2020 was a rough year. While many of the year's events were hard to predict and perhaps unavoidable (COVID-19, wildfires, civil unrest), many of 2020's massive data breaches were predictable and entirely avoidable. The most noteworthy attack was the SolarWinds compromise, in which Russian state actors pushed a trojanized update of the SolarWinds Orion IT monitoring platform to thousands of customers and used that foothold to get into the networks of several US federal agencies and American businesses. The breach exposed countless sensitive documents and assets, and we are still learning how bad it actually was.
But who was at fault? The SolarWinds leadership team, who had been warned about lax security? The federal government and its reallocation of cybersecurity funds? The businesses that made the mistake of trusting SolarWinds? The everyday security admin? No, this hack represents an industry-wide failure. Data breaches have been on the rise for years. State actors in North Korea, Russia, and China are notorious for powerful cyber-attacks on government agencies and private businesses. The twenty-first century requires us to transmit and store information securely, and as an industry we are doing an incredibly poor job of it.
It's easy to ignore if your business hasn't been exposed in a breach or if you haven't been hacked. It's easy to see a headline and think "that's tough for them." But the fact is, it's only a matter of time before your business ends up one of the many thousands that suffer a data breach each year. If you think things will slow down after SolarWinds, you're mistaken. As you read this, there are dozens and likely hundreds of similar attack campaigns running against all kinds of systems. The next big hack isn't a matter of if, it's when, and on whom. Everyone has a responsibility to prioritize security so we can limit the number of weak links in the security chain that involves all of us. The recent hack doesn't represent a single failure; it represents a failure of a nation, an industry, and everyone in it. We are simply not taking cybersecurity seriously enough.
[Chart: data via Security Boulevard]
So, it’s time to change our thinking. We must do more to prioritize cybersecurity. As more employees work remotely and we grow to depend more on centralized management solutions, the cloud, and so on, we must find ways to secure data through any means necessary. The threats will grow. Attacks will get stronger and more targeted. You’d better have the tools and skills you need to fortify yourself.
With that diatribe aside, let's look at a few critical changes your organization, no matter how big, small, sophisticated, or simple, must make in 2021 and beyond. It's time we all start taking a no-nonsense approach to security.
Revisit Your Cybersecurity Budget
The good news is that 55% of organizations are increasing their cybersecurity budget for 2021. The bad news is that's barely more than half, and it's not enough. We all need to be doing more. Your budget for 2021 may already be set, but it's never too late to move some things around. It's time to do some tough math: is it more important that your business prevent data breaches, secure its data, and avoid paying for ransomware, or that it get a little boost in productivity? As it stands today, most businesses should be figuring out how to beef up cybersecurity before they worry about investing in a new project management tool. Whatever small gains you get in productivity will be nothing compared to what you stand to lose from paying a ransom for your data ($84K is the average ransom, and paying it is no guarantee you get everything back) or losing your data altogether. This year, as you look at spending, consider where you can tighten your belt so you can emphasize security. Your budget will go towards things like certifying technical employees, training non-technical employees, investing in secure software and encrypted hardware, and a few other things we'll cover. Find some dollars to invest in keeping yourself secure, then let's go back to the basics.
Stop Relaxing on Basics
Many businesses aren't even doing the basics when it comes to cybersecurity, so let's go back to the start. Yes, this is remedial for many, but you can't build an effective security program without a foundation, so it's wise to consider whether your organization is taking the actions below.
USE A PASSWORD MANAGER
Many users reuse the same password everywhere, or choose something easy to remember, and a single breach then exposes every account that shares it, because attackers routinely try leaked credentials against other sites. A password manager generates a long random password for every account and stores them in a vault encrypted with one strong master password. When it's time to log in somewhere, it fills in the right credential for that site, which also makes it harder to type a real password into a look-alike phishing page.
USE MULTI-FACTOR AUTHENTICATION
Multi-factor authentication comes in several forms, but the most familiar is that annoying thing where you get an email or text with a number you must enter in addition to your password. Annoying or not, it stops an attacker who has only your password from getting into your systems. Wherever possible, in business and personal accounts, enable multi-factor authentication. Where you have a choice, prefer an authenticator app or a hardware security key over SMS and email codes: text messages can be intercepted or redirected through SIM swapping, a one-time code can still be phished and relayed in real time, and a FIDO2 hardware key cannot be. The two seconds of extra effort will pay off in the end.
ENCRYPT ANY ON-THE-MOVE DATA
Many people still use USB devices to store data, move data, or what have you. Whether the data on them seems critical or not, it's still crucial that these devices be encrypted in case they're lost or stolen; an unencrypted drive gives up its contents to whoever picks it up. Invest in hardware-encrypted drives for employees, and at minimum enable full-disk encryption (BitLocker, FileVault, or the equivalent) on laptops, so data stays protected even while it's traveling on a device. This matters even more now with so many remote workers.
GET ALL THE OTHER BASICS
VPNs, firewalls, and anti-virus (or endpoint detection and response) should all be in place for your organization. We'll discuss newer solutions later, but keep verifying that all your security solutions are up to date, fully patched, and ready for the latest threats, and that the rest of your systems are patched too: many intrusions exploit known vulnerabilities for which a fix was already available.
Hire Security Pros or Certify IT Staff
More bad news. There's a massive industry-wide shortage of cybersecurity talent. According to Gartner, the unemployment rate for IT security professionals is approximately zero. Further, Global Knowledge reports that companies waste around $30K a year per IT employee due to skill gaps. If you're hoping to hire a cybersecurity professional, it's going to be tough, because 43% of organizations struggled to fill IT security openings in 2020. But don't fret. You can invest in the people you already have. If you have IT pros on staff, re-emphasize the importance of cybersecurity and invest in key certifications. Once certified, give them the authority and time to update systems and policies to keep your organization more secure. Also, be prepared to reward staff for their diligence so they stick around for the long haul. Security pros are hard to find, so you must work hard to keep the ones you have.
Train All Non-Technical Staff
End users might be your biggest threat. They'll be the ones to accidentally click that phishing email, to fall for a clever social engineering scam, or to inadvertently grant the wrong person access to the wrong systems. But guess what? Their mistakes aren't always their fault. They don't know what they don't know. So, recognizing that your own staff might be your biggest risk, it's incumbent on you to ensure that they understand the basic risks, how to spot and avoid them, and who to go to if they have questions about something that seems phishy. Hold cybersecurity training sessions at least quarterly so that your staff understand the risks they face. If you or your technical staff don't have time to develop a presentation, consider using online training for your users, set a deadline for them to complete it, then quiz them afterward. If their performance on the quiz is tied to a reward, all the better. In addition to training, consider how you might reward employees who report suspicious emails or knowingly avoid various scams; reporting should be easy and never punished, because a report that arrives in time is what lets your team contain the incident. Your goal should be to build a culture of cyber-vigilance.
Invest in Cybersecurity and Data Protection Solutions
You probably have security solutions in place today, but are they enough? And are they taking advantage of newer technology such as AI-assisted threat detection? What would you have done, or could you have done, if your organization had been affected by the SolarWinds breach? If ransomware locked up your primary systems, would you have a backup to fully recover from, or would you be stuck paying the ransom? A backup only counts if a copy is kept offline or immutable so the ransomware can't encrypt it too, and if you have actually tested restoring from it. Take time to consider where your security gaps might be and begin to seek solutions that fill them. Consider everything from physical protection to threat detection, as well as data protection tools including backup and recovery software. You may also want to reevaluate your current vendors to ensure that there aren't solutions with more comprehensive protection.
Consider Hiring an MSP, VAR, or IT Consultant
We've established that cybersecurity talent is hard to find, and certifications won't immediately fill the skill gaps you have. That's why you may consider hiring a managed service provider (MSP), a value-added reseller (VAR), or another IT security specialist to help you up your security game. They can conduct penetration tests to find the weaknesses an attacker would actually exploit, optimize the systems you already have, suggest rigorous security policies, or point you toward new solutions that will keep you safe. While having talented security folks on staff is important, you can still make big strides quickly by bringing in outside help for a while.