How effective are your cybersecurity measures?
By Tom Wojcinski, Principal at Wipfli LLP – Cybersecurity and Technology Management
In today’s digital age, it’s impossible to overstate the threats that cybersecurity risks pose to businesses. With the widespread adoption of technology and advances in digital transformation, the risk of cyberattacks has risen exponentially. Phishing attacks, malware attacks and other forms of cybercrime are among the biggest threats facing businesses.
The average data breach globally in 2023 cost organizations $4.45 million, a 15% increase over three years. And it’s not a matter of whether your organization will be attacked but rather how often and how much damage will be caused. Last year, 95% of organizations had more than one breach and 82% of the breaches were cloud based.
To address the cybersecurity risks, businesses need to be able to manage and monitor their cybersecurity systems effectively. Indeed, the latest security technology and AI can provide constant monitoring and help safeguard business assets. Some organizations choose to outsource security monitoring to managed service providers, which helps bridge the staffing gap and ensures a proactive approach to cybersecurity. Without a comprehensive cybersecurity strategy, businesses not only face the risk of financial losses but also severe damage to their reputation and their future.
Here are some key tips for shoring up your defenses with actionable steps to reduce risk and help protect your business 24/7:
1. Strengthen your email security
Email has always been a chief attack vector favored by cybercriminals. Its exposure to the internet, along with historically weak security, makes gaining unauthorized access to email accounts relatively easy. Common hallmarks of business email scams include an emphasis on time urgency and a sender positioned as authoritative (impersonating a CEO, CFO or another C-suite executive). The threat actor may make an odd-sounding request seem legitimate by providing a plausible reason for it, along with clear instructions on how and when to meet the request, which may involve transferring a specific sum of money.
Here’s how to make it harder for attackers to exploit your email system:
- Use a cloud-based email system: Legacy, on-premises email systems require maintenance and security patching — something many organizations struggle to do promptly. If you’re still using an on-prem email system that you need to maintain, it’s time to move to a cloud-based, SaaS enterprise email system such as Microsoft 365. The cloud provider takes care of the platform and handles security patching, so you don’t have to.
- Use multifactor authentication (MFA): Requiring users to provide two or more verification factors to gain access to an online account, application or VPN is critical to combat credential attacks that let attackers take control of your email account.
- Implement email authentication: Three technologies — Sender Policy Framework (SPF); Domain-based Message Authentication, Reporting and Conformance (DMARC); and DomainKeys Identified Mail (DKIM) — all work together to help make it harder to deliver fraudulent emails to potential victims. If you’re not familiar with these technologies, work with your email provider or an experienced administrator to enable them in your environment.
- Enable external email warnings: Email systems should be configured to alert message readers that emails originated outside of the organization. This is critical to helping users identify when a cybercriminal is impersonating the CFO and the instruction to wire $75,000 to an escrow account is a scam. It’s especially important to enable these on mobile email platforms where the apps just display the sender’s name and don’t show the full email address by default.
- Consider higher-level security monitoring: Systems such as Microsoft 365 contain behavioral analytics tools that enable your team to identify indicators of compromise in a timely manner. You should be able to see when hackers are getting into employee email through alerts about “impossible travel” by your employees. For example, if a U.S. user’s login suddenly appears to be coming from Romania, it would be flagged as a compromised email.
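The “impossible travel” check described in the last item can be sketched as follows. This is an added example, not code from the article or from Microsoft 365; the sign-in records, the 900 km/h speed limit and the 100 km minimum distance are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in events: (user, UTC timestamp, latitude, longitude, place).
SIGN_INS = [
    ("alice", "2024-03-01T13:00:00", 43.04, -87.91, "Milwaukee, US"),
    ("alice", "2024-03-01T14:30:00", 44.43, 26.10, "Bucharest, RO"),
    ("bob", "2024-03-01T09:00:00", 41.88, -87.63, "Chicago, US"),
    ("bob", "2024-03-01T12:00:00", 43.04, -87.91, "Milwaukee, US"),
]

MAX_SPEED_KMH = 900    # assumed limit: roughly airliner cruising speed
MIN_DISTANCE_KM = 100  # assumed floor: ignore short hops and geo-IP jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins by one user that imply travel above the limit."""
    alerts = []
    last_seen = {}
    # ISO 8601 timestamps sort chronologically, so sort by (user, timestamp).
    for user, ts, lat, lon, place in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_lat, prev_lon, prev_place = last_seen[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Treat simultaneous sign-ins as one second apart to avoid dividing by zero.
            hours = max((when - prev_when).total_seconds(), 1) / 3600
            speed = km / hours
            if km > MIN_DISTANCE_KM and speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev_place, "to": place,
                               "km": round(km), "kmh": round(speed)})
        last_seen[user] = (when, lat, lon, place)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print(alert)
```

Sign-ins through a corporate VPN or a mobile carrier can geolocate far from the user, so an alert like this is a signal to investigate alongside other evidence such as new devices or mailbox rule changes.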
2. Stay on top of password best practices
Weak, easily guessed or reused passwords are the cause of the majority of data breaches worldwide. Previous data breaches, hacker forums and the simple guessing of weak passwords in a “password spray” attack are just some of the ways passwords can be exploited by a bad actor.
Even if breached passwords are encrypted by your system, this offers little protection as hardware specifically dedicated to cracking passwords is becoming ever more powerful, efficient and cheaper.
Smart businesses are shifting away from relying solely on passwords as an access tool, both because of security weaknesses and recognition that users are frustrated with frequent reset requirements. Having MFA requirements in place that include a password may still be a sound approach for enabling access and protecting your systems and data. The passwordless Windows Hello authentication system that relies instead on PINs is also gaining traction.
Take steps to help ensure that the rules around password use are strong and enforced:
- Implement password filtering: Do this regardless of whether you use a password or a passphrase, but note that it’s especially important if passwords are the de facto standard. Password filters prevent users from setting a password that contains easily guessed strings, such as months, seasons, years, sports teams, etc., which is the primary way that bad actors guess user passwords.
- Encourage passphrases over passwords: Passphrases are comprised of several memorable words in random order, perhaps combined with a few character replacements. This produces a string that is much harder to guess or crack than those based on a single word with modifications or additions.
- Increase your minimum password length: If passphrases are adopted as standard, the minimum password length can be extended to 16, 20, 24 or even 30 characters without undue burden on users. Conversely, increasing the minimum password length can also make passphrases a more appealing option over passwords.
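A password filter of the kind described in this list can be sketched as follows. This is an added example, not code from the article or from any specific product; the blocked-term list, the 16-character minimum and the character-replacement table are assumptions chosen for illustration.

```python
import re

# "may" is left out on purpose: as a substring it would reject "maybe" or "dismay".
MONTHS = ("january", "february", "march", "april", "june", "july",
          "august", "september", "october", "november", "december")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# Hypothetical organization-specific terms (common words, company name, local team).
CUSTOM_TERMS = ("password", "welcome", "packers", "examplecorp")
MIN_LENGTH = 16  # assumed policy value, the lowest of the lengths the article lists

# Undo common character replacements so "P@ssw0rd" is checked as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
YEAR = re.compile(r"(?:19|20)\d\d")


def check_password(candidate, min_length=MIN_LENGTH):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = candidate.lower()
    # Look for years before normalizing, because normalization rewrites digits.
    if YEAR.search(lowered):
        reasons.append("contains a year")
    normalized = lowered.translate(LEET)
    for label, words in (("month", MONTHS), ("season", SEASONS),
                         ("blocked term", CUSTOM_TERMS)):
        hits = [w for w in words if w in normalized]
        if hits:
            reasons.append(f"contains {label}: {', '.join(hits)}")
    return reasons


if __name__ == "__main__":
    for pw in ("Summer2024!", "P@ssw0rd-P@ckers-Forever",
               "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw) or "accepted")
```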
3. Examine your hybrid workforce practices
For many organizations, the transition to a permanent hybrid or remote workforce seems here to stay. That flexibility comes with challenges for both workers and employers.
During the height of the COVID-19 pandemic, close to 70% of full-time employees were working from home. In 2023, 35% of employees with jobs that can be done remotely are working fully from home, according to the Pew Research Center — up from 7% before the pandemic. And 41% are following a hybrid schedule.
With so many organizations managing a workforce with a large share of people working remotely on any given day, it’s critical to implement the right technology and security controls to protect that workforce and your organization’s data.
Without a road map that prioritizes your organization’s challenges and factors in technology, your employees will look for workarounds. If your organization hasn’t implemented a cloud storage solution, people may turn to personal Dropbox or Google Drive accounts which may not have adequate security controls configured, increasing the risk of a sensitive data leak.
Here are must-do data security actions for effectively managing a hybrid organization:
- Make the most of MFA: Remote work and multiple access points to your business network make MFA more critical than ever. Beyond passwords and one-time codes, biometric verification using a wider array of traits, from retina and iris scanning to voice authentication and earlobe geometry, is gaining ground.
- Implement a secure VPN: A VPN allows your employees to have access to everything they need to do their jobs, whether they’re at the office or working remotely. Make sure you protect your VPN connection with MFA.
- Migrate legacy file servers and applications to the cloud: Cloud-hosted data is accessible anywhere, which is vital for hybrid and remote workers. By migrating your physical office environments to cloud solutions — which you control and can configure security around — you enable employees to securely access data from wherever they are working.
- Use business communication technology: Make sure the technology you rely on enables voice, video and text communication for users from anywhere, as well as allows secure file storage and sharing across your organization.
4. Develop and communicate your Bluetooth use policy
Bluetooth access is not just a convenience for employees. In remote work environments, many find that wired headsets or earbuds are simply not adequate for picking up voices during meetings.
Hi-def wireless earbuds, like AirPods, that are designed to be paired with a mobile device via a Bluetooth connection are the go-to choice for many because of their higher sound quality.
If your company has eschewed Bluetooth use as a risk management strategy, consider revisiting that policy. From a threat modeling perspective, it may make sense for many organizations to allow Bluetooth use if other risk reduction methods are in place. In reality, the likelihood of an attack that could exploit your devices over Bluetooth is low. The Bluetooth protocol doesn’t go beyond 100 meters, so the requirement of close physical access to a device keeps security concerns manageable.
Key steps to take:
- Implement security requirements: These measures should include encryption and the disabling of discoverable mode. Use PINs as an extra layer of protection if Bluetooth accessories support this feature.
- Instruct users to pair devices at home or at the office: Computers are most vulnerable when being paired with a new device, and threat actors could be looking to intercept the wireless connection process. It’s therefore important to pair new devices in the office or at home before going to a public location. And remind people never to accept unexpected pairing requests.
- Be sure to communicate acceptable Bluetooth parameters to your employees: Include the policy in your training materials.
- Make sure employees know to turn off Bluetooth connectivity when they aren’t using it: Reiterate the message periodically, as it’s easy to forget.
5. Leverage AI in your cybersecurity
Organizations are using machine learning defensively to look at huge quantities of data about attacks that have happened elsewhere to identify patterns showing what suspicious activity looks like.
You can monitor your own systems in real time based on that AI input to proactively look for evidence of that kind of activity directed at your business.
AI has accelerated how malware developers are carrying out attacks, but also how defenders can identify them. Endpoint detection and response tools are increasingly relying on AI, along with real-time analytics, to discern legitimate, good behavior from potentially malicious behavior. They can not only detect an attack but also disrupt it before damage is inflicted.
Here’s how to leverage AI at your organization:
- Look into AI-driven anti-malware tools: AI used in malicious software can avoid detection and adapt to changing environments, which makes it harder to identify as malware. Anti-malware tools relying on AI will be valuable in staying ahead in the cat-and-mouse game with attackers. Anti-malware looks at what’s running in memory and other processes, identifying malicious activity that may be very deep in the system.
- Find cybersecurity specialists who are well-versed in AI developments: The cost for risk reduction will be far less than the consequences of a ransomware attack, which can threaten an entire business. Contracting for an outsourced service may be a more cost-efficient route than trying to add permanent hires with these skills.
- Level up your threat hunting: An additional tool is security information and event management (SIEM), which combs through the log activity of every device used by your organization. AI helps conduct automated, proactive threat hunting based on the collected log data to thwart malicious activity.
How Wipfli can help
As businesses navigate the ever-evolving landscape of cybersecurity risks, it’s imperative to adopt a proactive approach to defend against cyber threats. Wipfli’s skilled cybersecurity team is ready to help you assess where your greatest vulnerabilities are and provide solutions that can fortify your defenses and reduce the risk of costly data breaches and reputational damage to your organization.
Learn more about our cybersecurity services and how they can protect your business.