COVID-19 made 2020 terrible and may affect 2021 just as badly. Aside from wearing masks, washing hands, and following the health advice du jour, there is little anyone can do to control the effects of the pandemic. As any good psychoanalyst will tell you, it is important to focus on what you can control. Whether your business is barely surviving the pandemic financially or booming in the virtual marketplace, its 2021 resolutions must include a commitment, or a renewed commitment, to cybersecurity.
The old saying used to be “only two things are certain in life: death and taxes.” This axiom needs to be rewritten to add a third certainty: cyber incidents. Consider the following events this year: the massive SolarWinds hack, which affected entities such as the Department of Justice, the Department of Defense, and Microsoft; the Marriott breach that exposed 5.2 million records; the MGM Resorts breach exposing data on 142 million guests; and Home Depot’s agreement to a $17.5 million settlement for a 2014 breach. Each affected entity was highly sophisticated and employed a healthy information technology staff. Despite these investments, their flags were (at least temporarily) captured.
The lesson is that breaches, hacking incidents, cyberattacks, ransomware, cybercrime, and cyber espionage can and will happen to anyone. The only question is how much damage is caused. The scope of that damage is limited by the proactive measures an entity takes before it becomes a victim (as we all eventually do). So make it your business’s 2021 resolution to examine, reassess, or undertake the following proactive cybersecurity measures – because your business WILL eventually become the victim of a cyber incident.
1. Back-ups: How is your data being backed up, and how often? Is this function being performed through a cloud service or on actual hardware? If it is occurring in the cloud, when was the last time your entity confirmed that its subscription/license was current? Also, is your current data volume exceeding the space allowed by the storage provider? It is time to reassess the status of your back-ups or arrange for back-up data services – and do not forget your emails!
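The questions above can be turned into a routine check. The following Python script is an added example, not code from the original article or from any backup product: it audits a backup catalogue for three things (is the newest backup of each dataset, email included, fresh enough; does each backup file still match the SHA-256 recorded when it was taken; and how close is usage to the storage quota). The catalogue fields (dataset, name, taken, bytes), the manifest layout and all sample data are constructed assumptions.

```python
"""Backup health audit (added example; not code from the original article).

Checks freshness per dataset, integrity against a SHA-256 manifest, and
storage quota headroom. The catalogue format and sample data below are
constructed assumptions, not any real product's format.
"""
import hashlib
from datetime import datetime, timedelta, timezone

GIB = 1024 ** 3

# Constructed catalogue: one entry per backup file the (hypothetical) agent produced.
SAMPLE_CATALOGUE = [
    {"dataset": "files", "name": "files-2020-12-20.tar",
     "taken": "2020-12-20T02:00:00+00:00", "bytes": 40 * GIB},
    {"dataset": "files", "name": "files-2020-12-27.tar",
     "taken": "2020-12-27T02:00:00+00:00", "bytes": 41 * GIB},
    {"dataset": "mail", "name": "mail-2020-12-27.pst",
     "taken": "2020-12-27T02:30:00+00:00", "bytes": 9 * GIB},
]
SAMPLE_NOW = datetime(2020, 12, 31, 12, 0, tzinfo=timezone.utc)

# Constructed stand-ins for the backup payloads and the manifest written alongside them.
SAMPLE_BLOBS = {
    "files-2020-12-27.tar": b"payroll.xlsx contracts/msa.pdf ...",
    "mail-2020-12-27.pst": b"mailbox export 2020-12-27 ...",
}
SAMPLE_MANIFEST = {name: hashlib.sha256(data).hexdigest()
                   for name, data in SAMPLE_BLOBS.items()}


def stale_datasets(catalogue, now, max_age_days):
    """Return the datasets whose most recent backup is older than max_age_days."""
    newest = {}
    for entry in catalogue:
        taken = datetime.fromisoformat(entry["taken"])
        if entry["dataset"] not in newest or taken > newest[entry["dataset"]]:
            newest[entry["dataset"]] = taken
    limit = timedelta(days=max_age_days)
    return sorted(ds for ds, taken in newest.items() if now - taken > limit)


def verify_manifest(manifest, blobs):
    """Return backup names that are missing or whose SHA-256 no longer matches the manifest."""
    bad = []
    for name, expected in manifest.items():
        data = blobs.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(name)
    return sorted(bad)


def capacity_status(catalogue, quota_bytes, warn_ratio=0.8):
    """Sum stored bytes and flag when usage reaches warn_ratio of the quota."""
    used = sum(entry["bytes"] for entry in catalogue)
    ratio = used / quota_bytes
    return {"used_bytes": used, "ratio": ratio, "warning": ratio >= warn_ratio}


def run_audit(catalogue=SAMPLE_CATALOGUE, now=SAMPLE_NOW, manifest=SAMPLE_MANIFEST,
              blobs=SAMPLE_BLOBS, max_age_days=7, quota_bytes=100 * GIB):
    """Combine the three checks into one report a weekly job could email out."""
    return {
        "stale": stale_datasets(catalogue, now, max_age_days),
        "corrupt": verify_manifest(manifest, blobs),
        "capacity": capacity_status(catalogue, quota_bytes),
    }


if __name__ == "__main__":
    print(run_audit())
```

On the constructed data the audit reports no stale datasets at a seven-day policy, no integrity failures, and a capacity warning because 90 GiB of a 100 GiB quota is in use; tightening the policy to three days marks both datasets stale, and altering or removing a payload makes the manifest check name it. The point of hashing the stored copies rather than trusting the catalogue is that a backup which silently rotted or was encrypted by ransomware still "exists" as far as the catalogue is concerned.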
2. Insider Threat Analysis: With the growing and increasingly permanent remote workforce, there is a strong likelihood that a teleworking employee will cause an accidental breach by opening a phishing email or entering his/her credentials into a spoofed portal. The alternative, darker, scenario is that an employee may steal and sell company data (such as intellectual property). Therefore, many organizations need to consider implementing checkpoints within their networks to detect nefarious activity through 24/7 monitoring of firewalls and access controls, and by extremely limiting the use of administrative credentials.
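One concrete form such a checkpoint can take is a small detector run over authentication logs. The script below is an added example, not code from the original article or from any monitoring product; it flags administrative logins from outside an approved jump-host subnet, administrative logins outside a maintenance window, and bursts of failed logins for one account (the symptom of someone trying credentials they should not hold). The key=value log format, the policy values and the log lines are constructed assumptions.

```python
"""Administrative-credential monitoring over auth logs (added example; not
code from the original article). Log format, policy and sample lines are
constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = """\
2020-12-28T09:14:02Z auth login user=jdoe src=10.0.12.34 role=user result=success
2020-12-28T09:20:11Z auth login user=admin-ops src=10.0.0.5 role=admin result=success
2020-12-28T23:41:58Z auth login user=admin-ops src=203.0.113.77 role=admin result=success
2020-12-29T03:10:01Z auth login user=svc-backup src=10.0.0.9 role=admin result=failure
2020-12-29T03:10:04Z auth login user=svc-backup src=10.0.0.9 role=admin result=failure
2020-12-29T03:10:09Z auth login user=svc-backup src=10.0.0.9 role=admin result=failure
2020-12-29T10:02:40Z auth login user=jdoe src=10.0.12.34 role=user result=success
"""

# Assumed policy: admin logins only from the jump-host subnet and only inside
# the maintenance window (UTC hours, start inclusive, end exclusive).
POLICY = {
    "admin_sources": [ipaddress.ip_network("10.0.0.0/24")],
    "maintenance_window": (8, 18),
    "failure_threshold": 3,
    "failure_window": timedelta(minutes=5),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"role=(?P<role>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["src"] = ipaddress.ip_address(event["src"])
    return event


def detect(log_text, policy=POLICY):
    """Run the three rules over the log and return one alert dict per hit."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    start, end = policy["maintenance_window"]
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["role"] == "admin" and event["result"] == "success":
            # Rule 1: successful admin login from outside the approved subnet.
            if not any(event["src"] in net for net in policy["admin_sources"]):
                alerts.append({"rule": "admin_unapproved_source",
                               "user": event["user"], "ts": event["ts"]})
            # Rule 2: successful admin login outside the maintenance window.
            if not start <= event["ts"].hour < end:
                alerts.append({"rule": "admin_outside_window",
                               "user": event["user"], "ts": event["ts"]})
        if event["result"] == "failure":
            # Rule 3: N failures for one account inside a sliding window.
            recent = [t for t in failures[event["user"]]
                      if event["ts"] - t <= policy["failure_window"]]
            recent.append(event["ts"])
            failures[event["user"]] = recent
            if len(recent) == policy["failure_threshold"]:
                alerts.append({"rule": "failed_login_burst",
                               "user": event["user"], "ts": event["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["rule"], alert["user"])
```

On the sample, the daytime admin-ops login from the jump host passes cleanly, the late-night admin-ops login from 203.0.113.77 trips both admin rules, and the three svc-backup failures within eight seconds trip the burst rule. The burst rule fires exactly once per burst (on the third failure) so that a stream of failures does not flood the alert queue.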
3. Replace/Patch Legacy VPNs: The substantial and rapid increase in the use of VPNs by companies to accommodate the telecommuting workforce attracted the attention of cyber criminals. Because businesses had previously purchased only a limited number of VPN licenses, which were largely unmonitored for patches and updates, cyber criminals enjoyed this exercise in exploitation. It is time to evaluate your entity’s current VPN provider, patch if possible, or move to zero-trust network access.
4. Remote Locking/Wiping/Locating: As more employees shift to working from laptops, tablets, and smartphones in their homes (as opposed to secured office spaces), the opportunities for theft and misplacement increase. Consider licenses for software that remotely locates, locks, and wipes devices to prevent data compromise and theft.
5. Forensic Scanning: Have your network and devices scanned for threats. This is an investment in the health of your business. Malware, which may carry ransomware, often lurks within a network for up to 2 years, harvesting data and credentials like a parasite. Once the parasite (the cyber-criminal) has depleted the marketable assets of its host, it encrypts the data for one last heist. The only way to find out whether malware is silently lurking in and stealing data from your network is to have a forensic analysis conducted. These analyses are NOT just a sales tool for MSSPs.
6. Hire an MSSP: If you do not have a Managed Security Service Provider or employ one in-house, get one. Frankly, it would not be surprising for insurance carriers to insist on the retention of an MSSP by any entity subject to state or federal data regulations before issuing cybersecurity insurance.
Good luck to all in 2021!