
8 Best Practices for Organisations to Ensure Cyber Hygiene

Given the rapid evolution of cybercrime, the threat landscape is very volatile. In fact, since the pandemic, the FBI has reported a 300% increase in cyberattacks in the US. Unfortunately, 43% of attacks were aimed at small businesses, but only 14% of those businesses were prepared to defend themselves.

With this in mind, it is pertinent that organisations develop a common cyber hygiene policy. Basically, given the level of sophistication of cybercrime today, installing an antivirus or using network firewalls is not enough. Rather, organisations should strive to maintain good cyber hygiene.


What is cyber hygiene?

Cyber hygiene pertains to a set of practices organisations should employ to maintain the health and security of their users, networks, devices, and data. Essentially, the goal is to guarantee the security of data and protect it from theft or attack.

As such, here are 8 of the best practices you can employ in your organisation to ensure cyber hygiene.

Ensuring your organisation’s cyber hygiene:

1) Employ Multi-Factor Authentication (MFA)

Enabling multi-factor authentication on all of your organisation’s accounts and devices ensures that only authorised users have access. Given the variety of authentication methods available, combining at least two or three verification factors, such as one-time passwords (OTPs) alongside password-based authentication, creates a layered defence that makes it more difficult for an unauthorised person to access a network.

2) Ensure endpoint protection

Some businesses provide employees with endpoint devices, including laptops, desktops, mobile phones, and Internet of Things (IoT) devices, to access the corporate network. Businesses should ensure that these endpoints have device and browser protections as well as network, application, and data controls, so that sensitive data is protected and the impact of any cyberattack is reduced.

3) Perform regular backups

By regularly performing backups, organisations can be assured that their data is safe. Experts recommend following the 3-2-1 rule of backup: keep three copies of the data, on two different kinds of media, with one copy stored offsite. Doing so can guarantee that all sensitive organisational data is secured.
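As an added example, not code from the original article, the following Python checker evaluates a backup inventory against the 3-2-1 rule stated above (three copies, two kinds of media, one offsite) and reports which criterion fails; the `BackupCopy` fields, the `verified` restore-test flag and both sample inventories are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str      # constructed identifier for the copy
    media: str      # kind of media, e.g. "disk", "tape", "cloud-object"
    offsite: bool   # held at a different physical site or cloud region
    verified: bool  # last restore test succeeded (assumed field for this example)


def check_321(copies, min_copies=3, min_media=2, min_offsite=1):
    """Evaluate a backup inventory against the 3-2-1 rule.

    Returns a dict with:
      ok       - True only when every criterion is met
      failures - human-readable reasons for each unmet criterion
      warnings - labels of copies ignored because their restore test failed
    Only copies whose last restore test passed are counted, because a
    backup that cannot be restored offers no protection.
    """
    usable = [c for c in copies if c.verified]
    failures = []

    if len(usable) < min_copies:
        failures.append(
            f"only {len(usable)} restorable copies (need {min_copies})")

    media_kinds = {c.media for c in usable}
    if len(media_kinds) < min_media:
        failures.append(
            f"copies span {len(media_kinds)} media kind(s) "
            f"{sorted(media_kinds)} (need {min_media})")

    offsite = [c for c in usable if c.offsite]
    if len(offsite) < min_offsite:
        failures.append(
            f"{len(offsite)} offsite copies (need {min_offsite})")

    warnings = [c.label for c in copies if not c.verified]
    return {"ok": not failures, "failures": failures, "warnings": warnings}


# Constructed sample inventories for the example.
GOOD_INVENTORY = [
    BackupCopy("primary-db", "disk", offsite=False, verified=True),
    BackupCopy("nightly-tape", "tape", offsite=False, verified=True),
    BackupCopy("cloud-snapshot", "cloud-object", offsite=True, verified=True),
]

# Looks like three copies on paper, but two share one media kind and the
# only offsite copy has never passed a restore test.
WEAK_INVENTORY = [
    BackupCopy("primary-db", "disk", offsite=False, verified=True),
    BackupCopy("nas-mirror", "disk", offsite=False, verified=True),
    BackupCopy("cloud-snapshot", "cloud-object", offsite=True, verified=False),
]

if __name__ == "__main__":
    for name, inv in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        result = check_321(inv)
        print(name, "ok" if result["ok"] else "FAIL")
        for reason in result["failures"]:
            print("  -", reason)
        if result["warnings"]:
            print("  not counted (restore test failed):", result["warnings"])
```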

4) Patch software right away

Since cybercriminals systematically look for vulnerabilities in outdated software, update your software as soon as patches are available. A 2020 IBM survey found that 43% of respondents who had recently experienced a data breach cited the organisation’s failure to patch its software promptly as the cause. As such, routinely screen your network for missing patches and apply them as soon as possible.

5) Implement a Cloud Access Security Broker (CASB)

For organisations that rely on infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), use CASB software. A CASB secures the connections between end users and the cloud and enforces your organisation’s security policies, such as authentication, encryption, data loss prevention, and malware detection. Essentially, through a CASB, an organisation gains better visibility and control over the security of cloud-based data.

6) Educate your employees

Routinely conduct in-depth cybersecurity training for employees to emphasise their crucial role in mitigating cyberattacks. Likewise, provide regular reviews of, and updates to, relevant cybersecurity policies to reinforce foundational cybersecurity practices.

7) Routinely scan your system

Regularly conduct scans for your entire network to identify threats and vulnerabilities. This includes scanning endpoint devices and routers to determine any potential points of entry for attackers. Encrypting devices and having at least WPA2 or WPA3 encryption on routers can secure your network from threats.

8) Create an incident response plan

Given the plethora of attacks on big businesses such as the 2021 Colonial Pipeline Ransomware Attack, the 2021 T-Mobile Cyberattack, and the 2020 SolarWinds Hack, businesses should have an incident response plan in case attacks like those do happen. Through an incident response plan, IT and cybersecurity professionals can identify the breach correctly, contain the threat, control the damage, and patch vulnerabilities that allowed the attack to happen in the first place. This can help the business recover from the attack with minimal damage.

Final Thoughts

Given that cyberattacks can be expensive and damaging to the organisation, companies benefit from maintaining good cyber hygiene. By following these 8 best practices, an organisation can be assured that possible threats are mitigated and that its data and networks are secure.

That said, if your organisation needs help maintaining good cyber hygiene, Cyber Sierra can help. With your organisation’s growth and security in mind, Cyber Sierra can assure you that all cybersecurity regulations will be met, risks will be managed seamlessly, security will be baked across the entirety of your business, third-party vendors will be monitored, and the right insurance coverage will protect you and your business from costly breaches. Essentially, with Cyber Sierra’s consolidated approach to security, you can be assured that all your security needs will be met.


Benefits of Cyber security Compliance: Why you should consider investing in ISO 27001 or SOC 2 regardless of your industry segment

The increasing rate of cybercrime post-pandemic has led many technology leaders, CTOs, and engineering professionals to apply cyber security compliance procedures to their organisations. However, some still assume that compliance only applies to IT and finance businesses, leaving other industries vulnerable to cyberattacks.

As cyberattacks can happen to anyone, this article will go over why businesses, regardless of industry, need to invest in cybersecurity compliance now more than ever, particularly in ISO 27001 and SOC 2 certifications.


What is Cybersecurity Compliance and Why is it Important?

Cybersecurity compliance is defined as meeting the regulatory requirements needed for organisations to protect the confidentiality, integrity, and availability of the information they handle.

Compliance, then, is important as it ensures that firms are equipped with the right tools and systems to proactively mitigate security breaches and maintain good cybersecurity hygiene.

How can my Organisation Achieve Compliance?

To achieve compliance, organisations must get certifications from relevant third-party governing bodies to prove that they are using information systems equipped with the right tools and risk-based security controls to protect sensitive data.

While there are many systems available in the market, organisations should look for those that allow them to:

  • Detect and assess risks and vulnerabilities (technology and human-induced)
  • Manage and mitigate third-party risk, and
  • Conduct periodic scans and create relevant security controls to monitor system performance

In Singapore, 40% of cyberattacks target small and medium businesses (SMBs), with 54% identifying phishing as the main threat to their business. This makes systems that provide counter-phishing protection, asset scanning capabilities, and risk assessment policies, such as Cyber Sierra’s, particularly sought after, as their protection covers the most basic threats.

Features of Cyber Sierra’s Platform

Which Certification should my organisation get?

There are many cybersecurity frameworks that one can get certified in.

However, most companies consider these two as the best indicator of high-quality information security management: ISO 27001 and SOC 2.

ISO 27001

ISO/IEC 27001 is the leading international standard that outlines the requirements for establishing, implementing, and maintaining a cyber-resilient information security management system (ISMS). An ISMS encompasses the organisation’s whole toolbox (people, processes and procedures, and technology) in managing information security risks.

The key requirement needed to comply with this framework is to develop an ISMS that addresses the following security objectives:

Security objectives an ISMS needs to address to comply with ISO 27001 (Source: https://www.itgovernance.eu/blog/en/what-is-an-isms-and-why-does-your-organisation-need-one)
  1. Confidentiality – All sensitive information will only be accessible to parties who have authorisation
  2. Integrity – Only parties with authorisation can alter information in the system
  3. Availability – All necessary information can and should be available to parties with authorisation at all times

Thus, to be ISO 27001 compliant, an ISMS must be capable of keeping sensitive information assets secure and protected.

SOC 2

Meanwhile, SOC 2 is a compliance framework that outlines the data storage, management, and processing criteria that companies must uphold to achieve a good security posture.

The framework operates based on five trust services principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 Principles (Source: https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report)

What’s interesting about SOC 2 compliance is that implementing the five principles varies depending on the company’s needs and operating models.

  1. Security: Protecting data against unauthorised access. To comply, companies implement stricter access controls, encryption, web application firewalls, and multi-factor authentication (MFA) to prevent security breaches.
  2. Availability: A system’s accessibility to the authorised parties based on the service-level agreement (SLA) they set. Network monitoring systems, disaster recovery plans, and automated security controls are crucial to fulfilling this principle.
  3. Processing Integrity: A system’s or process’ capability to fulfill its design function. For this, performance monitoring and quality assurance procedures are thus recommended.
  4. Confidentiality: Restricting access to data for which only select authorised parties have clearance, such as passwords, intellectual property, business plans, and sensitive financial information. Solutions similar to those for the security principle can be applied.
  5. Privacy: Adherence to the organisation’s data privacy policy and the AICPA’s generally accepted privacy principles (GAPP) when collecting, storing, processing, and disclosing sensitive information. Rigorous information security controls are then necessary to maintain this principle.

Benefits of Cybersecurity Compliance with ISO 27001 and SOC 2

1) Improves Cybersecurity Posture

According to an article in Business Wire, the pandemic has increased cyber threats to firms and individuals by 81%, thus highlighting the importance of maintaining a stronger cybersecurity posture in recent times.

With this, getting ISO 27001 or SOC 2 compliance can ensure that your business is equipped with the right tools to detect and assess risks and vulnerabilities and combat even more sophisticated attacks such as SQL Injections, MITM, DDoS Attacks, and DNS Spoofing.

2) Boosts Stakeholder Confidence

Due to their high-value reputations, getting ISO 27001 and SOC 2 certifications can boost stakeholders’ confidence in your business as it shows your capacity to implement the highest information security standards.

These certifications often double as trust assurances, with some companies taking it further by only transacting with organisations that have at least either ISO 27001 or SOC 2, making your compliance with both a competitive advantage against those who are uncertified.

3) Prevents Damages Brought by Security Breaches

Lastly, having either ISO 27001 or SOC 2 certification can help your organisation prevent damages that come with security breaches, as both require your systems to have adequate security controls to mitigate breaches at their onset.

Thus, having such certifications can provide your business with a formidable defence against cyberattacks, especially where the risk stems from third-party relationships.

Concluding Thoughts

At Cyber Sierra, we consider our clients’ cybersecurity posture the most important thing to protect their businesses. That is why we built our platform to be ISO 27001 and SOC 2 compliance-ready by integrating tools and controls such as counter-phishing protection, an automated risk register, and third-party risk management (TPRM) policies.

Easily modifiable depending on your business’s needs, Cyber Sierra’s platform is designed to offer the best thought leadership on simplifying customers’ compliance journey so that our clients can focus on achieving business growth without worrying about their cyber hygiene and security posture.

You can contact us here to request a demo of Cyber Sierra’s solutions.


Why Startups Must Get Serious About Cybersecurity

I recently met the co-founder of an up-and-coming FinTech startup. During our conversation, he boldly stated, “My company is too small to need comprehensive cybersecurity.” Such a mindset is common in most startups. Many assume that only larger organisations should worry about phishing scams, ransomware attacks, or advanced persistent threats. Yet, the truth is worth noting.


Cybercriminals increasingly target small businesses and startups

Smaller businesses are more likely to be targeted by cyber attackers than larger enterprises. They also suffer more. Per one recent report, smaller companies (<100 employees) experience 350% more social engineering attacks than larger companies. Data breaches at small businesses have also surged by 152% in 2020 and 2021. And larger organisations? By only 75%. The cost of data breaches for small firms has also increased: from $2.35 million in 2020 to $2.98 million in 2021. The increase was much smaller for medium and large organisations during the same period.

Smaller businesses often lack the funds and human resources needed to implement robust cybersecurity measures, resulting in weak defences that leave many gaps for bad actors to exploit. Attackers also know that targeting larger firms is more likely to attract the attention of law enforcement. That’s why they prefer to target unprepared smaller businesses: they get a reasonably high payout while keeping a relatively low profile.

How Startups Can Protect Themselves

Since 60% of small businesses fold within six months of a cyberattack, startups must take cybersecurity more seriously. If they don’t, they will become victims and struggle to survive, much less thrive. For one, all startups must implement a cybersecurity strategy, invest in robust security tools, and implement strong procedures to protect their business-critical data.

Startups can also benefit by identifying their most crucial assets and prioritising their defence areas accordingly. Other protective strategies, such as next-gen anti-malware/anti-virus tools, multi-factor authentication, strong access controls, data encryption, backups, and regular cybersecurity training, can also help to mitigate at least some cyber risks in their business landscape.

A Final Word

The writing is on the wall. Hackers target small businesses and startups as much as, and sometimes more than, established firms. And the sooner startup owners wake up to this reality, the better they can safeguard what matters to them: their digital assets, people, budding reputations, and most importantly, their futures.


Cyber Sierra Roundtable: Cybersecurity Risk in Supply Chains

Supply chain risk in the world of information security gains notoriety with every new breach. 2020’s SolarWinds breach is a never-ending saga, with news of impacted entities continuing to come up. Vulnerabilities in open source are another headache, with log4j dominating headlines.


How does the information security team prepare for such unknowns, with only one certainty in mind, that such unknowns exist and can come up suddenly on any given day?

A team of experts convened during the Singapore Fintech Festival 2022 to discuss supply chain risk from a cybersecurity perspective. This meeting was facilitated by Cyber Sierra in Singapore. Please find below a summary of questions, panelists, and discussion points.

  1. What are some impacts of third-party vendor risks? How do you manage such risks?
  2. Have you experienced first-hand such supply chain attacks? Can you share your learnings and experiences?
  3. Do you classify vendors by their potential severity of risks?
  4. Are you able to isolate or ring fence a problematic system or solution (from a vendor) from the rest of your systems?
  5. How can companies guard against misleading declarations from vendors?
  6. Is there a role for regulators to play in terms of enforcing certain best practices in containing supply chain risk?
  7. What is your opinion of a mandatory cyber insurance policy?

Panelists (Reference)

Guarding against third-party risks amid an evolving cyber security landscape

Getting cybersecurity right can be extraordinarily complex given the constantly evolving landscape of new threat vectors and security vulnerabilities. In many cases, the weak link is human, and even senior executives have found themselves tricked through social engineering, noted Stephen Barnham, a senior technology leader in the Banking and Financial Services Industry (BFSI).

Speaking at a recent roundtable discussion organised by Cyber Sierra with IT and cybersecurity practitioners, he shared an anecdote of how a General Manager was tricked by someone purporting to be the CEO to transfer tens of thousands of dollars for a non-existent company initiative.

While the natural propensity might be to dismiss or ignore potential cybersecurity weaknesses as something that will not happen to us, Barnham urged businesses to establish a culture of awareness around cybersecurity and to make it everyone’s responsibility.

The risks from without 

As the world becomes more interlinked and businesses digitalise, one growing risk would undoubtedly be from third-party organisations. At the root of this are digital systems that are increasingly integrated, including with external vendors and partners. When ignored, this can lead to a variety of cybersecurity breaches, including bad actors gaining entry through those systems or supply chain attacks. Silvia Thom, who was formerly the CTO at Zalora, shared that vendor security is a common problem.

“You send out a security questionnaire [to the third party] and you get back the answers. There’s that pressure to get the contract from the other side. And, you know, if it’s a two, three-year-old vendor, how much security could they have built up?” said Silvia.

But is third-party risk management crucial? Pramodh Rai, co-founder and CEO of Cyber Sierra thinks so. He pointed to the prevalent use of automated hacking tools by threat actors, citing the example of how some Internet-accessible databases were hacked within minutes of going live. 

“Somebody somewhere has written a script that is looking for common vulnerabilities. That’s why it’s important to validate your cybersecurity posture first – because the other side is automating the process of hacking,” said Rai.

Security or speed? Choose one 

But why are so few organisations paying attention to third-party risk management? According to Anagat Pareek, ex-CISO of PayTm, third-party risk management is at the bottom of priorities at most organisations mainly due to a lack of time.

“There were instances where we had to turn [vendors] away because of the lengthy onboarding time. By the time we go through the laborious security checks, it would take too much time out of the project runway. In the absence of a [better solution], it can get to the point that we miss a business opportunity,” said Barnham of the time crunch when addressing third-party risk.

But keeping everything in-house is often not the solution either. Barnham explained: “You are in a world where you want to give your developers access to open source. You want them to go to publicly available code repositories. You are contracting external developers and have a hybrid team of developers.”

For many, the result is a compromise where security is reduced to a security checklist.

“We give out access to our systems to vendors. We check the compliance of these vendors by sending them security questionnaires with checklists. If they tick ‘no’, they don’t get the contract. So, everything is ‘yes’, of course. But how do you know that each one of them is compliant?” asked Pareek.

“How are they controlling access to data? Is their data encrypted at rest and in motion? Are they PCI-compliant? We rely a lot on paperwork to answer these questions, but really, nobody has the wherewithal to go out and look at 100 vendors. It’s impossible. We need a better solution.”

A better way with Cyber Sierra

This is where Cyber Sierra can make a difference, says Pareek. “Cyber Sierra can be deployed to scan the network and upload the report. Many vendors may not know what a security vulnerability is, or what a network scan is. And they don’t want to buy another commercial solution – they are trying to build a business after all. Cyber Sierra will also help them become more secure and give the clients they work with the confidence that they’re dealing with a secure organisation. I think it’s a win-win situation.”

Edwin Tan, Head of Information Security at Julius Baer concurred: “Cyber Sierra can provide efficient due diligence of a vendor setup based on measurable criteria. This allows us to take quick proactive action in working with the vendor to address the key concerns before engaging them.”

“My environment has become so much more complicated over the last 10 years; my attack surface has become significantly broader. This is where all my attention is going. If there is a solution that enables me to connect to third parties yet gives me peace of mind about who I’m connecting to, by verifying that they are compliant to whatever standards we want to hold them to, this would help me to use my time far more efficiently,” said Barnham.

Verify and insure 

Another benefit of automated checks lies in their ability to verify that a security declaration is indeed true. Barnham added: “When you have that automated tooling and knowledge that there is that automated tooling, it will disincentivise individuals from lying about their preparedness and compliance. Because now they know they are going to get caught. This allows you to get out of that vicious cycle of pointless checklists, and instead becomes a proactive collaboration.”

“Once people in the ecosystem know that you have this capability, they will not want to turn up at your doorstep, making false declarations,” Rai agreed.

And what role can cyber insurance play? Participants at the roundtable were uncertain whether it should be mandatory, but agreed that it gives companies a choice to mitigate risk, assuming the premium is affordable.
