Changing the Security Mindset: everyday should be security day! 

Written by: Louis de Backer & Amaury André

Hackers are getting so creative and are seeking more and more ways to make profit on the back of your organisation. A lot of the techniques used by them are really sophisticated and can be hard to recognise, even for IT-people! We will be discussing the most valuable measures you can take as an organisation to protect your employees, but you can also do this at home (on a smaller scale)! 

Malware, you said? 

Malware is a catch-all term for harmful programs designed to disrupt, damage, or gain unauthorised access to computer systems. Common types include viruses, trojans, ransomware, worms, spyware, and adware, each with distinct harmful purposes — like spreading infections, stealing data, or locking files for ransom. These forms of malware pose constant threats, requiring cybersecurity measures to prevent their damaging effects. Imagine that your company has self-written programs, or a significant part of your business runs on a single application. What if you could not access these things anymore?  

Have you ever thought about the impact and the cost? Well, it’s hard to predict this, but on average the cost of implementing these measures when it has already gone south is 100x more expensive than when you implement these things beforehand.

What should you protect against malware?

1. Endpoint Protection:

Endpoint protection stops malware from infecting your devices by detecting and blocking threats before they cause harm. Imagine a security guard that keeps an eye out for bad stuff trying to sneak in and mess things up, but then virtually. 

2. Immutable logs & backups:

Organisations are still failing to implement adequate logging measures, which makes it difficult for incident responders and defenders to identify the attack and see what the impact is. Sophos analysed this and in 42% of incident response cases, organisations didn’t have the logs needed to properly analyse an event. With immutable logs, it is (almost) impossible for attackers to alternate these logs and cover their tracks.  Immutable backups are backup files that cannot be changed under any circumstance. It’s crucial that these backups remain unmodifiable, enabling them to be immediately deployed onto production servers in the event of a ransomware attack or data loss. 

Same goes for backups. Your organisation might have thought of making backups, but what is their worth if they are susceptible for hackers? That’s where immutable backups come in handy. 

3. Patch management:

Patch management means regularly updating your devices with the latest fixes and improvements to keep them strong against vulnerabilities. It’s the maintenance that helps close doors that hackers might use to sneak in and cause trouble. Motivate your employees to instal updates asap when they’re released. 

4. Access control:

Access control is about setting boundaries and permissions for who can access what on a system. You can compare it with having locks on doors — only those with the right keys (or permissions) can enter certain rooms or use specific resources, keeping sensitive areas secure from unauthorised entries. This is not only applicable for physical objects; it’s also about the access rights of employees in applications, etc. 

5. Vendor Security Assessment:

Vendor security assessment or management involves evaluating and overseeing the security practices of companies you work with. With a vendor assessment, you check the safety record of a contractor before hiring them for a job — you want to make sure they follow good security practices to protect your own data and systems when they’re involved in your projects. 

6. Incident response planning: 

Incident response planning is like having a fire drill. It’s preparing a step-by-step guide for what to do if something actually goes wrong, like a cyberattack for instance. It helps teams to know how to react quickly and effectively so they can minimise damages and get things back on track. 

Social engineering? Never heard of it.  

Social engineering is a clever manipulation tactic used by cyber-attackers to trick people into revealing sensitive information, granting access to protected systems, or performing actions that compromise security. It plays on human psychology rather than technical vulnerabilities, using deception and persuasion to exploit trust, curiosity, or fear in order to achieve malicious goals. I hear you thinking, I thought IT was only about technical things? No, it’s also about protecting the people that use technology. These are some of the things you can do: 

Policies and procedures:

Policies and procedures for defending against social engineering (also for malware and many other things) are like rulebooks that teach people how to spot and handle tricksters. They guide employees on what to do (or not to do) when faced with suspicious requests or attempts to manipulate them into revealing sensitive information. These guidelines help create awareness and build a defence against sneaky tactics used by cyber-attackers. 

Awareness campaigns:

They’re educational efforts aimed at keeping people informed about cybersecurity risks and best practices. These campaigns help everyone understand potential dangers and how to protect themselves and the organisation from cyberthreats. 

E-mail security controls:

Email security controls are filters that sift through your emails, catching suspicious stuff before it reaches your inbox. They’re measures such as spam filters, encryption, and authentication protocols that keep emails safe from threats like phishing, malware, and unauthorised access, making sure only the good stuff gets through. 

Multi-Factor Authentication:

Multi-factor authentication (MFA) is like having more than one lock on your door. It adds extra layers of security by requiring multiple forms of verification, like a password and a fingerprint or a code sent to your phone. It ensures that even if one method is compromised, there’s an additional barrier to protect your accounts and data. 

What can I use to help me improve my security posture? 

You might be overwhelmed by all these threats and measures we explained, especially if you were not aware of it yet. Fortunately, cybersecurity experts created frameworks and guidelines to help you strengthen your security posture.     

Let’s review, in a nutshell, what the most useful cybersecurity frameworks are: 

• ISO/IEC 27001: You have probably already heard of this standard. It is the most well-known standard regarding information security. With ISO/IEC 27001, you will set up an effective Information Security Management System (ISMS). The most interesting benefit, after improving your security posture, is the possibility to get certified ISO/IEC 27001. With this certificate, you can prove to all your partners that you are trustworthy regarding the handling of information. It will also help you getting new partnerships!
  Did you know CRANIUM can help you with this? Check here our ISO 27001 solutions.
   

• CCB Cyberfundamentals: Now available on SafeOnWeb@work, this Belgian framework gathers security measures from other well-known frameworks like NIST Cybersecurity Framework, CIS Controls, and even ISO 27001/27002! In there, you will find security measures with guidelines and references to help you implement them. Moreover, you can choose between 4 levels of cybersecurity posture to match it with what you are aiming. 
   
• SafeOnWeb: It is not a framework, but we should at least give something to regular people who simply want to adopt good security practices, given that the frameworks presented above are more intended for businesses. SafeOnWeb is a Web site where you can find tips on how to prevent and respond to cyberattacks. You can even test yourself! 

With these frameworks, you will cover most of the security measures from above and will get a good start on improving your security posture. However, for a medium or high security posture, you will need help from experts to enhance and to maintain it.  

I am secured. What’s next? 

Security is a day-to-day job. You will never be fully protected against cyberattacks or cyber-incidents, and once you have a solid base, you need to maintain it by: 

• Adopting and testing measures and procedures.  
• Staying up to date with the evolution of threats, but also the evolution of regulations.  

• Following trainings and awareness sessions so you can have enough knowledge on different relevant topics.  
• Conducting regular internal audits to ensure compliance with regulations, standards, your own policies, etc., and to verify the effectiveness.  

Need help with information security and data protection? CRANIUM has many solutions that can help you with this!