Cyberthreats are on the rise — putting businesses, dollars and real lives in grave danger. Regardless of an organization’s size, most companies deal with securing personal information, computer networks and connected devices to conduct daily operations. As cyberattacks grow in frequency and sophistication, associated costs to mitigate these attacks skyrocket. According to Gartner, the worldwide security market reached $75 billion in 2015. This spending is expected to increase in 2018 to $101 billion and reach an estimated $170 billion by 2020.
How can businesses with minimal IT and cybersecurity budgets keep up with today’s demands? Fortunately, there are a number of cost-free solutions that organizations can adopt to make a positive impact in their security program.
1. Change Your Password
As much as one-third of all data breaches and cyberattacks can be attributed to weak or out-of-date passwords. These breaches can be accomplished through password cracking programs, phishing attempts, theft and the illegal buying and selling of personal data. It takes more than 200 days, on average, for a victim of a cyberattack to notice the breach. According to a 2015 report by TeleSign, 47 percent of people are using passwords that are more than five years old. Creating a strong password policy and enforcing quarterly password updates is key in defending against credential hacks.
But what exactly constitutes a “strong” password? Strong passwords include numbers, special characters, upper and lowercase letters and are more than eight characters in length. However, strong passwords can be difficult to remember. Particularly when considering that passwords should never be used in more than one place — each should be unique to that instance.
The passphrase technique utilizes an easy-to-remember sentence, which turns into a difficult-to-crack password. The sentence “Michigan is a great place to live and work,” could be converted into a strong password by inserting numbers and special characters, such as, “M1ch1ganI$@Gr3@tPl@c3ToWork!” This could be distilled into an even stronger version by shortening it to “MIiaGptl&w1.” The passphrase gives a user a mnemonic device to remember the complicated characters.
An added security measure of multifactor authentication processes should be considered at the organization level. Multifactor authentication (MFA) is a system that prevents data theft by requiring more than one source of credentials from a user or employee before they can access your data. Some of these include texting verification codes to a mobile phone, or the installation of a push-notification app, like Duo Security. Google offers free MFA solutions with their online accounts.
2. Remove Administrative Rights
With administrator privileges, end users have the ability to do anything they want to their device or workstation, including downloading questionable programs and applications (which may contain malware), ignoring IT policy and removing security features. UK-based Avecto says that 80 percent of any reported Microsoft vulnerability would be mitigated with the removal of administrative rights.
End users can also ignore needed security patches if they are granted administrative access to their device. Applying security patches through a forced update or download eliminates known vulnerabilities at the earliest possible time. Businesses should permit employees the minimum level of rights required to perform their job functions.
3. Institute IT Security Frameworks
According to Australia’s intelligence agency, 85 percent of intrusion techniques can be prevented by instituting the first few controls from their IT security framework called the Australia Signals Directorate. IT security frameworks provide a list of best practices and implementation steps for blocking and defending against the most common and damaging cybercrimes.
Some of these steps include conducting an inventory of authorized and unauthorized devices within your organization, creating secure configurations for mobile devices, workstations and servers and controlling the use of administrative privileges within your network. In addition to the Australia Signals Directorate, another free framework available online is the 20 Critical Security Controls offered by the Centers for Internet Security. This prioritized list of security measures for businesses provides a step-by-step process for effective cyberdefense.
Beginning a cybersecurity program does not require an organization to spend thousands of dollars implementing controls and purchasing software. Instituting password policies, utilizing least privilege on network devices and instituting basic security frameworks will have a positive impact for your security program.
Merit Network provides consulting services, cybersecurity training and certification and community security resources. If your nonprofit needs help with your current security posture, Merit CISO Consultant Services is designed to kick-start your program by building the strategy you need to protect your customers and your business.