Ogres and Onions – The Basics of Cybersecurity in 11 Steps


Generally speaking, most national days or months are made up by corporations to sell more products – like national taco day or coffee day. While we fully embrace Taco Tuesdays, we can take some added pride in the fact that National Cybersecurity Awareness Month has a bit more legitimacy behind it. It was created by the president and congress in 2004 and sees the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance lead a collaborative effort between government and industry to raise cybersecurity awareness. We thought we’d start the month off with a live Between the Bytes podcast that covered the basics of cybersecurity in 11 steps.

#1 – Let’s talk about Layers

IT field support professionals want organizations to layer security. This is critical because a cybercriminal might break through any single layer. However, if you have multiple layers, it’s much harder for them to get through, particularly if disparate devices and programs are involved. So your IT support team might install a firewall, use an antivirus, and have some human cybersecurity experts. It’s much more difficult for a hacker to work through all those pieces than to penetrate a single layer. It’s like putting multiple alarms in your home: it might seem redundant, but it’s necessary for this day and age.

We often say effective cybersecurity is like ogres. Anyone who has seen Shrek knows that ogres are like onions – they have layers – and your cybersecurity should as well.

#2 – Build Your Foundation

When it comes to implementing cyber security, organizations are faced with the thorny question of where to start.

Our IT experts give a short answer: you start wherever you’re the most vulnerable or where you have the highest risk.

One easy way to reduce that risk and limit vulnerability is through Multifactor Authentication – or MFA. This is where an organization can start to move the cybersecurity needle. MFA is a simple change that adds a layer of security that prevents criminals from hacking into employee passwords. Considering that lost credentials are still the #1 way cybercriminals access systems, implementing a base layer of MFA gives you the most protection for the smallest investment.

#3 – Put up Your Walls

Any organization that has employees at a physical location needs to have a firewall in place. A firewall is a gateway between the whole world, including international attackers, and your internal network, which makes that little piece of hardware critical. It also works both ways. If an infected machine on the inside is trying to send data out, a good firewall will notify your IT team.

What level of firewall do you need? There are lots of different kinds of firewalls and lots of different brands. Within those brands, there are very different tiers, some that seem mildly approachable in terms of cost and some that are ridiculously expensive. At the end of the day, they all do the same thing, which is filter traffic in and out. A basic firewall is going to block ports: if someone who shouldn’t be is trying to come in on a given port, the firewall blocks that port. A deep packet inspection (DPI) firewall will look inside every packet to see what’s in there rather than just watching for certain ports. That requires more processing power and resources inside a firewall, which explains the different expense levels.

The products that we believe provide the most bang for an organization’s dollar are Sophos and SonicWALL. In many cases, you can tie in an antivirus or endpoint protection. So, suppose you have Sophos antivirus and a Sophos firewall, and a machine gets infected. In that case, that firewall can block that machine from reaching the outside world and from spreading across the rest of the network since they’re working in tandem.

#4 – Take Your Medicine

Endpoint protection (or securing the actual devices that employees use) is another critical entry-level security step. One of the most basic ways to do that is through an antivirus program. Built-in antivirus products are not sufficient for a work environment. This is one of those scenarios where you get what you pay for, and our experts want to encourage everyone to pay some. Sure, use the free antivirus that comes with your devices, but don’t stop there. If your ISP provides you with some anti-virus when you sign with them, that’s better. However, we encourage clients to go a step further and pay for an antivirus. Sophos has an excellent antivirus product that our team installs on every workstation we touch out there in the world.

#5 – Don’t get Held for Ransom

The next logical layer is an anti-ransomware product. Sophos provides one, and there are other brands out there. Most antivirus programs are reactive. A device gets infected, and then the antivirus company sends the signature of that program out to the rest of its users. Behavioral-based security is the way security is heading. It looks for things that are being encrypted and notices unusual behavior. When it sees it, it blocks whatever’s happening. Your network support company should be telling you to spend the money to put this protection at critical locations, which are any machines where files are stored, anywhere that QuickBooks or your financial data is stored and on the devices of executives as well as anyone handling money.

#6 – Filter out the Junk

After your organization has the basics covered, invest in spam filtering. This entails having a third party scan incoming emails to ensure they don’t contain an infectious attachment. These services are not flawless, but the best ones learn and improve. Anti-spam products have a bonus – they should make your users more efficient. Instead of reading 200 email messages, 170 of which are fake, employees should see a large percentage of those filtered out. The result is that every email user in your organization should become more efficient. Our IT support folks believe the productivity increase alone pays for itself quickly.

#7 – Get your Team Trained

Unfortunately, in most systems, users are the weak point that cybercriminals target. Your firewall doesn’t get tired; there’s no human error involved there. There can be programming errors, but generally, it’s a pretty flawless device. Since attackers know this, they’re going after the users. Since so many breaches stem from users, your people should be trained in security awareness, anti-phishing techniques, and what to be wary of in emails. Train your users and retrain them annually. An often overlooked piece of training, especially for the money handlers, is how to deal with wire transfers and other monetary requests. We’ve seen attacks where a hacker will insert himself into an email chain by breaching a vendor or a third party, so the messages look legitimate. Putting procedures in place can reduce this risk.

#8 – Password Management

The next step up is to implement some type of password manager. Since you want your employees to have strong passwords, remembering them is an issue. You don’t want them storing passwords in notebooks or putting them on post-its and sticking them to monitors or under keyboards. Our IT field support teams see that too often, which means that attackers know that as well.

#9 – Segment your Network

Once your basic protection is in place, it’s time to take a critical look at your networks. The idea is to segment them so that any damage done to one segment does not impact the others. Also, some components naturally have more risk, which should be contained. Guest wireless, for example, should not be on the same network as your servers. The money handler should be on a separate network. IT security personnel only have to deal with that smaller segment if there is an issue. This is also a good BYOD (Bring Your Own Device) solution. The most effective way to deal with employees bringing in external devices you have limited control over is to put them on a different network where your IT team can limit potential impacts.

#10 – Prevent Data Loss

How wonderful would it be if your email was intelligent enough to search itself for sensitive content like credit card or driver’s license numbers? With Data Loss Prevention (DLP), it can!
DLP programs will scan content and alert your IT team if they see something askew. Pair that with a Mobile Device Management (MDM) solution to ensure that data on phones is also being protected.

#11 – Monitoring Solution

A solid monitoring system will alert your IT support team to unusual resource usage. It will note if an employee’s machine spikes suddenly, if someone’s computer is being remotely accessed while they are still sitting at their desk, if passwords are being reset, or if employees are suddenly logging on at 2:00 AM when that’s not usual for them. It will also catch impossible journeying, which is when someone logs in from Las Vegas and then logs in from South America five minutes later. These systems will give your IT support a heads-up.

As you can see, the best cybersecurity isn’t just one silver bullet; it’s built in layers. While it may sound overwhelming, we encourage clients to start somewhere. Start with one of these solutions, then bolt on others as you go. Trying to do it all at once isn’t always very realistic, but you can do one thing, and if you start anywhere, MFA is an easy solution that provides a great return.

This article was written from one of our podcast episodes on Between The Bytes!

To learn more about protecting you and your business from cybersecurity threats, check out our Ultimate Guide To Cybersecurity!
