10 Ways to Protect Your Organization from Cyberattacks
By Ashley Leonard, YPO Member
Many CEOs don’t want to think about cybersecurity. That’s why you hire a chief technology officer (CTO) or chief information security officer (CISO). But cybersecurity is now a board-level issue. While your first line of defense is always common sense, below are 10 actions every CEO should implement, with the help of the IT team, to secure their organization.
Can we enable two-factor authentication?
If it has a password, make sure it supports two-factor authentication: a one-time code delivered by SMS text message, email or an authenticator app on your phone such as Google Authenticator (we don’t recommend SMS, because a phone number can be hijacked from the carrier). A password alone is no longer enough. Passwords are compromised by phishing attacks (emails that trick you into entering your password on a fake site) or stolen from other websites where you reused the same or a similar password. Many companies now use Microsoft Office 365 for email and synchronize it with their local Active Directory usernames and passwords. If an Office 365 account is breached, not only is Office 365 exposed: the attacker now holds a credential that also works on your internal network.
Use products like Duo to allow two-factor authentication when logging on
Out of the box, Microsoft Windows and Apple macOS do not require a second factor to control logons to laptops, desktops, servers, RDP sessions and so on. By implementing a tool like Duo (acquired by Cisco in 2018) you can add a second factor to all your physical and virtual devices. As an added bonus, you can also limit which devices accept a given user’s logon.
Use a password manager
It is vital to have a different password for every system you use. There have been many large-scale breaches of online services: LinkedIn (164 million accounts stolen), Adobe (152 million), Myspace (359 million) and so on. This data is compiled into databases of usernames and passwords that attackers replay against other systems (credential stuffing), so one reused password opens every account that shares it. Unique passwords for every system protect against this. How do you remember them all? Use a password manager like 1Password.
Make sure you have backups
Backup everything! If your organization suffers a breach and ransomware is distributed, make sure you have backups of all your data. By far the easiest way to recover from ransomware is to wipe the affected devices and restore the data from backup. Two caveats: keep at least one copy offline or otherwise unreachable from the network, because ransomware will encrypt or delete any backup it can reach, and test a restore regularly, since an untested backup is only a hope.
Disable SMB Outbound
The U.S. National Cybersecurity and Communications Integration Center (NCCIC) recently issued advice that all organizations should block outbound Server Message Block (SMB) traffic at the network boundary: TCP ports 139 and 445, plus the related NetBIOS services on UDP ports 137 and 138.
A widely used attack leverages Windows’ willingness to automatically log on to a remote device when connecting to a file share. When a user opens a link or a document that points at a UNC path (\\attacker-host\share), Windows silently attempts NTLM authentication to that host, sending the username and a challenge response derived from the password hash. Inside a corporate network this single sign-on is very useful; when the host is an attacker’s server on the internet, it hands over credentials that can be cracked offline or relayed to another service, which is why that traffic should never be allowed to leave the network.
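As an added example (not the article’s own procedure and not NCCIC’s guidance), here is a host-level version of the same block for roaming Windows laptops, applied to Windows Defender Firewall from PowerShell. It complements the perimeter rule rather than replacing it. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later; the `example.com` probe at the end is a placeholder for any internet host.

```powershell
# Added example, not the article's or NCCIC's own procedure. Run in an elevated PowerShell.
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module). Block rules always win
# over allow rules in Windows Defender Firewall, so the rules below are scoped to the Public and
# Private profiles: on the corporate (Domain) network internal file shares keep working, while a
# laptop on hotel or home Wi-Fi cannot be lured into sending NTLM credentials to an internet host.

# 1. What would this cut off right now? List established SMB sessions to non-RFC1918 addresses.
$privateNets = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'   # IPv4 private/loopback
Get-NetTCPConnection -RemotePort 445,139 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $privateNets } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

# 2. Block direct SMB (TCP 445) and the NetBIOS session service (TCP 139) outbound.
New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 139,445)' `
    -Direction Outbound -Protocol TCP -RemotePort 139,445 `
    -Profile Public,Private -Action Block -Enabled True

# 3. Block the NetBIOS name and datagram services that travel with SMB (UDP 137, 138).
New-NetFirewallRule -DisplayName 'Block outbound NetBIOS (UDP 137,138)' `
    -Direction Outbound -Protocol UDP -RemotePort 137,138 `
    -Profile Public,Private -Action Block -Enabled True

# 4. Verify the rules exist and are enabled.
Get-NetFirewallRule -DisplayName 'Block outbound *' |
    Select-Object DisplayName, Enabled, Direction, Action

# 5. From a Public or Private network, an SMB probe to an internet host must now fail
#    (example.com is a placeholder; expect $false once the connection attempt times out).
Test-NetConnection -ComputerName example.com -Port 445 -InformationLevel Quiet
```

The Domain profile is deliberately left open so internal file servers still work; the perimeter firewall is what stops a UNC link clicked from inside the office from reaching the internet.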
Limit access to everything by limiting IP addresses
Many cloud services let you lock down access to a list of source IP addresses; for example, you might allow only your office’s public IP address and your home address. Apply this to administrative consoles first, and remember that a laptop on a hotel or coffee-shop network will then need a VPN into one of the permitted addresses.
Instruct your accounting department to verify instructions to pay or transfer funds by phone
An attacker registers an email address that looks very similar to the CEO’s or CFO’s and sends it directly to the accounting team, instructing them to urgently pay an invoice by wire. Implement a policy that every wire transfer requires approval by phone before payment, using a phone number the team already has on file, never a number supplied in the email itself. (I’ve actually experienced this exact attack, and because of our voice verification process, the attack failed.)
Buy cyber insurance
This is a relatively new form of insurance, and we have recently seen it included in Errors and Omissions policies. It is vital that your organization purchases cyber insurance. It covers the costs of investigating and responding to a breach, business interruption, and possibly even reputational losses. Read the exclusions and the security controls the insurer requires: a claim can be denied if they were not in place.
Big Tip: If your organization experiences a breach, as soon as you finish the emergency response (such as taking devices off the network), contact your insurance company and then a lawyer who specializes in IT security, and let the lawyer hire the IT security investigators. When counsel engages the investigators, the work is done in anticipation of litigation and its results may be covered by attorney-client privilege, legally limiting who can obtain details about what happened. This protection is not absolute: courts have ordered forensic reports produced when the engagement looked like ordinary incident response rather than legal advice, so keep the legal engagement genuine and separate from routine IT work.
Encrypt confidential data
Many organizations use services like Dropbox to share and back up data. While these services are great and typically encrypt the data in the cloud, the provider holds the keys, so the data can still be decrypted by the provider or by anyone who compromises it. Also, services like Dropbox sync the data to multiple devices, creating local copies that are only as protected as each device’s disk. One approach is full disk encryption (BitLocker on Windows, FileVault on Mac), but you need to make sure it is enabled across all your devices. Hint: IT management tools like Cloud Management Suite will tell you which devices do not have BitLocker enabled. Full disk encryption still leaves your data at risk if Dropbox itself has a breach. Products like BoxCryptor add an extra layer of encryption to the content with keys that only you hold, which protects your confidential data both in the cloud and on local devices.
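For an IT team without a management suite, the same BitLocker check can be run locally. The script below is an added example (not the article’s code and not Cloud Management Suite’s); it assumes an elevated PowerShell on Windows 10/11 or a server with the BitLocker module, and assumes the file-sync folder is at Dropbox’s default location under the user profile.

```powershell
# Added example, not the article's or Cloud Management Suite's code. Run in an elevated PowerShell.
# Assumptions: Windows 10/11 or Server with the BitLocker PowerShell module; the sync folder is
# the Dropbox client's default location (adjust $syncFolder for other clients or paths).
$syncFolder = Join-Path $env:USERPROFILE 'Dropbox'   # assumption: default Dropbox folder

# One row per volume: ProtectionStatus is the property that matters. A volume can be 100%
# encrypted yet report Off (protection suspended), in which case the key sits in the clear on
# disk and a thief can read the drive as if it were unencrypted.
$report = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume        = $_.MountPoint                     # e.g. C:
        Type          = $_.VolumeType                     # OperatingSystem or Data
        Protection    = $_.ProtectionStatus               # On / Off
        Encrypted     = "$($_.EncryptionPercentage)%"
        Method        = $_.EncryptionMethod               # e.g. XtsAes128
        KeyProtectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}
$report | Format-Table -AutoSize

$unprotected = @($report | Where-Object { $_.Protection -ne 'On' })
if ($unprotected.Count -gt 0) {
    Write-Warning ('BitLocker protection is not active on: ' + ($unprotected.Volume -join ', '))
}

# A recovery key that is not escrowed (Active Directory / Azure AD / key vault) is a locked
# drive nobody can open; flag OS volumes that carry no RecoveryPassword protector.
$report | Where-Object { $_.Type -eq 'OperatingSystem' -and $_.KeyProtectors -notmatch 'RecoveryPassword' } |
    ForEach-Object { Write-Warning "$($_.Volume) has no recovery password protector; escrow one before relying on it." }

# Finally, check the volume holding the locally synced copy of the cloud data.
if (Test-Path $syncFolder) {
    $drive = (Get-Item $syncFolder).PSDrive.Name + ':'
    $state = ($report | Where-Object { $_.Volume -eq $drive }).Protection
    "Sync folder $syncFolder is on $drive (BitLocker protection: $state)"
}
```

Run it through your management tooling on every endpoint; a single unprotected volume holding a synced Dropbox folder is a full copy of the shared data sitting in the clear.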
Keep up with software updates
By some estimates, approximately 80 percent of breaches occur because IT has not kept up with software updates. You need to patch all devices, operating systems and applications, and more recently, IoT devices. You might think this has nothing to do with the CEO, but the CEO of Equifax stepped down after an unpatched web application (an Apache Struts vulnerability for which a fix was already available) led to a massive data breach.
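The quickest way to see where a Windows machine stands is to ask Windows Update itself. The script below is an added example (not the article’s code); it assumes a Windows host that can reach Windows Update or a WSUS server, uses the Windows Update Agent COM API (`Microsoft.Update.Session`), and runs in an elevated PowerShell. Third-party applications and IoT devices sit outside this API and need their own inventory.

```powershell
# Added example, not the article's code. Run in an elevated PowerShell on a Windows host that
# can reach Windows Update or WSUS. Assumption: the Windows Update Agent COM API is available
# (it is on every supported Windows version). Third-party apps and IoT devices are not covered.

# How stale is this machine? Age of the most recently installed hotfix.
$lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastHotfix) {
    $age = (Get-Date) - $lastHotfix.InstalledOn
    "Last update installed: $($lastHotfix.HotFixID) on $($lastHotfix.InstalledOn.ToShortDateString()) ($([int]$age.TotalDays) days ago)"
}

# Ask the update agent for everything applicable but not yet installed (and not hidden by an admin).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }   # Critical/Important/... for security updates
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title    = $u.Title
    }
}
$pending | Sort-Object Severity | Format-Table -AutoSize

# The number that belongs in a CEO-level report: missing updates Microsoft rates Critical or Important.
$critical = @($pending | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) security update(s) rated Critical/Important are missing on $env:COMPUTERNAME."
}
```

Collected across the fleet, the count of machines with missing Critical or Important updates, together with the age of the oldest one, is the patching metric worth putting in front of the board.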