It’s a new fiscal year. Now is a great time to review your entity’s cybersecurity incident response plan as well as in-place controls. It’s important to routinely analyze in-place controls and examine new controls to prevent and/or reduce the likelihood of a cyber incident.
The most important thing is to get started. Let’s start with the basics.
Education and Training
Students often fall victim to the summer slump – forgetting what they learned during the school year while on summer vacation. The same can happen to your staff.
Since most cyber incidents are initiated through interactions with end users, ongoing cyber awareness training is essential to maintain awareness and keep cybersecurity at the “top of mind” for all.
The VRSA Online University provides free, unlimited training for members and provides multiple cybersecurity awareness training modules for members to access.
Account Security
Ensure that all privileged accounts have the highest level of security enabled. Bad actors target these accounts since they typically have administrator or elevated privileges in both the application and the underlying infrastructure.
Require the use of complex passwords/passphrases and use multi-factor authentication (MFA) for all accounts using an authenticator application, not text, email, or phone call verifications.
As shown below, using complex passwords/passphrases significantly increases the amount of time required for a bad actor to hack the password using brute force techniques.
Many entities still rely on the minimum password length of eight characters. Even using the maximum complexity, those passwords can now be hacked in less than a day.
To further protect your passwords, update your password policy to use a minimum of 12 characters (numbers, upper- and lower-case letters, and symbols), dramatically reducing the likelihood the password will be hacked.
Encourage users to use passphrases with 14 or more characters which, even without using other complexity factors, significantly increases the amount of time required to hack the account. The added benefit of passphrases is they are easier to remember than complex passwords.
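The comparison the article makes between the three password policies can be worked through with a small keyspace estimator. This is an added example, not part of the VRSA article; the guess rate is an assumption chosen for illustration, and a real attacker's speed depends on the hashing in use.

```python
# Added example (not from the VRSA article): worst-case time to exhaust the
# keyspace of the three policies the article compares.
from dataclasses import dataclass

# Character-set sizes used for the keyspace calculation.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32   # 32 = printable ASCII punctuation
FULL = LOWER + UPPER + DIGITS + SYMBOLS           # 94 characters

# Assumed attacker speed (guesses per second against an offline hash dump).
# This is a constructed assumption for illustration, not a measured figure.
ASSUMED_GUESSES_PER_SECOND = 10**11

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


@dataclass(frozen=True)
class Policy:
    name: str
    length: int
    charset: int   # distinct characters allowed in each position


def keyspace(policy: Policy) -> int:
    """Number of distinct passwords the policy permits: charset ** length."""
    return policy.charset ** policy.length


def seconds_to_exhaust(policy: Policy, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at the given guess rate."""
    return keyspace(policy) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the unit a policy reviewer would actually read."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


# The three cases discussed in the article.
POLICIES = [
    Policy("8 chars, full complexity", 8, FULL),
    Policy("12 chars, full complexity", 12, FULL),
    Policy("14-char lowercase passphrase", 14, LOWER),
]

if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p.name:30s} {keyspace(p):.2e} candidates, "
              f"worst case {human_duration(seconds_to_exhaust(p))}")
```

At the assumed rate the 8-character policy is exhausted in under a day, while the 14-character lowercase passphrase has a larger keyspace than the 8-character complex password by several orders of magnitude.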
Stolen or acquired passwords can cause more than one system to be vulnerable if the same username and password are used. In an attack called “credential stuffing,” a bad actor uses stolen or acquired login credentials to access unrelated systems such as online banking.
While it may be easier to recycle the same username and password for multiple logins, encourage staff to use a different password or passphrase for each system that holds sensitive or confidential information, and not to reuse credentials across personal and professional accounts.
Layering MFA on top of complex passwords helps mitigate cybersecurity risks if a user’s credentials are compromised. Anyone trying to log into the account on a new device will be required to authenticate with more than just their password. The most secure authentication method is using an authenticator app such as Microsoft Authenticator or Google Authenticator since other methods are easier to divert or compromise.
System Patching
Because new vulnerabilities are identified daily, it is critical that your entity has sound policies and procedures around patching software and operating systems. Monitor for new vulnerabilities by subscribing to alerts from a reliable source such as cisa.gov.
Ensure that you are evaluating if the technologies identified in those alerts are in use at your entity and take the appropriate steps to patch against the vulnerability. It is important to note that applications, operating systems, and hardware are all targets of bad actors and may need to be patched to address newly identified vulnerabilities.
Ensure that you are only using current releases of software and operating systems. Running on versions that are no longer supported (e.g., Windows 8, using Internet Explorer instead of Edge, etc.) exposes your entity to significant risk as these platforms are no longer receiving updates/patches for vulnerabilities. If you are using cloud-hosted applications, be sure your hosting provider has solid cybersecurity practices as well, since providers are also frequent targets for bad actors.
Backups
In the event of a compromise, your best recourse may be to restore your systems to a time before that event. Ensure that you are regularly backing up critical systems and device configurations. Backups should be encrypted and a copy should be stored off your network to prevent corruption.
Having the backup stored in a secure, isolated cloud location that could easily be accessed if needed provides additional protection as these files are not on your network and are less likely to be corrupted if your systems are compromised.
VRSA continues to provide members with the broadest property and liability coverages, including cyber. In fact, we were the first Virginia self-insurance pool to provide cyber protections as well as a cyber defense attorney to manage incidents. We offer a security self-assessment, sample incident response plans, training, and more. For more information on ways to protect your environment, check out our Cybersecurity page on the VRSA website: https://www.vrsa.us/members/cybersecurity/.