“The digital age is upon us” – this statement has never been more relevant than it is now.
Covid-19 has been the driving force behind the digital transformation of millions of businesses around the globe, and while remote access has been prioritised, it’s important that we understand the risks that come with this newfound modus operandi.
With businesses struggling to identify where to apply their resources in order to keep their respective cogs turning, many organisations are unsure where to place information security on their priority spectrum. Now that the dust has settled and most businesses have found their footing during the Covid-19 pandemic, let’s take a second to figure out how to tackle this. But first we need to remember two things…
“Never waste a good crisis” – a phrase usually attributed to Winston Churchill, and one bad actors know all too well. Cybersecurity Ventures projects that in 2021 a business will suffer a ransomware attack every 11 seconds, up from every 40 seconds in 2016.
“The Healthcare industry has always been particularly at risk from cyber-attacks; this has been vastly amplified due to Covid-19. Hospitals/Clinics are gatekeepers to some of the world’s most sensitive data while simultaneously being some of the easiest organisations to compromise.” – Jean-Michel Azzopardi, CEO of Kralanx Cyber Security.
Okay, let’s dive in. For simplicity’s sake, we’re going to divide this list into three parts to keep things digestible.
Anti-Virus – “The longest journey begins with but a single step” – Chinese proverb. Anti-virus is the most basic of tools, and there is zero excuse for not having one installed (Windows ships with Microsoft Defender built in, so cost is no excuse either). The main differentiator is updates: a scanner is only as good as its latest signatures and detection engine, so make sure updates are automatic and actually arriving, because it is the newest malware that will be used against you. Plenty of free and paid tools exist and you should choose according to your situation; free options include AVG, Malwarebytes and Bullguard, though free tiers often lack real-time protection or central management. If you’re an enterprise, spend a little on a centrally managed product – it will be far cheaper in the long run than the incident you didn’t catch.
VPN – Choosing the right VPN isn’t all that straightforward; if you want a full guide on how to do it, check out the howtogeek bible on VPNs. Protocol and encryption standard may matter depending on your industry, but for most people speed is what decides whether the thing gets used: nothing is more annoying than a slow internet connection, and if your chosen VPN isn’t lightning quick, chances are it’ll never be switched on, which defeats the purpose. Thoroughly test the throughput of a service from the locations your staff actually work from before committing; it will make all the difference. One caveat: a consumer VPN protects your traffic on untrusted networks such as home and public Wi-Fi, but it is not a substitute for a proper remote-access VPN into your own network, and that one should always sit behind multi-factor authentication. Some known winners in the consumer space are ExpressVPN, Bullguard and Tunnelbear.
Password Manager – Passwords are the bane of existence for most boomers – fact. Most people outside that age bracket will tell you the same applies to them, and while we’re not yet at the passwordless stage, a password manager is the single biggest fix available: it generates a long, random, unique password for every site, stores it encrypted and fills it in for you, so one breached site no longer unlocks the rest of your accounts. Whichever you pick, protect the vault itself with a strong master passphrase and multi-factor authentication. Some great tools exist to generate, store and manage your passwords, and we couldn’t be thankful enough that they do. Check out 1Password, LastPass and Bitwarden.
Gap Analysis – Let’s face it, infosec is an intensely complex subject. Understanding your current security posture and comparing it to where you should be (usually measured against a recognised baseline such as the CIS Controls or ISO 27001) is an ideal starting point for most companies looking to take on the challenge of securing their information. A good gap analysis takes some time and involves a mini audit, which, as we all know, can be a dreadful ordeal. Choosing a service provider who understands your industry will make all the difference in capitalising on easy wins, which in this industry can save you big $$$.
API Security – Working from home is now the new normal and API security has taken centre stage. Whether your API is public facing or not, get it pen tested! We can’t stress the importance of this enough. APIs sit directly in front of your data, which, for most organisations, is the crown jewels, and the common failures (broken object-level authorisation, excessive data exposure, missing rate limiting – the OWASP API Security Top 10 lists them) are invisible from the user interface, so a test of the web front end alone will not find them. Gartner predicted that by 2021, 90% of web-enabled applications would have more attack surface in the form of exposed APIs than in their UI. Get your mission-critical APIs tested at least twice a year, and after any significant change.
Backup + Disaster Recovery Planning – More than half of all cyber-attacks are committed against small to mid-sized businesses, and a frequently cited figure has 60% of breached SMBs going out of business within six months. 199.7 million ransomware attacks were recorded in Q3 2020 alone; if you weren’t the subject of one of those attacks, rest assured it’s simply a matter of time. Backups should be a daily occurrence, and at least one copy must be kept offline or immutable, because ransomware that reaches your file servers will go after the backups too. Test your restores regularly: a backup that has never been restored is not a backup. Make sure you have a rock-solid disaster recovery plan, because at some point disaster will strike and you will need a way to recover. A solid DRP ensures you don’t have to pay whatever BTC ransom the bad actor asks for.
External CISO – Trying to find a good CISO is like trying to find a needle in a haystack. CISOs are elusive, few in number and rarely understand your industry. They are also notoriously expensive. Most organisations don’t need a full-time CISO, but they do need an infosec reference who can sit in a board meeting and chime in when needed. Sub-contracting a CISO (often called a virtual CISO) for a few hours a month may be all you need.
Managed Detection & Response – Think of this as a security operations centre on steroids: an outsourced team that monitors your endpoints and network around the clock, hunts for threats and responds to incidents on your behalf. It’s the equivalent of hiring a cyber army, equipped to the teeth, with the sole purpose of defending your business and neutralising threats. Players in this space include Paladion, McAfee and Arctic Wolf.
CEO – Kralanx Cyber Security
Jean-Michel has worked with IBM, SAP and Acunetix and has negotiated cyber security deals with companies and governments across Asia, including Apple, Huawei and some of the largest Fortune companies around the world. Having been involved in a number of start-ups, he prides himself on striking a balance between corporate standards and SME efficiency.