- Create a culture where people feel comfortable escalating concerns and reporting suspicious emails, even if they turn out to be legitimate. One way is to create a mailbox that is monitored, perhaps by a chief information security officer (CISO) or a virtual CISO.
- Be very specific about policy and acceptable tools for company communication. For example, employees who forward emails to Gmail or Yahoo accounts when they work remotely could be rendering the whole network insecure.
- Put out alert bulletins to warn employees about trending phishing emails and scams.
- To help employees recognize external emails, highlight in the subject line that it’s from an external source.
- Walk through the warning signs of a phishing scam frequently:
  - Did you expect to receive communication from this person?
  - Do they normally make requests via email?
  - Is there pressure to conform to a timetable?
  - If it doesn’t seem right, then pick up the phone and call someone.
  - If it involves outside vendors like a bank, ask the bank to put in controls for emails from you and call to validate that it’s from you.
- What you receive in an inbox has passed through filters, but that’s not foolproof.
- Endpoint detection and response (EDR) monitoring is becoming necessary given the number of laptops and devices in use; it can help identify a potential incident immediately and reduce its impact.
- Another important concern is data retention. Create a data retention schedule with the help of counsel and/or regulatory staff. Don’t keep data in backups if you don’t need it anymore. Less data is less costly to maintain. More data creates more risk.
- As a rule, organizations should hold mandatory general cybersecurity training for employees on an annual basis with specific ransomware tests or segments held quarterly.
- Training can be computer-based or offered as a slideshow, but either way, it should be accessible to employees who want to revisit it on their own time.
- General security awareness training can be one-size-fits-all, for all staff.
- Training should focus on phishing, since email is the biggest vector for ransomware and remains the easiest, cheapest method for targeting victims.
- To measure the effectiveness of employee phishing training, look at click rates and post-test results. Engage human resources to ensure that follow-up conversations with employees tie into employee goals and explain ramifications. If employees don’t do well, there might be consequences depending on what type of access they have and their role in the organization.
- Specific training for executives, technology teams and security teams – whether in-house or outsourced – can include tabletop exercises that focus on processes and plans.
When it comes to backups, you can’t have too many – but it’s always a good idea to have at least two. Among the many reasons you need them are data corruption, data loss and malicious events that lead to business interruption.
- Without a backup, organizations can lose data that can’t be recreated, and some businesses have failed as a result.
- When determining what to back up and how often to do it, first conduct a comprehensive review of all data on every computer, laptop and device to know what you have. Consider what you could afford to lose and continue to do business. If it’s easy to recreate or it’s not that important, it might not need to be backed up.
- Other considerations include recovery point objectives and recovery time objectives: how much data can you afford to lose and how long would it take to restore operations, given your particular business? For instance, if you back up once a day, what would you lose on any given day and how would that impact the business?
- A good rule of thumb is to back up databases every half an hour, back up everything once a week for a master copy, and back up everything else incrementally once a day.
- In the case of ransomware, threat actors want the ransom to be paid and they know that if you don’t have the ability to restore the data, they are more likely to get paid.
- It is very difficult to have on-premises digital backup that can’t be overwritten, so the recommendation is to choose off-premises, tape or a cloud-based provider for backups.
- Tape backup is a great choice because the tapes must be physically removed and so are offline.
- If the backup is in the cloud, the vendor can sometimes configure it so that it can’t be deleted for a certain period of time, or so that deletion requires a phone call to the vendor.
- Backups are small, compressed files and they are prone to theft. The fewest number of people possible should have access to backups.
- Prepare for a recovery event by testing the backups. Every six months, schedule a test of the backups. It can be as simple as asking someone to recover a deleted file for you and making sure they can do so.
- Organizations that test backups are back in business much faster than those who don’t. Testing is also a good way to learn where to get the files, and how long it may take you to restore and recover data in the event of an incident. If it takes a long time to restore, that’s a good thing to know before it’s too late.
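The restore test described above, as an added example that is not part of the original bulletin: a SHA-256 manifest is written when the backup is taken, the live copy is then damaged, and the restore is verified against the manifest and timed. The directory layout, file names and contents are constructed for the drill.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def write_manifest(source: Path, manifest: Path) -> dict:
    """Record a SHA-256 per file at backup time; the restore test compares against it."""
    entries = {str(p.relative_to(source)): sha256_file(p)
               for p in sorted(source.rglob("*")) if p.is_file()}
    manifest.write_text(json.dumps(entries, indent=1))
    return entries


def verify_against_manifest(tree: Path, manifest: Path) -> dict:
    """List files that are missing or whose contents no longer match the manifest."""
    expected = json.loads(manifest.read_text())
    missing = [rel for rel in expected if not (tree / rel).is_file()]
    corrupted = [rel for rel, digest in expected.items()
                 if (tree / rel).is_file() and sha256_file(tree / rel) != digest]
    return {"missing": missing, "corrupted": corrupted,
            "passed": not missing and not corrupted}


def restore_drill() -> tuple:
    """Constructed drill: back up, damage the live copy, restore, verify, and time it."""
    root = Path(tempfile.mkdtemp())
    live, backup, manifest = root / "live", root / "backup", root / "manifest.json"
    live.mkdir()
    (live / "ledger.db").write_bytes(b"constructed sample database contents")  # constructed
    (live / "notes.txt").write_text("constructed sample notes")  # constructed
    shutil.copytree(live, backup)
    write_manifest(live, manifest)
    # Simulate the incident: one file is deleted, another is overwritten.
    (live / "notes.txt").unlink()
    (live / "ledger.db").write_bytes(b"overwritten contents")
    damage = verify_against_manifest(live, manifest)  # expected to fail
    # Restore from the backup copy and time it; this is the measured recovery time.
    start = time.monotonic()
    shutil.rmtree(live)
    shutil.copytree(backup, live)
    after = verify_against_manifest(live, manifest)
    after["restore_seconds"] = round(time.monotonic() - start, 3)
    shutil.rmtree(root)
    return damage, after
```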
Cybersecurity services and support
To assist members with their cybersecurity exposures, Preferred offers the following services and support:
PREFERRED RISK MANAGEMENT RESOURCE CENTER
Preferred Loss Control’s Risk Management Resource Center is available to members that have their EPLI coverages with Preferred and provides the following cybersecurity resources at no cost:
- Unlimited access to cybersecurity experts via phone and email.
- Breach HealthCheck – Measurable data breach exposure and protection through instant feedback.
- Robust privacy and security templates, including a customizable incident response plan (IRP).
- Resources for keeping staff up to date on a range of issues related to privacy, data security and compliance.
- Latest news and events regarding data breaches, regulations, class-action lawsuits, cyber threats and protective technologies.
VECTOR SOLUTIONS ONLINE TRAINING
Vector Solutions online cybersecurity resources feature several courses with up-to-date lessons for browser, email and password security to improve cybersecurity awareness amongst employees and mitigate risks to your organization. Courses offered at no cost to Preferred members include the following:
- Cybersecurity Awareness for Employees: Classifying and Safeguarding Data for Corporate and Personal Use
- Cybersecurity Awareness for Employees: End-User Best Practices
- Cybersecurity Awareness for Employees: Security Awareness Essentials
- Cybersecurity Awareness for Employees: Social Engineering
For questions or to request additional information please contact your Preferred Loss Control Consultant.