Cyber threats are on the rise – putting businesses, dollars and real lives in grave danger. Regardless of an organization’s size, most companies deal with securing personal information, computer networks and connected devices to conduct daily operations. As cyber attacks grow in frequency and sophistication, associated costs to mitigate these attacks skyrocket. According to Gartner, the worldwide security market reached $75 billion in 2015. This spending is expected to increase in 2018 to $101 billion and reach an estimated $170 billion by 2020.
How can businesses with minimal IT and cybersecurity budgets keep up with today’s demands? Fortunately, there are a number of cost-free solutions that organizations can adopt to make a positive impact in their security program.
1. Change your password
As much as one-third of all data breaches and cyber attacks can be attributed to weak or out-of-date passwords. These breaches can be accomplished through password cracking programs, phishing attempts, theft and the illegal buying and selling of personal data. It takes more than 200 days, on average, for a victim of a cyber attack to notice the breach. According to a 2015 report by TeleSign, 47 percent of people are using passwords that are more than five years old. Creating a strong password policy and enforcing quarterly password updates are key in defending against credential hacks.
In 2016, Dropbox, LinkedIn and Yahoo were the victims of large-scale breaches (Yahoo’s attack was the largest in history, with more than 1 billion accounts compromised). Unfortunately, many users adopt the same username and password across all of their online accounts. This allows hackers to enter stolen credentials to access additional resources online. In some instances, hackers were able to remotely control the user’s desktop. From there, hackers can purchase goods and services from online retailers, such as Amazon, through the compromised machine.
Unsafe passwords, such as “123456” and “password,” are among the easiest credentials to crack and are still heavily used to this day. However, unique and long passwords for each account can prove difficult to remember. Password managers, such as LastPass or KeePass, can help users create and safely store credentials that are difficult to breach.
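A password policy of the kind described above can be enforced in code. The following is an added example, not part of the original article: it rejects denylisted, short or previously used passwords when a user changes one, and lists accounts overdue for the quarterly update. The 90-day limit, the 12-character minimum, the denylist and the account data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed denylist; a real deployment would load a far larger list.
DENYLIST = {"123456", "password", "qwerty", "letmein"}
MAX_AGE_DAYS = 90   # assumption: "quarterly" is read as 90 days
MIN_LENGTH = 12     # assumption: the article gives no minimum length

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) so history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def check_new_password(candidate, history):
    """Return the list of policy violations; an empty list means accepted.

    history is a list of (salt, digest) pairs for the user's earlier passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in DENYLIST:
        problems.append("on denylist")
    for salt, digest in history:
        # Re-hash with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("reused")
            break
    return problems

def stale_accounts(accounts, today):
    """Return the usernames whose password is older than MAX_AGE_DAYS."""
    return sorted(user for user, changed in accounts.items()
                  if (today - changed).days > MAX_AGE_DAYS)

# Constructed sample data: username -> date the password was last changed.
ACCOUNTS = {
    "alice": date(2017, 1, 10),
    "bob": date(2011, 6, 1),
    "carol": date(2017, 3, 30),
}

if __name__ == "__main__":
    print(stale_accounts(ACCOUNTS, date(2017, 4, 20)))
    print(check_new_password("password", []))
```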
Organizations should also consider multifactor authentication as an added security measure. Multifactor authentication (MFA) is a system that prevents data theft by requiring more than one source of credentials from a user or employee before they can access your data. For example, organizations could install a push-notification app, like Duo Security.
2. See What the Bad Guys See
What exactly do the “bad guys” know about your network? Search engines like Shodan and Censys gather enormous amounts of information about your company’s network and publish it online. Through sites like these, hackers can locate your organization’s potential vulnerabilities. For example, a hacker could discover that systems on your network use a weak SSL cipher, which can be used to extract sensitive information. These search engines also identify open internet-based cameras and baby monitors that can be used for spying purposes! Conversely, this information can be used by a business to help identify and patch weaknesses before a breach happens.
The website haveibeenpwned.com is a great resource to help individuals and organizations identify compromised email accounts. This site will identify which service provider leaked the credentials and the year that it happened. In addition, users can query the results for an entire domain, which allows IT administrators to quickly mitigate the issue.
3. Know your users and trust your devices
Over time, some organizations develop what is referred to as “a hard outer shell and soft in the middle.” This refers to instances when companies deploy firewalls and other security services which protect the perimeter of the network, while ignoring the security of internal systems. The proliferation of cloud-based services and BYOD (bring-your-own-device) practices has increased the vulnerabilities of the “hard outer shell” security approach.
Truly secure organizations have adopted zero trust models — this is when an organization no longer trusts its internal networks or external connections. To implement this practice, companies must migrate from role-based models and move toward attribute-based models for authentication. This can be accomplished by deploying security certificates on corporate end user devices. When users attempt to establish a remote connection, the security system checks the attributes of the certificate installed on the device and login credentials of the user that is attempting to connect. In the event a user attempts a connection without a certificate installed, the connection will be denied.
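The connection check described above can be sketched with Python's standard ssl module. This is an added example, not part of the original article: the server context refuses any client that presents no certificate, and authorize() then evaluates the certificate's attributes together with the user's login result. The CA name, the device-to-user table and the sample certificate are hypothetical, constructed values.

```python
import ssl

TRUSTED_ISSUER_CN = "Example Corp Device CA"   # hypothetical internal CA name
ENROLLED_DEVICES = {"laptop-0042": "alice"}    # constructed: device CN -> assigned user

def build_server_context(cert_file, key_file, ca_file):
    """TLS context that rejects clients without a certificate signed by our CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED        # no certificate, no connection
    return ctx

def _common_name(name):
    """Extract commonName from the nested tuples used by getpeercert()."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize(peer_cert, username, credentials_ok, now):
    """Return (allowed, reason).

    peer_cert is a dict in the format returned by SSLSocket.getpeercert();
    now is a timezone-aware datetime; credentials_ok is the login result.
    """
    if not peer_cert:
        return False, "no device certificate"
    if _common_name(peer_cert.get("issuer", ())) != TRUSTED_ISSUER_CN:
        return False, "untrusted issuer"
    if now.timestamp() > ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return False, "certificate expired"
    device = _common_name(peer_cert.get("subject", ()))
    if ENROLLED_DEVICES.get(device) != username:
        return False, "device not assigned to user"
    if not credentials_ok:
        return False, "bad credentials"
    return True, "ok"

# Constructed sample certificate in getpeercert() format.
SAMPLE_CERT = {
    "subject": ((("commonName", "laptop-0042"),),),
    "issuer": ((("commonName", "Example Corp Device CA"),),),
    "notAfter": "May 18 00:00:00 2018 GMT",
}
```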
Improving your organization’s security posture does not require expensive tools and outrageous license fees. Ensuring users follow password management best practices, mitigating threats outlined by search engines and adopting zero trust authentication models will make a large contribution to your overall security strategy.
Learn more about implementing low-cost security solutions, hacking prevention, incident response and more at the Michigan Cyber Range Convention on May 18. Seating is limited. Visit Merit.edu/MCRcon17 to register today!