Cybersecurity Resolutions for 2020
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
A new year is once again upon us, which means people across the world will resolve to exercise more, eat healthier, eliminate financial debt and, most importantly, enhance their cybersecurity practices over the coming year. Good luck to all in this time-honored annual quest!
As compared to the typical New Year’s resolutions, improving your individual and corporate cybersecurity defenses can be easier to achieve and sustain. With that in mind, here are a few cybersecurity resolutions to add to your new year’s list, and a few tips for achieving them in 2020:
1. Remain Vigilant in Your Digital Environment
One of the biggest threats in the cyber landscape to individuals – and their employers - is phishing scams. With each year that passes, phishing attacks become more creative, complex, and sophisticated. These are not the traditional “spam” email messages. The phishing emails that pose the biggest threats are nearly indistinguishable from legitimate emails sent by your supervisors, coworkers, or customers. They often result from the compromise of an email account of someone in your contact list, so the message may replicate content from a message previously sent by a customer or a vendor. It should be noted that the concept of phishing is not limited to emails; it can take the form of SMS messages or even phone calls purporting to be from vendors or government agencies. The only way to avoid falling victim to phishing scams is to remain extra vigilant and be “uncomfortably cautious.” For example, if you receive an email invoice from a vendor requesting payment by a new method, use a trusted telephone number to verify the request. When your Chief Financial Officer requests a master PDF containing the employee W-2 images for the annual corporate tax review, personally verify – in person or with a trusted telephone number - that she actually made the request. Authenticating these requests personally may sometimes be a bit outside your comfort zone, but they will stop fraud 100% of the time.
2. Embrace Your Role As A Human Firewall
No matter how much a company invests in cyber defense, a well-educated and attentive workforce is the best tool to reduce risk. Make sure you are fully aware of your company’s cybersecurity policies and recognize that you are a target of hackers who are continually looking to steal personal information from computer networks. If you are a corporate executive, or if you work in either your company’s human resources or finance department, understand that you are at a heightened risk of being targeted because of the information you can access. No matter what your role in the company, immediately report any suspicious activity you notice to the appropriate personnel, such as unusual activity on your computer or within your email account.
3. Use Unique and Complex Passwords
The password you use to access the company network should be different than the one you use for online shopping. The one you use for online shopping should be different than the one you use to access financial services, etc. The most important factor for password security is length—each additional character increases password strength exponentially. Each separate password should be a minimum of 12 characters consisting of random letters, numbers, upper and lower case letters, and symbols. The best practice is to change passwords every 90 days. Other than password management software, one of the easiest ways to keep track of complex passwords is to take the grammar and first letters of a phrase and turn it into a password: “I bought oatmeal raisin cookies for my dog, Spot!” becomes a password of “Iborc4md,S!”
4. Deploy Multi-Factor Authentication
Beyond your regular password, the best way to protect your online identity is to use a secondary verification method to confirm it is actually you when you are accessing a company network or social online account. Online services like Google, Microsoft Office 365, and others have features you can activate to send one-time text message codes or telephone prompts to your cell phone. These codes and/or prompts must be entered alongside your regular password to successfully log into the service. These features require something you know (your password) as well as something you have (your phone), making it exponentially more difficult for unauthorized individuals to access your account. If your company currently does not use multi-factor authentication software, it is worth researching available products to see how this technology can help limit cyber risk.
5. Deploy Endpoint Monitoring
Although this is clearly an organizational resolution, consideration should be given to deploying a robust endpoint monitoring tool. As encryption has become weaponized through sophisticated ransomware attacks, one of the strongest elements of a layered defense is the use of endpoint monitoring, with strong data analytics used in a heuristic manner. New variants of ransomware are deployed daily with the intention of locking up critical data to extort money from the victim business. Since the malware is increasingly “zero day,” or a previously unknown malicious code, a sophisticated endpoint monitoring tool that identifies behaviors that appear to be malware, is one of the best defenses to these attacks. If your company does not use endpoint monitoring, it may be worth your while to ask whether it is something to be considered.
6. Make a Data Map (Register)
Both the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), which bestow upon their residents certain privacy rights, are now law. Other U.S. states are expected to enact similar laws in the coming years. Before a company can properly implement a data rights management system that complies with these types of laws, it must first identify where the relevant data resides on its internal network. Creating a data map is the best way to start that analysis. It will also identify how data is processed internally, how it is secured, and how it can be deleted in compliance with internal document retention policies and the various data privacy laws. A data map can also streamline your company’s ability to respond to and investigate any data security incidents that may arise.
7. Update Your Devices/Maintain a Patch Management Program
When we are busy, there is nothing worse than seeing an update notification that our machine needs to reboot in order to install critical updates. When we are tweeting or texting, we often repeatedly hit “remind me later” when our smartphone wants us to download the latest OS patch. However, these patches can often highlight and publicize known security vulnerabilities, so you may create opportunities for hackers to exploit your unpatched device every time you hit that “remind me later” button. Keep in mind the machine you are using is often the portal to your entire digital world! Adopting updates and security enhancements as quickly as possible helps to ensure your digital information stays private. From an organizational perspective, patch management is a critical aspect of a layered defense. Ensuring that patches are updated in a timely manner will reduce the vulnerabilities available to the attackers.
8. Review Your Privacy Settings
Speaking of privacy, it is a good idea to annually review the privacy settings of your various online accounts, including those related to social media. Settings and options change all the time as developers add new features. Hackers pay close attention to these changes in order to potentially exploit them for personal gain. You need to be diligent as well. For example, verify what information about you is shared publicly in each application or service that you use and restrict information you do not wish to be viewed by others. Even the most seemingly mundane information can be of use for hackers—common security questions may include your mother’s maiden name, which high school you went to, or the name of your pet, all of which could be readily available if your social media profiles are public.
9. Draft an Incident Response Plan
Do not wait until your organization has a cybersecurity event in order to determine how to best respond. Plan ahead to ensure that all the appropriate internal resources are aligned. The incident response planning process will help to identify appropriate internal and external responders, and their roles and responsibilities. The last thing your organization wants is to lose valuable time in responding to an incident because of confusion over these factors. A good incident response plan should also involve an assessment of whether the organization has appropriate cyber insurance coverage to meet the evolving online threats.
10. Be “Securious”
The digital security landscape shifts almost every day, making it difficult for companies to navigate and plan effectively, let alone stay ahead of the curve. Researching and learning as much as you can about potential trends, threats, and defenses will help your company make fully educated decisions. Keep up with cyber trends by subscribing to cybersecurity podcasts and cyber-focused blogs, such as our Digital Insights Blog.
We regularly provide clients and prospective clients with broad cybersecurity insight about all these topics from our team of professionals. If you haven’t already subscribed to our Digital Insights Blog, you can do so by clicking here.
We wish you good luck with achieving your cybersecurity resolutions as well as a safe and digitally secure new year!