5 Bad Cybersecurity Practices Businesses Must Stop Doing Now!


“We have been hacked!” is probably the most dreaded news a CEO can be hit with. But cybersecurity compromises do not only come from external sources. Insiders are just as capable of causing harm as external attackers, whether by introducing malware, spyware, or viruses, or through sheer negligence.

Here are five common pitfalls, or poor cyber practices, your company could be vulnerable to, and how you can prioritize them now to guard against insider risks to its cybersecurity.

A. Don’t play down the role of Physical Security

Don’t get too ‘comfortable’ about your physical security; it should be your top focus. Most insider incidents can be avoided simply by keeping anyone who should not be there (unauthorized access, to use the industry term) physically out of the rooms that house your vital infrastructure.

For example, consider Red Dot, a heating and air-conditioning business in the Seattle area, where two janitors stole employee and client personal information by searching desks, filing cabinets, and garbage cans. Before being apprehended, they procured fake credit cards, broke into bank accounts, and stole tens of thousands of dollars.

Put high-value systems in isolated locations with rigorous access controls. Keycards are convenient and affordable, but they provide only single-factor authentication and can be misplaced, stolen, or borrowed. Even if the audit log indicates that Alice entered the computer room at 10:03:34 in the morning, what if Bob was actually using her card?

Card thieves can be stopped by adding a second factor to the keycard, such as a PIN, but obliging employees will still lend their cards and PINs to coworkers.

Consider biometric verification. Although pricey, fingerprint scanners and comparable devices are common options.

Securing your computer systems, however, is not enough. Vulnerabilities can also come from unlocked hard copies, thieves, or ill-intentioned coworkers who could walk off with vital material. Ensure that every employee has a lockable desk drawer or filing cabinet in which to protect confidential information.

B. Don’t ignore Segmenting of LANs

Although host- and network-based intrusion detection systems should take center stage among your internal defenses, reliable monitoring points for them can be difficult to find.

Network-based systems rely on LAN sniffers, while host-based systems typically use agents. It is simple to monitor a single internet connection, but it can be challenging to find suitable locations (choke points) within frequently turbulent LANs. Ideally, each LAN segment would have its own sniffer; in a large network that is cumbersome, unworkable, and will probably flood you with pointless alerts.

A better strategy is to think of your LAN as a collection of enclaves, each with its own zone of trust and separated by firewalls where they connect to the corporate backbone. 
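The enclave design described above, as an added example that is not part of the original post: a small Python model of three hypothetical zones of trust behind one backbone firewall, a default-deny allow-list for flows between them, and a tally of how much of a constructed flow log a single sensor at that choke point would see. Zone names, address ranges, ports and the log format are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical enclave layout: three zones of trust, each joined to the
# corporate backbone through the firewall. Ranges are constructed.
ENCLAVES = {
    "users":   ip_network("10.10.0.0/16"),  # desktops and laptops
    "servers": ip_network("10.20.0.0/16"),  # file, mail and database servers
    "ot":      ip_network("10.30.0.0/24"),  # building controllers (HVAC, doors)
}

# Allow-list of flows permitted to cross an enclave boundary, as
# (source zone, destination zone, destination TCP port). Anything else
# crossing a boundary is denied by default.
ALLOWED = {
    ("users", "servers", 443),  # web applications
    ("users", "servers", 445),  # file shares
    ("servers", "ot", 502),     # management server -> Modbus controllers
}

@dataclass
class Decision:
    src_zone: Optional[str]
    dst_zone: Optional[str]
    action: str      # "allow" or "deny"
    inspected: bool  # True if the flow crossed the backbone firewall (the choke point)
    reason: str

def zone_of(ip: str) -> Optional[str]:
    """Return the enclave an address belongs to, or None if it is outside all of them."""
    addr = ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return None

def decide(src_ip: str, dst_ip: str, dst_port: int) -> Decision:
    """Apply the enclave policy to a single flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return Decision(src, dst, "deny", True, "address outside every enclave")
    if src == dst:
        # Stays on one segment and never touches the backbone firewall, so the
        # choke-point sensor does not see it: the price of not sniffing every LAN.
        return Decision(src, dst, "allow", False, "intra-enclave traffic")
    if (src, dst, dst_port) in ALLOWED:
        return Decision(src, dst, "allow", True, "allow-listed inter-enclave flow")
    return Decision(src, dst, "deny", True, "default deny between enclaves")

def evaluate_flows(log_lines: list) -> list:
    """Parse 'src dst dst_port' records (a constructed format) and decide each one."""
    decisions = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        decisions.append(decide(src, dst, int(port)))
    return decisions

def summarize(log_lines: list) -> dict:
    """What was blocked, and how much of the traffic the single choke-point sensor saw."""
    decisions = evaluate_flows(log_lines)
    return {
        "total": len(decisions),
        "denied": sum(d.action == "deny" for d in decisions),
        "seen_at_choke_point": sum(d.inspected for d in decisions),
    }

# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = """
# src           dst             dst_port
10.10.4.7       10.20.1.10      443
10.10.4.7       10.10.4.9       445
10.10.4.7       10.30.0.5       502
10.20.1.10      10.30.0.5       502
10.30.0.5       10.20.1.10      22
192.0.2.44      10.20.1.10      443
""".splitlines()

if __name__ == "__main__":
    for d in evaluate_flows(SAMPLE_FLOWS):
        print(d)
    print(summarize(SAMPLE_FLOWS))
```

Of the six sample flows, five cross an enclave boundary and so pass the one firewall where a sensor can watch them; only the users-to-users share access stays invisible to it.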

 


C. DON’T neglect thorough screening of your new recruits

In general, it is best to spend more time looking into an applicant’s background. If your organization considers background checks too time-consuming, consider outsourcing them.

However, background checks don’t always give the complete picture. For instance, a standard check might confirm the applicant’s current address but would not show that a known scam artist or a dissatisfied ex-employee lives at the same address.

Such relationships can be found with services like Systems Research & Development’s NORA (Non-Obvious Relationship Awareness). By merging data from seemingly unconnected company systems, NORA can run personnel checks on current employees, potential hires, subcontractors, and vendors.

D. DON’T underrate the need for sophisticated Firewall and Anti-malware programs.

According to research, malware infection was the most frequent type of cybercrime, making up 53% of all cyberattacks in the UAE in 2017. And since ransomware is currently the most common cybersecurity concern for small businesses, safeguarding your company from it and other forms of malware is essential.

Ransomware is difficult to combat with current anti-virus technology because it evolves almost as quickly as new anti-virus tools do. It can run covertly in the background, undetected by an antivirus program, until it is too late to save your files. It is therefore crucial to invest in software created specifically to address this problem.

While efficient anti-malware programs can detect and contain infections when they strike, it is even more important to stop malware from ever reaching your data in the first place.

The key to keeping malware out of your computer systems is therefore to invest in an effective firewall. Additionally, because cybersecurity risks evolve quickly, always pay attention to update notifications and apply them as soon as they appear. These updates are a crucial weapon against cyberattacks, since they are developed in response to the most recent threats.

 
Educate your staff on the use of all software

Ransomware can enter computer systems through email and other employee mistakes, so firewall and anti-malware software must be combined with employee education to prevent these attacks.

E. DON’T disregard the risk from using free public wi-fi to work on sensitive documents.

Considering how many of us work remotely or answer a few work emails from a cafe on the weekend, it’s tempting to take your laptop and connect to the free public wi-fi. After all, it’s everywhere, and the boss won’t wait until Monday to review that project. However, locations that provide free wi-fi, such as your local coffee shop, the airport, or the hotel, put you at risk of fraud.

When using free public WiFi, avoid accessing your email, online bank, or credit card accounts, advises FBI fraud specialist Frank Abagnale. The reason is the “evil twin” fraud, in which con artists set up bogus networks whose names mimic the genuine one so that victims connect to them instead.

This is not an exhaustive list of corporate cyber do’s and don’ts (or best practices). However, these are relatively simple measures you can build into your company’s work environment through a structured and deliberate GRC implementation. If you’re reading this but don’t know where to start, speak to one of our risk auditors for free today. At Daakyi, we believe small and medium-sized businesses should not be left in the dark due to budget restrictions. Talk to an expert today.

 

A Peek into Corporate Cyberwarfare – And How SMBs in the US Have Become Sitting Ducks


The FBI predicted in 2012 that organized cybercrime against corporations would soon overtake terrorism as the biggest threat to the United States. Ten years later, on the digital battleground, cyberwarfare is a constant, and we witness it in real time. Early in 2022, as tensions between Russia and Ukraine reached a breaking point, cyberattacks came under intense scrutiny from the security community, and for good cause.

Ukrtelecom, the largest fixed-line telecommunications provider in Ukraine, was the target of a destructive and sophisticated cyberattack in March 2022 that severely disrupted its connectivity nationwide. Research conducted at the time by Ukraine’s Computer Emergency Response Team (CERT) showed there had been 60 coordinated cyberattacks, most of them aimed at information collection and disrupting communication systems. Cyberespionage is here to stay.

But first, what is Cyberwarfare?
Attacks on computer systems of nations or institutions are considered cyberwarfare and are done with the goal of destabilizing, destroying, or harming infrastructure.

What Kinds of Cyberwarfare Exist?

Sabotage
Once sensitive information has been identified, a company must work out who might threaten it: malicious or careless insiders such as disgruntled employees, competitors who could gain an advantage by stealing the information, and other third parties who would wish to steal the data.

Espionage
Spying on another nation to obtain its secrets is referred to as espionage. In cyberwarfare, this can entail using a spear-phishing attack or a botnet to infiltrate a computer before extracting crucial data.

Attack via Denial-of-Service
In a denial-of-service (DoS) attack, a website is flooded with bogus requests, forcing it to respond to them and rendering it unavailable to legitimate users. Such an attack could be used to take down a crucial website relied on by citizens, soldiers, first responders, scientists, and others, disrupting important operations or systems.

Grid of electrical power
An attacker who hacks the electrical power grid and disables vital systems could cripple infrastructure and disrupt the livelihoods of thousands of people. An attack on the power system could also knock out services such as text messaging or telephony, preventing them from functioning (as predicted back in the movie Die Hard 4 (2007)).

Propaganda
Propaganda attacks aim to influence the thoughts or feelings of those who live in or support the targeted nation. Propaganda can be used to reveal embarrassing truths or to disseminate falsehoods that make people doubt their nation or even harbor animosity toward the adversary.

Economic Upheaval
Most contemporary economic systems run on computers. By attacking the computer networks of financial institutions such as banks, payment systems, or stock exchanges, hackers may gain access to funds, or deprive their targets of the money they need for subsistence or to wage cyberwarfare or other forms of conflict.

Unexpected cyberattack
These are cyberattacks with the impact of a Pearl Harbor or 9/11: enormous assaults that catch the adversary off guard and compromise its defenses. They could be employed in hybrid warfare to debilitate the adversary before a physical assault.

How does cyberwarfare appear? Several forms of cyberwarfare are possible:

    • Attacks on the financial system
    • Attempts to damage public infrastructure, such as electrical systems or dams
    • Attacks on the safety infrastructure, such as early warning systems or traffic signals
    • Attacks against military organizations or resources

In conclusion, we reiterate that organized cybercrime is now the biggest threat to the United States, and we witness it in real time. Cyberwarfare takes several forms, such as attacks on the financial system, public infrastructure, or safety infrastructure, and its goal is to destabilize, destroy, or harm innocents. To defend against it, we must stay constantly vigilant and upgrade our computer systems regularly. In all honesty, no institution or individual can claim to be 100% safe; that is an open secret in the cybersphere. What smart organizations and businesses do instead, with the help of frameworks, regulations, and modern security solutions, is reduce their risk exposure and stay on top of their game. That’s it!

– – –

If you’re new to cybersecurity, or feel overwhelmed by the thought of what you must do as a business owner to keep your company safe from cyber threats, then you’ve come to the right place. Book a call with one of our ISACA- and ISO-certified IT Risk Analysts today. Remember, you don’t have to fight alone; there is no reward in that.

 

The Importance of GRC & Cybersecurity to US Companies (Part II)


In the previous post, we looked at the importance of GRC (Governance, Risk and Compliance), its origins, and the critical role it plays in any cybersecurity implementation, especially for small and medium businesses. For this category of companies the path is not straightforward: on the one hand they often lack the budget to bring on heavyweight consultants or a full-fledged in-house team, and on the other they are the most vulnerable to cyber threats and attacks.

Today we expand on the five key pillars a business owner needs to be aware of when considering upgrading their business to be cyber-safety compliant.

1. Risk Mitigation

One of the biggest hazards facing any business today is an inadequate cybersecurity plan and implementation. Businesses of all sizes and in all sectors are constantly at risk from cyberattacks. Your IT and security teams can collaborate with your GRC function to understand the scope of your cybersecurity framework and record its strengths and weaknesses. IT can describe the technical threats it has found, and GRC can add a business perspective that surfaces further threats. Integrating these two viewpoints produces a thorough understanding of enterprise risk.

The company can then decide whether to invest in, for example, a new firewall or managed service or decide to take no action and risk the possibility of a successful cyberattack. The conversation at the executive level alters when cybersecurity is framed as a business decision to reduce risk rather than a “techie issue” that IT wants to spend money on. Together, the IT and GRC teams can assist the business in developing a thorough understanding of the risks associated with inadequate cybersecurity and gaining support for a strategy to mitigate those risks.

 

2. Legal, Regulatory, and Business Compliance

As was mentioned, regulatory standards and compliance regimes are more complex and burdensome than ever, and things aren’t going to get any better. A committed GRC team can look into the constantly shifting compliance landscape and alert the IT team early on to emerging changes, giving them time to adapt. Building a solid working connection with GRC will ultimately save time because they are aware of the reporting and compliance needs. IT systems ought to be created with compliance in mind so that reporting artifacts (such as reports, audit summaries, and the like) are produced as a natural byproduct of cybersecurity, as opposed to as an afterthought.

Not working in a regulated sector? You still have to answer for your actions. Think about the underwriting procedure when obtaining cybersecurity insurance for your business, or the due diligence a potential business partner would conduct before partnering with you. Many of the dozens of questions and attestations you’ll see on the application form are the norm for regulatory agencies. Your cybersecurity strategy will hold up better under that scrutiny if these questions have already been considered, recorded, and addressed.

 

3. Internal and external audit support

GRC can serve as a company’s internal self-audit. To ensure that the house is kept in order, mature businesses go beyond their own procedures and standards to provide “evidence” or audit documents to their GRC function and auditors. GRC can help create a workable and suitable compliance structure that keeps everyone on the same page, from documenting that patching is carried out as planned to confirming that incident response testing has been conducted. As already discussed, it is better to design security controls so that audit artifacts and documentation are produced throughout the security process rather than as an afterthought. Compared with manual or ad hoc processing, automated reporting significantly reduces both effort and error.

Internal Audit as a Pillar of GRC (image credit: rawpixel)

 

4. Data Privacy

Your GRC staff should be knowledgeable about how privacy laws are constantly evolving. For instance, in Canada a corporation must comply with federal law, provincial rules, and special rules for specific sorts of data (such as health information) in order to conduct business. The GDPR in the EU has altered the business environment in and with Europe, and it is spurring further change in numerous other countries around the world. GRC can help your IT staff make sure that the proper safeguards are in place to protect customer and employee data, including adequate protection, geographic storage, record-keeping, reporting, and so on. These insights will enable you to strengthen your defenses right away and make informed decisions about IT in the future.

 

5. Response to Incidents

Your incident response planning and response programs will also rely heavily on the GRC team. GRC can be crucial in the parts of incident response that lie outside the technical specifics under IT’s control, whether that means helping coordinate crisis-management tabletop exercises or managing contacts and filings with regulators in the event of an actual breach.

GRC: It’s Advantageous to Businesses

If none of these arguments has struck a chord with you, consider that GRC is simply smart business. Making wise choices, avoiding unnecessary risk, and abiding by the law are crucial to treating your clients and employees with respect. And, to put it simply, that is the essence of GRC.

If you already have an in-house GRC team but your working relationship with it isn’t great, maybe it’s time to change that. By using them as an extension of your IT and security staff, you can protect your data and reputation more effectively and thoroughly.

Otherwise, get in touch with us for a free 5-minute consultation with Daakyi’s dedicated experts. We periodically do free ISO 27001 audits for SMBs. Subscribe to our channels and follow us on LinkedIn and other social media, and you’ll be notified when your company can participate.

– – –

Over the years, Daakyi Consultancy has helped such mid-range businesses achieve decent, world-class cybersecurity enforcement using a proprietary lean GRC implementation. We also see it as our contribution to society to offer good free advice to small businesses and to share valuable, actionable nuggets they can put into practice while considering the installation of full-blown cybersecurity machinery.

How Fewer & Shorter Meetings Can Lead to More Productivity and Less Stress for Cybersecurity Professionals

Meeting schedule (courtesy: atlascompany)

As cybersecurity professionals, meetings are at the core of our day-to-day work. However, without paying attention to the outputs and metrics our efforts are meant to produce, we can easily become inefficient and overwhelmed. Today we’re going to look at the role of meetings in our workplaces and how to make the most of this necessary but not sufficient component of any organization.

Whether they are face-to-face, Zoom calls, Microsoft Teams, or Google Meet, meetings always consume time; whether value was gained is what determines whether another 30 valuable minutes of work time were lost or not.

Given that meetings take up a significant portion of the time spent at work (especially in the era of remote work), let’s examine ways to increase productivity while holding fewer and shorter meetings:

  1. Have fewer meetings

Yes, this might sound strange, but too many meetings can be counterproductive. One less meeting is one more hour of productive ‘opportunity cost’ saved for your employees or team members. Their energy, effort, and resources go elsewhere and, like drops of water, add up to fill the bucket.

The illusion that more meetings equal accountability has to be re-examined.

A meeting is not a tool for accountability. It can be used for that, but it is best suited to collaborative work, demos, timed brainstorming, decision-making (emergency or not), and education/training.

Unfortunately, meetings are so prone to abuse that one bad apple or stakeholder can turn a harmless 30-minute team huddle or budget review into an albatross of conflicting opinions that most likely lead nowhere.

One solution is to let the facts (placed in the right context) do the talking. Whoever has the undeniable facts or empirical evidence should be given the most prominent voice. Once participants get used to that, you create a culture that rewards well-researched submissions over emotional or parochial ones during meetings.

Productivity and accountability are better ensured with tools and techniques such as:

    • Alarms & Timers
    • Remote work monitoring Software
    • Deliverables & Deadlines
    • KPIs & OKRs, whatever makes your organization’s productivity engine tick.

  2. Have as few attendees as possible: Just like an ordinary debate among friends or family at a party, every extra person is another opinion, angle, and perception to be factored in. As the saying goes, opinions are like noses: everyone has one. As the organizer, tackle this by singling out the most important goal (tangible outcome) for the meeting and picking the SMEs (subject matter experts) it needs. If there are more stakeholders, consider grouping them into smaller (nested) meetings and designating their head(s) to represent their views and the outputs of their mini-meeting at the larger meeting.

  3. Adopt Mind Mapping Techniques: Here’s a quick tip from Jay Ripton on using mind mapping effectively.

“Mind mapping is an effective method to discuss an idea and explore new possibilities related to it. Business meetings can significantly benefit from a mind map maker. Managers can use mind-mapping tools for the following benefits:

    • Managers and leaders can create engaging presentations for the meeting. Audience engagement is crucial to getting a positive outcome from the meeting
    • Regular PowerPoint meetings can take minutes and even hours to discuss the plan. Mind mapping allows you to cover long meetings in just minutes without missing any essential details and remaining on the meeting agenda
    • Mind maps make task assigning seamless. Team members and leaders can know their responsibilities without complex explanations
    • Meetings can discuss the agenda in order and logical structure with mind mapping”

Meeting Dos & Don’ts 

Now that we’ve figured out how to set up meetings to achieve more, let’s look at what to do, and not do, during them to add a further layer of productivity while reducing exposure to wasted time.

  • Have warm-up intros, especially in a close-knit team, and allow off-topic social issues to be discussed. This allows for bonding, reduces the risk of animosity going into the meeting, and makes team members feel cared for. After all, people are the reason your organization exists, and who better to look after first than those in-house.

  • Minimize distractions and disturbances. Although having cameras on is preferred for optimum engagement, it may be useful for attendees with distracting backgrounds to turn theirs off. The same goes for audio: if you’re not talking or actively involved in a topic, stay on mute. Reducing technical hitches is also a good goal.
  • End meetings when goals are met. Simple; not much explaining is needed. Hard stops are the best!

The joy of fewer meetings (courtesy DCStudio)

In conclusion, we’ll take a leaf out of the physicists’ book, who have taught us that:

  • Efficiency = Output /Input.

Simply put, if we want more value for our time and our organization’s money (i.e., efficiency), we need to focus on getting more output without necessarily increasing the input denominator (primarily time). After all, the final denominator of world records in any sport is, of course, time.

Next week we’ll be sharing 3 Things to Do to Advance Your Cybersecurity Career in the Next 3-6 Months; like our social media pages to stay updated on cutting-edge industry news.

Credits: https://www.digitalmarketer.com/blog/make-meetings-more-meaningful-jay-ripton/ 

 

The Importance of GRC & Cybersecurity to US Companies (Part I)


GRC, or Governance, Risk and Compliance, is becoming more and more crucial to many firms’ day-to-day operations. In this article, we’ll talk about GRC and how it can support your cybersecurity program.

The idea of a formal GRC function emerged in the early 2000s, after a succession of high-profile business bankruptcies created the need for better internal controls and monitoring. At larger companies, especially in tightly regulated industries like utilities, finance, and insurance, GRC operations are likely the focus of entire departments; smaller companies may have only one or two people filling this role, sometimes not even full-time.

However, as regulatory duties for organizations of all sizes expand, more and more businesses are considering the advantages of having a recognized GRC role in-house. But what does GRC mean in practice? Let’s examine the abbreviation:

Simply described, governance is the process of making decisions. What factors are taken into account when a business decision is made? Are the choices made adequately in line with the mission or objectives of the organization? A meaningful foundation for a company’s activities is provided by governance.

Risk refers to anything that might endanger a company. Risks can be threats from outside or inside; they might be insignificant or existential; they could be things you can control or things in the environment that may occur whether you want them to or not. Not all risk is negative: businesses have a “risk appetite” that determines how much danger they are prepared to take on in different business areas. Entering a new market, for instance, could be risky, but the benefits might outweigh the dangers.

Compliance covers legal and regulatory matters. The norms of conduct an organization must abide by in order to exist may be set by governments, industry authorities, or even third parties.

Any organization’s security and IT operations staff will find it worthwhile to review these definitions through a cybersecurity lens. For instance:

  1. Risk Mitigation
  2. Legal, Regulatory, and Business Compliance
  3. Internal and External Audit support
  4. Data Privacy
  5. Response to Incidents

Each of these areas is a large topic that deserves a separate discussion of its own. For example, falling foul of data privacy regulations could lead to fines and penalties from the regulatory bodies behind the GDPR, the CCPA, and HIPAA (in the case of handling Personal Health Information (PHI)).

We have prepared these posts to be bite-sized and actionable, even for business owners new to the field. This topic is discussed in two parts; in the second part we go into each of these five segments at a high level.

We hope you learned something new and are more confident about the pillars of GRC and where to start in properly implementing a cybersecurity GRC unit in your company without spending a fortune.

– – –

If you don’t have all the time in the world and would like hands-on guidance in executing cybersecurity measures at your organization, then reach out to one of our Fortune 500 experts here. If you just want to keep learning, you can sign up for cybersecurity tips delivered as real-life, story-like reports on common cyber breaches and threats and how to mitigate them.