October is an interesting month. It ends with Halloween and comes with 30 more days filled of cybersecurity. In fact, each year October is “National Cybersecurity Awareness Month” in the U.S. and “European Cybersecurity Month” in, well, Europe.
So, before we dress up as ghosts, vampires, or whatever, let’s have a quick look at some old, some new risks we see each day, and how to deal with them.
- User Training. Creating Awareness. It Never Gets Old!
This is the Holy Grail in security. I’m not talking malicious insider threats (more on those later), but careless users. They click on cat pics all day. They click on weird emails. They download a nice desktop background that comes as an executable. Basically, we’re looking at the root of all evil.
I’ve recently noticed an increase in social engineering and/or phishing attempts.
It starts harmless with emails supposedly sent by colleagues, but from their private accounts. Maybe they’d like to work on a project but require a document right now? What could possibly go wrong?
- Ransomware Is Still a Thing. But the Impact Is Easily Prevented.
It happens too quickly, and when we notice it, it’s often too late. The data is gone, the machine no longer usable. What to do now? Format C:\ and restore from backup. Oops, no backup? Well…
End-user devices are low-hanging fruits for such attacks. To prevent a disaster, make sure the home/user folders are either backed up to a remote server, or synced with a SaaS solution. But also make sure the users understand items outside of those folders aren’t protected.
- Working From Home Is Risky. Mind Your Robot Vacuum.
Since March, most of us have been working from home. From a security standpoint, this is extremely challenging and comes with loads of variables. Sure, IT still has control over the end device, but not the surrounding. It starts with insecure Wi-Fi connections and ends with all the IoT devices we use. Without deep investigation, we can’t know if and what data they pick up from the network, and if they do, where do they send it?
Unfortunately, minimizing the risk in such a situation isn’t easy, but a combination of enforcing VPN connections and multi-factor-authentication to access the most critical business systems should be a requirement.
- Free Tools and Services. Ever Wonder Why They’re Free?
This isn’t new but goes unnoticed most of the time. There are loads of free tools and web services out there that sound charming and useful. An automated full text translation into whatever language? A tool to merge two or more PDF documents? Another tool to create flowcharts and visualize business processes? We all use them, don’t we?
We just cannot be sure what happens with all the information we give away voluntary.
An organisation needs a multi-layered approach to mitigate such risk, starting with a strict policy blocking accesses, but the best idea is to provide such services in a more secure way. PDF editors and flow chart tools don’t cost millions anymore.
- Budget Freezes. And Cuts.
Until end of 2019, IT budgets weren’t the biggest in an organization, but managers learned to juggle the money, and it worked out, somehow. Finding and acquiring new talent was a bigger problem.
Now, looking at the last quarter of 2020, we can say things went south. Finding a suitable IT person is often easier now, as many have lost their jobs, but there’s zero money to hire them.
So, the headcount situation is the same if not worse. What to do now?
The obvious answer is to rely more on technology, but it’s a bit more complicated than that.
Most technology (read: tools) cost money, too, and where do we get the money if there’s none available? In many cases, freeware or open-source could come to the rescue, and in other cases, it’s might be time to finally start looking into automating routine tasks. Start now.
- Finally, the Evergreen: Insider Threats, the Malicious Kind.
Frustration as a result of six months of “isolation,” probably no bonus payments, no pay rises for obvious reasons, but still: this is what could possibly create a disgruntled employee. And there’s no higher security risk to any organisation.
An employee is considered trustworthy until something happens. There’s no warning, and it’s almost impossible to interrupt an incident once it starts. Forwarding information, destroying data, destroying company property, you name it.
But still, efforts to mitigate such incidents are required, like deploying a data loss prevention solution, and making sure the principal of least privilege exists and works.
So, what do we do now at Halloween?
Perhaps dressing up as ransomware? Difficult, as no one knows what it looks like.
Dressing up a virus? Well, maybe not in 2020.
Maybe as a log? Chances are no one gets it. Good old UDP joke.