By: Stephanie Porfiris, June 25 2020
Experts weigh in on the definitive guide to cybersecurity as the world continues to work from home.
COVID-19 has forced a rapid change in the way we work. Today, employees everywhere are committed to a work model where a single computer is as likely to be used for scouring YouTube for “sourdough starter” as it is for a Zoom call.
At the same time, there’s been a rise in cyber threats worldwide.
Global spending on cybersecurity may reach $133.7 billion by 2022, and 68% of business leaders believe their cybersecurity risks are increasing.
As such, companies and individuals are faced with new demands to step up their digital safety, almost as quickly as they had to adjust to barista-free mornings.
We sat down with two experts on the topic to get their thoughts on what individuals and businesses need to be doing to protect themselves.
Claudette McGowan is the Global Executive Officer of Cyber Experience at TD Canada. She’s one of the Hundred Most Powerful Women in Canada in 2018, one of the Top 50 Leaders in FinTech in Canada, and is a member of the US Canada innovation partnership.
Robert Herjavec is a serial entrepreneur, having started and exited several IT, cyber, and tech companies, and appears on the hit show, Shark Tank. Robert has served on the Cybersecurity Advisory for the Government of Canada and participated with the White House Summit on Cybersecurity.
Lesson #1: Understand the Constant Threat
The first step to building a defense is understanding the precise enemy you’re up against.
According to Claudette, everyone in the organization needs to be thinking about digital hygiene, from your CEO to frontline workers. And they need to be thinking about it constantly. Hackers don’t rest, and that means the organizations defending themselves against them can’t either.
One of the challenging things about developing a proactive strategy is that organizations need to cover every base, from every angle. Naturally, that demands a very macro approach.
Hackers, on the other hand, have the luxury of choosing one tiny piece of the puzzle and dedicating their resources to that one minute element.
Because of that, organizations can’t afford to relax for even a moment if they’re to keep their data safe.
Lesson #2: Lock the Door Behind You
Never before has corporate safety been so reliant on the security of individuals’ homes. That change in dynamic means there is a much higher degree of responsibility on each employee’s data hygiene practices.
Have a Password Management Policy
One of the most critical parts of a security plan is, of course, the password. To uphold good password hygiene, organizations need to have, and actively enforce, a good password management policy. That means making sure that everyone is changing their passwords regularly. Every 90 days is okay, every 60 is good, and every 30 means you’re pretty much Fort Knox.
Of course, it doesn’t matter how often you change it if your password is always an uninspired variation of “password123”, so use something more cryptic. Sixteen-character passwords with a combination of numbers, letters, and special characters are the gold standard.
Protect Your Wifi
“Make sure that everybody in the home understands the importance of cybersecurity,” implores Claudette. It doesn’t matter how on point Mom and Dad are if their kids don’t know the first thing about security and are accessing the same network. Once one member of the household is exposed, the whole family is.
Claudette also warns users to be mindful of who else may have their wifi information.
“Think about all the different people that you give your wifi password out to,” she says. “I have this great set of family members that, whenever they come over, don’t even say hello. First, they go, ‘what’s the wifi’? Be mindful of who you’re allowing access to.”
VPN: Valid Paranoid Necessity
Okay, it doesn’t really mean that. It stands for Virtual Private Network. But that just doesn’t convey the same sense of importance, does it?
If you’re going to be accessing (or allowing your employees to access) any kind of sensitive information from home, you really should have a VPN set up.
“A home computer is seven times easier to hack than a device within a corporate network,” says Robert, “and the idea of having a device that you can lock down will become more difficult. We have to find a way to secure those devices without physically holding them.”
Build Multiple Lines of Defence
For larger organizations with more resources, our duo of experts advises adding a few additional layers of security. In addition to the tools and tips outlined above, they think these items are crucial:
- Compliance – Have a team dedicated to monitoring, enforcing, and updating relevant policies and procedures.
- Audit – If you aren’t subject to one legally, hire a team to do an internal audit to make sure you haven’t missed any gaps.
- Cyber insurance – If you feel it’s a good fit for your team, Claudette believes this can certainly have a place in protecting your company’s interest.
Lesson #3: Know Your Ecosystem
Head in the Cloud, Feet on the Ground
For many of us, the idea of storing information in a cloud means entrusting our valuable data to something intangible. We can’t see it, we can’t touch it, and we don’t understand it. So naturally, people have concerns about its reliability.
But our experts assure us that moving to the cloud is an entirely secure option — as long as you do your homework.
“We need to take the time to do the fundamentals and make sure we get brilliant at the stuff that helps us to run our operations. That means making sure that you’ve considered every single kind of endpoint.”
An endpoint is an end-user device, like a laptop, phone, or wearable. Claudette says it’s essential to be well acquainted with every single kind of equipment in your organization’s system.
“I’m very bullish on the cloud,” adds Claudette. “It’s the right thing to do, but measure a few times before you cut. Every organization should ask, ‘do we have the right fundamental, foundational elements in place to move with speed truly?’”
Dig Out Your Camo
We’ve established that being reactive in the digital world is not only okay; it is the normal state of things. That said, wherever there is room for a pre-emptive strike, organizations should take advantage.
“Have threat hunting abilities,” says Claudette. “Employ folks that are searching your systems and understanding what types of threats are out there. Are you truly resilient when it comes to those things coming to your doorstep?”
If you’re not convinced the upfront cost of employing this team is worth it, consider this:
“The average cost to a company in Canada that has a data breach is 4.7 million dollars,” adds Claudette. “You want to be as resilient as possible.”
Lesson #4: Invest in Great Intelligence
Take Advantage of Auto Remediation
Small and large companies alike will have a wide array of endpoints, from laptops to printers. For our panel, making sure an organization is empowered with the tools and solutions to ensure each one is protected is vital.
That includes having assets like ‘automated remediation tools’ on board.
Auto remediation allows a system to detect, and respond to, events and implement a fix. It will examine and diagnose a problem, perhaps before human intelligence would, and take a series of steps using conditional logic.
These tools, according to Claudette, are vital for understanding what’s happening in your company.
Have a Designated Security Expert
No matter how excellent the tools in which you invest are, Robert reminds us that success comes from working with a team that’s highly skilled at implementing them.
According to Robert, 80% of small businesses below 500 employees don’t have an expert on-site. COVID has disrupted budgets across the board, so he believes now is the perfect time to reevaluate your priorities and see if you can bring one on, either in-house or as a third party.
Take the staff you have and train them into high-value security roles, rather than asking them to do menial work. Then, outsource those non-glamorous responsibilities.
Lesson #5: Consider Internal Threats
Know Your Team’s Behaviours
When we’re talking about security threats, it can be tempting to focus only on outside risks. But Claudette reminds us that we need to be looking at our shop as well.
“Long gone are the days where you’re just kind of protecting the perimeter and trying to prevent anybody from the outside of getting in,” she explains.
You need to understand user behaviors in your organization. That could mean knowing when a new device is being added, or monitoring team traffic for visits to sites, folders, or documents that don’t make sense.
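The two ideas above, auto remediation that "takes a series of steps using conditional logic" (Lesson #4) and behaviour monitoring that notices a new device or an out-of-place document access (this section), fit naturally in one small detect-and-respond loop. The block below is an added illustration, not code from the article or from either expert's organisation; the event format, the per-user device inventory and the department-folder mapping are all constructed assumptions.

```python
"""Toy auto-remediation loop over constructed endpoint telemetry (added example)."""

# Constructed sample events: who accessed what, from which device.
EVENTS = [
    {"user": "alice", "device": "LAPTOP-01", "resource": "/finance/q2-report.xlsx"},
    {"user": "alice", "device": "PHONE-77", "resource": "/finance/q2-report.xlsx"},  # new device
    {"user": "alice", "device": "PHONE-77", "resource": "/finance/budget.xlsx"},     # after step-up
    {"user": "bob", "device": "LAPTOP-02", "resource": "/eng/src/main.go"},
    {"user": "bob", "device": "LAPTOP-02", "resource": "/hr/payroll.csv"},           # out of scope
    {"user": "carol", "device": "TABLET-9", "resource": "/finance/q2-report.xlsx"},  # unknown user
]

# Assumed inventory: devices already enrolled per user, and each user's home folder tree.
KNOWN_DEVICES = {"alice": {"LAPTOP-01"}, "bob": {"LAPTOP-02"}}
DEPT_FOLDERS = {"alice": "/finance", "bob": "/eng"}


def detect(event, known_devices, dept_folders):
    """Return the behavioural findings for one event (possibly none)."""
    findings = []
    if event["device"] not in known_devices.get(event["user"], set()):
        findings.append("new_device")
    scope = dept_folders.get(event["user"])
    # An unmapped user has no legitimate scope, so every access is out of scope.
    if scope is None or not event["resource"].startswith(scope):
        findings.append("out_of_scope_access")
    return findings


def remediate(findings):
    """Conditional logic: the response escalates with the combination of findings."""
    if "new_device" in findings and "out_of_scope_access" in findings:
        return "isolate_device"   # unknown device reaching data it should not: cut it off
    if "new_device" in findings:
        return "require_mfa"      # known user, new device: step-up authentication
    if "out_of_scope_access" in findings:
        return "alert_owner"      # known device wandering: a human reviews it
    return "allow"


def run(events, known_devices, dept_folders):
    """Process events in order, enrolling a device once step-up auth succeeds."""
    inventory = {u: set(d) for u, d in known_devices.items()}  # copy, so reruns are stable
    actions = []
    for event in events:
        action = remediate(detect(event, inventory, dept_folders))
        if action == "require_mfa":  # simulate a successful MFA prompt, then enroll the device
            inventory.setdefault(event["user"], set()).add(event["device"])
        actions.append(action)
    return actions


if __name__ == "__main__":
    for event, action in zip(EVENTS, run(EVENTS, KNOWN_DEVICES, DEPT_FOLDERS)):
        print(f'{event["user"]:6} {event["device"]:10} {event["resource"]:28} -> {action}')
```

The point is the stateful, rule-driven escalation: the same phone is challenged once and then trusted, while a device the inventory has never seen touching data outside any known scope is isolated without waiting for an analyst.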
“The largest data breach in the US government was from an insider attack,” adds Robert. “You have to be able to protect core applications because every company has some crown jewels that are critical to them.”
Here’s the tricky thing about security: not all inside threats have wicked intent; often, the most significant internal threat is the real risk of human error. Robert says a whopping 85% of malware attacks still come through phishing.
The reality is that people will click on things they shouldn’t. That’s because that pesky factor of human sentiment governs our decisions, and great phishing campaigns prey on arrogance, fear, loneliness, or other basic human emotions.
“We always tell people when we do training; you’re not that sexy. There isn’t a woman in Russia that wants to meet you. You did not win a lottery that you didn’t enter, and you don’t have an uncle in Africa who left you millions of dollars. So don’t click on that stuff.”
I know a few storylines on TLC’s 90 Day Fiancé that pose a challenge to that definitive way of thinking, but we’ll trust Robert’s expertise here.
To learn how he thinks organizations, particularly small ones, can address this issue, check out this clip:
Lesson #6: How to React to a Breach
Be Reactive. But React Really, Really Quickly
Our experts agree it’s tough to protect against an attack that hasn’t been seen before. That means that most of the tools available today are going to be reactive, and slow to react at that.
“It’s your responsibility to react quickly,” says Robert. “In a lot of the previous breaches, attackers were in that network for 18 months. That’s inexcusable, and that’s where you want to focus: being able to detect as quickly as possible and react as quickly as possible.”
Learn from Others
Once you have the hardware and software necessary to protect your team against known threats, the best thing your team can do, according to our panel, is to learn from others. Whether it’s looking at past security breaches or current ones in other parts of the world, information is your ally.
“Every company needs to spend some time understanding what happened and why,” says Claudette.
Part of this means ditching the shame associated with having an account hacked. Instead of sweeping it under the carpet, we should be sharing that information and asking ourselves why it happened. Could we have done something differently? Were we targeted? When we start to share information, we can begin to build a more secure future.
We are all faced with a tall order to move our organizations into our homes, and that comes with increased risks to security – both personal and professional.
If you’re an organization, install the best possible security system for your employees — now is the time to re-evaluate your budgets and move cybersecurity up the priority list.
Invest in tools, training and, if budget allows, a new designated resource.
If you’re an employee, you are now a crucial gatekeeper for your company’s data. By introducing it to your home, you’ve accepted a post in the line of defense.
That means your partner, kids, and walk-across-the-keyboard cat are also members of that line of defense. It may be a motley crew, but with a little bit of education, attention, and literacy, you should be able to lock the door behind you.