Protecting Your Organization’s Crown Jewels In the Midst of a Pandemic Is No Joke This April Fools’ Day

Jokes are serious business — and there is no better example than April Fools’ Day, which has become synonymous with corporate hoaxes. No company does this better than Google, who once used the holiday to tout its latest addition to Google Home product suite — an “existentially dour” garden gnome that dropped musings like “really, we’re all compost if you think about it.”
This year, instead of focusing on tricking your average consumer, why not pull a fast one on some less sympathetic characters? Namely, the bad guys responsible for an ever-increasing number of serious data breaches.

They have certainly had a lot to feel good about in the last year. COVID-19 provided them ample opportunity to exploit overstretched security teams — along with natural human curiosity and anxiety about the pandemic. The result was one of the worst years on record for serious data breaches.

So how does one go about turning the tables? Much like good health habits and vaccines protect our bodies against COVID-19 and other viruses, smart cyber hygiene practices help provide the same kind of protection for our systems, networks and applications.

With April Fools’ Day at hand (and the world finally making significant progress in beating back the pandemic) it’s the perfect time to review ten of the best things you can do to promote excellent IT hygiene — and make sure “the joke” is on frustrated and cybercriminals and their ineffective attacks.

1. Say Goodbye To Password Ploys

Good passwords are long, tedious to type and hard to remember. Given this, it’s hardly surprising that hackers find it so easy to exploit bad password management. When you’ve got dozens of online accounts, the allure of recycling passwords is also tough to resist. Fortunately, a secure password manager is the answer to this problem. These tools generate strong encrypted passwords using a combination of letters, numbers and special characters. The best part? You only have to remember a single master password. Just remember that cloud-based password managers can also be hacked. For optimal protection, choose an offline password manager with multi-layer encryption.

2. End Machinations With Multi-factor Authentication

A strong password and/or effective password manager is a great first line of defense. Incorporating multi-factor authentication provides a second layer of security to your online accounts and makes it much more difficult for adversaries to compromise them. Apps such as Google Authenticator, Authy, and Microsoft Authenticator work by generating single-use access codes on your smartphone. These codes, which generally expire after 15 seconds or so, are then typed into your online account along with your password. It’s important to note that SMS-based multi-factor authentication — in which a text message is sent to your smartphone — is less secure than app-based options. Readers should also be aware that multi-factor protects the log-in phase, but does not offer protection elsewhere.

3. If You’re Not On The List, You’re Eighty Sixed!

Imagine an uncompromising bouncer ruthlessly denying entry to people at the door of the most popular social spot in town. Congratulations — you’ve just mastered the concept of whitelisting! One of the most under-used IT hygiene techniques, whitelisting works by barring all unauthorized software from your systems. If it’s not on the list, it’s not going to run. It’s a great technique for stopping executable files, malware or ransomware in its tracks — and both IT admins and home users can take advantage of it.

4. No Joking Around When It Comes To Education

People are an organization’s greatest resource — and its most glaring weakness. Human error is a fact of life, and these errors often result in devastating data breaches. Fortunately, improving employee education is one of the easiest and least expensive things an organization can do to strengthen its security posture. It’s important that such training be more than a box-checking exercise. Instead, it should be considered a key priority, and employees should be trained to anticipate likely forms of attack. This means exposure to the psychological tactics bad actors employ through email to bait workers into clicking on links and attachments. The use of popular phishing simulation tools in training is one smart way to build good habits.

5. Excessive Admin Privileges Are No Laughing Matter

When it comes to granting privileges, it pays to be particular. Over time, admin privileges tend to grow — as does the number of people having access to business-critical data, but who don’t understand information security at a high level. This creates an unacceptable level of risk, so revoke the rights of anyone who does not need them. In this case, it doesn’t pay to be generous — there is simply too much at stake.

6. Wily Intruders Are No Match for Dedicated WiFi Connections

When it comes to WiFi, guests and employees don’t mix. Organizations need to create a dedicated guest WiFi network separate from their private network infrastructure. Remember, your security is only as strong as its weakest point — and there is no way to safely manage guest access. Only computers and devices approved by a company’s information security personnel should be allowed on company WiFi.

7. Bypass Being Bamboozled By BYOD Blunders

Given the huge amount of telecommuting inspired by COVID-19, limiting Bring Your Own Device (BYOD) policies has become more of a challenge. Yet organizations should endeavor to put reasonable limits on the practice wherever possible, especially when contractors, partners, customers, and suppliers fall under your BYOD policies. Decreasing the attack surface is always smart.

8. Win With VPNs

Speaking of telecommuters, employees who work remotely through network access points or “hotspots” outside of IT oversight are often easy targets. These bad actors can spoof hotspots and steal critical data by prompting workers to send emails, passwords and documents through their equipment. The solution here is simple: A VPN with end-to-end encryption.

9. Deter Deception With Full Disk Encryption

Full disk encryption works by making your data indecipherable to attackers. Unlike with regular file or folder encryption, or encrypted vaults, full disk encryption protects swap space and temporary files. This takes the onus off the user to decide which files to encrypt, and provides more robust all-around protection.

10. Protect Business-Critical Assets With Cutting-Edge Technology

To protect your most valuable and sensitive assets, you need deep visibility into your vulnerabilities. You also need the ability to prioritize remediations effectively. Fortunately, there is a simple way to address these issues: Deploying an attack-centric exposure prioritization platform that can simulate, validate and remediate attack paths to your critical assets. The right solution should be able to continuously expose attack vectors through automated testing, from breach point to critical asset, and provide guided remediation based on critical risk context. By gaining continuous visibility into vulnerabilities — and understanding the risks those vulnerabilities pose to your most sensitive assets — organizations can achieve optimal protection.

The Takeaway

Even the biggest fool knows that security is never perfect. Yet by following the ten steps outlined above, you can put your organization in a much stronger position to protect its crown jewel assets — and render the efforts of bad actors comically unsuccessful.

XM Cyber is the global leader in Attack-Centric Exposure Prioritization, which is also known as Risk-Based Vulnerability Management (RBVM). The platform enables companies to rapidly respond to cyber risks affecting their business-sensitive systems by continuously finding new exposures, including exploitable vulnerabilities and credentials, misconfigurations, and user activities.

XM Cyber constantly simulates and prioritizes the attack paths putting mission-critical systems at risk, providing context-sensitive remediation options. XM Cyber helps to eliminate 99% of the risk by focusing allowing IT and Security Operations to focus on the 1% of the exposures before they get exploited to breach the organization’s critical assets.

Marcus Gilban is Director of Corporate Communications, XM Cyber