The cyber threat landscape has never been more fragmented.
In a competitive context, fragmentation is usually good news. You prefer your competitors to be disorganized, overmatched, clawing for crumbs of the wholes you snatch for yourself.
In the context of cybersecurity, however, things are very different. “Fragmentation” really means “a greater number and diversity of threats that collectively strain future victims’ capacity to respond.”
It sounds much scarier that way, doesn’t it?
Fortunately, you’re not powerless in the face of the relentless fragmentation of the cybersecurity threat landscape. You can take any number of steps to harden your defensive posture in the new decade — recognizing that the totality of digital threats is only going to grow as time goes on.
Here’s what to do as we move into the 2020s.
1. Invest in a Comprehensive Business Data Backup Solution
First, and perhaps most importantly, invest in a comprehensive business data backup solution at your earliest convenience.
Your company already faces a multitude of cyber threats; you’re only dimly aware of many of them, and not at all cognizant of many more. Those threats will continue to multiply in 2020. And you know full well that every minute you’re without access to your company’s most sensitive data is a minute that could change the course of your company’s history for the worse.
2. Execute All Operating System Patches As Soon As Possible
Don’t put off operating system patches until they’re convenient. You know as well as anyone that there’s no optimal time to upgrade the basic plumbing upon which your corporate computing network relies. If it helps, set and enforce an update schedule that applies across your entire network.
3. Don’t Defer Browser Updates (And Continue to Evaluate Your Secure Browsing Options)
Don’t defer browser updates, either. Your company is more likely to be victimized by a browser-vectored malware attack than an OS-vectored attack (such as a zero-day exploit, a scary-sounding type of threat that must be taken seriously but actually isn’t all that common).
As soon as you’re made aware that your browser is due for an update, execute that update. And should concerns arise about the integrity of your preferred browser, consider making the switch. Using a secure web browser eliminates a lot of cybersecurity headaches.
4. Use a High-Quality Virtual Private Network (Paid)
For a VPN to serve as an effective safeguard against cyber threats, it needs to be in widespread use at your company. Even the occasional data leak is useful to malicious actors who might be lurking in the shadows, patiently waiting to catch whatever digital crumbs you allow to fall their way.
VPN quality is also important. Free VPNs abound, but they’re not always built in the end-user’s best interest, and a few may be actively harmful. Take third-party reviews seriously; don’t use products that aren’t well-liked by the experts.
5. Use a Comprehensive Anti-Malware Suite
This probably goes without saying in the year 2020. If you’ve made it this far without an anti-malware suite, congratulations — you’re either a genius or just incredibly lucky.
As with VPNs, anti-malware software quality matters. Don’t use a product around which there’s even a whiff of controversy, as is the case with once-popular products like Kaspersky and McAfee. Your company’s data is too important to entrust to corporate actors who have no qualms about putting you in a compromising position.
6. Run Regular Anti-Malware Scans (Don’t Wait For Automated Runs)
Anti-malware suites typically run automatic whole-system scans at frequencies chosen by the user. But you shouldn’t wait for yours to complete its regularly scheduled system check. The more often you probe for hidden threats, the likelier you are to catch a potentially serious problem before it causes a massive headache for your company.
7. Devote One Hour Per Week to Threat Research
You might not be a subject matter expert in all things cybersecurity, but you are — last time you checked, anyway — your organization’s ultimate decision-maker. It’s incumbent upon you, as the person to whom all the subject matter experts answer, to understand the threats most likely to affect your industry, your company, and your employees.
And that means you need to stay informed. To start, set a realistic goal: one hour per week devoted to researching the latest cyber threats. Any longer than that and you may detract from other priorities; any less and you’ll struggle to follow your CISO’s briefings.
8. Attend At Least One Cybersecurity Conference This Year
This is another key prong of your self-education efforts. To be clear: Yes, you, the ultimate decision-maker at your organization, should absolutely attend at least one cybersecurity conference each year.
If you’re based out of a major metropolitan area, it’s unlikely to present a major imposition. Non-experts are routinely floored to learn just how many cybersecurity conferences take place in the United States each year. There are a lot, and it’s almost certain that one is slated to happen in your neck of the woods within the next 12 months.
Your annual cybersecurity conference routine shouldn’t replace your in-house IT team’s continuing education obligations, of course. They should be fixtures at relevant conferences around your region and beyond, far more often than once a year. Nevertheless, their immersion is no substitute for your own firsthand experience.
9. Hire a Best-in-Class CISO (Or Keep a Trusted Partner on Retainer)
Don’t wait for your organization to grow to the point that you think it needs a Chief Information Security Officer. That point comes much sooner than you realize.
Indeed, it’s arguable that you should hire a full-time CISO before you hire a full-time CMO. Keeping your marketing function at the director level for an extra year or two probably won’t constitute an existential threat, but spending the next 12 or 24 months steadfastly denying that your company faces catastrophic risk from a host of known and unknown cyber threats well could.
10. Educate Your Staff About Email Hygiene
“Email hygiene” has something of a dual meaning. It’s often used in the context of maintaining a “squeaky clean” email list — that is, a marketing or contact list that’s totally up to date and devoid of outdated addresses.
But email hygiene has a deeper and frankly more important meaning, at least outside the marketing department. That is: the set of practices that prevent your team from falling victim to any of the myriad email-vectored threats.
The list of such threats is long and ever-changing. Hiring a best-in-class CISO and sending your security team to at least one cybersecurity conference each year will certainly help burnish your email hygiene, but by themselves they’re not enough. It’s on you, as the ultimate decision-maker, to roll up your sleeves and lead by example.
11. Maintain Strict Data Security Protocols for BYODs
Born of relentless cost-cutting and Gordian logistical challenges, “bring your own device” (BYOD) is here to stay. Most small and midsize companies not steeped in digital security (or practicing it as a core service) enforce BYOD policies in one form or another.
Is the BYOD “cure” — outsourcing the purchasing and maintenance of employees’ computing devices to employees themselves — worse than the disease it’s designed to cure (namely, corporate device bloat and the inevitable costs that come with it)? That depends on the quality of your BYOD data security protocols.
If you don’t yet have a data security policy for your BYOD network, task your CISO with drawing one up. It’s crucial that your entire team is on the same page with regards to BYOD maintenance, protection, and crisis mitigation. You can’t afford to wing a breach; by the time one of your employees’ devices is hacked, it’s too late to implement an orderly mop-up plan.
12. Require Two-Factor Authentication for All BYODs and Corporate Cloud Accounts
Articulating a comprehensive BYOD data security policy is beyond the scope of this article, but one measure does deserve special mention: two-factor authentication. Any corporate account accessible from your employees’ take-home devices must enforce two-factor authentication for all log-in attempts, with no exceptions.
The same goes for corporate cloud accounts accessed from company-owned hardware, of course, and/or within company networks. But it’s especially important that you don’t leave employee-owned devices vulnerable when they’re not on the premises.
Likewise, all BYODs must be lockable, preferably with biometric credentials. An unlocked BYOD in the wild is a ticking time bomb, and PINs are easy enough to guess or steal.
13. Maintain a Strict “Need to Know” Basis for All Operational Security Measures
Your sales team doesn’t need to know the ins and outs of your company’s financial plumbing. Why should your line employees know every defensive move your IT team makes?
You know how crucial it is to silo proprietary information off from those who don’t need to know it. This is all the more important in cybersecurity, not least because the threat vector with the greatest potential to do your organization harm is the one you may have overlooked up until now: the malicious insider.
Guard your secrets well, friend. Guard them well.
14. Maintain a Strict “Minimum Required Permissions” Policy for Employees
For the same reasons it’s so important to maintain “need to know” status for all cybersecurity operations, it’s vital that you maintain a strict “minimum required permissions” policy across the board. In other words, each of your employees — no matter how senior — should have only those permissions which he or she needs to perform his or her job function, and no more. Allowing employees into accounts or permission levels where they don’t belong inevitably weakens those domains, even when the employees mean well.
15. Tighten Third-Party Data Security Standards
Hold all of your vendors, no matter how minor or tangential to your core business functions, to the same rigorous compliance standards to which you hold your own team. In certain industries, such as finance, this is par for the course; you simply won’t work with vendors that don’t take appropriate precautions. “Soft” industries are vulnerable as well; retailers present an irresistible target for hackers thirsty for fresh payment card information.
16. Redouble Physical Security Wherever Practical
In the old days, corporate “crown jewels” lived in locked filing cabinets and fireproof safes. Today, they’re just as likely to be found on computer towers or — worse — the cloud itself. If your organization houses its own servers, harden the building(s) and room(s) in which they’re kept.
Otherwise, work with a cloud provider and/or colocation service that takes physical security seriously. It’s not just theft and vandalism you need to guard against; it’s also fire, severe weather, earthquakes, and other “acts of God” that can’t fairly be attributed to malicious human activity.
17. Avoid Common Password Storage Mistakes
Two-factor authentication is table stakes in 2020. Unfortunately, it’s not yet time to kiss the trusty old password goodbye for good. For the foreseeable future, you and your employees will need to use alphanumeric access credentials, which means you’ll need to store said credentials safely.
A digital password locker may be an acceptable solution, provided it’s suitably secure. Check with your CISO if you have any qualms. Otherwise, consider a dispersed storage method that leaves no digital trace, such as a simple code committed to pen and paper only.
18. Consider Cyber Insurance, But Don’t Use It As an Excuse Not to Innovate
Cyber insurance is the next hot thing in the once-staid insurance industry. Is it a moral hazard?
Not if you’re absolutely sure you won’t allow it as an excuse not to take the sorts of preventive measures described above. Think of cyber insurance, instead, as a last resort that exists solely to ensure your organization isn’t ruined by a single breach. It’s a financial remedy, not a license to cut corners.
Are You Ready for a New Decade’s Threats?
A new decade is dawning. With it comes a multitude of digital threats — some new and unimaginable, others old and familiar, if not quite welcome.
As this treatise should make clear, anticipating and parrying the most potent of these threats is no easy feat. Maintaining a perfect record amid the sheer multitude of bad actors out there is harder still; few organizations are able to achieve one.
But that mustn’t stop you from trying. Your customers, employees, shareholders, and vendors depend on you to do your utmost to maintain a safe digital domain — today, tomorrow, and ten years from now.