This is an original article by Kathleen Martin, MEP's IT Security Officer and a Certified Information System Security Professional.
Almost weekly we hear about another company or organization that has fallen victim to a cyber-attack. We know cybercriminals are more persistent and we need to be more diligent about protecting information.
I think in our personal lives most of us are trying to be more careful. Gone (I hope) are the days of setting each of our personal passwords to 123456. Yet, we don’t seem to carry the same level of concern into the office. Since our IT professional surely has a handle on our cybersecurity, I shouldn’t worry…right?
The fact is, we as employees play a vital role in protecting the company we work for, and it only takes one wrong click to compromise a business. A recent study from Willis Towers Watson found that 90 percent of cyber incident claims result from some type of human error or behavior. Here are five questions and answers to help guide you on your journey to making your company more secure.
A company’s risk varies considerably based on its unique operating environment so there are many things to evaluate and consider.
Do you have many employees who use email? Spear phishing might be a top risk for you. Is every device with an IP address on your shop floor secured? If not, malicious code, unauthorized access and use, or data exfiltration could be top risks.
Performing cybersecurity risk assessments should be a key part of your organization’s information security management program. Everyone knows there is some level of risk involved when it comes to a company’s critical and secure data, information assets and facilities. But how do you quantify and prepare for this cybersecurity risk? The purpose of an IT security risk assessment is to determine what security risks your company’s critical assets face and to know how much funding and effort should be used in protecting them.
The NIST Risk Management Framework (RMF) is a great resource to get started. The RMF provides a structured, yet flexible approach for managing the portion of risk that arises from the systems your company controls and from your organization’s business processes.
While using a password manager for your personal online accounts is a terrific way to stay secure, remember to check your company’s policies before using any software at work.
Password managers can help you store your passwords as well as generate unique ones for each site. However, keeping all your passwords in one place is risky. It’s important to understand how your passwords are protected and whether they are encrypted. There are various commercial products available that work with multiple devices and browsers, so do your research to find one that best meets your needs.
Protecting your intellectual property and sensitive customer and employee information can give you and your customers peace of mind. It is also a sound business practice when you look at the financial impact, decrease in productivity and loss of trust a cyber-attack can cost you.
For companies in the Department of Defense (DoD) supply chain, such protection is an absolute must. These companies are required to meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards or risk losing their DoD contracts.
Here are several examples of security frameworks or standards that can help you understand and mitigate your risk: NIST Cybersecurity Framework, NIST SP 800-53 - Security and Privacy Controls for Information Systems and Organizations, the NIST MEP Cybersecurity Self-Assessment Handbook, and the Payment Card Industry Data Security Standard (PCI DSS). It’s easy to get confused about which document you should reference, so here’s a little more information about each:
Two-factor authentication (2FA) is an extra layer of security used to make sure that you are who you say you are. The problem it addresses is that usernames and passwords alone are easily guessed, and people reuse the same passwords across multiple sites. Publicly disclosed incidents reveal that 5,518 records are leaked every minute.
2FA stops other people from easily gaining access to your accounts. When 2FA is enabled, you enter your username and password into the login page. Then, instead of immediately gaining access, you will be required to provide another piece of information. This second factor could be one of the following:
If you are unsure whether or not your sites or apps have 2FA, visit TwoFactorAuth.org to find out.
Turn 2FA on for all accounts. See Telesign’s step-by-step instructions for enabling 2FA: https://www.turnon2FA.com.
Most companies do have policies about how to purchase software (either boxed/online or externally hosted in the cloud). It is important to know which applications you can use immediately, and which need further investigation to ensure they are secure enough for your use and for the data that will be processed and/or stored within them. Know what is required and work with your cybersecurity professional to go through the required processes so the information will be secured properly.
If you would like to better understand your cybersecurity risk, you can use the MEP National Network™ Cybersecurity Self-Assessment Tool, or contact IMEC at info@imec.org or 888.806.4632.