Unfortunately, the answer to this question is no. Determined hackers will eventually get in. The latest SolarWinds hack proves that. If you haven’t heard about this breach, hackers inserted malware into a software update that was pushed out to SolarWinds customers. It was an elegant solution to focus resources on a single target, with the purpose of gaining access to a litany of businesses that the target serves, including the U.S. government.
The good news is that we can deter and reduce the impact of breaches. In this two-part blog series, we will discuss what small and medium-sized businesses (SMBs) can do to be more cyber-resilient. Without access to the budgets of larger companies, SMBs can still be nimble and increase cyber-resilience by implementing deterrence-based, preventative controls. The blog posts in the series will cover deterrence-based tactics.
The best place to start with increasing cyber-resilience is to focus on your users and email security.
- Multi-factor Authentication (MFA) is a must for businesses using hosted email solutions such as G Suite or Office 365. MFA requires a second authentication “factor” (something other than your password) when signing into your inbox. For stronger protection, MFA should require an authenticator application for verification rather than a text message, because the ability to hijack or spoof mobile phone numbers has become commonplace.
- Make phishing training more fun. We need to move away from shaming users who repeatedly get phished in workplace simulations. Instead, we should reward employees with praise and celebrate those who successfully avoid phishing attempts. We should also reward employees who report legitimate phishing attacks to IT. For employees who do get phished, send them a summary of what to look for in the future so they can stay vigilant. Gamifying phishing and general cybersecurity training with positive reinforcement has been shown to increase employee cyber-vigilance.
- A “Report as phishing” button should be available in your email client so employees can more easily report phishing attempts. The old “think before you click” mantra can be put into action by providing the right click to use!
- Implement email pre-filtering to remove or quarantine spam, junk mail and other common email attacks before they get to your inbox. Additionally, consult with your pre-filtering provider to determine if link validation is available. Link validation can provide added protection as this feature tests every link you click in a “clean room” for safety. While link validation isn’t perfect, it is another piece of your cyber-vigilance armor.
- If emails originate from outside your company, say so! The banner added to emails that come from outside your SMB can run the gamut from a simple “EXTERNAL” statement to lengthy paragraphs. At a minimum, go with the simple “EXTERNAL” statement and change its font color to orange or red. That alerts users to the risk without affecting the message preview or consuming your reading pane.
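The two most concrete items in the list above, app-based MFA and an “EXTERNAL” banner, can both be switched on in a Microsoft 365 tenant from PowerShell. The script below is an added example and is not code from the original post or from Moore Colson; it assumes a Microsoft 365 tenant, an account with Global Administrator rights, and the Microsoft.Graph and ExchangeOnlineManagement modules installed. The rule name “Tag external email” and the banner colour are arbitrary choices.

```powershell
# Added example, not part of the original post. Assumes a Microsoft 365 tenant,
# the Microsoft.Graph and ExchangeOnlineManagement modules, and a Global Admin account.

# --- Part 1: require MFA for every user via Entra ID security defaults ---
# Security defaults are free on every tenant and register users with the
# Microsoft Authenticator app rather than an SMS code (assumption: the tenant
# does not already use Conditional Access policies, which are mutually exclusive
# with security defaults).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

# Confirm the setting took effect (should print True).
(Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

# --- Part 2: prepend an "EXTERNAL" banner to mail from outside the tenant ---
Connect-ExchangeOnline

# Short, orange, bold, no extra margin: visible without eating the reading pane.
$banner = '<p style="color:#d83b01;font-weight:bold;margin:0">EXTERNAL</p>'

New-TransportRule -Name "Tag external email" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Verify the rule exists, is enabled, and is scoped to inbound-only mail.
Get-TransportRule -Identity "Tag external email" |
    Format-List Name, State, Priority, FromScope, SentToScope
```

The `-SentToScope InOrganization` filter keeps the banner off mail that merely transits the tenant, and `Wrap` as the fallback action means an encrypted or signed message that cannot be modified is wrapped in a new message carrying the banner rather than being rejected. If the tenant already relies on Conditional Access, leave security defaults off and require MFA through a Conditional Access policy instead; the two cannot be enabled together.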
Go Beyond the Cybersecurity Questionnaire
It is essential that SMBs use cybersecurity assessments as part of their deterrence strategy. Cybersecurity assessments always begin with a questionnaire to help document which cybersecurity controls are believed to be in place. Often the staff members filling out these questionnaires are over-tired and over-worked IT team members who are balancing security with keeping everyone productive. They likely don’t have time for yet another task. That can leave you with a questionnaire based solely on inquiry, completed quickly, that may not accurately reflect your environment and its configuration.
To validate that your security is as expected, consider going beyond the questionnaire and implementing “targeted” reviews of the controls believed to be in place. These reviews examine the actual design and implementation of any of the areas identified above, as well as others such as password configuration, number of administrators, network wiring configuration, firewall rules, etc. You can help defray the cost by spreading targeted mini-reviews over a period of time, which will also help get your SMB into the cadence of assess, remediate, validate and repeat.
Where to Go From Here
These suggested tactics to build cyber-resilience leave you with a lot to consider. It’s good to know that most of the items we covered above and will cover in our blog series are reasonably priced (or are already included in what you are paying for) and relatively easy to implement. The goal is to deter the predators and push them to more susceptible prey. Supplementing the items listed above with cybersecurity insurance is another best practice to research and implement. Be “safe” out there, and stay tuned for part 2 of this blog series, where we will discuss other key pieces of cybersecurity armor in your road to cyber-vigilance.
Jon Powell, CPA, CITP, CISA, is a Partner in Moore Colson’s Risk Advisory & Compliance Services Practice. In addition to leading the cybersecurity initiatives, Jon leads the IT audit practice for the firm, including Sarbanes Oxley initiatives, internal audit co-sourcing partnerships, SOC audits and other compliance engagements.