October is Cybersecurity Awareness Month, which offers organizations the opportunity to thoroughly examine their security and risk programs and identify where vulnerabilities might exist. Here at BitSight, we talk about risk management every day, but we also have to practice what we preach — our IT team offered some insight into areas where organizations can improve their network health not just this month, but on an ongoing basis.
1. Patching Software
One proactive measure that companies can take to keep their network safe is to apply patches promptly. Patching is one of the most effective ways to avoid malware attacks, as evidenced this past spring by the spread of WannaCry. Malware traditionally exploits known flaws in a system, and many of the organizations hit by this ransomware had not applied the appropriate Windows patch. Additionally, the window between a patch's release and active exploitation of the flaw it fixes keeps shrinking, so delays in patching carry more risk than they used to.
Defects in client software such as web browsers, email programs, image viewers, instant messaging software, document-creation software, and media players may allow malicious websites to infect or compromise an organization's computers. This can happen with no action on your part other than using the application. The best way to prevent this is to make sure your software patches are up to date.
2. Password & Credential Management
As malicious attacks become more sophisticated, it's more critical than ever that users raise the strength of their passwords and credentials to match. If an employee reuses the same password or credentials across multiple accounts, a single breach exposes all of those accounts, and attackers routinely use automated tools to test leaked credentials against other services. The same applies when employees use easily discoverable personal information as the password to log in to certain programs — attackers can readily find this information. A proactive approach to password and credential management is to use a recommended password manager, which securely stores credentials and generates a unique password for each site.
As an extra layer of security, you can also apply two-factor authentication as a part of your organization’s login process, which makes it more difficult for potential intruders to gain access and steal employee personal data.
3. Phishing & Security Awareness Programs
BitSight's IT team is currently building an employee awareness program around phishing. Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (often for malicious reasons) by masquerading as a trustworthy entity in an email or other online communication. Employees often see this in the form of an email that appears to come from within their own company — from the HR department, for example — asking for sensitive information. If employees open the email or its attachments, they immediately expose themselves to whatever the malicious actors intended. By educating employees on what to look for in these corporate phishing attempts, as well as how to respond, companies can arm their teams with actionable advice that keeps their network safe.
4. Regular Security Testing
As another element of their security program, corporate security teams can regularly test or scan for vulnerabilities within their network. By performing vulnerability scanning, teams can identify and address weak areas that bad actors could exploit to infiltrate the network. Organizations can also have penetration tests performed by an outside company, as well as application security testing. All of these measures proactively and objectively examine weaknesses in a company's network from the outside in. Your security team can then take the appropriate measures to address these issues and strengthen those areas accordingly.
5. Managing Third Party Risk
Lastly, it's important to emphasize third-party, or vendor, risk within your organization. Businesses can partner with hundreds or even thousands of vendors that they engage with almost every day — if those companies hold sensitive information, it's critical that their networks are prepared for potential attacks as well. Hackers are now attacking larger organizations through these smaller vendors, knowing that smaller organizations may not have the bandwidth to guard against them.
This trend truly highlights the importance of continuously monitoring your vendors. BitSight Security Ratings help organizations do just this every single day, assisting them in building and adjusting their vendor risk management program at the speed and growth of their business. Overall, understanding third-party risk in a real, quantifiable way helps organizations keep their network safe.