A cybersecurity breach prevention: recommendations for enterprises

Personal smartphones and tablets are used to store working data, both personal and corporate passwords, and other sensitive information. So, it is troubling that mobile protection often lags behind.

In one of our earlier posts we discussed the primary reasons why cybersecurity breaches happen. Now, what shall we do to prevent said cybersecurity breaches?

It’s easy to advise businesses to “simply remove all reasons for the breaches”- store passwords securely, don’t use easy-to-guess combinations, update your software often, protect mobile devices, and make sure you have a strong security policy.

While all great advice, these suggestions mean nothing without being concretized.

So what can we do to DISALLOW security breaches? Here are just a couple of recommendations.

Generally speaking: Call for responsibility

Concretized: employees should submit their mobiles to IT for installation of corporate security tools

Corporate employees today have more possibilities with their working devices than ever- before laptops became omnipresent and smartphones were commonplace, IT workers only had to care about protecting working endpoints and servers. It was up to the individual employees to decide how to secure their home desktops.

This is no longer the case. Many companies have adopted a BYOD (or bring your own device) policy, making employees’ personal devices a “volatile” part of the corporate infrastructure, coming in and out of the office sometimes several times a day. Personal smartphones and tablets are used to store working data, both personal and corporate passwords, and other sensitive information. So, it is troubling that mobile protection often lags behind.

wide1

What else can we do to minimize the chances of a breach? Take a look at our practical guide!

Today, employees have more freedom than ever before – and that means they need to take more responsibility for their own safety than they may have done in the past.

It is highly recommended that IT departments extend their corporate-level protection to employees’ personal devices, but it is only possible if the employees are proactive about bringing their personal devices to the IT department’s attention.

In a nutshell, employees should be made aware that their company’s security policies extend to their personal devices as soon as they begin using them for work matters, and that securing company data is a paramount task for their IT department. This task is impossible to successfully complete without the employees’ taking personal responsibility and cooperating.

Generally speaking: Plug the holes and automate everything

Concretized: Identify the weakest points in your infrastructure, and use a “multi-barrel gun” of security solutions with vulnerability scanning, patch management, and application control functions.

Plugging the holes in your infrastructure is a time-consuming, but necessary evil. First of all, it is important to identify where the weakest point of the entire chain is, i.e. where your network and data can be compromised. This is exactly what hackers do – why not think ahead of them?

Do you have software vulnerabilities? – Okay, which ones? Has Microsoft Office/Word been updated? -Yes. How about Oracle Java? Updated last week – Okay. Or no? How about Flash? – New updates are available. Applying… done. Now, what else? Ah, there’s Windows update. Then there are employees’ mobiles…what a chore.

Hopefully the patch management tools are in place, patching everything by hand is a torture and a huge waste of time.

wide2

Diminishing the attack surface may seem a chore, but there are practical approaches to make things less time-consuming. For more hints and tips take a look at our Practical Guide.

Okay, we succeeded; this “chain link” is strengthened, and known holes have been plugged. If there are unknown issues, vulnerability scanners are a go, as well as application control that would limit the possibility of dangerous behavior in the software used.

With tons of software used within a company, automation and application control is a necessity, although according to Kaspersky Lab’s 2014 Global IT Risks Report, only 58% of companies in the world has it implemented in full.

Generally speaking: Prevent rather than react

It is way smarter and less expensive to safeguard your business infrastructure from future attacks rather than reacting and mitigating post-incident.

Disasters happen; every company in the world can be sure that it will be targeted – if not today, then tomorrow. We already know most of the routes bad guys slither in through: software vulnerabilities (both PCs and mobiles are affected), weak passwords, phishing, unsafe use of mobile devices (such as accessing sensitive data via unprotected public networks), etc. Altogether these tactics are often called the “attack surface”, and diminishing this surface is exactly what a “good security policy” entails.

It’s crucial to remember that everybody makes mistakes – even the smartest people can yield to a silly phishing message – and timely patching may not help against the narrowly targeted cyberattack that uses a zeroday.

But by always keeping the possibility of an attack in mind, as well as strengthening the weakest links with the robust and multifunctional security software available, businesses have the capability to prevent bad things from happening, rather than having to react once it’s too late. Prevention shouldn’t be underestimated as an effective course of action; it is always less expensive than recovering from a successful attack post factum.

Tips