October is Cybersecurity Awareness Month—ironically, it’s also one of the worst months for cyberattacks. To help organizations stay ahead of evolving risks, sophisticated attack vectors, and the latest data security threats, UDT’s Mike Sanchez, CISO & SVP of Cybersecurity Solutions, has compiled the following risk management best practices for improving your organization’s security posture.
This guide is broken into four actionable strategies:
1. Start Simple: How to Leverage a Prevention-First Approach
Cybersecurity is often seen as a complex issue, but looking at it from a prevention-first approach can be helpful place to start when it comes to improving your organization’s data security. A majority of data breaches have less to do with complicated technology and far more to do with the behavior of individuals and organizations.
Consider this common example: an organization is breached due to a zero-day exploit in a software used by the company. This exploit was patched weeks ago, but multiple individuals in the organization failed to allow time for the update, allowing a bad actor to infiltrate a vulnerable system—at the end of the day, this breach was not caused by a technology problem, but by a people/process problem.
Even the most advanced antivirus software or firewall will not be effective in stopping breaches if the people in your organization don’t have the proper training and education required to keep their data secure. Here are some simple methods that any organization can perform right now to reduce your overall risk, both from a people and process perspective:
- Do regular risk management trainings. This cannot be stressed enough. Your users, no matter what industry your organization is in, need to be properly trained and educated in data security and awareness. This is mission critical for the success of any organizational security strategy.
- Do delete idle users. Users that have not logged into your system for 90 days or more or who are no longer with the organization should be deleted from your system to eliminate potential compromise risks.
- Do update your systems regularly. Ensure that all of your organization’s apps, software, and firmware are up to date with the most recent patches and fixes to prevent gaps in your security infrastructure.
- Do leverage antivirus support. At minimum, check to make sure that any antivirus applications your organization uses are installed on a majority (if not all) your endpoints—and make sure it is the latest version available.
- Do check your cybersecurity insurance policy. Make sure you still have the proper coverage types and limit amounts. Also, check to see if any policy compliance requirements have changed and ensure that your organization is meeting all compliance requirements.
2. Password Protection: How to Safeguard Your “Keys to the Kingdom”
In a recent “cyber sloppiness” report, the Cybersecurity and Infrastructure Security Agency (CISA) revealed that unchanged or weak passwords/login credentials are a top security threat for organizations across verticals. This should come as no surprise.
Passwords are often the first line of defense for any network or system, as well as the most easily exploited weakness. Cybercriminals consider passwords the “Keys to the Kingdom,” and compromised credentials are bought and sold with frightening regularity among bad actors. Unfortunately, password security is often compromised by users in any number of ways, most often by using weak, common, or default passwords.
In order to keep your organization safe from infiltration, it is important to make sure you have appropriate password policies in place (and ensure they are being followed and enforced). After all, even the most complicated cyberattacks start simple, and they’re successful when users have compromised their credentials.
Here’s what you can do now to make sure your organization doesn’t fall victim to compromised login credentials:
- Don’t use default passwords. Always require that users receiving new hardware change their passwords from the default password set by the admin within 3 days. Be sure to also educate users on why it is dangerous to keep default passwords: if their password is compromised, then every user who is also still operating under the default password will be at risk, too.
- Do require that all users set unique passwords. Avoid simple or commonly used passwords that can be easily guessed, such as the names of pets or children. Instead, use strong, distinctive passwords with long combinations of letters, special characters, and numbers. Randomly generated passwords can be created by using an online password generator.
- Do regularly change your passwords. The longer period of time that a password is used, the more likely it is to be compromised. This is why it is so important to ensure everyone in your organization changes their passwords regularly. At minimum, organizations should require passwords to be changed every 6 months, though best practice is to cycle out old passwords after 90 days. There may be times when it is wise to have all passwords in your organization updated outside of this schedule: for example, if it is discovered that any of your organization’s passwords are compromised, it is advisable to have all passwords changed immediately.
- Don’t use organizational credentials for personal accounts. Educate users on the risks of applying the same credentials used at their organization across their personal accounts (and vice-versa). Hackers may successfully acquire this information through previously breached platforms, such as LinkedIn or Yahoo, and then use this stolen information to access other accounts.
- Don’t share passwords. It’s as simple as that. If a user shares their password with someone else, it won’t matter how strong it is. Implement a strict policy to forbid password sharing, even among users of the same organization.
- Don’t write down your passwords. Leverage secure password managers to store your credentials. Never write them down where someone might be able to find it.
3. Stay Ahead of AI: How to Navigate AI-Fueled Threats
AI is now being used by bad actors to supplement and improve their attack vectors. In fact, cybercriminals adoption of AI has led to an 8 percent rise in attacks so far in 2023. AI has allowed cybercriminals to greatly reduce or eliminate many of the warning signs and red flags (think mis-spelled words) that have long aided users in avoiding such things as phishing emails.
With the increase in AI’s role in cyberattacks, it is important to keep the following things in mind to navigate this new threat landscape successfully:
- AI can guess passwords. Some AI programs are allowing cybercriminals to guess passwords fairly quickly, especially if they are commonly used passwords or contain personal information (much of which can be found through social media which AI can scan in a matter of minutes). Use unique, strong, and/or randomly generated passwords for the most protection.
- AI can craft more effective phishing emails. Scammers are using simple AI apps such as ChatGPT to create phishing emails without the usual red flags (think misspelled words). By combining these AI tools with data from a user’s social media and/or data stolen from hacked websites, cybercriminals are able to create highly targeted spear-phishing campaigns that are almost indiscernible from the real thing. If you receive an unexpected or suspicious email, call the sender directly, especially if it contains an attachment or has a link to a site that asks for personal information or credentials.
- AI can clone voices. It may sound like something out of the future, but bad actors are now employing AI-generated voice cloning, allowing them to mimic a person’s voice almost exactly. Scammers may use this as a social engineering tool to make calls posing as someone else to extract information via phone phishing. They may also use it to supplement a spear-phishing email attack, calling the target in advance of the email (posing as the sender) to let them know the email is coming. The idea is that the call will make the recipient less suspicious of a malware-loaded email. If you receive a call you are suspicious or unsure about, ask the person questions that only they would know how to answer (and can’t be easily gleaned from social media). If you are still suspicious after you hang up, call the person back directly and confirm it was actually them on the phone.
4. MFA Fatigue: How To Avoid Falling Victim to MFA Attacks
While the use of MFA is still a good risk management practice, your organization needs to be aware of MFA fatigue attacks. This type of attack bombards users with repeated two-factor authentication (2FA) or MFA verification prompts in an attempt to fool them into authenticating/entering their credentials.
Here are some quick tips to protect against MFA fatigue attacks:
- Do limit the number of attempts a user must go through to verify identity. Ensure everyone is aware of this number!
- Do replace static pin entry. Notifications should be specific to the login attempt, like Microsoft Number Matching or Duo Verified Push.
- Do train your users on MFA. As with most of the issues covered in this guide, it is important to train your people. Make sure everyone in your organization is aware of these attacks and knows to be suspicious if they receive an unusual number of MFA or 2FA prompts.
Take The Quiz—What’s Your Security Risk Level?
New to cybersecurity or trying to improve your security posture? Take our brief quiz to understand how your organization might score when it comes to risk—and what to do about it.
Proactive Security for Peace of Mind—Accomplish More With UDT
In today’s digital landscape, you know the stakes have never been higher. Cyber threats evolve relentlessly, and your organization’s data and reputation are on the line.
Smart, simple security goes beyond traditional endpoint protection. It requires proactively monitoring your risk and prioritizing strategic security updates in areas with the most impact—all without compromising on ease and cost.
UDT offers comprehensive, custom solutions to help your organization effectively manage risk.
Don’t wait until disaster strikes. Fortify with a proactive security solution for peace of mind. Contact UDT today and schedule a consultation to discuss how to safeguard your organization from cybercriminals—every day and at every moment. Our team is standing by to support you.
Accomplish More With UDT
Get your custom solution in cybersecurity, lifecycle management, digital transformation and managed IT services. Connect with our team today.
About Mike Sanchez, CISO & SVP of Cybersecurity Solutions - UDT
Mike Sanchez is CISO & SVP of Cybersecurity Solutions at UDT, where he applies 20+ years of experience developing and implementing best-in-class risk management and security solutions for organizations in major industries, like Financial Services and Education. Prior to joining the team in 2016, Mike served as President and COO for a Visa subsidiary where he led global cybersecurity initiatives for Commercial and Federal markets. He holds a Juris Doctor and BA of Science in Computer Engineering from the University of Miami, and is a retired Captain of the US Marine Corps.