7 Security Practices

What if I told you that it’s been reported that 10% of security professionals paid ransomware demands at some point, and another 35% have admitted to circumventing company security policy?

It’s no surprise that humans are the leading cause of security leaks and data breaches. We’re constantly ignoring popup reminders to update software, clicking on unsafe emails and links, using open networks—the list goes on.

What is surprising is that IT and security professionals are among the top culprits when it comes to engaging in bad practices. What is a firm to do?

Sometimes it’s simply the better business choice to pay a small ransom. If a firm has neglected its backups, it is at the mercy of, on the one hand, hackers, and on the other, data forensics experts. Sometimes the nominal $300 or $600 requested is literally $10,000 cheaper than forensics.

Is it unethical to pay? Personally, I should think not. Is it unethical to hand over your wallet in an armed robbery? The real question when it comes to ransoms is: how can we prevent them? Here are seven security best practices that work like magic.

Automatic Updates

For IT managers, the first step is to notify firm users only when important security updates are available for their devices. The fewer popups a user gets telling him or her to update software, the more important the remaining notifications will seem.

Firms like Accellis work hard to make sure updates are handled automatically, so clients don’t even have to click and install them.

Single Sign On

Another step is incorporating a single sign-on (SSO) system. SSO lets users employ ridiculously complex passwords for every application while only having to remember one.

Password Policy

Password policies should no longer be viewed as optional or cumbersome. Every firm needs a mandatory 90-day rotation for strong passwords. It’s easier than changing the oil in your car, and takes a fraction of the time.

2FA

Another must-have for critical systems is two-factor authentication, where users must enter a password plus a one-time code that is sent only to them. This weeds out hackers who have the password but not the employee’s phone.

Firewall

You are probably tired of hearing about it, but the firm’s firewall is a must-have security asset. Whether you have a domain or a peer-to-peer network, you need an enterprise firewall to control what gets into the network. By preventing malicious content from ever reaching a user, the firm prevents accidental employee error. A good firewall costs as little as $50 per month, all in.

Training

One of the greatest improvements will come from training the firm’s team to protect themselves from malicious hackers. If everyone understands the basics of cybersecurity, your IT team has narrowed one of the broadest attack vectors.

The Magic Bullet: Backups

Hackers can kiss your ransom goodbye if you have adequate backups in place. True backup and disaster recovery (DR) costs as little as $99/month, so what are you waiting for? With full backups in place, with cloud redundancy, you can restore your whole network in a matter of minutes or hours. Problem solved.

  • Brian Focht

    No no no, Accellis! You’re one of my favorite security companies, but PLEASE don’t keep telling people that the best password policy involves changing passwords every 90 days. Even the new NIST regulations do away with this requirement, because in reality, the actual result is a reduction in the quality of passwords people use, or an increase in other security risks – like writing those passwords and leaving them sitting on an office desk.

    Passwords should be changed as a result of certain types of events – an employee leaves or is fired, the network suffered a breach, or one of your employees’ personal data is involved in a major hack and passwords were compromised. Otherwise, requiring long, complex passwords, combined with 2-factor authentication (which I happily note you included), is the best option.

    • Thanks for bringing the NIST change to our attention, Brian. This post was originally drafted before NIST updated their guidelines. We’ve been keeping up on the draft changes in the NIST guidelines and we agree completely with the approach NIST seems to be taking. Complex passwords that are difficult to compromise through social engineering or brute force attacks… and change infrequently are much stronger and way more secure. However, many of the current security frameworks still call for frequent changes in passwords, so it is important to take the other guidelines into consideration. Hopefully other frameworks will follow NIST’s lead. We’ll notify our security team and make edits as NIST makes new recommendations.