Why is cybersecurity important? 9 ways to improve your cybersecurity in 2020

It’s the year 2020. In some movies, this date was marking the end of the world.

Well, maybe the situation is not as bad as that (however nasty it may look in the morning news), but when it comes to security, there are still areas that need immediate improvements. And we need to react quickly!

The same nightmare scenario

Recently, I had calls with three different customers in just one week, all of them facing the same issue. Namely, there were incidents related to ransomware.

They struggled with it at different stages, though. Some of them needed recovery, some of them were detecting the first signs, and needed help with containing them.

We hear in the news that big companies like Garmin or Canon were attacked. But ransomware may affect any organization, regardless of their size or area of operation.

What comes as a surprise is that companies face the very same issues over and over again.

What struck me the most was how similar those cases were. In fact, the companies could have avoided all the fuss if they had implemented simple solutions in the first place.

That’s why I’ve decided to draw up a short list, to guide you through the steps necessary to never let a ransomware attack paralyze your company. I strongly encourage you to share this blog post with your CISO or CEO and just make it happen!

Why do companies still fall prey to ransomware in 2020?

That’s a good question! The threat itself has not changed over the years. In 2017, there was a series of massive ransomware attacks, and since then, we keep hearing about similar incidents all the time.

Even though we know about the danger, companies still get hit by it.

I examined three incidents that happened only recently (as of September 2020), and a few other cases from the last couple of months.

What are the most common reasons for the attack?

I found that the main reasons for ransomware attacks are:

• Not implementing basic security measures
• Blaming other people for not taking care of security matters
• Lacking security processes and deployments, so in other words, leaving the front door open for malware to come.

It may sound harsh, but this is the reality.

Just ask any penetration testing professional, and they will tell you how bored they are with their job. They get the same easy targets with similar mistakes.

There are the same reports that they could use repeatedly when working with totally different companies. They would only need to change the name, logo, and a few details, because the conclusions and recommendations stay the same.

So, next time before you allocate any budget to new security hardware or software, remember to address those three points!

It is not just about technology. It is about our mindset!

Maersk had (and still does, as we continue to work with them) a brilliant team! They knew where they stood in terms of security. They were even working on it when the unthinkable happened.

I was part of that effort. We were in the middle of planning the mitigation steps to be deployed when the attack took place.

We didn’t make it in time. But there’s a lot we can learn from that experience. The problem was accepting the current state of affairs, instead of challenging it.

What happened at Maersk at other companies gave us excellent lessons to keep in mind. I divided them into two parts:

1. People and organizations
2. The technical side of the issue.

We have created a downloadable infographic to sum them up. Just click on the image to download a copy and share it with others – everyone should be aware of these best practices!

Click the image to download the full-size version

5 tips for people and organizations

Let’s begin with actions you can get started with right now at your organization.

Understand that this is about you

I can’t stress this enough. There is no organization immune to this kind of threat. You can’t keep it at bay even if you cut off your internet connection. Someone will try to do it anyway.

Ransomware attacks happen mainly for profit, so every organization with some value stored in its IT systems like documents, IP, payrolls and so on, is a potential target.

There is value in your data and IT systems. You are a target!

Engage with, listen to, and trust your people

You can’t do it alone. Believe me! You can’t do it at the IT level alone.

Do you remember my article about DevSecOps?

Let me quote from it:

You need to build an understanding of the issue and connections around it up and down the ladder.

If you manage systems, let people in charge know about the risks. Not IT risks, but real threats to the business.

If you are a leader, go to your IT and security departments and ask them honestly:

“Do you think that all the security basics are done and that all bases are covered? Be honest with me.”

Then, give them your full support to do what needs to be done.

Consider the human cost of a cyber-attack

Security in IT protects not only your data. It protects you, your organization, and the people in it.

We’re talking about a number of different aspects:

• The toll put on people who work on recovery (typically several weeks of long hours under enormous stress)
• The pressure that the situation placed on everyone, not only IT
• The economic impact on the organization in the long term.

It is all about people. You can protect your organization with IT and the right security approach.

Foster empowerment and agility

Track your needs and enable your people to address the important issues. Give them the right resources and budget.

Empower them to work on critical items from your security deficit lists where they think this has to be done.

People on the IT floor know what the organization lacks. They simply need your approval and resources. They will handle the issue once they get them.

Do you want control over the process? Then, treat it as a project and manage it with the DevOps approach.

Have a plan

A ransomware attack will eventually hit you. Remember that all this is about you.

1. Are you prepared for the inevitable?
2. Do you have your business continuity plan?
3. Do you know whom you should contact and how to start recovery?

Back in my Active Directory consulting times, 95% of organizations I worked with were not prepared for environment recovery!

I bet the number has not decreased significantly. And I am also sure that you don’t want to be in those 95% when the storm hits.

4 technical aspects to address right now

Now, let’s talk about the practical actions you can take to protect your systems. You will be able to follow them without spending a big budget, additional hardware, or software. You can introduce all these practices within your team.

Protect your users and their identities

These are a few pieces of advice which are so often shared, and yet so often ignored:

1. Enable MFA
2. Prevent the use of simple passwords
3. Do not share privileges between work and administrative accounts
4. Patch your systems
5. Use dedicated admin workstations.

These are just the basics. They apply to both on-premises and cloud environments.

In fact, these steps are nothing new. In 2016, I wrote an article that describes them further.

And even though I published that article in 2016:

1. It is still valid today
2. People don’t follow the steps
3. Those things keep causing breaches of security perimeters.

Four years have passed since I wrote the article. The issues I discussed are common knowledge, and yet – they still cause problems.

And there’s something even worse!

Microsoft did excellent work when it enabled some of those security options by default, like MFA with Security Defaults. Every new Office 365 tenant has it switched on – unless someone disables it for the sake of user convenience. I witnessed it on my own!

I was helping a friend, who is a teacher, to set up Office 365 on new equipment. It was a new tenant, and the administrator decided to switch MFA off. Why?!

Set up your access privileges properly

Implement the Tiered Access Model for your AD and Azure AD environment. The model doesn’t require new tools or licenses. It is already available in your operations.

Some people struggle with using it. Typically, because it is “overdone”. My advice is that you shouldn’t apply it to all accounts, but to the ones that will need it.

What we have noticed is that many organizations place anyone with any privileges in this model. At the same time, they don’t think about what Tier 0 means to their business.

Would you consider the AV operator a Tier 0 account? What if this AV sits on your domain controllers?

Know your environment

Having a plan includes knowing your environment. You need to know what business-critical applications you have on board.

Check the data! Gather logs and analyze them!

You will be surprised how many signals you can capture from your organization before an incident hits you. You have a real chance to protect your business.

Use services like Azure Sentinel after you handle the basics. They will help you spot the threats and mitigate them. That gives you the advantage that only big organizations had before.

Not sure if you have the right skills or people to handle it? You can find organizations that will do it for you (full disclosure – we do run a managed version of SOC). But remember to check how they secure their own environment before you outsource the job.

Use additional tools for threat protection

You might wonder: if there is a threat, why has no one created a tool to protect me from it yet?

Good question! But in fact, someone has already done it.

The tool I have in mind is not free. You might have already purchased it but have not deployed it. Just have a look at this article from Microsoft. It will show you how to use Defender ATP.

It’s time to act!

All the things I have mentioned in this article were already discussed before on many occasions.

In IT, we talk about it a lot. You hear people talk about it at conferences. Many of them are shocked when they find out that someone missed something that obvious.

You read about this issue on forums online where people discuss other cybersecurity incidents.

And yet many of us still assume that it doesn’t concern them!

The time has come to change it!

All the pieces of the puzzle are there. We have articles, best practices, checklists, and videos available. These are valuable sources of information as they show us clearly what to do and what to avoid.

However, there is one crucial thing left before your organization gets prepared for prevention or damage minimization from incidents such as the one at Maersk.

What is it?

Let me quote my friend Gavin Ashton who worked for Maersk at the time of the ransomware crisis:

Start doing!

Not sure where to begin?

We can help you with that. It is as simple as clicking here and letting us know that you need our help.

One of our consultants will reach out to you and will help you with the basic plan. Free of charge!

If you would like to find out more about the issue and understand how such incidents happen and unfold in the network, I have a great article from Microsoft for you here.

It is a good starting point for when you need a reference to begin educating yourself about security controls that you can put in place.

And never underestimate your opponent!

At various conferences, I have delivered a talk about the Maersk case and the security problem in general. I tend to conclude my speech with a quote from Battlestar Galactica:

Let’s make sure it doesn’t happen to you.

P.S. I would really like to stop doing this talk. But the reality proves time and again that we still need it.