7 Security Strategies to Reduce Cyber-Attacks
There is a big difference between compliance and security, yet the language used to describe the two concepts is often used interchangeably. Take a jewelry store as an example. If the jeweler were only required to protect the valuables for compliance, they would put a lock on the door when they are not at the store, and they would meet the requirement of securing the diamonds. But they don’t stop protecting their assets with a single lock. A jewelry store is full of security mechanisms that protect the business if the lock is picked or the door is mistakenly left unlocked: security cameras, locked cases, and a glass case full of gorgeous items from which only one piece is removed at a time for viewing. The store is staffed by at least two people, and so on. You get the idea: the jewelry store is protected by layers of security. Below are descriptions of cyber security layers a business can use to protect its valuable data, rather than just complying with standards for protecting it.
1. Risk Transference is a Good Place to Start
Let’s boil down the concept of “risk transference.” Transferring risk means shifting the liability or responsibility for a risk to another organization, which is typically accomplished by buying cyber liability insurance. But consider this option carefully. It is only a “good start” because if your business is supposed to offer cybersecurity awareness training to your employees twice per year, but you are not really providing formal, interactive training, you may run into problems when your business tries to file a claim after a security breach. If training was ad hoc, the insurance company is going to look into it. Analogies are entertaining, so let’s use one here: if insurance companies handed out auto insurance but didn’t require people to have a driver’s license or take any type of safety course, what would the highway look like, and would you trust someone who doesn’t have a license but has insurance? Well, this is exactly what is happening in the cyber liability insurance industry right now.
2. Use a password manager
One of the places a business can begin to improve security is by requiring UNIQUE, strong passwords, and one of the easiest ways to do this is with a password manager. A password manager securely keeps the passwords for all of your accounts in one “vault” and recalls them when needed. This allows users to create really strong passwords and to have a different password for every account. Examples of password managers on the market are LastPass, Dashlane, Bitwarden, Keeper, and many more.
3. Use two-factor Authentication
Single-factor authentication is just that: single, one. In most cases the only thing that is secret is the password. If your password is compromised and you don’t realize it, someone can log into your account; with two-factor authentication enabled, it is a little harder for hackers. 2FA is a second layer of protection, usually a security code texted to your phone, and the code is time sensitive. This adds another layer of security and doesn’t really take that much extra time. Keep in mind that there are phishing attacks that can trick users into sharing the code from their phone, so it isn’t 100% fool-proof. But nothing in security is; it is the layered approach that hardens an organization against hackers.
4. Verify Links and Potential Illegitimate Email Messages
Everyone knows that ransomware is the preferred attack of cyber criminals. It is a great way for them to make money. Every business has email, every business needs its computers to do business, and many businesses have cyber insurance to cover the cost of ransomware attacks. There are criminal syndicates who develop the software and sell it to other criminals on the darknet, a model referred to as RaaS (Ransomware as a Service). Therefore, you should look at every email with a side-eye. Consider it guilty of malicious intent until proven otherwise. Learn how to spot a phishing email by attending Zelvin Security's Security Awareness Training.
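As an added example of what "verifying links" can mean in practice (this is illustration code written for this article, not a Zelvin Security tool), the script below pulls every link out of an HTML email body and reports the usual warning signs: the visible text names one site while the link points at another, the host is a raw IP address, a trusted brand name appears as a subdomain of some unrelated domain, credentials are embedded before the host name, or the link is plain http. The email body and the `TRUSTED_DOMAINS` allow-list are constructed for the demo.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this organization legitimately uses (constructed for the demo).
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Constructed sample email body: one lookalike link, one IP-address link, one legitimate link.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Upgrade now to avoid losing messages.</p>
<a href="http://example.com.mailbox-upgrade.net/login">https://mail.example.com/upgrade</a>
<a href="https://198.51.100.7/reset">Reset password</a>
<a href="https://example.com/help">Help center</a>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'site' name: the last two labels (good enough for .com-style domains)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href: str, text: str) -> list:
    """Return the reasons this link looks suspicious; an empty list means none were found."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("plain http link")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if parts.username is not None:
        reasons.append("credentials embedded before the host name")
    # Visible text that looks like a URL or domain but does not match where the link goes.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text says {shown.group(1)!r} but link goes to {host!r}")
    # A trusted brand name buried inside an untrusted domain (e.g. example.com.something.net).
    brands = {d.split(".")[-2] for d in TRUSTED_DOMAINS}
    if host and registrable(host) not in TRUSTED_DOMAINS and any(b in host for b in brands):
        reasons.append(f"trusted name used inside untrusted domain {registrable(host)!r}")
    return reasons


def scan_email(html: str) -> list:
    """Return [(href, [reasons...]), ...] for every link in the body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, check_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {href}")
        for r in reasons:
            print("           -", r)
```

The point is not that a script replaces the "side-eye" the text recommends, but that the same checks a trained user performs by hovering over a link can be written down and run automatically at the mail gateway, so the obvious cases never reach the inbox.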
5. Measure Resiliency with a 3rd Party Cyber-Security Assessment
At Zelvin Security, we are motivated by proactively identifying risks and vulnerabilities to mitigate the most likely risks. One of the best ways to identify the gaps in security for a business or a vendor is to have a fresh pair of eyes test the organization to identify the weakest points. At Zelvin Security we perform penetration tests, vulnerability assessments, security awareness training, and cyber security advisements to help businesses measure where their greatest risk lies.
A risk assessment is a non-technical high-level overview of the security posture of the organization, measured by the author. It is subjective. It is not measuring the effectiveness of the security controls; it is simply describing the assets and controls within the organization. This is a compliance checklist. It is not a security assessment.
A Vulnerability Assessment is a technical security assessment provided by Zelvin Security. The goal of the engagement is to identify well-known vulnerabilities within the tested environment which could potentially be exploited by a threat actor or make a system perform in an unintended manner. In 2019 over 20,000 new, unique computer vulnerabilities were discovered. This type of test identifies whether these vulnerabilities are present on a network or system and whether the business is at risk from them. At Zelvin Security, we take the test one step further and provide businesses with a step-by-step guide to mitigate the vulnerabilities in the least expensive, most effective way possible.
A Penetration Test is a simulated cyber-attack. A pentest, aka an Ethical Hacking Engagement, is when an Ethical Hacker is paid to identify security issues within a business by emulating a malicious actor to see if PII, PHI, sensitive data, credentials, and access to unauthorized areas can be discovered and exploited. In this type of test Zelvin Security sends phishing emails to try to trick users into providing access, but the testers also try to trick the computer systems and security controls into allowing access. This is the type of test that shows how the network, application or cloud environment tolerates a real-world-style attack, the level of sophistication an attacker likely needs to compromise the system, and whether the countermeasures in place (like 2FA, endpoint detection software, antivirus, and more) are effective at mitigating threats against the system.
If your business is not routinely performing 3rd party cyber security assessments to identify technical security threats, you are an easier target than businesses who are measuring their success against attacks.
6. Security Awareness Training
Humans are the weakest link in cyber-attacks, since phishing is so widely used by cybercriminals, but you can practice how to identify phishing emails and foil attacks. You can practice your security awareness skills, and you can learn how to identify new attacks before they happen. Zelvin Security offers cyber security awareness training. We hope you will consider joining us for an interactive program which will give you practical tips to protect yourself at work, at home or wherever you are online. It's fun and full of excellent strategies to reduce social engineering threats.
7. Know your Assets
Today, if you don’t have a comprehensive understanding of all of your digital assets, take a moment to complete an audit. How many computers, printers, cameras, machines, servers, IoT devices, timeclocks, and other networking devices are on your network? This is the most important pillar of security. Why is it the most important element? Because if you don’t know what you are trying to protect, you can’t protect it! And if you suffer an attack, you will need to know your digital assets.
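One practical way to keep that audit honest is to compare what you believe you own against what is actually talking on the network. The following is an added example written for this article (not a Zelvin Security tool): it parses a constructed asset inventory and a few constructed DHCP lease log lines, then reports devices that appear on the network but not in the inventory, and inventoried devices that have gone silent. The log line format, the MAC addresses and the host names are all assumptions made up for the demo.

```python
import csv
import io
import re

# Constructed authorized inventory: what the business believes it owns.
INVENTORY_CSV = """mac,hostname,type,owner
aa:bb:cc:00:00:01,fileserver01,server,IT
aa:bb:cc:00:00:02,printer-lobby,printer,Facilities
aa:bb:cc:00:00:03,cam-backdoor,camera,Facilities
aa:bb:cc:00:00:04,timeclock-1,iot,HR
"""

# Constructed DHCP lease log lines in a syslog-style "DHCPACK" format (assumed for the demo).
LEASE_LOG = """Mar 01 08:01:12 dhcpd DHCPACK on 192.168.1.10 to aa:bb:cc:00:00:01 (fileserver01) via eth0
Mar 01 08:02:40 dhcpd DHCPACK on 192.168.1.23 to aa:bb:cc:00:00:02 (printer-lobby) via eth0
Mar 01 08:05:03 dhcpd DHCPACK on 192.168.1.57 to de:ad:be:ef:12:34 (android-7f3a) via eth0
Mar 01 08:07:55 dhcpd DHCPACK on 192.168.1.58 to aa:bb:cc:00:00:04 via eth0
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<name>[^)]*)\))?"
)


def load_inventory(text: str) -> dict:
    """Map MAC address -> inventory row from the CSV export."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def observed_devices(log_text: str) -> dict:
    """Map MAC address -> last seen IP and client-reported name, parsed from lease logs."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "name": m["name"] or ""}
    return seen


def reconcile(inventory: dict, seen: dict) -> dict:
    """Split the two views into 'unknown' (on the wire, not inventoried) and
    'silent' (inventoried, not seen); both lists deserve a follow-up."""
    unknown = {mac: seen[mac] for mac in seen if mac not in inventory}
    silent = {mac: inventory[mac] for mac in inventory if mac not in seen}
    return {"unknown": unknown, "silent": silent}


if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), observed_devices(LEASE_LOG))
    for mac, info in report["unknown"].items():
        print(f"UNKNOWN device {mac} at {info['ip']} ({info['name'] or 'no name'}): not in inventory")
    for mac, row in report["silent"].items():
        print(f"SILENT  {row['hostname']} ({mac}, owner {row['owner']}): inventoried but not seen")
```

Run against real DHCP or switch data, the "unknown" list is where unmanaged phones, forgotten IoT gear and rogue devices show up, and the "silent" list catches assets that were retired without being removed from the records. Either way the inventory gets corrected before an incident forces the question.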
This list is just 7 of the most important computer security strategies you can implement today to help protect your network against malicious actors. If you have additional security-related questions, please don’t hesitate to reach out to Zelvin Security. Our goal is to help you secure your business assets and improve your computer security posture BEFORE an attack. So, let’s figure out what you need to do to protect your business. Call Zelvin Security today at (607) 758-9427.