5. Harden your email system
Phishing is a common way for attackers to compromise your network. Yet some organizations have not fully deployed email protocols designed to limit the number of malicious emails that employees receive. The protocols are:
- Sender Policy Framework (SPF) prevents spoofing legitimate email return addresses.
- DomainKeys Identified Mail (DKIM) prevents spoofing of the “display from” email address, which is what the recipient sees when they preview or open a message.
- Domain-based Message Authentication, Reporting and Conformance (DMARC) allows you to set rules about how to treat failed or spoofed emails identified by SPF or DKIM.
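To show how these three records fit together on a receiving gateway, here is an added example that is not part of the original article: a toy SPF evaluator and DMARC policy lookup run over constructed DNS TXT records for the reserved name example.com (no real lookups are made). It only handles the ip4/ip6/all SPF mechanisms, takes the DKIM verdict as an input rather than verifying a signature, and approximates the organizational domain with the last two labels instead of the Public Suffix List; all of those are simplifications of this example, not properties of the protocols.

```python
"""Toy SPF + DMARC evaluator over constructed DNS records (added example).
It shows how an inbound gateway combines the SPF result on the envelope
sender with the DMARC policy published by the header-From domain to
decide what happens to a message whose From: address is forged."""
import ipaddress

# Constructed DNS TXT records for example.com; nothing is queried over the network.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"],
    "newsletter.example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def spf_check(client_ip, mail_from_domain):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record (no include/redirect/a/mx)."""
    records = [r for r in lookup_txt(mail_from_domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a permanent error
    addr = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC tags published at _dmarc.<domain>, or None if there is no record."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.startswith("v=DMARC1")]
    if not records:
        return None
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(header_from_domain):
    """Policy for the From: domain, falling back to the organizational domain's sp= tag."""
    tags = parse_dmarc(header_from_domain)
    if tags is not None:
        return tags
    org = organizational_domain(header_from_domain)
    if org == header_from_domain.lower():
        return None
    tags = parse_dmarc(org)
    if tags is not None and "sp" in tags:
        tags["p"] = tags["sp"]  # subdomain policy applies to the unpublished subdomain
    return tags


def aligned(auth_domain, header_from_domain, mode):
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from_domain)


def evaluate_message(client_ip, mail_from_domain, header_from_domain,
                     dkim_result="none", dkim_domain=""):
    """Combine the SPF result computed here with a DKIM verdict supplied by the caller."""
    spf_result = spf_check(client_ip, mail_from_domain)
    policy = dmarc_policy(header_from_domain)
    if policy is None:
        return {"spf": spf_result, "dmarc": "none", "action": "deliver"}
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"spf": spf_result, "dmarc": "pass", "action": "deliver"}
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy.get("p", "none")]
    return {"spf": spf_result, "dmarc": "fail", "action": action}


if __name__ == "__main__":
    # Legitimate campaign mail from a subdomain: SPF passes and relaxed aspf accepts it.
    print(evaluate_message("192.0.2.55", "newsletter.example.com", "example.com"))
    # Forged From: over an unrelated envelope sender with no SPF or DKIM: p=reject applies.
    print(evaluate_message("203.0.113.7", "attacker.invalid", "example.com", "fail", "attacker.invalid"))
```

The two printed cases are the ones the text is about: the relaxed `aspf=r` tag is what lets a marketing subdomain pass, while the strict `adkim=s` tag means a DKIM signature from a different subdomain does not rescue a forged From: address. Before moving a domain from `p=none` to `p=reject`, the aggregate reports sent to the `rua=` address are where you confirm that every legitimate sender is covered by SPF or an aligned DKIM signature.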
Pescatore recalls working with Jim Routh when he was CISO at Aetna. “He was able to get the organization to move to secure software development and to implement strong email authentication by guaranteeing the business benefit would exceed the security cost if management backed him in making the needed changes happen.”
Not all initiatives land, but Routh delivered. His changes led to fewer software vulnerabilities and shortened time to market. “Moving to DMARC and strong email authentication increased email marketing campaign click-through rates and essentially more than paid for itself.”
6. Understand compliance
All organizations should have policies and procedures in place to research, identify and understand both internal and government standards. The goal is to ensure all security policies are in compliance and that there’s a proper response plan to the various attack and breach types.
This requires establishing a task force and a strategy for reviewing new policies and regulations as they come into force. As critical as compliance is to modern cybersecurity strategies, it doesn’t necessarily mean it should be the priority. “Too often compliance comes first, but almost 100% of companies that had breaches where credit card info was exposed were PCI-compliant. They weren’t secure, however,” said Pescatore. He believes cybersecurity strategies should first assess risk and deploy processes or controls to protect the company and its customers. “Then, [enterprises should] produce the documentation required by various compliance regimes (such as HIPAA or PCI) showing how your strategy is compliant.”
7. Hire auditors
Even the best security teams sometimes need fresh eyes when evaluating the enterprise attack surface. Hiring security auditors and analysts can help you discover attack vectors and vulnerabilities that might otherwise have gone unnoticed. They can also assist in creating event management plans for dealing with potential breaches and attacks. Too many organizations are unprepared for cybersecurity attacks because they lack the checks and balances needed to measure their policies.
“When attempting to objectively determine the security risk, having an outside, impartial perspective can be extremely beneficial,” says Jason Mitchell, CTO at Smart Billions. “Use an independent monitoring process to help recognize risk behavior and threats before they become a problem on your endpoints, particularly new digital assets, newly onboarded vendors, and remote employees.”