By Karen Sprenger   /   Mar 23rd, 2021

Six Cybersecurity Best Practices That Fit Almost Any Organization’s Budget

Whether your organization is large or small, cost-effective cybersecurity best practices are on everyone’s wish list. While each network and the needs of each organization are unique, let’s look at six affordable cybersecurity best practices that can dramatically improve the security of any digital environment.

Six Cybersecurity Best Practices That Won’t Break the Bank

  1. Use a Password Manager

If you are a regular reader of our blog, you already know that strong passwords are key to any security program, and that eight-character passwords are no longer long enough (read the statistics in our password blog). You know that cybersecurity best practices dictate that passwords should be passphrases of at least 16 characters. (At LMG Security, we have a password cracking rig that is about four years old, and it can exhaust every eight-character password in less than 24 hours; current GPU hardware is faster still.)
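To see what that cracking figure implies for longer passwords, here is an added worked calculation (not code from the original post). It assumes a 95-character printable ASCII alphabet and reads "every eight-character password in less than 24 hours" as exactly 24 hours to derive the rig's guess rate; both are assumptions, not figures LMG published.

```python
import math

# Assumptions (not stated in the post): the rig tries all 95 printable ASCII
# characters per position, and "every eight-character password in less than
# 24 hours" is taken as exactly 24 hours to derive the guess rate.
ALPHABET = 95
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def rate_from_benchmark(length: int = 8, seconds: float = SECONDS_PER_DAY,
                        alphabet: int = ALPHABET) -> float:
    """Guesses per second implied by 'exhausts the `length`-char space in `seconds`'."""
    return keyspace(length, alphabet) / seconds


def seconds_to_exhaust(length: int, rate: float, alphabet: int = ALPHABET) -> float:
    """Attacker's worst case: time to try every candidate of this length."""
    return keyspace(length, alphabet) / rate


def min_length_for(rate: float, hold_seconds: float, alphabet: int = ALPHABET) -> int:
    """Smallest length whose full keyspace takes at least `hold_seconds` at `rate`."""
    return math.ceil(math.log(rate * hold_seconds) / math.log(alphabet))


def human_duration(seconds: float) -> str:
    """Rough, readable rendering of a duration in seconds."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def cracking_table(lengths=(8, 10, 12, 16), rate=None) -> dict:
    """Map password length -> seconds to exhaust, at the rig's rate unless overridden."""
    rate = rate_from_benchmark() if rate is None else rate
    return {n: seconds_to_exhaust(n, rate) for n in lengths}


if __name__ == "__main__":
    rig = rate_from_benchmark()
    print(f"implied rig speed: {rig:.2e} guesses/second")
    for n, secs in cracking_table().items():
        print(f"{n:2d} random printable characters: {human_duration(secs)}")
    print("length needed to hold out 100 years:",
          min_length_for(rig, 100 * SECONDS_PER_YEAR))
```

Two things the numbers show. First, each extra character multiplies the attacker's work by 95, so going from 8 to 16 characters turns "under a day" into an exhaustive search measured in trillions of years at the same speed. Second, the math above is for truly random characters; a passphrase built from dictionary words carries far less entropy per character (a word drawn from a 7,776-word list is about 12.9 bits, versus about 6.6 bits per random printable character), which is why the practical floor for human-chosen passphrases is 16 characters rather than the roughly 11 that the random-character calculation alone would suggest.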

Of course, the average user has, at a bare minimum, a dozen passwords to remember. If you don’t provide them with the appropriate tools, they will resort to reusing passwords, using predictable patterns, or storing them in a file on their computer called “passwords”, none of which creates a secure environment. So, help them out. Find and deploy an enterprise password manager. Your users will thank you for requiring that they remember only one strong master passphrase, and you will be able to manage their accounts and monitor the strength of their passwords. Protect that master passphrase with multi-factor authentication, because it now unlocks everything else. All of which makes your environment more secure. Win-win.

  2. Implement Multi-Factor Authentication

Now that you’ve made your team happy by implementing a password manager, implement multi-factor authentication. You are going to get push-back at first; no one likes an additional step to log in, but there is no better way to secure their accounts. As you may know, an authentication factor can take three forms:

    • Something you know
    • Something you are
    • Something you have

Multi-factor authentication means using two or more of those factors. If you log into an account with a username and password, that is a single factor: something you know. If you add a code from an authenticator app or a hardware token, you are now using two factors: something you know and something you have. (A password plus a security question is still one factor, since both are things you know.) Retinal and fingerprint scans are examples of something you are; however, those technologies can be expensive to implement across an enterprise environment.

If one of your users falls victim to a phishing attack and mistakenly gives up their credentials, the account is still protected, because the attacker does not have the second factor. (Yes, there are attacks that can defeat a second factor, such as real-time phishing proxies that relay the one-time code, or a flood of push notifications that wears a user down into approving one, but they take more effort, and most attackers will move on when they see that extra work is required. Where you can, prefer an authenticator app or hardware token over SMS codes; FIDO2/WebAuthn security keys resist the proxy attack because the key is bound to the real site’s origin.)

  3. Ensure You Have a Robust Patching Program

Keep your software up to date. This includes operating systems on servers and workstations, as well as applications and the firmware on network devices. Most software updates include security fixes; without the latest patches applied, you are leaving known vulnerabilities in place for attackers to use. If you can automate patch management, even better. This is a simple, cost-effective cybersecurity best practice that every organization should prioritize. Make sure that you are also monitoring vendors for out-of-cycle patches, and treat internet-facing systems and vulnerabilities that are being actively exploited as the first priority. With the recent SolarWinds supply-chain compromise and the mass exploitation of Microsoft Exchange servers, it is more important than ever to stay on top of the latest developments.

  4. Strong Account Management

Ensure that you have good processes in place to manage user accounts, not just when people leave, but when they transfer to a new role. Practice least privilege on your network, giving each user access only to the information they need to do their job. If they change jobs within the organization, review their permissions. Don’t just add permissions; remove any that they won’t need in the new position. When someone leaves, disable the account the same day and revoke any tokens, keys or shared credentials they held.

This is not only necessary to safeguard personally identifiable information (PII) and electronic protected health information (ePHI), but it can also limit the effects of ransomware when the infection runs under a user’s account. Ransomware can only encrypt files that the compromised account can write to; if the user doesn’t have access, those files won’t be encrypted. During your account reviews, don’t forget to watch for, or better yet set up alerts for, newly created accounts that you and your team do not recognize (in a Windows domain, account creation is recorded as Security event ID 4720). These cybersecurity best practices are a cost-effective way of protecting data and limiting the lateral spread of malware.
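Two pieces of that section lend themselves to a small amount of automation: the role-transfer review ("don’t just add, remove") and the alert on account creations nobody recognizes. The following is an added example, not code from the original post. The role-to-permission map, the approved provisioning account, the list of expected new hires, and the log lines (simplified from the fields of Windows Security event 4720 as a SIEM might forward them) are all constructed for the example.

```python
import re

# Constructed role model: each role's complete permission set. In practice these come
# from your IAM system or AD group design; the names here are illustrative only.
ROLE_PERMISSIONS = {
    "billing-clerk": {"fileshare:finance:read", "fileshare:finance:write", "app:billing:user"},
    "hr-analyst": {"fileshare:hr:read", "fileshare:hr:write", "app:hris:user"},
    "helpdesk": {"ad:reset-password", "fileshare:it:read"},
}


def review_transfer(current_permissions: set, new_role: str) -> dict:
    """Least privilege on a role change: the target is exactly the new role's set,
    not the union of old and new. Returns what to add, what to remove, what to keep."""
    target = ROLE_PERMISSIONS[new_role]
    return {
        "add": sorted(target - current_permissions),
        "remove": sorted(current_permissions - target),
        "keep": sorted(current_permissions & target),
    }


# Constructed log sample. Event 4720 is "A user account was created"; 4624 is a logon.
# TargetDomainName equal to the host name indicates a local (non-domain) account.
SAMPLE_LOG = """\
2021-03-22T09:14:03Z DC01 EventID=4720 SubjectUserName=svc_provision TargetUserName=jsmith TargetDomainName=CORP
2021-03-22T11:40:51Z DC01 EventID=4624 SubjectUserName=- TargetUserName=jsmith TargetDomainName=CORP
2021-03-22T23:58:17Z DC01 EventID=4720 SubjectUserName=jsmith TargetUserName=backup_adm TargetDomainName=CORP
2021-03-23T02:03:44Z FS02 EventID=4720 SubjectUserName=backup_adm TargetUserName=support TargetDomainName=FS02
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) SubjectUserName=(?P<by>\S+) "
    r"TargetUserName=(?P<target>\S+) TargetDomainName=(?P<domain>\S+)$"
)

APPROVED_CREATORS = {"svc_provision"}  # assumption: only HR-driven provisioning creates accounts
EXPECTED_ACCOUNTS = {"jsmith"}         # assumption: new hires known to HR / the ticket queue


def find_unexpected_account_creations(log_text: str,
                                      approved_creators=APPROVED_CREATORS,
                                      expected_accounts=EXPECTED_ACCOUNTS) -> list:
    """Flag every 4720 that was not created by the provisioning account, has no
    onboarding record, or is a local account on a member server."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["id"] != "4720":
            continue
        reasons = []
        if m["by"] not in approved_creators:
            reasons.append(f"created by non-provisioning account {m['by']}")
        if m["target"] not in expected_accounts:
            reasons.append(f"no onboarding record for {m['target']}")
        if m["domain"] == m["host"]:
            reasons.append(f"local account created on member server {m['host']}")
        if reasons:
            alerts.append({"time": m["ts"], "host": m["host"], "target": m["target"],
                           "by": m["by"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    moved = review_transfer(ROLE_PERMISSIONS["billing-clerk"], "helpdesk")
    print("billing-clerk -> helpdesk:", moved)
    for alert in find_unexpected_account_creations(SAMPLE_LOG):
        print(alert["time"], alert["target"], "created by", alert["by"], "->", "; ".join(alert["reasons"]))
```

The transfer review is deliberately a set difference against the new role rather than an append, so finance share access disappears when the clerk moves to the help desk. In the log sample, the first creation is clean (provisioning account, known hire), while the account created at midnight by a regular user and the local account it then creates on a file server are exactly the chain a reviewer should be paged about.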

  5. Implement Cybersecurity Training for Everyone

As @swiftonsecurity will tell you, “The greatest vulnerability on any network is the human mind.” You can build the most secure network in the world, but as long as it is used by and accessible to people, it is vulnerable. Mistakes happen; we’re only human. It’s important to keep training your users. Teach them what to watch for and tell them how to handle it. Encourage your users to report it to you quickly when they do make a mistake; the ability to act quickly can make all the difference. Try to create an environment where users are not punished for coming forward. If users are afraid to report their mistakes, you won’t have an opportunity to correct a small mistake before it becomes a major incident.

  6. Embrace Zero Trust

While zero trust may seem like the buzzword of the moment, it’s a concept that has been in practice for years and a strong defense against lateral movement. Zero trust describes a network that does not automatically grant privileges to a device just because it is connected to the network. With the growth of the Internet of Things (IoT), zero trust is more important than ever. Just because someone plugs their smart toaster into your network does not mean that the toaster should have access to any services. In 2016, The Atlantic set up a server on the internet that presented itself as a smart toaster; attackers found it and began attacking it in less than an hour.

Likewise, non-IoT devices should not be automatically trusted. Just because my laptop was connected to your network last year does not mean that you should allow it the same privileges now. (Do you have a way to verify this is the same laptop I was using before? Do you have a way to prove that it’s me using the laptop?) Devices and the people using them need to be identified and then continuously verified through authentication, and access decisions should depend on that verification rather than on which network segment a request comes from.

Conclusion

How many of the six affordable cybersecurity best practices are you currently using? If you’re already doing everything on this list, congratulations! You’ve taken care of the low hanging fruit and have made great progress toward a more secure environment. (Maybe we can talk about the next level priorities in the near future!)

If you still have a way to go on the list, don’t despair. Implement as many cybersecurity best practices as you can and continue to chip away at the list. If you need additional support with cybersecurity training, technical testing, or advisory services to help you build a prioritized plan for stronger cybersecurity, contact us – we can help!

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She is a noted cybersecurity industry expert, speaker, trainer, and course developer, in addition to managing LMG Security’s operations. Karen has over 25 years of experience in cybersecurity and information technology. She is a GIAC Certified Forensic Examiner (GCFE) and Certified Information Systems Security Professional (CISSP). Karen is a hands-on executive; she built a fiber-optic network to 34 schools, supported 18,000 users, 50 miles of network, and one very temperamental vending machine, led many of LMG Security’s large incident response cases, and negotiated and paid ransoms. She is a long-standing teacher of a technical leadership advancement course for a large state agency, and speaks at many events, including the Institute of Internal Auditors, the International Legal Technology Association, and the Volunteer Leadership Council. Karen also implemented and constantly enhances LMG Security’s incident response and project management systems, as well as automating financial procedures to ensure consistency and client satisfaction. In her spare time, Karen considers “Digital Forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” She is also part of the exclusive group of “techie geeks with strong communications skills,” and her superpower is providing understandable explanations of technical topics. Karen is proud to have played a substantial role in building the team at LMG Security with a focus on hiring top technical talent who can also communicate well with clients.