Boards now rank Cyber Security as either the #1 risk (22%) or a top-5 risk (57%) for their companies, according to the 2019 Global Cyber Risk Perception Survey by Marsh & McLennan Companies (one of the world’s leading insurance brokers and risk advisors). This makes Cyber the topmost risk by a fair margin, ahead of even Economic Uncertainty at #2.

I happen to work with multiple companies, from public to private to non-profit. What is most surprising to me is that I’ve found too many companies don’t even implement what I call “The Cyber Basics” to dramatically reduce the risk of cyber-attacks. These Cyber Basics are not costly, but they dramatically reduce the company’s risk of many typical types of cyber breach. I know many boards struggle with how to oversee cyber security risk at the firm, so I wanted to help educate the Corporate Director community about what I believe needs to be in “The Cyber Basics” for any company big enough to have a Board of Directors.

Obviously cyber defense is a layered solution, and specific risks differ based on a company’s industry, the information it processes, and the countries it operates in. However, I think you will agree that there is absolutely no reason not to follow these best practices: they are all low cost, relatively easy to implement, and they dramatically reduce the key risk areas and hacker targets at a company. I’ve formatted this as a checklist so any board member can use it to quickly verify that their company is doing what should be standard best practice. I also want to note that this list will not protect against everything, so companies still need to put in protections against the other specific risks that are unique to their structure and organization. However, not implementing these basics is akin to never getting regular checkups, not exercising, eating poorly, and then being surprised when you have health problems.
☐ #1: Multi Factor Authentication (MFA) for anyone with access to Financials, Banking, Wires, ACH, or Credit Card Processing
Why this should be implemented? Hackers and phishing attacks primarily target those employees who have access to the financials, whether it be the ability to send wires, or process credit cards, or authorize spending on vendors. Verify these employees have MFA turned on for access to email, access to banking sites, access to your HRIS or Payroll platform, and access to Credit Card Processing websites or tools. MFA is usually available for most websites and applications, but sadly few turn it on.
How does this reduce risk? If someone in one of these roles has their password hacked via a sophisticated phishing scam, the hackers won’t be able to use it, because the login requires both the password and a second factor. The most typical MFA setup sends a random code by text message to your phone that you then enter, or it uses an MFA app like Norton VIP Access, Google Authenticator, Authy, or Microsoft Authenticator that generates the code.
☐ #2: Multi Factor Authentication (MFA) for login to email and the network for all Senior Executives (CEO, CFO, Controller, VP of HR, Presidents, etc.)
Why this should be implemented? Phishing today targets these senior individuals because the attackers know they are the ones who can authorize spending, even if they cannot send the wire or ACH themselves. Executives are very prone to being hacked or falling for phishing attacks. Attackers then impersonate them and use their credentials to send emails authorizing fraudulent spending.
How does this reduce risk? See answer to the first item above. Same thing applies.
☐ #3: Multi-Factor Authentication (MFA) for all your IT people with any kind of Administrative rights…especially domain admin rights.
Why this should be implemented? Hackers target IT people with Administrative rights because once they are compromised, basically the whole company is exposed because Administrators can do anything on the network and access everything.
How does this reduce risk? If an Admin is compromised, the second factor will prevent the account from being used to compromise the company. Low-cost solutions exist for this, like Duo for Active Directory (Active Directory is the most common authentication used at most small and large companies).
NOTE: You may be asking yourself, why not implement MFA for every user in the company? That can be very costly, so my recommendations above target a small % of the company to keep costs down, while addressing the riskiest individuals who have the highest likelihood of being targeted by cyber criminals. However, if you can afford it, then yes, MFA for every user is your best option.
☐ #4: Remove Administrator Rights to Users’ PCs
Why this should be implemented? Malware or viruses are usually downloaded from the internet via malicious sites or links, or from files in email. This malware usually “installs itself” behind the scenes. Removing Administrator Rights stops your Users from being able to install applications, thereby stopping the malware from installing (in most cases). Yes, it is annoying that IT must install software for people, but it’s better than having malware encrypt all your servers and share drives and shut down your business…don’t you think?
How does this reduce risk? The most common way companies are hacked is someone downloading malware or a virus from the internet. If the malware cannot install itself, you are infinitely more protected since we can’t seem to stop users from clicking or opening things they should not. And, yes, this goes for Macs too…not just PCs.
☐ #5: Ensure your VPN or remote access software requires user authentication
Why this should be implemented? VPN or Remote Access is often required for people who work at home or remotely. No surprise, hackers know this, and they try to exploit weak passwords or other weaknesses to access the VPN and then gain access to your network, files and databases. Most VPNs can be set up to use your Active Directory authentication or a cloud-based single sign-on (SSO) solution. And remember, you can add MFA to Active Directory cheaply with solutions like Duo, and that will then work with your VPN too.
How does this reduce risk? Having user authentication required on VPN or remote access software helps ensure only users you allow can remotely gain access to your network. Combining MFA with user authentication for remote access just makes this more secure.
☐ #6: Printers, Scanners, Copiers should not be accessible via the Internet
Why this should be implemented? This seems obvious, but hackers use exposed printers and copiers to launch attacks on the network. Most printers/copiers have known exploitable security holes.
How does this reduce risk? I’ve never seen a good reason these devices need to be reachable over the internet, but I often find they’ve been set up this way without IT’s knowledge or awareness, thereby creating a huge security hole.
☐ #7: Have Guest WiFi that only allows access to the Internet via a separate VLAN. If guests or contractors need access to the network, give them a corporate laptop to use while onsite.
Why this should be implemented? Most contractors don’t need access to the network, just the internet. Share files with them via sharepoint or box.net or whatever cloud storage you use, but don’t let them on your network. You don’t control their security, so why would you let them on your network? It’s like drinking someone else’s drink without knowing whether they were just sick. If they do need network access, give them a company laptop. Your IT team should have extra laptops just for general replacement, so use those rather than exposing yourself and your company to your vendors’ bad cyber hygiene.
How does this reduce risk? Visitors, contractors, etc. all present security risks because they could already have compromised PCs that then connect to your network and spread a virus. Not allowing them on your network ensures they don’t infect it.
☐ #8: Company WiFi should require authentication, not just knowing the WiFi password.
Why this should be implemented? WiFi passwords are notorious for being neither changed nor secure; everyone knows the password and gives it to anyone they need to work with.
How does this reduce risk? Requiring an additional level of authentication, just like logging onto the network, ensures that only authorized people are on your Company WiFi. All modern company WiFi systems can be connected to Active Directory or whatever your company network authentication is.
☐ #9: Make sure all “User” passwords are (1) required to be changed regularly, (2) locked out after a set number of failed attempts, and (3) subject to strong password rules.
Why this should be implemented? There are readily available password cracking tools that compromise easily guessable passwords by repeatedly trying. The days of passwords that don’t expire or allowing weak passwords are behind us…only foolish companies allow this, at their peril.
How does this reduce risk? If someone uses these tools against you, the account will usually be locked before the password is cracked.
☐ #10: Yes, Anti-Virus and Anti-Malware software needs to be on every PC, every Mac, and every Server.
Why this should be implemented? I think this is self-explanatory, but I can almost guarantee you that most companies have some PC, Mac or Server running today where this is either not installed or not running. It only takes one to infect your entire company. Make sure your company can scan/audit to ensure anti-virus/anti-malware is installed, running and active. Often it is installed but somehow gets turned off, and IT should know if this happens.
How does this reduce risk? Self Explanatory…without this you are inviting infection, viruses, and malware.
☐ #11: The IT team needs to use a password sharing tool like Zoho or LastPass.
Why this should be implemented? IT teams need to share administrator or other sensitive passwords to be able to support large environments with complex devices, servers, etc. Too many IT departments share these passwords in spreadsheets or other insecure ways, which can easily be compromised…and you also don’t know whether someone who has left the company still has the file with all the passwords.
How does this reduce risk? A team cloud password tool ensures the passwords are shared using encryption, and you can easily remove access for someone who leaves the company.
☐ #12: Make your IT team change “Administrator Account Passwords” on some regular schedule.
Why this should be implemented? IT teams are notorious for never or rarely changing Administrator passwords, because it is annoying and often requires quite a bit of testing to make sure things work after the password is changed. A schedule of changes should be created, managed, and audited to ensure it is happening.
How does this reduce risk? Administrator rights are the golden keys for hackers, so we should have high expectations for how we manage this risky area.
☐ #13: If the company uses Amazon Web Services (AWS) there are AWS Best Practices that must be in place for Security and Configuration…make sure they are being followed.
Why this should be implemented? Misconfigured AWS services are the cause of many cloud cyber security breaches. Examples include making sure there are no “public S3 buckets”, that the “root AWS account and all IAM users use MFA”, verifying all AWS services are “owned by a defined IAM user account” (not the root AWS account), and regularly conducting an AWS Best Practices Audit. There are services to scan your company and see whether any of its AWS accounts expose public S3 buckets. Pay special attention to Marketing and HR, who often use AWS in addition to IT. There is also an AWS Best Practices Audit your company should run regularly (at least annually) to verify these items, and many others, are being followed. It is not costly, and often you can receive credits from AWS to offset the costs.
How does this reduce risk? Public S3 buckets are the most common way PII (personally identifiable information) or credit card info has been exposed on the internet by companies using AWS. Misconfigured AWS services are a common problem that leads to cyber breaches…AWS can be very secure, but only if done correctly. A Best Practice Audit ensures things are done correctly. Be sure to run it at least annually, since I guarantee your AWS environment changes often. (Note: There are more expensive services that both AWS and security companies offer that can perform exhaustive checks, and I would recommend them if you heavily use AWS and store PII or other sensitive information.)
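As an added example (not from the original post), here is a small Python audit that applies two of the checks above: every console user plus the root account has MFA active, and every S3 bucket blocks public access. It assumes the data shapes of the IAM credential report CSV and the S3 PublicAccessBlock configuration; the sample report and bucket settings below are constructed.

```python
import csv
import io

# Constructed sample in the IAM credential report layout (first 8 columns of the
# real report, which you would pull with iam.get_credential_report()). Made-up account.
SAMPLE_CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111111111111:root,2018-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::111111111111:user/alice,2019-02-01T00:00:00+00:00,true,2024-01-02T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111111111111:user/bob,2019-03-01T00:00:00+00:00,true,N/A,2023-11-01T00:00:00+00:00,N/A,false
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2020-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""

# Constructed bucket -> PublicAccessBlockConfiguration (as returned by
# s3.get_public_access_block). None stands for "no configuration at all".
SAMPLE_BUCKETS = {
    "corp-finance-backups": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "marketing-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                         "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "hr-uploads": None,
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def mfa_findings(report_csv):
    """Return users who can sign in to the console (or root) without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def bucket_findings(buckets):
    """Return {bucket: [public-access flags that are not enabled]}; all four must be on."""
    findings = {}
    for name, pab in buckets.items():
        missing = list(PAB_FLAGS) if pab is None else [f for f in PAB_FLAGS if not pab.get(f)]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print("Accounts without MFA:", mfa_findings(SAMPLE_CREDENTIAL_REPORT))
    print("Buckets not fully blocking public access:", bucket_findings(SAMPLE_BUCKETS))
```

Feed it the live credential report and the output of get_public_access_block for each bucket and the two functions become the board-level evidence that the "no public buckets" and "MFA everywhere" items are actually in place.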
☐ #14: If the company uses Microsoft Azure, make sure the company regularly runs the Azure Secure Score process in the Security Center and addresses found issues.
Why this should be implemented? The only way to ensure your cloud services are secure is to regularly check that they are secure. Use the tools Microsoft gives you and ensure IT tracks the remediation of every item found in the audit, including tracking if any were false positives that could be ignored. Run at least quarterly, but even better monthly.
How does this reduce risk? Sadly, people change and configure things constantly in Azure (or AWS), and they often misconfigure items and leave their cloud services open to attacks or leaks. (Note: There are more expensive services that Azure and security companies offer that can perform exhaustive checks, and I would recommend them if you heavily use Azure and store PII or other sensitive information.)
☐ #15: Train your employees on cyber security.
Why this should be implemented? People are woefully ignorant of how to protect themselves and the company from cyber-attacks. Make sure all new hires get training right away, and at least annual training occurs for everyone. Cyber-attacks change every year so keep your people informed and they will help protect the company.
How does this reduce risk? People are the most common attack vector for phishing, email hacking, false websites with malware, etc. Train your people to protect themselves and the company. This is one of your best investments, and it’s not costly.
☐ #16: Purchase Cyber Insurance
Why this should be implemented? If you do get hacked, paying out fines, covering legal costs, and other liabilities in case of a breach of things like SSN, credit card numbers, health records, etc. can be very expensive. Cyber Insurance helps pay for these items and it’s not overly costly…and, even better, if you’ve implemented all these checklist items, your cyber insurance costs will likely be lower.
How does this reduce risk? Almost any size company that processes significant personal information of employees or customers, or credit card info, should have insurance just like they have general liability insurance.
☐ #17: Either use Single Sign On (SSO) or verify users monthly for all Cloud Storage or SaaS Applications
Why this should be implemented? Many people have moved to using storage in the cloud (dropbox, box.net, onedrive, google drive, etc.) or using many different SaaS applications (salesforce.com, netsuite, Payroll, HRIS, DocuSign, etc.). The challenge is knowing who has access to this data, especially after people leave the company.
How does this reduce risk? If you use Single Sign On (SSO) with all your cloud applications, then when you remove someone from your directory authentication (such as Active Directory) because they left the company, they are also removed from access to your cloud storage and SaaS apps, because SSO relies on your directory authentication. If you don’t have SSO, or the funds for SSO, then a mitigating control is to review who has access and manually remove anyone who should no longer have it on a regular basis, such as monthly. Don’t let disgruntled ex-employees increase your cyber risk. Not to mention, removing unused users from cloud services usually saves you money, since most are charged by user count.
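For the monthly review without SSO, here is an added Python example (not from the original post) that diffs each SaaS application’s user export against the directory and reports disabled ex-employees and accounts the directory has never heard of. The directory and app exports below are constructed; the allowlist parameter is a hypothetical way to exempt known vendor or service accounts.

```python
# Constructed directory export: email -> account enabled? (what you would pull from
# Active Directory or your identity provider). Disabled == left the company.
DIRECTORY = {
    "alice@example.com": True,
    "bob@example.com": False,
    "carol@example.com": True,
}

# Constructed per-application user exports (what each SaaS admin console lets you download).
SAAS_USERS = {
    "salesforce": ["Alice@Example.com", "bob@example.com", "dave@example.com"],
    "box": ["carol@example.com", "bob@example.com", "audit-svc@vendor.example"],
}


def normalize(email):
    """Emails differ in case and whitespace between systems; compare a canonical form."""
    return email.strip().lower()


def review_saas_access(directory, saas_users, allowlist=()):
    """Compare each app's user list against the directory.

    Returns {app: {"disabled": [...], "unknown": [...]}} where "disabled" are
    directory accounts that are switched off (remove them from the app) and
    "unknown" are accounts with no directory entry at all (investigate them).
    Accounts in allowlist (e.g. approved vendor/service logins) are skipped.
    """
    dir_norm = {normalize(e): enabled for e, enabled in directory.items()}
    allow = {normalize(e) for e in allowlist}
    report = {}
    for app, users in saas_users.items():
        disabled, unknown = [], []
        for raw in users:
            email = normalize(raw)
            if email in allow:
                continue
            if email not in dir_norm:
                unknown.append(email)
            elif not dir_norm[email]:
                disabled.append(email)
        report[app] = {"disabled": sorted(disabled), "unknown": sorted(unknown)}
    return report


if __name__ == "__main__":
    for app, result in review_saas_access(DIRECTORY, SAAS_USERS, {"audit-svc@vendor.example"}).items():
        print(app, "remove:", result["disabled"], "investigate:", result["unknown"])
```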
☐ #18: Access to the Internet should be protected by a Firewall that is managed by a 3rd party skilled in keeping it updated/patched, and skilled in configuring it securely.
Why this should be implemented? Firewalls require management and skilled configuration. Too many companies are poor at managing all their firewalls and ensuring every one of them is patched and configured securely, so outsourcing this to a company that is skilled at it and does it every day is a good use of funds.
How does this reduce risk? Firewalls are the first layer of protection from the internet hackers. Ensuring they are configured securely and patched against known vulnerabilities is just a requirement these days.
In conclusion, I’m quite positive security professionals will think of other low cost “basics” that should be added to this list, so just let me know and I’ll update and publish for anyone to download and utilize.
I hope many Board Members will utilize this list to trust but verify their company is implementing the Cyber Basics to help reduce the risk of a cyber breach.