As the COVID era drags on, it is clear that work life “post-COVID” may be very different from life “pre-COVID.” This is especially true as it relates to IT security. More and more employees have shifted to a telecommuting work model, and for many businesses that may be the case for an indefinite period of time. This raises important questions as to which security improvements or other changes IT departments need to make in 2021 to keep their businesses and client data safer from cyberattacks.
Here are five potential IT defense measures that your business can implement to protect your organization’s data as well as your clients’ data:
- Ensure your network only accepts connections through an encrypted Virtual Private Network (VPN). Preparing your network for long-term telecommuting connectivity and ensuring that your employees can only access your company’s network by using an encrypted VPN is an important first step. When properly configured, VPNs provide an encrypted “tunnel” between an employee and the company’s internal network (and back), which provides a secure connection as employees continue to remotely access their employers’ networks over the long haul.
- Invest in and enact mandatory multi-factor authentication techniques. Multi-factor authentication (MFA) involves validating the identity of a person and is critical to defending a network against many types of cyber threats, including phishing and credential stuffing attacks. MFA helps to protect against unauthorized network access even if an employee has had their account log-in credentials compromised. According to TechRepublic, the use of MFA increased by 18% in 2020. This also includes a 27% increase in the use of biometric data for security purposes. MFA has emerged as a key tool to combat the threat and expense of cyberattacks; as such, organizations of all sizes would be well served in making MFA implementation a top priority.
- Implement mandatory employee social awareness training. According to the 2019 Verizon Data Breach Investigations Report, approximately one-third of all cybersecurity breaches stemmed from phishing attacks, with that number rising to almost 80% in cyber espionage attacks. There is no better time to prepare your employees on how to recognize and avoid phishing attacks. One cost-effective measure to combat phishing attacks is to tag all emails originating outside the company as “external.” This creates more awareness and helps to prevent employees clicking on bad links or opening infected attachments that appear to come from fellow colleagues.
- Implement “layered” security for your network, also known as “Defense in Depth.” In addition to requiring a user to log in with solely their credentials, consider “layering” your network security by encompassing additional security measures such as MFA, password hashing and salting, biometric verification, application whitelisting and/or secure network logging and auditing. According to Help Net Security, in the second quarter of 2020, approximately 70% of all cyber-attacks involved “zero day” malware. This means 70% of all cyberattacks are using malware that does not yet have an anti-virus signature – a 12% increase from just the first quarter of 2020. To help defeat these “zero day” attacks, the more “layers” of network defense will work to strengthen a company’s ability to detect and prevent a developing cyberattack. Diversifying network defenses can pay dividends.
- Recognize and minimize the insider threat. “Insider” cyberattacks have increased by approximately 50% over the last two years. According to the Verizon Data Breach Report, over 30% of all reported cyberattacks and data breaches are directly attributable to company insiders. To alleviate this threat, it is critical to have your IT department identify and eliminate employee “privilege creep.” Insider attacks often stem from employees having excessive access and privileges to parts of the company network to which they do not need access. In short, it is critical to take the time to ensure that employees only have access to the data they actually need, and nothing more.
This list is by no means exhaustive, and there are certainly many other tactics, defenses and strategies companies can implement to protect their networks and data from external and internal cyber threats and attacks. Nevertheless, these “top five” recommendations are foundational to any type of network security improvements and should be considered as part of any upgrades for network cyber defenses in 2021.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.