How To Mitigate Security Risks And Lower Chances Of Becoming A Cyberhacking Victim
Security awareness training is the key
Posted on 04-30-2021
The pandemic of 2020 brought many harsh realities to organizations that weren’t prepared for the intake and onboarding of remote users and workers. Organizations had to provide enough laptops and desktops, ensure that VPN capacity could meet the increased demand, and provide the appropriate security controls and licenses for their remote end-users. Needless to say, many corporations had their hands full. The threat actors also saw a spike in their activities and campaigns. Ransomware activity in 2020 rose to a level never seen before, and it continues to proliferate. In August of 2020, 235 million Instagram, TikTok, and YouTube user profiles were exposed in a data leak, and in early April of the same year, Facebook’s 267 million user profiles were sold on the dark web.
For companies grappling with privacy regulations such as the California Consumer Privacy Act (CCPA/CPRA), the pandemic has put increased pressure and strain on already overburdened security, IT, and compliance teams. The CCPA requirements call for companies and organizations that transact and conduct business with California citizens to protect their privacy as well as honor and process any privacy intake requests.
Whether the request comes from someone inquiring about the private information the organization has collected about them or from someone requesting that their information be deleted, companies are required to acknowledge and respond within a reasonable time. If the organization is not prepared to meet these requirements and requests, regulatory fines might be imposed. Data exfiltration and leakage have become synonymous with security events, and organizations must perform their due diligence to protect their sensitive data and their customers’ private information.
What should organizations do to mitigate security risks and lower their chances of becoming cyberhacking victims? First, companies must understand the information lifecycle of their data: how their users create sensitive data, share it, store it, archive it, and finally expunge it. Additionally, IT and security teams must work together to maintain an accounting of, and visibility into, their physical and virtual assets. With the advent of the cloud, critical information can reside on-premises and off-premises, and sometimes off-premises in locations the company has not sanctioned, such as a user’s personal Google Drive or Dropbox.
Whenever possible, construct a data classification program with tagging on important data and apply appropriate security controls commensurate with the sensitivity levels. For example, if your HR team is responsible for creating offer letters that are to be extended to potential employees, this document will normally contain private and identifying information such as name, address, and email address of the potential new employee as well as compensation data such as annual salary and bonuses.
This document might be labeled “confidential” or “highly confidential” and should be treated appropriately. Does your organization have an encryption strategy for when this document is shared via email? Is it stored unencrypted on someone’s laptop, or is it on a local file share? Or perhaps it is stored in the cloud without appropriate audit and security controls?
For obvious reasons, cloud adoption accelerated during the pandemic, and this is another vector for data exfiltration and leakage. Companies should enable a good identity and access management process with multi-factor authentication as part of their cybersecurity hygiene.
Periodic audits of cloud and Software as a Service (SaaS) logs are good, but having a correlated event management system is preferred and would help information security teams immensely. Who accesses what, where, when, and how are critical questions that must be auditable so that organizations can account for their information lifecycle.
Finally, remote workers must be given continuous security awareness training that is supported by a good security architecture and tools. Security awareness is a vital tool that helps mitigate social engineering attacks and reduce the risks of information leakage. SASE, or secure access service edge, is a concept that has gained a lot of traction during the pandemic. The SASE framework protects users and cloud-based infrastructure by delivering security services such as threat prevention, web filtering, malware sandboxing, Domain Name System (DNS) security, and credential and data loss protection. These security services are more important and relevant now as remote workers continue to function and work outside of the traditional enterprise perimeter.
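As an added illustration (not part of the original article), the Python sketch below correlates a sign-in log with a SaaS file-audit log to answer who, what, where, when, and how for documents labeled “confidential” or “highly confidential”. The records are constructed, and the field names, the `corp-share` location, and the eight-hour session window are assumptions rather than any product's schema.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not a vendor schema.
SIGNINS = [  # identity-provider sign-in log
    {"user": "hr.analyst", "time": "2021-04-12T09:01:00", "ip": "203.0.113.10", "mfa": True},
    {"user": "recruiter", "time": "2021-04-12T09:30:00", "ip": "198.51.100.7", "mfa": False},
]
FILE_EVENTS = [  # SaaS file-audit log
    {"user": "hr.analyst", "time": "2021-04-12T09:05:00", "file": "offer_letter.docx",
     "label": "confidential", "action": "view", "dest": "corp-share"},
    {"user": "recruiter", "time": "2021-04-12T09:40:00", "file": "offer_letter.docx",
     "label": "confidential", "action": "share", "dest": "personal-dropbox"},
    {"user": "recruiter", "time": "2021-04-12T09:45:00", "file": "lunch_menu.pdf",
     "label": "public", "action": "view", "dest": "corp-share"},
    {"user": "contractor", "time": "2021-04-12T11:00:00", "file": "offer_letter.docx",
     "label": "highly confidential", "action": "download", "dest": "corp-share"},
]
SENSITIVE = {"confidential", "highly confidential"}  # labels that need review
SANCTIONED = {"corp-share"}                          # approved storage locations
SESSION_WINDOW = timedelta(hours=8)                  # assumed session lifetime

def _ts(text):
    return datetime.fromisoformat(text)

def latest_signin(user, when, signins):
    """Most recent sign-in by `user` at or before `when`, inside the window."""
    hits = [s for s in signins if s["user"] == user
            and timedelta(0) <= when - _ts(s["time"]) <= SESSION_WINDOW]
    return max(hits, key=lambda s: _ts(s["time"]), default=None)

def audit(file_events, signins):
    """Join both logs and flag risky access to sensitive-labelled files."""
    findings = []
    for ev in file_events:
        if ev["label"] not in SENSITIVE:
            continue
        signin = latest_signin(ev["user"], _ts(ev["time"]), signins)
        reasons = []
        if signin is None:
            reasons.append("no matching sign-in")
        elif not signin["mfa"]:
            reasons.append("sign-in without MFA")
        if ev["dest"] not in SANCTIONED:
            reasons.append("non-sanctioned location")
        if reasons:
            findings.append({"who": ev["user"], "what": ev["file"], "when": ev["time"],
                             "where": signin["ip"] if signin else "unknown",
                             "how": ev["action"], "reasons": reasons})
    return findings
```

Calling `audit(FILE_EVENTS, SIGNINS)` returns one finding per risky event, with the source IP taken from the correlated sign-in record.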
The pandemic has brought about new challenges in how we work, interact, and conduct our business. This season has taught us about how we respond to crisis and our agility and flexibility to meet unforeseen problems. It is important for organizations to understand that critical data and sensitive data are one and the same. We must be careful in our planning and, if we must, quickly react to the challenges but not at the expense of the organization’s security posture.
Author Bio
Jon Mendoza is the CISO for Technologent. He has over 24 years of experience in Information Technology and Cybersecurity. He has created security programs for businesses and organizations and has led a team of engineers from various IT disciplines and domains. Visit www.technologent.com