What do you really need to be aware of when you consider your company’s digital security to be paramount? Security vendors have a lot of answers and accompanying products, but we take a look at the other side. What is the best investment according to a hacker?
Endpoint protection, firewalls, IPS and intrusion detection, real-time monitoring, SOCaaS and so on: there are plenty of solutions to secure your business. More is not always better, which is why we asked Thomas Hayen, Mickey De Baets and Robin Bruynseels. As part of Easi's Red and Blue teams, they phish and hack companies for a living. Of course, they wear white hats and do so as part of penetration tests meant to improve company security. Which basics should you definitely have in order, according to the ethical hackers?
1. 2FA above all
“It all starts with authentication,” Hayen says. After all, most successful attacks do not run through exotic software bugs but through compromised accounts. “Implement 2FA. Any kind of multi-factor authentication helps.” The numbers are on Hayen’s side. Microsoft recently revealed that organizations that use Azure AD and embrace 2FA experience 80 percent fewer cybersecurity incidents than their counterparts that do not.
“Sometimes organizations choose not to implement 2FA because it is not nice for users,” sighs De Baets. However, its importance should not be underestimated. “For phishing, 2FA is one of the most important forms of protection,” Bruynseels adds. “Securely in combination with Microsoft 365.”
2. Monday patch day
“Security is on many levels,” Hayen says. “To keep the infrastructure layer secure, you need to do little more than look for vulnerabilities and do periodic patch administration.” Yet it often does not happen. Most of the attacks that make the front pages of the newspapers target infrastructure that would have been immune had the latest patch been installed.
“Choose a day each week or even each month that you block in your calendar to install patches and perform a simple vulnerability scan immediately afterwards. It’s not a lot of work, but it’s so important.”
3. No security without policy
For the third tip, Bruynseels points to the importance of the right policies. “Many companies with large resources screen with tools here and there, but you can no longer do without a good policy. First you work out the policy, then you start building.”
An essential policy is least privilege, whereby a user never gets more access than is actually necessary. De Baets: “Many users with an admin account use it on an ongoing basis to do everything, but if an administrator has been logged in and a device has not been restarted, a hacker can retrieve important data from the cache and have options. It’s easy to be aware of that.”
Password policy matters as well. “Make sure it’s right and that a user does not get tired of constantly entering passwords,” says Hayen. “Do not force people to change their password every month, because then they will choose something simple like Dog1, Dog2 and Dog3. A password manager or a company-approved box is an ideal option.”
4. An untested backup is not a backup
Tip four ensures that you are prepared when something does happen. Every organization needs a backup, but running a backup tool somewhere is not enough. Hayen: “First of all, you need backups in several places.” It could be two locations in your business, but it could just as easily be a backup in the cloud, adds Bruynseels. “Of course, you also need to test the backups.” All too often, organizations blindly trust their backup without ever checking whether, and how quickly, they can restore it. A backup that you cannot restore quickly is not actually a backup.
5. Set an alarm yourself
Finally, the experts hope that organizations will wake up in time. De Baets notes that all too often, action is only taken when a company has hit a wall. “We often hear that this or that event was, after all, a wake-up call. Only then does a budget follow, and organizations can rejoice that recovery was still possible,” says Bruynseels.
It is up to companies to wake up on time rather than wait until they have narrowly escaped disaster. With 2FA, a clear patch and backup strategy and a well-considered policy, you can go a long way.