The pandemic has changed the way that we will operate our companies forever. In a Gallup Poll taken in the week of March 30 – April 2 of this year, sixty-two percent of employed Americans currently say they have worked from home during the crisis. That number was double what it was just two weeks prior.
“As I always say, where digital changes occur, hackers will certainly follow.”
In the cybersecurity industry, we’ve seen a huge increase in cybersecurity threats targeted at remote users such as Coronavirus phish bait and disinformation campaigns such as 5G hoaxes to lure users to malicious clickbait. We are seeing issues with remote users either not properly using Virtual Private Network (VPN) connections or not being able to use multifactor authentication solutions because system administrators have misconfigured them on the backend. All of these areas are attack vectors for hackers.
You have to think of cybersecurity like an onion. To some, it just stinks and makes us cry, but to the rest of us it’s like the ingredient that adds flavor to make the perfect computing recipe. For the recipe to come out right, the onion must be fully developed and be applied in multiple layers. (I don’t’ know about you, but I am pretty proud that I was able to pull off that metaphor!)
To avoid the next business disaster by eating a poorly cooked security dish, I offer the top 3 things that you should do immediately to protect your company from cybersecurity exploits with remote users. However, before you read, I want to make a disclaimer. I will mention things here that my company uses itself and even sells (because we have a corporate rule to never sell a solution that we do not use ourselves). That said, I would be happy if you used the tools even if you never bought them from Assura. They are good tools that stand up. If the quality of these tools ever changes, then we will select something else to protect our company and I will straight up tell you that too.
This aligns with two of our core values – “Eat Our Own Dog Food” and “Don’t be an A**hole.” We take this very seriously.
- Improve Your Email Security: Much like the onion, email security has to be done in layers. There is no one security solution that will protect you and your users from every potential email exploit. While many folks will rely on the solution that comes with their hosting service (think about Microsoft’s out-of-the-box mail security or the email security built into G Suite) or they have a third-party solution like Barracuda or ProofPoint, you also need to complement it with an Artificial Intelligence (AI) based solution that provides an adaptive and self-learning platform. I am a big fan of IRONSCALES, an Artificial Intelligence (AI) powered solution that has the best catch rate we’ve seen (and believe me, my security testing team has tried to evade it). Not only is it catching up to 25% more suspicious emails than many other solutions, but it also has the ability for security administrators to remove phishing emails from inbox before it even reaches the users. At Assura, we use IRONSCALES in conjunction with the email security that comes with Microsoft 365 (formerly Office 365), and Microsoft Advanced Threat Protection. IRONSCALES catches the stuff that other solutions don’t so that’s why we use it to augment our mail security posture.
- Endpoint Security: When suspicious code lands on your systems (i.e. desktops, laptops, servers, etc.), you need to take the advice of the immortal Barney Fife from the Andy Griffith Show who said, “You gotta nip it in the bud!” He said it so many times there is a YouTube song of him saying it. I kid you not! So, what does endpoint security look like? Endpoint protection includes next-generation antivirus, threat detection and blocking, investigation, and response. For instance, we use Cylance, an AI-based NextGen antivirus platform, and recommend it to our clients. Cylance catches stuff that other endpoint security solutions miss, even if it’s a brand-new virus that’s never been seen before. They even have a consumer product that uses the same AI-based engine and it is at a low price point.
Other NextGen solutions include Carbon Black, CrowdStrike, and Sentinel One.
Here is what I do not recommend: antivirus solutions with that you have been using since the 1990s. (I wanted to name names, but legal told me that was a really, really bad idea – so read between the lines here.) Unfortunately, the publishers of these solutions have tens (if not hundreds) of millions of dollars invested in maintaining their old, tired code. They try to keep up with newer solutions by bolting on newer functionality. Unfortunately, what you get is a mishmash of software loaded onto your computer that slows it down and still isn’t as effective as a NextGen solution.
Also, beware of some solutions offered by IT Managed Services Providers (MSPs). Many MSPs employ NextGen antivirus solutions, but many use software with 1990’s-era methods of detection because it’s cheap. Some as low as $0.75 per endpoint. As the old saying goes, you get what you pay for. If you have an MSP, make sure they’re using a NextGen solution to protect you. To be honest, I’d rather you use Microsoft Defender, which comes with Windows 10. It’s not the most effective solution on the market, but it sure as heck is more effective than the 1990’s-era names. Never fear – the ones I do recommend will meet even the leanest budget.
Oh, and by the way, for you Mac users? Yes, they get viruses and yes, there is good antivirus software out there for Macs (Cylance being one). Don’t believe the urban legend that Macs are immune to malware. Same for you Linux users.
- End-User Awareness Training and Regular Phishing Tests: I have saved the absolute most important thing you need to do for last. Your employees are your first line of defense in identifying and stopping threats. At Assura, we joke that the purpose of security awareness training to install a “B.S. detector” for cyber threats. Security Awareness and Training can be done online or by webinar. This training is coupled with phishing campaigns to allow users to practice their “B.S. detection” skills and measure the effectiveness of the training. If a user unknowingly clicks on a link or opens an attachment in a phish test email, it will bring them to a screen that gives them a teachable moment on how to spot this type of threat the next time.
Training and phishing tests are recurring activities and not just a once-and-done exercise. Training should include not only a plan and training for basic security awareness but also job-specific security training and updates on new and emerging threats. This type of training and awareness HAS to be easy, fun, and engaging. Most people who have been in the workforce and deal with some of the older platforms have lived through awful online training where they have had to sit in front of a computer for two hours hitting the forward button on something that they weren’t even paying attention to from the beginning. This can take the most docile employee and make them want to go off like a postal worker in 30 minutes flat.
There are two front runners in the marketplace that we like and use Breach Secure Now! and NINJIO. I have really started to like the NINJIO training because the content is based on real-world events using Hollywood-level production that keeps it engaging for users of all ages. We embraced NINJIO since we wanted to provide a solution to our firm and clients that is a bit fresher and a little edgy. However, I do not think you can go wrong with BSN. Some people will probably wonder about the SANS Securing The Human training that for years was seen as the gold standard for all cybersecurity training. For end-users, I think they have lost their market share as their training has not remained timely and engaging and they can be crazy expensive. That said, I think that SANS is better suited for advanced security training for system administrators, developers, and cyber professionals. There is also KnowBe4, which has a mature awareness and training platform that we used for many years and still use it with several clients. However, we’ve begun to implement content with NINJIO because of how engaging it is.
Cybersecurity is a moving target and we always have to focus on being one step ahead of the hackers. If you at least start to work on improving security in these three areas, it will make a significant difference in your security posture for remote employees. In future posts, I will talk about building on these security solutions to grow your onion so that your security recipe is delicious. (I tell you. I should get a pat on the back for that metaphor.)
Until next time… Stay agile. Stay safe. Stay sane.
– The Disaster Lady (Karen)