Across companies both large and small, cybersecurity is a major and ever-growing concern. Currently there is an ongoing shortage of cybersecurity skills in the marketplace causing many companies to struggle with acquiring and retaining trained cybersecurity staff. What’s more, many companies don’t have the resources for dedicated cybersecurity staff and are instead trying to leverage and upskill existing staff to fill this role where possible.
Regardless of the size of your company, there are some core strategies that can be implemented to help mitigate the risks of cyber threats to your environment. If successfully implemented, these core strategies – which should be part of your organization’s cyber hygiene practices – can form a baseline that vastly helps to improve your security posture and limit your exposure to cyber threats and vulnerabilities.
The Australian Cyber Security Centre (ACSC) publishes a longer list of mitigation strategies and singles out eight of them as a recommended baseline, known as the Essential Eight. Below is an overview of the Essential Eight cyber hygiene strategies. (The ACSC has since renamed the first of them from "application whitelisting" to "application control"; both terms refer to the same practice.)
1. Application Whitelisting
Every organization – from large, multinational companies to small, local businesses – has sets of core applications that they need to run that are essential to their business, such as HR, payroll, booking and scheduling software.
To implement this strategy, organizations need to first identify these core applications and how their staff interact with them (are they cloud-based services, or executables installed on workstations and hosted on an internal server?). Once the set is known, use an application control tool (on Windows, AppLocker or Windows Defender Application Control; on other platforms, the equivalent) to allow those applications to run and deny everything else.
The goal is to allow only trusted, required executables, scripts, installers and libraries to run on your endpoints and block all others. Unapproved software such as games and media apps is the obvious candidate, but the real payoff is that malware delivered by a phishing attachment or a drive-by download will not execute either, because it is not on the list. Roll the policy out in audit mode first so you can see what would have been blocked before you enforce it.
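As an added example (not from the original article), the following PowerShell builds an AppLocker policy from the executables already installed under Program Files, dry-runs it, and deploys it in audit-only mode. The paths and the local deployment target are assumptions; in production you would generate the policy on a reference machine and push it through Group Policy.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on a Windows 10/11 Enterprise or Windows Server host. Paths below
# (Program Files, C:\Temp) are assumptions for the illustration.

# 1. AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Enumerate the executables you consider the "core" set. With
#    -RuleType Publisher, Hash the cmdlet writes publisher rules for signed
#    files and falls back to hash rules for unsigned ones, so an unsigned
#    updater is not silently left out of the policy.
$files  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
$files += Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe

$policyXml = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in AuditOnly: would-be blocks are logged (AppLocker event 8003)
#    instead of denied. Switch to "Enabled" only after reviewing that log.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Temp\applocker-core.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# 4. Dry-run the policy before deploying. Because only Program Files was
#    enumerated, notepad.exe comes back as DeniedByDefault: that is the check
#    that stops you from enforcing a policy that locks out the operating system.
#    Add rules for C:\Windows (or the AppLocker default rules) before enforcing.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Windows\System32\notepad.exe', 'C:\Users\Public\Downloads\unknown.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy. Use -Ldap with a GPO path to target a domain GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Review the 8003 audit events for a couple of weeks, add rules for anything legitimate that shows up, then flip the enforcement mode to Enabled.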
2. Patching Applications
After core applications are identified and whitelisted, implement a regular schedule to ensure that these applications are patched and up to date. New vulnerabilities are discovered all the time, and application developers regularly release updates to patch them.
Having a regular cadence to check for and apply patches to these applications is essential to reducing your attack surface. Applications with critical vulnerabilities, especially ones already being exploited in the wild, should be patched within days rather than on the normal cycle, and unsupported or outdated versions of applications should not be used at all, since they will never receive a fix.
3. Patching Operating Systems and Hardware
In addition to patching applications, organizations also need a full and accurate inventory of all of the hardware on their network and a routine for patching those devices as well. Servers, workstations and laptops, IP cameras, printers and other devices all run operating systems or firmware that allow them to function, and their manufacturers, just like application developers, regularly release updates to fix security issues.
Keeping these devices up to date is essential and should be done on a regular basis. The key prerequisite is a complete inventory of the devices and of the software and firmware versions they are running; you cannot patch what you do not know you have. Several tools can automate most of this collection.
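As an added example (not from the original article) covering sections 2 and 3 together, this PowerShell collects the patch-relevant inventory from a Windows host: OS build, firmware version, the most recent hotfix, and every installed application with its version, then flags entries that match an end-of-life list. The output directory and the end-of-life list are constructed for the illustration.

```powershell
# Added example, not from the original article. Run locally as an administrator;
# wrap the function in Invoke-Command -ComputerName to collect from a fleet.

function Get-PatchInventory {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Installed applications live in the 64-bit, 32-bit and per-user uninstall hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique

    # The newest installed hotfix shows how far behind the OS is.
    $lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        OSBuild        = $os.BuildNumber
        LastBootTime   = $os.LastBootUpTime
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        LastHotfix     = $lastHotfix.HotFixID
        LastHotfixDate = $lastHotfix.InstalledOn
        Applications   = $apps
    }
}

# Constructed end-of-life list for the illustration; maintain your own from
# vendor lifecycle pages.
$unsupported = @('Adobe Flash Player', 'Java 7', 'Microsoft Office 2010')
$eolPattern  = ($unsupported | ForEach-Object { [regex]::Escape($_) }) -join '|'

$inv = Get-PatchInventory
$inv | Select-Object ComputerName, OSCaption, OSBuild, FirmwareVersion, LastHotfix, LastHotfixDate |
    Format-List

$eol = $inv.Applications | Where-Object { $_.DisplayName -match $eolPattern }
if ($eol) {
    Write-Warning "End-of-life software found on $($env:COMPUTERNAME):"
    $eol | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
}

# Persist one CSV per host so successive runs can be diffed. Directory is an assumption.
$outDir = 'C:\Inventory'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$inv.Applications | Export-Csv -Path (Join-Path $outDir "$($env:COMPUTERNAME)-apps.csv") -NoTypeInformation
```

The registry hives cover traditional installers; MSIX/Store packages are listed separately by Get-AppxPackage, and network devices such as cameras and printers still need their firmware versions collected from the vendor's management interface or SNMP.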
4. Restrict Administrative Permissions
All organizations have users that require different access to different systems based on their duties. If you administer a system, for example, you likely have more permissions to that system than most users do. These higher-level permissions should be tightly controlled and regularly audited.
There should also be a layer of separation between administrative tasks and regular user tasks. A best practice is to never use administrative or privileged accounts for normal work. Administrative users should have two accounts, a regular account and a privileged one, and should use the latter only for administrative tasks that actually require the extra permissions.
Reading email or browsing the web, for example, should be done with the standard account, whereas patching a server is done from the privileged administrative account. Switching between accounts can be tedious, but this is a very important strategy for protecting your environment and should be enforced. Every minute spent logged on with administrative credentials is a minute in which those credentials can be captured by a phishing page, a malicious attachment or a credential-dumping tool on the machine. Limiting that exposure is what restricting administrative access is all about.
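As an added example (not from the original article), this PowerShell audits the local Administrators group against an approved list and looks for privileged accounts that have been logging on interactively, which is the tell-tale sign that someone is doing day-to-day work from an admin account. The approved list, the domain name and the "-adm" naming convention are assumptions.

```powershell
# Added example, not from the original article. Run elevated on the host being
# audited. CORP, the group names and the "-adm" suffix are assumptions.

# Approved privileged principals. In practice read these from a change-controlled
# source of truth rather than hard-coding them.
$approvedAdmins = @(
    'CORP\Domain Admins',
    'CORP\Workstation Admins',              # assumption: holds the separate user-adm accounts
    "$env:COMPUTERNAME\Administrator"
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Check 1: anyone in local Administrators who is not on the approved list.
$unexpected = Get-UnapprovedLocalAdmins -Approved $approvedAdmins
if ($unexpected) {
    Write-Warning "Unapproved members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | Format-Table -AutoSize
}

# Check 2: separation of duties. Logon type 2 (interactive) or 10 (RDP) by an
# account in the privileged naming convention means someone is using an admin
# account for ordinary work. Security event 4624 carries the logon type.
$adminPattern = '-adm$'     # assumption: privileged accounts are named <user>-adm
$since = (Get-Date).AddDays(-7)

function Get-InteractiveAdminLogons {
    param([string]$Pattern, [datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
                Process   = $data['ProcessName']
            }
        } |
        Where-Object { $_.User -match $Pattern -and $_.LogonType -in 2, 10 }
}

Get-InteractiveAdminLogons -Pattern $adminPattern -StartTime $since | Format-Table -AutoSize
```

Logon type 3 (network) and 4/5 (batch/service) are expected for admin accounts; it is the interactive types that indicate the account is being used as a desktop login.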
5. User Application Hardening
Going hand-in-hand with patching and whitelisting applications, user application hardening means taking the applications that are essential and configuring them so they are only used in the way they are intended to be used, with the features attackers rely on turned off.
For instance, web browsers load add-ons, plug-ins and content that introduce their own vulnerabilities. Flash (end-of-life since the end of 2020 and should be removed outright), Java in the browser, PDF viewers that execute embedded JavaScript, and web advertisements that redirect users to malicious sites are the usual examples. Examine each essential application, learn which features your business actually uses, and disable or block the rest: restrict browser extensions to an approved list, block ads and Java, disable JavaScript in the PDF viewer, and configure these settings centrally so users cannot switch them back on.
6. Multi-factor Authentication (MFA)
Compromised credentials are the main tool in the attacker's toolbox and are most often how they gain a foothold in an organization's network. Every day, attackers craft phishing emails to harvest credentials, or exploit unpatched applications and operating systems and then dump passwords and password hashes from memory or configuration files.
They then use these credentials to masquerade as an authorized user with all of the access that entails. Most applications and services now support MFA. Wherever it is supported, it should be turned on as an added layer of security: even if a user's password is compromised, MFA can still stop the attacker from using it to reach your resources.
MFA creates a substantial hurdle for attackers and adds only a minor inconvenience for authorized users. It can be implemented in several ways, and they are not equal: SMS codes are the weakest (they can be intercepted or redirected by SIM-swapping), authenticator apps are better, and phishing-resistant methods such as FIDO2 hardware security keys are the strongest. Security questions are not MFA at all, since they are just another "something you know" alongside the password. Prioritize MFA for remote access, email, cloud administration consoles and all privileged accounts. Users are already accustomed to MFA from banking and personal email, and it is simple to set up for the protection it provides.
7. Daily Back-ups
Not that the importance of backups needs to be reiterated, but having daily backups of your systems and data is a crucial piece of limiting the damage from an attack, should an attack make it that far.
Backups of files and application configurations can be automated to run on a regular schedule. There are many types of backups and backup strategies, but the essentials are that your data is backed up, that at least one copy is kept offline or otherwise not writable from the accounts and systems being backed up (ransomware routinely deletes or encrypts any backups it can reach), and that you regularly test a restore, so that if your data is corrupted or deleted by an attack you can quickly recover as much of it as possible and resume operations.
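As an added example (not from the original article), this PowerShell is a nightly file backup job suitable for a scheduled task: it copies a data directory to a date-stamped folder with robocopy, then re-reads the copy and compares SHA-256 hashes against the source so a silently corrupt backup is caught the night it happens rather than the day you need it. The source path, backup share and retention period are assumptions.

```powershell
# Added example, not from the original article. Paths and retention are
# assumptions. Run as a dedicated backup service account; the destination share
# should be writable by that account only, so a compromised user session or
# ransomware running as a user cannot reach the copies.

$source     = 'D:\Data'
$backupRoot = '\\backup01\backups\fileserver'
$retainDays = 30
$stamp      = Get-Date -Format 'yyyy-MM-dd'
$dest       = Join-Path $backupRoot $stamp

function Invoke-Backup {
    param([string]$From, [string]$To)
    # /E include subdirectories, /COPY:DAT data+attributes+timestamps,
    # /R:2 /W:5 limited retries so one locked file does not stall the job,
    # /NP no progress output, /LOG keep the run log beside the backup folder.
    robocopy $From $To /E /COPY:DAT /R:2 /W:5 /NP /LOG:"$To.log" | Out-Null
    # robocopy exit codes 0-7 are informational bit flags; 8 and above mean failure.
    return ($LASTEXITCODE -lt 8)
}

function Test-BackupIntegrity {
    param([string]$From, [string]$To)
    $problems = @()
    foreach ($file in Get-ChildItem -Path $From -File -Recurse) {
        $rel  = $file.FullName.Substring($From.Length).TrimStart('\')
        $copy = Join-Path $To $rel
        if (-not (Test-Path -LiteralPath $copy)) { $problems += "missing: $rel"; continue }
        $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { $problems += "hash mismatch: $rel" }
    }
    return $problems
}

if (-not (Invoke-Backup -From $source -To $dest)) {
    Write-Error "Backup to $dest failed with robocopy exit code $LASTEXITCODE"
    exit 1
}

$problems = Test-BackupIntegrity -From $source -To $dest
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Prune copies older than the retention window, never the one just written.
Get-ChildItem -Path $backupRoot -Directory |
    Where-Object { $_.Name -ne $stamp -and $_.CreationTime -lt (Get-Date).AddDays(-$retainDays) } |
    Remove-Item -Recurse -Force

Write-Output "Backup $dest completed and verified: $((Get-ChildItem -Path $dest -File -Recurse).Count) files"
```

Register it with Register-ScheduledTask under the backup account and alert on a non-zero exit code. The hash check is a file-level integrity test, not a restore test; periodically restore a sample of files or a whole system from the backup share to confirm the recovery procedure itself works.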
8. Configure Microsoft Office Macros
Productivity tools like Microsoft Office support macros, small programs used to automate tasks, that can be written in-house or arrive embedded in documents. Since macros execute code, they are a common delivery mechanism for malware when allowed to run unrestricted. Configure Office so that macros in documents downloaded from the internet are blocked outright, and so that only vetted macros are allowed to run, either digitally signed by a trusted publisher or stored in an administrator-defined trusted location that users cannot write to. All other macros should be blocked by default, and users should not be able to override the setting.
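As an added example (not from the original article) serving both section 5 and section 8, this PowerShell applies the policy registry values that harden the user applications discussed above: a browser extension allowlist for Chrome and Edge, disabling JavaScript in Acrobat Reader DC, and locking down Office macros. The registry locations are the documented policy keys for those products; the allowed extension ID is a placeholder and the Office key assumes a 16.0 (2016/2019/Microsoft 365) install.

```powershell
# Added example, not from the original article. Run elevated on a test machine;
# in production deploy the same values through Group Policy or Intune so users
# cannot revert them. The extension ID below is a placeholder, not a real extension.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# --- Browsers: block every extension except an explicit allowlist (section 5) ---
$allowedExtensionId = 'abcdefghijklmnopabcdefghijklmnop'   # placeholder for the one vetted extension
foreach ($browser in 'Google\Chrome', 'Microsoft\Edge') {
    $base = "HKLM:\SOFTWARE\Policies\$browser"
    Set-PolicyValue -Path "$base\ExtensionInstallBlocklist" -Name '1' -Value '*' -Type String
    Set-PolicyValue -Path "$base\ExtensionInstallAllowlist" -Name '1' -Value $allowedExtensionId -Type String
}

# --- PDF viewer: embedded JavaScript is the classic Reader exploit vector (section 5) ---
# Key for the classic 32-bit Reader DC; the unified 64-bit Acrobat uses
# HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown instead.
$readerLock = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
Set-PolicyValue -Path $readerLock -Name 'bDisableJavaScript' -Value 1

# --- Office macros (section 8) ---
# VBAWarnings: 3 = disable all except digitally signed, 4 = disable all with no
# notification. blockcontentexecutionfrominternet = 1 blocks macros in any file
# carrying the Mark-of-the-Web (downloaded or emailed), regardless of user choice.
# AllowUserLocations = 0 means only admin-defined Trusted Locations count.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue -Path $sec -Name 'VBAWarnings' -Value 3
    Set-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1
    Set-PolicyValue -Path "$sec\Trusted Locations" -Name 'AllowUserLocations' -Value 0
}

# Verify what took effect for Word; repeat for the other applications.
Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security' |
    Select-Object VBAWarnings, blockcontentexecutionfrominternet
```

If the business has no need for macros at all, use VBAWarnings = 4 rather than 3; if it does, publish the signing certificate for in-house macros as a trusted publisher so signed macros run and everything else is blocked silently.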
While cybersecurity is a big field that covers a lot of ground, focusing on these eight essential areas can dramatically improve your organization's cyber hygiene and mitigate the most common threats. Even without dedicated cybersecurity staff, there are tools that provide enterprise-level capability and automation for each of these controls. By investing the time and resources to implement these strategies, you ensure that you are doing what you can to protect your company's resources, customers and data.