October is National Cyber Security Awareness Month (NCSAM), an annual campaign about the importance of cybersecurity in everyday life. According to the US Department of Homeland Security (DHS), NCSAM “[…] is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.”
Cyber crime is a growing issue in the US
Information security is one of the most pressing issues in the US today. Over the last nine months, several high-profile organizations have suffered major data breaches. The US Securities and Exchange Commission (SEC), the federal agency that regulates US securities markets, Deloitte, and Equifax all suffered cyber attacks that compromised personal and/or confidential data, put their reputations on the line, and raised wider concerns about the state of information security.
- Equifax: In one of the biggest breaches of 2017, Equifax took a huge hit when attackers stole the personal information of 143 million consumers, including full names, birth dates, Social Security numbers, home addresses, and driver’s license numbers. The attackers got in through an unpatched vulnerability in one of Equifax’s public-facing web applications; the vendor’s patch had been available since March but had not been applied. This was the second cyber attack the credit reporting agency experienced in 2017 (the first occurring in March). The intruders had access for more than two months before Equifax detected the breach on July 29. Paulino do Rego Barros Jr., interim CEO at Equifax, issued a public apology in an op-ed piece for the Wall Street Journal, where, in addition to the usual ‘we’re working to improve ourselves’ rigmarole, he announced that by January 31, 2018 the company would roll out a service letting consumers lock and unlock access to their Equifax credit files for free, for life.
- Deloitte: One of the ‘big four’ accounting firms, Deloitte was hit by a cyber attack that was first discovered in March but may have gone undetected since October or November 2016. The attackers targeted Deloitte’s global email system through an administrator account that was protected by a single password, with no multi-factor authentication. Exposed data included the personal details, usernames, and passwords of clients across all sectors, plus confidential plans of blue-chip clients. In addition to sensitive email attachments containing security and design details, the attackers may have accessed IP addresses, architectural diagrams, and business health data.
- SEC: On September 20, the SEC revealed that in 2016 attackers had broken into EDGAR, its electronic corporate filing system, by exploiting a software vulnerability in EDGAR’s test filing component, the area where filers can trial submissions such as periodic financial reports and announcements of newsworthy developments. The vulnerability was patched promptly at the time, but a later investigation into suspicious trading activity led the agency to conclude that the stolen non-public information may have been used for illicit trades. This is not the first time the SEC has dealt with attacks of this kind. In 2015, the SEC charged 32 defendants in a scheme in which two hackers infiltrated newswire services and passed stolen, not-yet-public press releases to a network of international traders, generating more than $100 million in illicit profits.
Nine steps to make your work environment cyber secure
Information security affects nearly everyone. It begins in your home and extends into the workplace. All organizations are potential cyber crime targets. Here are nine steps you can take to instill a culture of cybersecurity, safeguard your information, and reduce data breach risk:
- Make sure you have implemented an adequate information security management system (ISMS)
An ISMS consists of the policies, procedures, guidelines, resources (including IT systems), and activities that protect a company’s information. Good information security meets the requirements of customers, employees, legal counsel, and regulators. It is efficient, actively operated, and preventative, and it is also prepared for the case where controls fail and the ISMS itself is compromised.
- Adopt a risk management approach to information security
This point goes hand in hand with establishing an effective ISMS. Know your information security risk profile: which information assets you hold, the range of threats that could affect them, and the likelihood and impact of each risk, so that controls are chosen to address the risks that matter most.
- Meet basic cyber hygiene requirements with five critical controls
By adopting five basic controls, your organization can fend off the majority of common, commodity cyber attacks; the UK government estimates these controls would stop up to 80% of them.
- Boundary firewalls and Internet gateways: devices, in hardware or software form, that control traffic between your private network and the Internet. Configure them to deny inbound connections by default, allow only the services that are actually needed, and never expose administrative interfaces to the Internet.
- Secure configuration: ensuring that systems are configured in the most secure way for the needs of the organization, with unnecessary accounts and software removed or disabled and vendor default passwords changed.
- Access control: ensuring that only those who should have access to systems do have it, at the appropriate level, with administrative privileges restricted to the people who need them and protected accordingly.
- Malware protection: ensuring that anti-virus and anti-malware protection is installed, running, and kept up to date.
- Patch management: ensuring that software is the latest supported version, that unsupported software is removed, and that security patches supplied by the vendor are applied promptly.
If your organization wants a recognized framework for these five controls, the UK government’s Cyber Essentials (CE) scheme is built around exactly this set and offers certification against it.
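As an added example (not part of the original post, and not Cyber Essentials’ own tooling), the following Python script turns the five controls into measurable checks run over a host inventory. The 14-day patch window is Cyber Essentials’ actual requirement for critical and high-risk updates; the other thresholds, the host records, and the `check_host`/`assess` function names are assumptions made for this example.

```python
"""Evaluate a host inventory against the five basic cyber hygiene controls.

Example code written for this article; the inventory below is constructed,
not taken from any real network.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)       # Cyber Essentials: critical/high patches within 14 days
SIGNATURE_MAX_AGE = timedelta(days=7)   # assumption: malware signatures no older than a week
MIN_PASSWORD_LENGTH = 8                 # assumption for this example


@dataclass
class Account:
    name: str
    is_admin: bool
    mfa: bool
    password_length: int
    default_password: bool = False      # still on the vendor-supplied password?


@dataclass
class Host:
    name: str
    fw_default_inbound: str             # "deny" or "allow"
    admin_ports_internet_exposed: bool  # RDP/SSH/management UI reachable from the Internet
    accounts: List[Account]
    pending_updates: Dict[str, date]    # update id -> vendor release date
    unsupported_software: List[str]     # software past vendor end of life
    av_installed: bool
    av_signatures_updated: Optional[date]


def check_host(host: Host, today: date) -> List[str]:
    """Return one finding string per control failure, prefixed with the control name."""
    findings: List[str] = []

    # 1. Boundary firewalls and Internet gateways
    if host.fw_default_inbound != "deny":
        findings.append(f"firewall: {host.name} default inbound policy is "
                        f"'{host.fw_default_inbound}', expected 'deny'")
    if host.admin_ports_internet_exposed:
        findings.append(f"firewall: {host.name} exposes administrative services to the Internet")

    # 2. Secure configuration
    for acct in host.accounts:
        if acct.default_password:
            findings.append(f"config: {host.name} account '{acct.name}' still uses a vendor default password")
        if acct.password_length < MIN_PASSWORD_LENGTH:
            findings.append(f"config: {host.name} account '{acct.name}' password shorter than "
                            f"{MIN_PASSWORD_LENGTH} characters")

    # 3. Access control: administrative accounts need a second factor
    for acct in host.accounts:
        if acct.is_admin and not acct.mfa:
            findings.append(f"access: {host.name} admin account '{acct.name}' has no multi-factor authentication")

    # 4. Malware protection
    if not host.av_installed:
        findings.append(f"malware: {host.name} has no anti-malware protection installed")
    elif host.av_signatures_updated is None or today - host.av_signatures_updated > SIGNATURE_MAX_AGE:
        findings.append(f"malware: {host.name} anti-malware signatures are stale")

    # 5. Patch management: anything older than the window is overdue, unsupported software has no patches
    for update_id, released in host.pending_updates.items():
        overdue = today - released - PATCH_WINDOW
        if overdue > timedelta(0):
            findings.append(f"patch: {host.name} missing {update_id} released {released}, "
                            f"{overdue.days} days past the {PATCH_WINDOW.days}-day window")
    for sw in host.unsupported_software:
        findings.append(f"patch: {host.name} runs unsupported software '{sw}' (no vendor patches)")

    return findings


def assess(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Map each host name to its list of findings; an empty list means all five controls pass."""
    return {h.name: check_host(h, today) for h in hosts}


# Constructed sample inventory: one well-managed host and one neglected legacy host.
TODAY = date(2017, 10, 16)
SAMPLE_HOSTS = [
    Host("web01", "deny", False,
         [Account("ops", True, True, 16), Account("www", False, False, 24)],
         {"os-update-2017-10": date(2017, 10, 10)}, [], True, date(2017, 10, 15)),
    Host("legacy02", "allow", True,
         [Account("admin", True, False, 5, default_password=True)],
         {"os-update-2017-09": date(2017, 9, 12)}, ["legacy-crm-4.2 (end of life)"],
         True, date(2017, 9, 1)),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_HOSTS, TODAY).items():
        print(f"{name}: {'PASS' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Running it reports `web01` as passing (its one pending update is six days old, inside the window) and lists eight findings for `legacy02`, including a patch 20 days past the window. The useful part is the shape: each control becomes a yes/no test with a stated threshold, which is what an auditor or a CE self-assessment will ask for.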
- Implement suitable education and awareness training
Training should give people a working knowledge of information security policy and procedures while inspiring daily practice. Make cybersecurity a topic of frequent discussion at all levels. Hold tabletop exercises to test incident response and business continuity procedures.
- Hold every person accountable
The more people know about workplace cybersecurity policies, including the consequences of a data breach, the better equipped they are to meet those policies’ requirements. Make sure all employees are security-aware, and encourage individual accountability for access and privacy.
- Make physical information security a part of your strategy
Safeguard the physical work environment. Keep unauthorized people out of your secure perimeter. Protect documents while they are in use and destroy them securely when they are no longer needed. Secure desktops, portable devices, and workstations: lock screens when unattended, encrypt laptops and removable media, and physically secure equipment.
- Know your company’s incident reporting procedure
Your organization should have an incident reporting procedure and a business continuity plan. Make sure you know who the information security manager is and what to do when something goes wrong, and report suspected incidents promptly: the Deloitte and Equifax cases above show how much damage months of undetected access can do.
- Conduct an information security audit
Assess your information security posture from technical, physical, and administrative perspectives. If you already have an ISMS, make sure it is working as it should. When in doubt, call in experts to conduct an audit on your behalf.
- Obtain accredited certification to ISO 27001
ISO 27001 is the internationally recognized standard that specifies the requirements for an organization’s ISMS. Whatever its size, structure, sector, or technical systems, any organization can adopt ISO 27001 to improve its information security.
Follow our NCSAM blog series and learn how to secure your organization from cyber crime. Register to receive our Daily Sentinel and get up-to-date news and information.