needs to be activated and configured once.
If application-specific two-factor authentication is not available, you can take the next step and set up 2FA at the PC login level. There are third-party products available (one of the most popular costs about $5 per user per month, meaning you pay per user but can install the agent on multiple devices) that send a token to a cell phone when you log on to your PC, which is great protection for remote workers and portable computers.
Every PC or server on your network should have a resident antivirus program that does both on-access scanning and a scheduled daily full scan of the hard drive. If a virus is found, the antivirus program should notify both your network administrator and the affected user. Keep the program and its virus definitions updated automatically; an antivirus with stale definitions is little better than none.
Ransomware is all the rage these days. The news is full of horror stories where hackers encrypted all the data on a company's server and the company had to pay a ransom in cryptocurrency to get it back. Without the decryption key, your data is gone, and increasingly attackers also copy the data before encrypting it and threaten to publish it if the ransom is not paid.
Ransomware protection is two-pronged: endpoint detection and response and consistent data backups.
Endpoint Detection and Response
Ransomware is detectable, either at the point it is delivered to a PC, or when it executes. Ransomware reads and rewrites large numbers of files in a short time, and that burst of activity stands out to a security program designed to look for it. Endpoint detection involves catching the ransomware at work. The response usually involves isolating the infected PC from the rest of the network before the ransomware can spread, stopping the offending process, and retaining copies of files from before encryption so they can be rolled back. Costs for this kind of software run about $4 per device per month. EDR is a great add-on to your existing antivirus program.
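As an added example that is not part of the original article, here is how the on-access scanning and daily full scan described above, plus a built-in guard against programs rewriting files in bulk, can be configured with Microsoft Defender Antivirus, the antivirus that ships with Windows, from an elevated PowerShell prompt. The scan time, the protected folder and the allowed application path are assumptions for illustration.

```powershell
# Added example (not from the original article): configure Microsoft Defender
# Antivirus for on-access scanning plus a daily full scan, and turn on Controlled
# Folder Access, Defender's guard against unknown programs modifying files in
# protected folders. Run from an elevated PowerShell prompt. The scan time and
# the folder/application paths below are assumptions; adjust for your environment.

# 1. On-access (real-time) scanning must be on.
Set-MpPreference -DisableRealtimeMonitoring $false

# 2. Full scan every day at 02:00 (ScanParameters: 1 = quick scan, 2 = full scan;
#    ScanScheduleDay 0 = every day), with a definitions update before each scan.
Set-MpPreference -ScanParameters 2 -ScanScheduleDay 0 -ScanScheduleTime '02:00:00'
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

# 3. Controlled Folder Access: only trusted applications may write to protected
#    folders. Start in AuditMode to see what would be blocked, allow the
#    legitimate applications that show up, then switch to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\CompanyData'                    # assumed path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Acme\Accounting.exe'  # assumed app

# 4. Verify the resulting state.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureLastUpdated, FullScanAge, QuickScanAge

# 5. What has been detected recently, for the administrator's report.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ProcessName, Resources, ActionSuccess

# 6. What Controlled Folder Access has seen: 1123 = blocked, 1124 = audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Leave Controlled Folder Access in audit mode for a few days before enabling it; a line-of-business application that writes to the data folder and has not been allowed will otherwise be blocked exactly as ransomware would be.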
Password Policies and Lock Screens
User passwords should be force-changed periodically; a rotation interval of 30-90 days is what most insurer questionnaires still ask for. Note that current NIST guidance (SP 800-63B) recommends requiring a change only when a password is suspected to be compromised, favoring long, unique passwords, 2FA and screening against lists of known-breached passwords over scheduled rotation, so check what your insurer actually requires. Additionally, PCs, laptops, and mobile devices should be set to lock after a period of inactivity, after which the password must be re-entered to allow access.
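As an added example that is not part of the original article, the following sets the password and lock-screen rules just described on a stand-alone Windows PC or server from an elevated PowerShell prompt, and lists the local accounts that are exempt from rotation. In a domain the same values belong in Group Policy. The 90-day age, 14-character minimum, 10-attempt lockout and 10-minute lock are assumed values for illustration.

```powershell
# Added example (not from the original article): local password policy and an
# inactivity lock on a stand-alone Windows machine. Run elevated. The numbers
# are assumptions; use the values your insurer's questionnaire asks for.

# Maximum age 90 days, minimum age 1 day, at least 14 characters, remember the
# last 24 passwords so they cannot be reused immediately.
net accounts /maxpwage:90 /minpwage:1 /minpwlen:14 /uniquepw:24

# Lock the account for 15 minutes after 10 failed attempts within 15 minutes.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

# Require the password again after 10 minutes of inactivity. This is the
# registry value behind the policy "Interactive logon: Machine inactivity limit".
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policy -Name 'InactivityTimeoutSecs' -PropertyType DWord `
    -Value 600 -Force | Out-Null

# Review what is now in force.
net accounts
Get-ItemProperty -Path $policy -Name 'InactivityTimeoutSecs'

# Enabled local accounts whose password never expires are outside the rotation
# policy; each one should be a deliberate exception (a service account), not an
# oversight.
Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
    Select-Object Name, PasswordLastSet, LastLogon
```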
The ultimate defense against ransomware, if all else fails, is a reliable point-in-time data backup.
Most Windows-based servers have a feature called shadow copy (the Volume Shadow Copy Service), which keeps point-in-time snapshots of changed files on a local volume. These can be scheduled to run multiple times per day, depending on available disk space. This feature should be activated on all servers, both for possible ransomware protection and quick file recovery in case of accidental deletion or unwanted changes. Shadow copy is no substitute for regular backups to external, rotated media and/or the cloud: the snapshots sit on the same server as the data they protect, and most ransomware deletes them before it starts encrypting.
Servers (or workstations housing critical data) should be backed up to removable media like an external hard drive that is regularly removed from the premises. This is a key component of disaster planning as well as cybersecurity. Backing up to the same hard drive every day puts your data at risk of the backup drive going bad or even something as minor as a water leak or fire. Best practices recommend removable media that is rotated daily or a cloud repository with multiple restore points, with at least one copy that is offline or otherwise unreachable from the network, since ransomware will encrypt any backup drive or share it can write to.
If your data is stored in the cloud by way of Dropbox, OneDrive, Google Drive, or other cloud synchronization methods, they likely include around 30 days' worth of file version history. Bear in mind that synchronization is not backup: a file encrypted or deleted on your PC is synced to the cloud in the same state, so recovery depends on that version history. You can also do a point-in-time backup to a hard drive for added protection or engage a third-party backup service.
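As an added example that is not part of the original article, here is how shadow copies can be turned on for a data volume on a Windows server twice a day and how to check that they are still there. The drive letter, the storage cap and the times are assumptions for illustration.

```powershell
# Added example (not from the original article): schedule twice-daily shadow
# copies of a data volume and list what exists. Run elevated. Drive letter D:,
# the 15% storage cap and the 07:00/12:00 times are assumptions.

# Cap shadow-copy storage so snapshots cannot fill the volume.
vssadmin resize shadowstorage /for=D: /on=D: /maxsize=15%

# Take one snapshot now. ClientAccessible is the kind users see under
# "Previous Versions" in Explorer.
Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = 'D:\'; Context = 'ClientAccessible' }

# Run the same call at 07:00 and 12:00 every day as SYSTEM.
$command = '-NoProfile -Command "Invoke-CimMethod -ClassName Win32_ShadowCopy ' +
           '-MethodName Create -Arguments @{ Volume = ''D:\''; Context = ''ClientAccessible'' }"'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $command
$triggers  = @((New-ScheduledTaskTrigger -Daily -At '07:00'),
               (New-ScheduledTaskTrigger -Daily -At '12:00'))
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName 'ShadowCopy-D' -Action $action -Trigger $triggers `
    -Principal $principal -Force

# List the snapshots that exist, newest first. An empty list on a server that
# should have several is worth investigating: ransomware commonly runs
# "vssadmin delete shadows /all" before it starts encrypting.
Get-CimInstance Win32_ShadowCopy |
    Sort-Object InstallDate -Descending |
    Select-Object InstallDate, VolumeName, DeviceObject
```

The listing at the end is worth running from a monitoring script: a sudden drop to zero snapshots on a volume that normally has a dozen is an early warning that something is preparing to encrypt.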
Backups for servers and workstations are inexpensive, usually a monthly fee. Veeam Backup, one of the most popular server backup programs, costs about $20 per month for standard backups, with a cloud backup option that runs $12 per 100 GB per month. Veeam offers an instant recovery option that can mount the backup on another server and have you back up and running immediately. Backups should be encrypted, with the encryption password stored somewhere other than the backup itself.
Cloud backup systems like Carbonite and Crashplan offer cloud-based protection for servers and workstations for small monthly fees.
Backups should be tested by way of periodic restores; a backup that has never been restored is an assumption, not a backup.
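As an added example that is not part of the original article, the script below is a restore test for the periodic restores just recommended: after restoring a sample of files from the backup into a scratch folder with your backup product's own restore function, it checks that the newest backup is recent and that every restored file matches its live counterpart byte for byte. The paths and the 24-hour freshness threshold are assumptions; compare against files that have not changed since the backup was taken, or the content check will flag legitimate edits.

```powershell
# Added example (not from the original article): verify a test restore.
# Save as Test-Restore.ps1 and run after restoring a sample of files from the
# backup into $Restored. All paths and the freshness threshold are assumptions.
param(
    [string]$Live       = 'D:\CompanyData',   # assumed live data
    [string]$Restored   = 'E:\RestoreTest',   # assumed restore target
    [string]$BackupRoot = 'F:\Backups',       # assumed backup location
    [int]$MaxAgeHours   = 24
)

# 1. Is the newest backup recent enough?
$newest = Get-ChildItem -Path $BackupRoot -Recurse -File |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    Write-Warning "No backup files found under $BackupRoot"
} elseif ($newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxAgeHours)) {
    Write-Warning "Newest backup file is from $($newest.LastWriteTime), older than $MaxAgeHours hours"
}

# 2. Hash every restored file and its live counterpart, and compare.
$problems = [System.Collections.Generic.List[object]]::new()
Get-ChildItem -Path $Restored -Recurse -File | ForEach-Object {
    $relative = $_.FullName.Substring($Restored.Length).TrimStart('\')
    $liveFile = Join-Path $Live $relative
    if (-not (Test-Path -LiteralPath $liveFile)) {
        $problems.Add([pscustomobject]@{ File = $relative; Problem = 'missing from live data' })
        return   # next file
    }
    $restoredHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
    $liveHash     = (Get-FileHash -Algorithm SHA256 -LiteralPath $liveFile).Hash
    if ($restoredHash -ne $liveHash) {
        $problems.Add([pscustomobject]@{ File = $relative; Problem = 'content differs' })
    }
}

# 3. Report. A non-empty list means the backup cannot be trusted as-is.
if ($problems.Count -gt 0) {
    $problems | Format-Table -AutoSize
    Write-Warning "$($problems.Count) restored file(s) failed the check"
} else {
    "Restore test passed: all restored files match the live data"
}
```

Keep the report with your insurance documentation; a dated record of successful restore tests is exactly what an underwriter asks for.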
Data and Email Encryption
Data can be encrypted in two states: at rest and in transit.
Encryption at rest involves encrypting the hard drives where data is stored. In this way, even if your laptop is stolen, the data cannot be read without the key. BitLocker is Microsoft's full-disk encryption feature, built into the Pro, Enterprise and Education editions of Windows and into Windows Server. Activating BitLocker creates a recovery key which must be retained, ideally escrowed in Active Directory, Microsoft Entra ID (formerly Azure AD) or your device management system rather than on the encrypted machine. Without it, your data will be unavailable. Major changes to a PC, such as a firmware update or a motherboard replacement, can trigger BitLocker's recovery mode, and you will need the recovery key to get back into your system.
Encryption should also be used for any external devices like USB flash drives or hard drives; on Windows this is BitLocker To Go.
Encryption in transit refers to data while it is being moved or transferred, usually through electronic communication like email. Ordinary email is encrypted between mail servers only when both sides happen to support it, and a message sits readable in every mailbox it passes through. If you send and receive protected information via email, like Social Security numbers, driver's license numbers, medical, tax, or financial information, there are systems available that will encrypt the email so it cannot be read in transit. This involves the recipient authenticating to a protected portal where they can read and respond to the email. These systems can either explicitly encrypt an email on request, typically by a keyword in the subject line, or proactively scan the contents of the email and attachments for protected information; if any is detected, the email is automatically encrypted. These services run about $5 per user per month.
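As an added example that is not part of the original article, here is the BitLocker setup described under encryption at rest, done from an elevated PowerShell prompt on a domain-joined Windows Pro/Enterprise machine: the system drive is unlocked by the TPM, a recovery password is added and escrowed to Active Directory, and a USB drive is encrypted with a password so it can be opened on another PC. Drive letters are assumptions; escrow to Active Directory requires the domain policy that permits storing recovery information.

```powershell
# Added example (not from the original article): BitLocker on the system drive
# and on a removable drive, with recovery passwords escrowed. Requires Windows
# Pro/Enterprise/Education or Windows Server and an elevated prompt. C: and E:
# are assumed drive letters.

# 1. System drive. Create the recovery password first, so a fallback exists
#    before encryption starts, then let the TPM unlock the drive at boot.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmProtector

# 2. Escrow the recovery password on the computer object in Active Directory.
#    (Entra ID-joined devices use BackupToAAD-BitLockerKeyProtector instead.)
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# 3. Removable drive (BitLocker To Go): password-protected so it opens on any
#    Windows PC, plus a recovery password kept with the others, not on the drive.
$pw = Read-Host -AsSecureString 'Password for the USB drive'
Enable-BitLocker -MountPoint 'E:' -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint 'E:' -RecoveryPasswordProtector

# 4. Check: each volume should show ProtectionStatus On and two protectors.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Run the check at the end across the fleet periodically; a laptop that reports ProtectionStatus Off because someone suspended BitLocker for a firmware update and forgot to resume it is unencrypted until it is resumed.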
More people are working away from the office. Opening your network to your users can also leave a door open for hackers and other malefactors.
Remote access should be secured by a VPN or an industry-standard remote control program like Logmein or GotoMyPC, with two-factor authentication enabled. Never expose Remote Desktop (RDP) directly to the Internet; an Internet-facing RDP service with a guessable password is one of the most common ways ransomware operators get in. Devices connecting to your network remotely should have robust antivirus, antimalware, and ransomware protection installed and active, and should be kept patched.
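As an added example that is not part of the original article, the following checks on a Windows PC or server whether Remote Desktop is enabled, whether it requires Network Level Authentication, and which source addresses the firewall accepts it from, then restricts it to the VPN subnet. The subnet 10.8.0.0/24 is an assumed VPN address range.

```powershell
# Added example (not from the original article): audit and restrict Remote
# Desktop on a Windows machine. Run elevated. 10.8.0.0/24 is an assumed VPN range.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
"RDP enabled: $rdpEnabled; Network Level Authentication required: $nla"

# Which source addresses do the inbound RDP firewall rules accept? "Any" means
# every address; if the router also forwards port 3389, RDP is on the Internet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0}: remote addresses = {1}' -f $_.DisplayName, ($scope -join ', ')
    }

# Is anything actually listening on the RDP port right now?
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

if ($rdpEnabled) {
    # Require NLA (credentials are checked before a desktop session is created)
    # and TLS for the connection.
    Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name SecurityLayer -Value 2
    # Accept RDP only from the VPN subnet (assumed range).
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress '10.8.0.0/24'
}
```

The firewall scope is a second line of defense only; the first is the router, which should have no port forward for 3389 at all.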
Policies and Procedures
Written policies can be very helpful in event of a breach. Policies governing the accepted use of the IT system, email and mobile device requirements, remote access policies and others can help support your cybersecurity posture in the event it is challenged.
Putting these policies in your Employee Handbook would help communicate the rules and procedures regarding cybersecurity and establish proper security standards.
Confidentiality agreements with employees and vendors would also be helpful.
Another lucrative tool for hackers is deception. We've all seen the emails from Nigeria asking for money, which are clearly fraudulent. But these attackers have become more sophisticated, to the point where they impersonate the boss in an email to the employee who does the accounting (a pairing which in most cases can be gleaned from the Staff page of most websites) with a request to buy gift cards or make a wire transfer. This is known as business email compromise, and the defense is procedural: any request to move money or change payment details is confirmed by phone, using a number already on file rather than one in the email, before it is acted on.
Hackers may also use deceptive error messages by way of a website redirection, where a user is persuaded that their computer is infected or damaged and they need to call a number for a remedy, which usually involves allowing the hacker remote access to their PC under the guise of technical assistance.
A user may also receive an email with a link or attachment that leads them to a site where they are asked to input their email address and email password. No institution will ask for your password via email.
Making users aware of these deceptive practices will help prevent them from succeeding.
Alerts and Notifications
All of these security solutions do no good in a vacuum. It is important that you or your IT provider be notified if there is a breach, and that your staff let you know if they get a suspicious email or notice any other unusual event. You should also be notified if they lose their mobile device or laptop or if they suspect that data has been compromised.
The potential damages from a data breach extend beyond the loss of your data or your customers'. There is a certain amount of reputational damage as well. Having a response plan in the event of a breach, including notifying affected parties, can help mitigate the damage.
Your email system may have the ability to recall a message sent in error, although recall generally works only for recipients within your own organization who have not yet opened the message. It may also be able to remotely remove company data from a lost or stolen mobile device. Knowing where your data is stored, accessed and backed up will help with quickly recovering compromised or lost data.
Even a simple plan is better than none at all. Consult with staff and your IT systems provider to come up with a few common scenarios and what your response to each would be. Document the plan and make sure that everyone who needs to know about it does.
While it may seem like the threats are everywhere and the remedies are complicated and expensive, establishing an industry-standard cybersecurity posture can be done easily and inexpensively, using tools and features already built into your IT systems and by judiciously adding products that defend against the main threats out there.
You could certainly go overboard in trying to establish your defenses, but at a certain point, through technology, procedures, and education, you can protect your network from most cyberthreats.
The goal isn’t perfection; you should aim for a reasonable, industry-standard level of cybersecurity. Prevailing wisdom says that breaches are inevitable; the methods listed here can minimize their impact or prevent them altogether.
An assessment of your IT system and current cybersecurity posture is key. CSM offers these assessments at no charge; your IT vendor should be able to do an assessment as well.
You may discover that your situation isn’t nearly as dire as you suspect. It may be a matter of implementing controls you already have.