Cybersecurity: Amplified And Intensified

7. What’s essential.

April 28, 2021 Shiva Maharaj

There is no such thing as a minimum security standard. While this is not meant to be an exhaustive list of what you have to do to attain a comprehensive cybersecurity posture, it is meant to be more of a guide to what you should be doing, and if you're not, maybe it's time you did.


KONTINUUM
Because you're entitled to IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!


Shiva Maharaj:

On today's episode of Cybersecurity: Amplified and Intensified, I'd like to offer a list of items that I think every company, no matter their size, should have in place to help secure their future.

First and foremost, no one needs their everyday user account to have administrative access to anything. And no, there are no exceptions. It does not matter if you own the company.

Asset management: it's not just a financial term, it's the cornerstone of getting to and maintaining proper cybersecurity. No matter what fancy tools you have, it will be hard to protect something if you didn't know it existed. Once you know what you have, ensure you have centralized control of all these devices. Microsoft has done a great job of including drive encryption with your business-class operating system. And if you're using a Windows 10 Home device, spend that extra $100 to upgrade to Windows 10 Professional. You owe it to your customers.

Times are changing. Many companies no longer need that on-premise server, so you can go to Azure Active Directory, and with that you can get Single Sign-On. Consider one of your employees parting ways with your company. Unless you have up-to-date documentation, are you willing to bet your company's future that you can disable all of their accounts in a timely manner? By using SSO, you should now have a single credential to manage and secure each user.

Dovetailing off of SSO, there's multi-factor authentication, or MFA, which is usually looked upon by users as the bane of their existence. It's cumbersome, and frankly a hassle, especially when your phone is nowhere in sight to retrieve that six-digit code. But having that added challenge is often your last line of defense from an attacker, especially if you're keen on using common or easily guessed passwords. MFA comes in a few different flavors, the most popular being text message or SMS, email, TOTP codes, and an authenticator app or push notifications, all in a last-ditch effort to confirm you are who you are logging in as.

My advice: don't use SMS- or email-based MFA. It's far too easy for a competent hacker to intercept a code meant for either. My preference is to use either a TOTP-based code or a push notification service. At this point in time, I don't think any company should use, or much less consider, a solution that doesn't offer SSO and MFA options.

If you've been following recent events, many software and hardware vendors have been issuing updates to help secure their products. We call this act of installing the update "patching." This type of patching is a major step in helping to secure your company. After all, no software is infallible. By testing and deploying these patches, you're able to give your organization a fighting shot against those wishing to harm you. One thing to keep in mind: test your patches before you install them in your production environment. If you can't do this, consider getting someone who can.

With many people still working remotely, and likely staying that way for the foreseeable future, email phishing has become one of the most popular ways for someone seeking unauthorized access to get into your system. That shiny firewall you spent thousands of dollars on is as useful as a paperweight. There are only two ways to help mitigate this vector of attack. First, you have to install some kind of service that will take these suspicious or malicious emails out of your users' mailboxes. Secondly, you need to train your users on what to look for, because there will be emails that get past these anti-phishing services.

Backup and disaster recovery is a place where I usually see room for lots of improvement. Most assessments I've done for new clients usually show one of two things: there are no backups, or the backups are never tested. Having backups that are never tested is akin to having a fire hose with no water. That single hour a day to test your backups could save your company should an incident arise.

Your backups should be immutable, meaning they cannot be deleted or changed in any manner. While we're on the topic of backups, ensure your backups include your email system and any other SaaS systems you utilize. Don't know what SaaS is? Software as a Service: Salesforce, HubSpot, Microsoft 365, just to name a few. Sure, you can put your eggs in one basket hoping the vendors are doing their backups, but I'm sure you didn't get to where you are today by doing that.

I'd be remiss if I didn't mention antivirus. Yes, we still need these guys. Any AV platform you utilize should offer these features at a bare minimum: definition- and behavior-based analysis, application and/or process blocking, and disabling the use of USB drives. After all, in the vast majority of use cases, there's no need for USB drives. DNS security to block out those malicious sites or command and control, which means calling home to get that encryption key to seize and lock up all of your files.

This is not meant to be an exhaustive list of what you have to do. It is meant to be more of a guide to what you should be doing, and if you're not, maybe it's time you gave someone a call to help you with the