backdrop

8 Best Practices for Organisations to Ensure Cyber Hygiene

Given the rapid evolution of cybercrimes, the threat landscape is very volatile. In fact, since the pandemic, the FBI has reported a 300% increase in cyberattacks in the US. Unfortunately, 43% of attacks were aimed at small businesses but only 14% were prepared to defend themselves

With this in mind, it is pertinent that organisations develop a common cyber hygiene policy. Basically, given the level of sophistication of cybercrime today, installing an antivirus or using network firewalls is not enough. Rather, organisations should strive to maintain good cyber hygiene.

slider

What is cyber hygiene?

Cyber hygiene pertains to a set of practices organisations should employ to maintain the health and security of their users, networks, devices, and data. Essentially, the goal is to guarantee the security of data and protect it from theft or attack.

As such, here are 8 of the best practices you can employ in your organisation to ensure cyber hygiene.

Ensuring your organisation’s cyber hygiene:

 

Ensuring your organisation’s cyber hygiene:

 

1) Employ Multi-Factor Authentication (MFA)

Enabling multi-factor authentication on all of your organization’s accounts and devices ensures that only authorised users have access.Given the variety of authentication methods available, having at least two or three verification factors, such as using one-time passwords (OTPs) and password-based authentication, creates a layered defence that makes it more difficult for an unauthorised person to access a network.

2) Ensure endpoint protection

Some businesses provide employees with Internet of Things (IoT) devices, such as laptops, desktops, and mobile phones, to access the corporate network. That said, businesses should ensure that these endpoint devices have device and browser protections as well as network, application, and data controls to ensure that sensitive data is protected. Likewise, the occurrence of any cyberattack is mitigated.

3) Perform regular backups

By regularly performing backups, organisations can be assured that their data is safe. That said, experts recommend following the 3-2-1 rule of backup, in which three copies of data are stored on two different kinds of media while keeping one copy offsite. Doing so can guarantee that all sensitive organisational data is secured.

4) Patch software right away

Since cybercriminals systematically look for vulnerabilities in outdated software, update your software right away whenever patches are available. In a 2020 IBM survey, they found that 43% of respondents who recently experienced data breaches indicated that the cause was a failure of the organisation to patch their software right away. As such, routinely screen your network for missing patches and update them right away when possible.

5) Implement a Cloud Access Security Broker (CASB)

For organisations that rely on infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), utilise CASB software. With this in place, it would secure connections between end users and the cloud. Likewise, it would enforce your organisation’s security policies, such as authentication, encryption, data loss prevention, and malware detection. Essentially, through a CASB, an organisation can have better visibility and control over the security of cloud-based data.

6) Educate your employees

Routinely conduct in-depth cybersecurity trainings to emphasise their crucial role in mitigating cyberattacks. Likewise, provide consistent reviews and updates on relevant cybersecurity policies to reinforce learning about foundational cybersecurity practices.

7) Routinely scan your system

Regularly conduct scans for your entire network to identify threats and vulnerabilities. This includes scanning endpoint devices and routers to determine any potential points of entry for attackers. Encrypting devices and having at least WPA2 or WPA3 encryption on routers can secure your network from threats.

8) Create an incident response plan

Given the plethora of attacks on big businesses such as the 2021 Colonial Pipeline Ransomware Attack, the 2021 T-Mobile Cyberattack, and the 2020 SolarWinds Hack, businesses should have an incident response plan in case attacks like those do happen. Through an incident response plan, IT and cybersecurity professionals can identify the breach correctly, contain the threat, control the damage, and patch vulnerabilities that allowed the attack to happen in the first place. This can help the business recover from the attack with minimal damage.

Final Thoughts

Given that cyberattacks can be expensive and damaging to the organisation, it would be beneficial for companies to maintain good cyber hygiene. By following 8 of the best practices to ensure cyber hygiene, the organisation can be assured that possible threats are mitigated and data and networks are secure.

That said, if your organisation needs help maintaining good cyber hygiene, Cyber Sierra can help. With your organisation’s growth and security in mind, Cyber Sierra can assure you that all cybersecurity regulations will be met, risks will be managed seamlessly, security will be baked across the entirety of your business, third-party vendors will be monitored, and the right insurance coverage will protect you and your business from costly breaches. Essentially, with Cyber Sierra’s consolidated approach to security, you can be assured that all your security needs will be met.

 

Cyber Awareness

More articles like this

Find out how we can assist you in completing your compliance journey.

backdrop

Benefits of Cyber security Compliance: Why you should consider investing in ISO 27001 or SOC 2 regardless of your industry segment

The increasing rate of cybercrime post-pandemic has led many technology leaders, CTOs, and engineering professionals to apply cyber security compliance procedures to their organisations. However, some still assume that compliance only applies to IT and finance businesses, leaving other industries vulnerable to cyberattacks.

As cyberattacks can happen to anyone, this article will go over why businesses, regardless of industry, need to invest in cybersecurity compliance now more than ever, particularly in ISO 27001 and SOC 2 certifications.

slider

What is Cybersecurity Compliance and Why is it Important?

Cybersecurity compliance is defined as meeting the regulatory requirements needed for organisations to protect the confidentiality, integrity, and availability of the information they handle.

Compliance, then, is important as it ensures that firms are equipped with the right tools and systems to proactively mitigate security breaches and maintain good cybersecurity hygiene.

How can my Organisation Achieve Compliance?

To achieve compliance, organisations must get certifications from relevant third-party governing bodies to prove that they are using information systems equipped with the right tools and risk-based security controls to protect sensitive data.

While there are many systems available in the market, organisations should look for those that allow them to:

  • Detect and assess risks and vulnerabilities (technology and human-induced)
  • Manage and mitigate third-party risk, and
  • Conduct periodic scans and create relevant security controls to monitor system performance

In Singapore, 40% of cyberattacks target small and medium businesses (SMBs), with 54 % identifying phishing as the main threat to their business. This scenario makes systems that provide counter-phishing protection, asset scanning capabilities, and risk assessment policies such as Cyber Sierra’s particularly sought after as their protection can cover the most basic threats. 

 

Features of Cyber Sierra's Platform
Features of Cyber Sierra’s Platform

Which Certification should my organisation get?

There are many cybersecurity frameworks that one can get certified in.

However, most companies consider these two as the best indicator of high-quality information security management: ISO 27001 and SOC 2.

ISO 27001

ISO/IEC 27001 is the leading international standard that outlines the requirements for establishing, implementing, and maintaining a cyber-resilient information security management system (ISMS). An ISMS encompasses the organisation’s whole toolbox (people, processes and procedures, and technology) in managing information security risks.

The key requirement needed to comply with this framework is to develop an ISMS that addresses the following security objectives:

Security objectives ISMS need to address to comply with ISO 27001
Security objectives ISMS need to address to comply with ISO 27001(Source: https://www.itgovernance.eu/blog/en/what-is-an-isms-and-why-does-your-organisation-need-one)
  1. Confidentiality – All sensitive information will only be accessible to parties who have authorisation
  2. Integrity – Only parties with authorisation can alter information in the system
  3. Availability – All necessary information can and should be available to parties with authorisation at all times

Thus, to be ISO 27001 compliant, an ISMS must be capable of keeping sensitive information assets secure and protected.

SOC 2

Meanwhile, SOC 2 is a compliance framework that outlines the data storage, management, and processing criteria that companies must uphold to achieve a good security posture.

The framework operates based on five trust services principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 Principles (Source: https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report)
SOC 2 Principles (Source:SOC for Service Organizations: Trust Services Criteria)

What’s interesting about SOC 2 compliance is that implementing the five principles varies depending on the company’s needs and operating models.

  1. Security: Protecting data against unauthorised access. To comply, companies implement stricter access controls, encryption, web application firewalls, and multi-factor authentications (MFA) to prevent security breaches.
  2. Availability: A system’s accessibility to the authorised parties based on the service-level agreement (SLA) they set. Network monitoring systems, disaster recovery plans, and automated security controls are crucial to fulfilling this principle.
  3. Processing Integrity: A system’s or process’ capability to fulfill its design function. For this, performance monitoring and quality assurance procedures are thus recommended.
  4. Confidentiality: Restricting access to data that only select authorised parties have clearance, such as passwords, intellectual properties, business plans, and sensitive financial information. Similar solutions to the security principle can be applied.
  5. Privacy: Adherence to the organisation’s data privacy policy and the AICPA’s generally accepted privacy principles (GAPP) when collecting, storing, processing, and disclosing sensitive information. Rigorous information security controls are then necessary to maintain this principle.

Benefits of Cybersecurity Compliance with ISO 27001 and SOC 2

1) Improves Cybersecurity Posture

According to an article in Business Wire, the pandemic has increased cyber threats to firms and individuals by 81%, thus highlighting the importance of maintaining a stronger cybersecurity posture in recent times.

With this, getting ISO 27001 or SOC 2 compliance can ensure that your business is equipped with the right tools to detect and assess risks and vulnerabilities and combat even more sophisticated attacks such as SQL Injections, MITM, DDoS Attacks, and DNS Spoofing.

2) Boosts Stakeholder Confidence

Due to their high-value reputations, getting ISO 27001 and SOC 2 certifications can boost stakeholders’ confidence in your business as it shows your capacity to implement the highest information security standards.

These certifications often double as trust assurances, with some companies taking it further by only transacting with organisations that have at least either ISO 27001 or SOC 2, making your compliance with both a competitive advantage against those who are uncertified.

3) Prevents Damages Brought by Security Breaches

Lastly, having either ISO 27001 or SOC 2 certification can help your organisation prevent damages that come with security breaches, as both require your systems to have adequate security controls to mitigate breaches at their onset.

Thus, having such certifications can then provide your business with a formidable defense against cyberattacks, especially if the risk is from third-party relationships.

Concluding Thoughts

At Cyber Sierra, we consider our clients’ cybersecurity posture the most important thing to protect their businesses. That is why we built our platform to be ISO 27001 and SOC 2 compliance-ready by integrating tools and controls such as counter-phishing protection, an automated risk register, and third-party risk management (TPRM) policies.

Easily modifiable depending on your business’s needs, Cyber Sierra’s platform is designed to offer the best thought leadership on simplifying customers’ compliance journey so that our clients can focus on achieving business growth without worrying about their cyber hygiene and security posture.

You can contact us here to request a demo of Cyber Sierra’s solutions.

Governance & Compliance

More articles like this

Find out how we can assist you in completing your compliance journey.

backdrop

Sensitive Data Handling

For clarity on what ‘sensitive data is, refer to your Company’s Information Security policy. It should also stipulate guidelines, specific to your org, on how to handle sensitive data.

Generally, any data that helps identify individuals, their residency, banking, or health information is considered sensitive. Also, information that can risk the competitive advantages or reputation of the organization is sensitive.
slider

As an employee, here are 11 steps you can take to handle sensitive data well, to mitigate the risk of a breach:

  1. Ensure devices have encryption.
  2. Use synthetic data, instead of actual, where possible. This way, any leakage does not risk real people.
  3. When sharing information internally, and especially externally, only pass on what is needed. Remove non-relevant content.
  4. Secure/Wipe the hard drive before disposing of old devices.
  5. Restrict locations to which work files with sensitive information can be saved or copied.
  6. Use application-level encryption to protect the information in your files.
  7. Develop the habit of deleting unnecessary files, which no longer serve your business purpose. Note to check for storage rules in your Company’s information security policies first.
  8. Use Virtual Private Networks (VPNs) when logging in from outside the workplace.
  9. Limit sharing of data externally. If possible, consider using data leakage prevention tools.
  10. Stop using USB drives altogether, or limit the storage of sensitive information on unencrypted devices.
  11. Use separate wifi for Guests/Customers.

As you may notice in the steps above, developing a more proactive, defensive approach to data is most helpful, especially where sensitivities are high.

Sensitive Data Handling

More articles like this

Find out how we can assist you in completing your compliance journey.

backdrop

Cyber Risk Through
Third Party Relationships

Every cybersecurity risk that your organization faces, is likely present in companies or individuals it works with. Increasingly, breaches happen because of vulnerabilities present in the network of Third-Party Relationships (TPRs) you have.

As a result, the following are important points to note when you interact with parties outside your organization.
slider
  1. Ensure your company has a policy for Third Party Risk Management (TPRM) with clearly defined controls that apply to TPRs.
  2. Maintain a central repository for TPRs and analyze the cybersecurity risks they pose and subsequently, apply appropriate controls to each party, with reference to TPRM or best practices you are familiar with.
  3. Third parties are not just ‘vendors’. Any supplier, IT service provider, associate, affiliate, or consultant is also part of the same set of third-party relationships. Controls in your organization’s information security policies should apply to all.
  4. Apply controls across the relationship. The importance of cybersecurity controls is normally overlooked, especially during and in the terminal phases of the relationship.
  5. Require your third parties to inform you of their security practices and in particular, any breaches, especially in relation to data concerning your customers or organization.

When cyber attacks occur in your supply chain of TPRs and if the data compromised concerns your business or its customers, your organization is likely to suffer impact too and may even be held liable.

As a result, watch out for the parties you are interacting with within the course of business and be mindful of cyber risk in this sphere.

Third Party Risk Management

More articles like this

Find out how we can assist you in completing your compliance journey.

    toaster icon

    Thank you for reaching out to us!

    We will get back to you soon.