Underlying the current world events is an ongoing campaign of cyber attacks. How much of it is nation state versus criminal activity is debatable, but the attacks are ongoing and increasing in intensity. It is important to understand that we are all targets for these attacks. Governments, critical infrastructure, and contractors supporting the Department of Defense are highly targeted, but many other organizations will get caught up in the attacks. Those tertiary targets will be used to attack other targets, used as distractions, or monetized to fund additional attacks. While most of us have limited ability to affect these world events, we can take basic precautions to make sure we, and our organizations, are not easy targets that get caught up in the activity. Our Cyber Security Services team developed the following recommendations:
Use a Password Manager – Choose the one you like the best, but start using a password manager. You remember one complex passphrase (make it meaningful to you and nonsense to anyone else) and use the password manager to remember all the rest. Attackers are hoping you use the same password across multiple websites, email logins, and access to your network – do not be an easy target.
Use Multi-Factor Authentication (MFA) – If it is available, enable it on everything, but specifically on email, financial, healthcare, and other sites with sensitive data. If MFA is not available, ask why (including within your own organization). MFA dramatically decreases the success of credential theft attacks (most of them from phishing) that lead to a wide variety of fraud and ransomware attacks. Our goal is to make attacking our organization less appealing to attackers – do not be an easy target.
Provide Security Awareness Training – Activate your human firewalls by increasing awareness and reporting. You can make security awareness training fun by using gamification techniques, offering rewards, holding parties, or whatever is appropriate for your organization. The most successful programs use a combination of videos, reminders, phishing test emails, and games at least once per month as part of an annual program. That cadence keeps security awareness near the top of mind without being overbearing. Make it fun and soon you will overhear office conversations about the latest “lame” phishing attack someone received – do not be an easy target.
Get Good Advice – Cyber security can be complex and every organization has to uniquely design their security, so do not go it alone, get some good advice. Whether the advice is from internal resources, third parties, or industry support groups, find out what others are doing and what your organization can do better. Your security does not have to be invincible (although that would be nice), just hard enough to not be an easy target.
Assess the Organization – “I don’t know what I don’t know,” so do an assessment and reduce what you do not know. The Cybersecurity & Infrastructure Security Agency (www.cisa.gov) has free tools and links to other free federal government tools, many of the Information Sharing and Analysis Center (ISAC) organizations (www.nationalisacs.org) have free tools, and with a little internet searching you can get your hands on all kinds of frameworks, checklists, and tools. If all that sounds too daunting, talk to your favorite cyber security professional and get some help from someone who specializes in the field. The goal is to know where your strengths and weaknesses are so you can avoid being an easy target.
Every organization has to determine its risks and the appropriate security measures to have in place. A local government with water system controls is going to require a different set of solutions than a small manufacturer. The list above is just a starting place for security basics that can help protect you and your organization right now – do not be an easy target.
If you need assistance, please feel free to reach out to our Cyber Security Services team.