It’s National Cybersecurity Awareness Month: Take Steps to Further Security Efforts


October is National Cybersecurity Awareness Month. Members are encouraged to take actions to bolster their data security programs. Here are some suggestions.

Develop, Strengthen Governing Policies

Policies help an organization set standards for operations and employee conduct. This is especially critical in the area of data security, as it can address technical controls and employee behaviors, both of which are equally necessary to secure an organization’s systems and data.

Cybersecurity Awareness Month is a good time for an organization to review and update its relevant policies, and to determine if the organization needs additional policies. MCIT and security experts recommend that an organization have these types of policies:

  • Acceptable use policy (for computers, internet, email/text and the like) targeted at user/employee behavior
  • Account validation policies provide expectations and procedures for validating the authenticity of third-party requests, especially those involving a major security change or a transfer of money (another user behavior-focused policy)
  • Access control policies primarily address technical tools to prevent unauthorized access to data and systems, such as the use of multifactor authentication
  • Endpoint security policies, especially for mobile devices, address technical tools that block malware from connecting to other assets
  • Email security policies include tools that range from scanning emails and blocking phishing emails to endpoint protection software to stop malware
  • Data backup and recovery policies help reduce the impact of a successful attack (if an organization has adequate and accessible backups, it can be less costly to recover from a ransomware or other malware attack)
  • Records retention policy that sets how long various official records must be kept, with the expectation that records will be destroyed after that period passes
  • Business email compromise policy that brings together all of the controls and employee behaviors needed to prevent and lessen the impact of these breaches
  • Security awareness training and education policy that outlines the minimum requirements of the employee security training program, including content and compliance provisions
  • Phishing prevention policy that provides guidelines and processes for the identification, prevention and reporting of phishing scams

Of course, a policy is only as good as how well employees understand it and adhere to it. Members should make time to educate employees about relevant data security policies and enforce the policies consistently.

eRiskHub offers free sample policies for most of those noted above and others. Members must establish an account at eRiskHub.com/mcit using the MCIT code to access its resources. Contact MCIT to get the code if needed. Once logged in, search for “policy” and links appear under the Risk Manager Tools section.

Have a File Cleanup Day

Given that email is the most frequent vector for data compromises, employees should work to reduce the amount of information stored in their email accounts, which are not a secure location. The more data stored there, the more a threat actor who gains access can use, either for profit (sale of sensitive data) or to perpetrate scams against others (using the names and email addresses in an inbox).

The first step an organization can take is to make it an entity-wide priority to remove data from email. To do that, an organization could:

  • Establish a file cleanup day where staff must first and only clean out their email and paper files in accordance with the organization’s data retention policy before working on other tasks.
  • Set aside one hour a week where everyone focuses on email cleanup.
  • Make data management a regular part of employees’ work. Team leaders should remind and check in with staff to encourage them to go through their email and other files to purge unnecessary records regularly and securely save those that must be kept.

If information in emails constitutes official records or needs to be kept for business purposes, it should be moved to a more secure storage location than email, such as the file server or the client relationship management database.

Establish Ongoing Cybersecurity Training Plan

Employees are just as important as the technical tools an organization uses to prevent cyberattacks. No matter how sophisticated the email filters and security firewalls are, they cannot stop every malicious email from reaching an inbox or block every fraudulent website. Employees must know what their obligations are for securing the organization’s data and systems.

Employers should establish a plan for ongoing employee training in this area. Training does not have to take a great deal of time. Just a few minutes once a month or so can make a big difference.

The key is that employees must know:

  • What the threats are and the effects of successful attacks
  • How to recognize attacks
  • How to report known or suspected attacks
  • The organization’s policies and consequences for violating those policies

Data Security Resources

National Cybersecurity Alliance

The National Cybersecurity Alliance (StaySafeOnline.org) is the sponsor of the annual Cybersecurity Awareness Month and offers employers ideas and materials to build on their security efforts.

Tools from MCIT

MCIT offers the below tools in the Resource Library:

Fully Revised ‘Essentials of Data Security for Public Entities’

MCIT is excited to announce the release of a fully revised second edition of the best practices guide Essentials of Data Security for Public Entities.

  • Each chapter is updated for current security concerns and best practices
  • New chapters and sections for data management, user authentication and remote work are added
  • More robust guidance is offered around IT vendor contracts and incident preparation, response and recovery

Tip: Chapters can serve as employee training discussions or as outlines for policies and procedures.

“Essentials of Data Security for Public Entities” addresses crucial nontechnical strategies that, if left unaddressed, can leave an organization just as vulnerable to breach as if the entity had no technical solutions at all. The handbook is intended to be used across an organization’s leadership to guide decision making and provide strategies for securing data throughout the entity’s operations. It is not a technical publication.