Welcome to the whack-a-mole world of cyber security. As soon as experts find ways to push back against one variety of threat, another ingenious and deadly cyber-attack methodology emerges.
This has led to a vast proliferation of advice, frameworks, software products and opinion. Our own cyber security team has seen how this can lead to ‘paralysis by analysis’. Where on earth do organisations start with this?
So, for Cyber Security Awareness Month 2024 – a US initiative that has grown into a worldwide one since 2004 – we’re going to clear the decks of the detail and get back to the fundamentals of solid cyber security.
We’ll start with some excellent recommendations from America’s Cyber Defense Agency, the US government agency responsible for Cyber Security Awareness Month. We’ll then follow with a deeper look at the best practice principles behind hardened cyber security. This is information you should consider when looking for advanced cyber security from a provider.
Throughout, we’ve included links to other Intersys articles to give background to some of these concepts.
Cyber security fundamentals: four things to do right now
As recommended by America’s Cyber Defense Agency, your organisation’s cyber security will be considerably hardened if you do the following.
1. Implement strong passwords
A strong password is random, at least 12 characters long and includes uppercase letters, lowercase letters, numbers and symbols. It should never be repeated across accounts – use a unique password for each. Password managers are an excellent and secure way to manage passwords across many accounts. If you can’t use a generated password, think of a phrase or a song lyric to make your password easy to remember but hard to guess.
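The password rules above, written out as a small policy checker, a generator and a reuse check. This is an added example, not code from the original post; the symbol set and the 16-character default length are assumptions.

```python
import secrets
import string

# The character classes the policy requires; the symbol set is an assumption.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "number": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
MIN_LENGTH = 12


def missing_requirements(password: str) -> list[str]:
    """Return the policy rules the password fails (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            failures.append(f"no {name} character")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies the policy.

    Uses the secrets module (a CSPRNG) and rejection sampling, so every
    accepted password is drawn uniformly from those that meet the policy.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_requirements(candidate):
            return candidate


def reused_password_groups(vault: dict[str, str]) -> list[list[str]]:
    """Given account -> password, return groups of accounts sharing one password.

    Only account names are returned, so the passwords themselves never leave
    this function; a non-empty result means the 'unique per account' rule is broken.
    """
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return [accounts for accounts in by_password.values() if len(accounts) > 1]
```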
2. Turn on MFA
Multi-factor authentication (MFA) is a second line of defence after strong passwords that makes you significantly less likely to get hacked. Use it on email, social media and financial accounts. You’ll usually find settings to toggle MFA on or off. Keep it on.
3. Recognise and report phishing
According to a UK government report, phishing is by far the most common type of breach or attack. Be cautious of any unsolicited messages requesting personal information and don’t share sensitive information with unknown sources. Report phishing attempts to your cyber security team and delete the message. If you’re going to invest in employee cyber awareness, put phishing awareness front and centre.
Also, take a look at our post 10 Phishing Email Examples and Why We Know They’re Fake.
4. Update software
While it’s tempting to delay updates, don’t. Ensuring your software is up to date ensures you have the latest security patches on your devices, to protect you against known and emerging threats. Regularly check for updates if automatic updates are unavailable.
Cyber security fundamentals: five things to know right now
While the above is solid advice for any organisation, whatever its size, many will want to go much further. This is where we enter the world of cyber security audits, penetration (pen) testing, security information and event management (SIEM), AI monitoring and a sometimes-bewildering list of technical terms and acronyms.
You can expect your professional cyber security teams to know about and handle these processes and applications. But what you should know about when seeking advanced cyber security is the fundamental framework that must underpin all of these actions.
The framework that follows has the beauty of being both completely understandable by the layperson and also at the heart of advanced cyber security. Use it to assess if a provider is following global cyber security best practice.
It’s time to talk about NIST.
What is the NIST Framework?
The USA’s National Institute of Standards and Technology (NIST) promotes innovation in science and technology. Its NIST Cybersecurity Framework (NIST CSF) is considered the leading global framework for cyber security best practice. You’ll notice it’s broad. This is intentional, so that its recommendations can be implemented in any organisation. But NIST features solid advice. Essentially, it is the foundation upon which any cyber security strategy should be built.
The core structure of NIST is made up of five categories, which NIST calls functions. These are not intended to be performed in sequence, but ‘concurrently and continuously’. With a good strategy, all of the below is happening all of the time.
The NIST framework forms the backbone of Intersys’ cyber security service offering.
IDENTIFY
Understanding cybersecurity risk to systems, people, assets and data. Actions may include identifying:
- Physical and software assets, to establish an asset management programme
- Cyber security policies, to define a governance programme
- A risk management strategy
PROTECT
Support the ability to limit or contain the impact of potential cyber security events and describe safeguards for the delivery of critical services. Actions may include:
- Implementing data security protections to ensure confidentiality, integrity and availability
- Managing protective technology to ensure the security and resilience of your IT estate
- Empowering employees through training and education
DETECT
Define how to identify a cyber security incident in a timely manner. Actions may include:
- Implementing continuous security monitoring capabilities
- Ensuring anomalies and events can be detected and understood
- Verifying the effectiveness of protective measures
RESPOND
Take action following a cyber security incident to minimise impact. Actions may include:
- Making sure response planning processes are followed during and after an incident
- Managing communications during and after an incident
- Analysing the effectiveness of the response
RECOVER
Maintain plans for resilience and for restoring services affected by an incident. Actions may include:
- Implementing recovery planning processes and procedures
- Making improvements based on lessons learned
- Coordinating efficiently during recovery activities
Conclusion: what should I take away from this article?
- ACT NOW. If you haven’t already, implement the four cyber security best practice fundamentals recommended by America’s Cyber Defense Agency. They will harden your security considerably.
- KNOW NIST. You don’t need to memorise every word. But if at any point you are looking for outsourced cyber security, ask your potential provider about their methodology and reference NIST. If you draw a blank or encounter waffle or evasion, move on.
With that, we wish you a happy Cyber Security Awareness Month 2024. Keep reading the Intersys blog and our regular Cyber Security Monitor newsletter for professional and up-to-date security advice.
Intersys is an ISO 27001-certified cyber security and IT provider offering a wide range of services, including our enterprise-level cyber security as a service (CSaaS). We also offer a cyber security baseline assessment service for SMEs which is based on NIST and NCSC (UK’s National Cyber Security Centre) guidelines.