Cybersecurity Best Practices

As circumstances surrounding WannaCry, Petya/Goldeneye, the Shadow Brokers and exposed voters’ records have shown, cybersecurity events continue to cripple companies no matter their size or industry.

An analysis of CNA claims data from 2012-2016 shows that the following are the most common causes of claims:

  • Human error – 34%
  • Hacking – 24%
  • Theft of laptop, tablet or other device – 12%
  • Violation of privacy statutes – 10%
  • Malware and ransomware – 8%
  • Phishing – 6%
  • Fraudulent transfer – 4%
  • Other – 13%

Any industry can be a target for hackers or be vulnerable to a cyber incident, but certain industries have emerged as particularly vulnerable. According to the Verizon 2017 Data Breach Investigations Report, the following were the most likely victims:

  • Financial organizations – 24%
  • Healthcare organizations – 15%
  • Retail & accommodation (combined) – 15%
  • Public sector entities – 12%

Although cybersecurity is broad and complex, some best practices can help prevent attackers from successfully infiltrating your customers’ operations, as well as your own. The most common cause of a claim, human error, can be reduced by educating employees on what to look out for when reading e-mail or browsing websites. A mature cybersecurity program relies on a layered security approach, meaning that no single control is the only source of protection for a corporate asset. Three controls that belong in a layered security approach are secure password practices, multi-factor authentication and security awareness training.

Secure Password Practices

For many people, it’s difficult to remember unique, complex passwords for every website, a complication that leads to password reuse. Unfortunately, cyber criminals know this. When your credentials are compromised on one site, attackers take that username and password and try them on other sites (a technique known as credential stuffing), frequently with success.

As a solution, use a password manager. These tools ask you to remember one master password and, through a browser extension, log you in to the websites you visit using a long, random password that is unique to each site and that you never need to know. What’s the advantage? If a company, such as your bank, is compromised, the stolen password only allows access to your bank and nowhere else. Because the master password now guards every other credential, protect the manager itself with a strong, unique master password and multi-factor authentication.

Steps to Multi-Factor Authentication

Multi-factor (or two-factor) authentication (MFA or 2FA) is more straightforward than it may seem. It combines at least two of these three factors:

  1. Something you know: A piece of information that you have memorized, such as a password.
  2. Something you have: Historically, this was a physical token that displayed a 6-digit number which changed every 30 seconds; today, the same time-based one-time password (TOTP) is usually generated by an app on a smartphone. In either case, the owner never needs to memorize the multi-digit code, only to have the device or app at hand when logging in.
  3. Something you are: Biometrics, such as a smartphone’s built-in fingerprint reader.

When MFA is used, it becomes much more difficult for an attacker to gain unauthorized access to an account. Not only would the attacker need to steal your password, but the criminal would also need to physically steal, or hack into, your token device or biometric data, both of which are far more difficult tasks.

An additional best practice is to use MFA on all remote connectivity and for any activity requiring administrator-level access.

Creating Security Awareness

Your customers can be their companies’ strongest security assets or weakest links. Employees who click on malicious links and open attachments can easily bypass other cyber protections. Phishing attacks, in which an employee receives a legitimate-looking but malicious e-mail, are one of the top causes of data breaches.

These days, attacks are much more sophisticated and are timed with current events, such as business transactions or tax day. Attackers also take time to create “spear phishing” attacks, in which a specific person or company is targeted, using information from a user’s LinkedIn page or other social media accounts to appear plausible.

When individuals receive an e-mail from either a known or an unknown source, they should confirm its legitimacy before clicking a link or opening an attachment. Is the sender’s actual address correct, not just the display name? Can the identity of the sender be confirmed through another channel? Is the e-mail poorly written? Does it create a sense of urgency to act? Does a link’s real destination, visible when you hover over it, match the text it shows?
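The same checklist turned into triage code, as an added example that is not part of the article: it parses a raw message and flags a brand name in the display name that the sender’s domain does not own, a lookalike sender domain, a Reply-To that diverts the conversation, urgency wording, and links whose visible text names one host while the href points to another. The trusted domain and both sample messages are constructed for illustration.

```python
"""Heuristic triage for the checklist above: sender address, sender identity,
wording, urgency and where links really go.  Added example, not the article's
code; the trusted domain and both messages below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = ("acmebank.com",)          # constructed: the brand this company really uses
URGENCY = ("immediately", "urgent", "within 24 hours", "suspended", "act now",
           "wire transfer", "final notice")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

PHISH = """\
From: "AcmeBank Security" <alerts@acmebank-secure.com>
Reply-To: verify@mail-acmebank.net
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Act now! Log in at <a href="http://login.acme-bank-verify.net/x">https://www.acmebank.com/login</a> within 24 hours!</p>
"""
LEGIT = """\
From: "Acme Bank" <statements@acmebank.com>
Subject: Your March statement is available
Content-Type: text/plain

Your statement is ready in online banking. Sign in as usual.
"""

def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels), enough for .com/.net-style domains."""
    return ".".join(host.lower().split(".")[-2:])

def looks_like(domain: str, trusted: str) -> bool:
    """True if `domain` imitates `trusted`: digit-for-letter swaps, rn/m, vv/w,
    or a single character inserted, dropped or changed (edit distance 1)."""
    d = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    if d == trusted:
        return True
    if abs(len(d) - len(trusted)) > 1:
        return False
    a, b = (d, trusted) if len(d) <= len(trusted) else (trusted, d)
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def host_of(text: str) -> str:
    """Hostname a human would read in link text such as 'https://www.x.com/login'."""
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else ""

def analyze(raw: str, trusted_domains=TRUSTED) -> list[str]:
    """Return a list of red flags; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    from_dom = registrable(addr.rsplit("@", 1)[-1])
    # Is the address correct?  A brand in the display name over a foreign or
    # lookalike domain is the classic spoof.
    for t in trusted_domains:
        if t.split(".")[0] in name.lower().replace(" ", "") and from_dom != t:
            findings.append(f"display name '{name}' but sender domain {from_dom}")
        if from_dom != t and looks_like(from_dom, t):
            findings.append(f"lookalike sender domain {from_dom} ~ {t}")
    # Can the sender be confirmed?  A Reply-To elsewhere diverts the conversation.
    reply_dom = registrable(parseaddr(msg["Reply-To"] or "")[1].rsplit("@", 1)[-1])
    if msg["Reply-To"] and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    # Urgency, and poor writing (a very rough proxy: shouting with exclamation marks).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    blob = f"{msg['Subject'] or ''} {text}".lower()
    hits = [w for w in URGENCY if w in blob]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    if blob.count("!") >= 3:
        findings.append("excessive exclamation marks")
    # Where does the link really go?  Visible text names one host, href another.
    for href, anchor in ANCHOR.findall(text):
        real = registrable(urlparse(href).hostname or "")
        shown = registrable(host_of(re.sub(r"<[^>]+>", "", anchor)))
        if shown and real and shown != real:
            findings.append(f"link text says {shown} but href goes to {real}")
    return findings

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyze(raw) or ["no red flags"])
```

Run against the constructed messages, the phishing sample produces four findings (spoofed display name, diverted Reply-To, urgency cues, mismatched link) and the legitimate statement notice produces none. These are heuristics for training and triage, not a mail filter: a well-crafted spear-phishing e-mail can pass every one of them, which is why the page’s advice to confirm the sender through another channel still applies.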

Your customers should conduct regular security training for employees, including regular communications on current security events and frequent in-house phishing campaigns. These campaigns test employees with realistic-looking phishing e-mails that, thankfully, are anything but.

Criminals will always be thinking of new ways to attack businesses and consumers, which forces businesses to constantly evolve their cybersecurity practices. It is only through constant vigilance that we can continue to protect ourselves in this ever-escalating environment.


Article By: Nick Graf

Source: Property Casualty 360