The threat of cyberattack is a reality for any business. These incidents occur daily and are becoming more sophisticated as cybercriminals evolve. How can media companies protect themselves? Greg Scasny, a cybersecurity professional, shares some best practices to provide clarity and actionable takeaways.
Greg has more than 20 years of experience in IT and information security. He earned a bachelor’s degree in Electrical Engineering and Technology from Purdue University. His career includes multiple achievements and developing new cybersecurity tools for businesses, including cybersecurity training presentations for NASA, the IRS, law enforcement groups and other government agencies. He’s also a frequent speaker on cybersecurity topics at industry events. He appears as an expert for various news and radio stations.
Greg is currently the CTO of Blueshift Cybersecurity. Please note that the guidance provided here is from Greg and is based on his experience. You should always consult with your IT department with specific questions.
Cybersecurity Best Practices Q&A
We posed these critical questions to Greg, and here is his opinion.
How common are cyberattacks?
Extremely common. They happen by the hundreds of thousands every minute. Many successfully defend them, but some don’t. There were over seven successful ransomware attacks every hour in 2020. In 2021, there have been more zero-day attacks, which describe vulnerable software that doesn’t have a fix available, and attackers know about it. Additionally, supply chain attacks are increasing as well.
We block almost 2 million events and attempted attacks on our company every month, and we are a small company.
What are simple enhancements companies can make to strengthen cybersecurity?
Unfortunately, there is a difference between “simple” and “easy.” Simple things like cybersecurity awareness training, understanding how to use (and how not to use) passwords and two-factor authentication help people and companies bolster cybersecurity. However, those things are usually not easy to implement. People are hesitant to change, and that leads to companies putting off things that could really help.
Should companies implement multifactor authentication?
Yes! Everywhere that is possible. Realize that all multifactor is not the same. For example, avoid multifactor authentication using SMS messages to send a code. Instead, time-based codes like Google Authenticator, Duo, etc., or hardware-based tokens like YubiKeys, are ideal.
What are best practices for ensuring employees understand threats?
Training is a must, but that training should be engaging. Companies need to get employees involved in the security process. The boring, cookie-cutter training isn’t going to cut it anymore.
Everyone, from the CEO to the maintenance staff, is responsible for security. I heard a talk a long time ago, and the presenter had a great idea. Start a drawing every month in your company. Everyone who reports a security event gets their name in the drawing.
Give away $100 or $500 or whatever is in your budget to the winner chosen at random. People will get engaged, and it will be one of the least expensive cybersecurity engagements most companies have. It takes that kind of out-of-the-box thinking to get people tuned into the topic.
What is ethical hacking?
Ethical hacking (also called penetration testing and, on the high end, red teaming) is the process of having a “good-guy” (white-hat) use or mimic the tradecraft of actual attackers (black-hats) against your company.
The purpose is to find weaknesses in a company’s defenses that could lead to a successful cyberattack and remediate them. The best way to find them is to have an ethical hacking team that you hire to do that exercise versus waiting for an actual attacker to do it.
What are some resources that companies can use when fortifying cybersecurity?
Many companies I talk to have no idea where to start. The best advice I can give is to pick a framework and work toward becoming compliant with that framework. There are many out there, and some are incredibly complex, but several are digestible by almost any sized organization, including:
- NIST Cybersecurity Framework
- Cybersecurity & Infrastructure Security Agency (CISA) has a free software tool, CSET, that walks you through many different frameworks, including NIST’s.
The main thing is to get started today. There is no time to waste in fortifying your defenses, as the attackers are not waiting. They are out there, and they are persistent.
What’s the difference between phishing and spear phishing?
Phishing describes the sending of a generalized email to many people in hopes of getting someone to click a link, download a weaponized document or give up their credentials.
Spear phishing is targeting an individual or group of individuals with very specific, tailored information to legitimize the email. With this front of legitimacy, recipients are more likely to click, download, etc.
Cybercriminal groups are now using AI to produce convincing, automated spear-phishing emails based on website and social media content. Long gone are the days of poor spelling and grammar phishing attacks. Phishing is still the number one method of infiltrating an organization by cyber adversaries.
What are DOS attacks?
DOS stands for denial of service. A DOS attack cripples the internet-facing systems of a company (or sometimes individuals), disrupting business.
The recent Facebook outage was like a DOS. While not a malicious attack, the effect was what a real DOS attack looks like.
Many DOS attacks are called DDOS, or distributed denial of service, attacks. In this scenario, adversaries use a large “army” of botnets they control all over the globe to send massive amounts of traffic to their victims from thousands of internet-connected machines. DDOS attacks are tough to defend and expensive to mitigate against actively.
What are the common “weak” points of infrastructure?
People. The human factor is always the weakest point in the chain. After that (and most of these are human-related), the weak points are:
- Weak/reused credentials (passwords)
- Lax network defenses
- Vulnerability detection
- Inability for IT to receive, understand and respond to security telemetry
- Remediation/incident response gaps
Many think that they have a firewall and anti-virus, so they are good. They would be wrong. Every data breach and successful cyberattack since the beginning of tracking them have two things in common — the victims all had firewalls and anti-virus.
What kind of documented plans or policies should companies maintain regarding cybersecurity?
Having documented plans and policies is only good if you live by them. It’s important to write out your policies so you follow them. Policies that collect dust on a shelf are not helping anyone.
Again, the frameworks mentioned above are great resources on that. One plan everyone should have and practice is an incident response plan. It is imperative to act quickly and decisively in the event of a cyber incident. Having a plan and practicing it via a tabletop exercise is a great way to ensure you’re prepared in the event of a successful cyberattack.
Connect with Greg
*The information in this article is not legal advice. This article contains best practices that industry experts recommend.