Last updated on August 7, 2023
Hackers went berserk in 2021. For Q3 2021, the number of data compromise victims (160 million) was higher than Q1 and Q2 2021 combined (121 million), according to the ITRC Data Breach Analysis Report. Also, the study shows that the total number of data compromises related to cyberattacks went up by 27 percent compared to 2020.
Unfortunately, the increasing number of data compromise victims is not the only concerning finding for 2021. The Cost of a Data Breach Report 2021 released by IBM and the Ponemon Institute states that the global average cost of a data breach in 2021 was $4.24M, the highest in 17-year-long recorded history. The United States was the top country in the average total cost of a data breach for 11 years. In 2021, the average cost of a data breach in the United States was a whopping $9.05M, more than twice the global average.
Costs, victim counts, and impacts all increased in 2021, and there is no sign of this trend reversing in 2022. If you do not want to fall prey to hackers in 2022, you must act now.
We prepared 6 practical steps every company can take to protect their data infrastructure and avoid financial and reputational losses from data breaches, ransomware, and other attempts at gaining unauthorized access.
Enable Multi-Factor Authentication (MFA)
Most attacks start with a malicious actor gaining access to an unprotected or poorly protected resource in a company. A weak or reused password, an unpatched system, or ill-defined security policies can all lead to an account being compromised. Once the bad guys gain access to one part of your infrastructure, they can move laterally to other parts, damaging or stealing data along the way. There is a simple way to cut this risk dramatically.
Enabling Multi-Factor Authentication (MFA), also called Two-Factor Authentication (2FA) when exactly two factors are used, stops the overwhelming majority of automated account-compromise attacks (Microsoft's widely cited figure is more than 99.9%), even if the bad guys already know your password. It is not a silver bullet: attackers can still phish one-time codes or flood a user with push prompts hoping for an accidental Accept, which is why the other steps below still matter. Deploy MFA across your company infrastructure to mitigate security risks and stop the hackers at the threshold.
We have written heaps of content on MFA, but the gist of it is this:
There are three categories of evidence you can demonstrate to prove that you are you. These categories are called authentication factors. The three authentication factors are something you know (e.g., your password), something you have (e.g., your smartphone), and something you are (e.g., your fingerprint).
Without MFA, anybody can sign in to your account as long as they know something you know: your password.
With MFA, a person who wants to sign in to your account must demonstrate at least two distinct authentication factors. Demonstrating only one authentication factor, such as a password, is not enough to gain access. When MFA is enabled on your account, a hacker who has obtained your password still cannot sign in because they are stopped by the second factor.
A popular implementation of the "something you have" category is the Mobile Push authentication method. After you install the Rublon Authenticator mobile app on your smartphone, you can receive push notifications from Rublon. When you log in to an application integrated with Rublon, you first provide your password. Then, a Mobile Push authentication request is sent to your mobile device. You can inspect the information displayed in the notification (location, time, username) and then accept or deny the login attempt. Deny any prompt you did not just trigger yourself: an unexpected push means someone else already has your password.
One of the great strengths of Rublon Authenticator is that it supports Out-of-Band Authentication. If you use Rublon Authenticator for MFA, then your authentication occurs on two separate communication channels, which gives a big boost to security. Last but not least, you can enable a PIN and Fingerprint Lock that will require you to enter a PIN or scan your fingerprint every time you open the app.
Opt for Adaptive Authentication (Risk-Based Authentication)
Multi-Factor Authentication (MFA) is secure and robust as it is. Still, every modern organization requires different security controls for different applications and users. Enter Adaptive Authentication.
Adaptive Authentication gives you more control over how MFA is performed. You can approach Adaptive Authentication in two ways. The first way involves the security system automatically assessing risks and changing security options in real-time thanks to machine learning algorithms. The second way allows administrators to define risk levels and access policies based on perceived threats associated with each scenario. Rublon’s solution to the challenge of Adaptive Authentication utilizes the second way.
Rublon Access Policies allow your administrators to create, modify, and assign a set of Custom Policies. Each policy controls a different aspect of access: whether user devices may be remembered (which bypasses MFA on that device for a limited time), which authentication methods are enabled per application (high-risk applications should accept only the most secure methods), and which IP ranges let users bypass MFA (to ease internal access). Two practical cautions apply to the bypass options: an IP-based bypass must be evaluated against the real source address of the connection, never a client-supplied header, and remembered-device lifetimes should be short for sensitive applications.
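To make the decision logic concrete, here is an added example in Python that is not part of the original post and not Rublon's implementation: a small policy engine with the three controls described above (remembered devices with an expiry, per-application allowed methods, and trusted IP ranges that bypass MFA). The policy names, applications, addresses, and timestamps are constructed for the example; the decision a real product makes will differ in detail, but the ordering and the edge cases (expired remembered device, disallowed method, unparseable address) are the ones a reviewer should look for in any such policy.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    """Hypothetical per-application policy mirroring the three options in the text."""
    name: str
    allowed_methods: Tuple[str, ...]                 # methods an admin enabled for this app
    trusted_networks: Tuple[str, ...] = ()           # CIDRs from which MFA is bypassed
    remember_device_for: Optional[timedelta] = None  # None = devices are never remembered


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    source_ip: str          # address of the TCP peer, NOT a client-supplied header
    device_id: str          # opaque identifier bound to a device cookie or token
    requested_method: str   # second factor the user is trying to use
    at: datetime


# (username, device_id) -> time of the last successful full MFA on that device
RememberedDevices = Dict[Tuple[str, str], datetime]


def evaluate(policy: AccessPolicy, attempt: LoginAttempt,
             remembered: RememberedDevices) -> Tuple[str, str]:
    """Decide what a password-authenticated user must still do.

    Returns ("allow", reason) when MFA is bypassed by policy, ("mfa", method)
    when the second factor must be completed, or ("deny", reason).
    """
    try:
        ip = ipaddress.ip_address(attempt.source_ip)
    except ValueError:
        return ("deny", "unparseable source address")

    # Trusted-network bypass: only safe when source_ip is the real peer address.
    for cidr in policy.trusted_networks:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return ("allow", f"trusted network {cidr}")

    # Remembered-device bypass, bounded by the policy's lifetime. A negative age
    # (timestamp in the future) is treated as not remembered.
    key = (attempt.username, attempt.device_id)
    if policy.remember_device_for is not None and key in remembered:
        age = attempt.at - remembered[key]
        if timedelta(0) <= age < policy.remember_device_for:
            return ("allow", "remembered device")

    # Otherwise MFA is required, and only with a method the policy enables.
    if attempt.requested_method not in policy.allowed_methods:
        return ("deny", f"{attempt.requested_method} not permitted for {policy.name}")
    return ("mfa", attempt.requested_method)


def record_mfa_success(policy: AccessPolicy, attempt: LoginAttempt,
                       remembered: RememberedDevices) -> None:
    """Call after the second factor succeeded; remembers the device if the policy allows."""
    if policy.remember_device_for is not None:
        remembered[(attempt.username, attempt.device_id)] = attempt.at


# Constructed sample policies (not Rublon defaults): a high-risk admin console
# that accepts push only and never bypasses, and a low-risk wiki that trusts the
# office network and remembers devices for 12 hours.
ADMIN_CONSOLE = AccessPolicy("admin-console", allowed_methods=("mobile_push",))
INTERNAL_WIKI = AccessPolicy("internal-wiki",
                             allowed_methods=("mobile_push", "totp"),
                             trusted_networks=("10.0.0.0/8",),
                             remember_device_for=timedelta(hours=12))

T0 = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def attempt(username: str, ip: str, device: str, method: str,
            hours_after: float = 0) -> LoginAttempt:
    """Helper to build a LoginAttempt relative to T0 (for the example only)."""
    return LoginAttempt(username, ip, device, method, T0 + timedelta(hours=hours_after))


if __name__ == "__main__":
    mem: RememberedDevices = {}
    first = attempt("bob", "198.51.100.7", "laptop-1", "totp")
    print(evaluate(INTERNAL_WIKI, first, mem))      # ('mfa', 'totp')
    record_mfa_success(INTERNAL_WIKI, first, mem)
    print(evaluate(INTERNAL_WIKI, attempt("bob", "198.51.100.7", "laptop-1", "totp", 6), mem))
    print(evaluate(ADMIN_CONSOLE, attempt("alice", "10.1.2.3", "phone-9", "sms"), {}))
```

Note the ordering: the admin console has no trusted networks and no remember-device lifetime, so even a login from the office network must complete push every time, which is the behaviour the text recommends for high-risk applications.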
Adopt Zero Trust
Zero Trust is a security model that assumes no implicit trust should be given to users, applications, and devices without a thorough, repeated, and continuous verification (authentication, authorization, and security control).
Any user, application, or device, whether newly added or long established, should be continuously verified. The reason for adopting this "never trust, always verify" strategy is simple. During an attack, hackers often target accounts with privileged access and administrator rights. Gaining access to an account with elevated privileges allows hackers to take control of critical infrastructure in a company. The Zero Trust model refuses to extend trust to an account merely because it has elevated privileges or sits on the internal network.
Furthermore, Zero Trust is built on least privilege: always grant only the permissions required to accomplish a task, for example allowing users to read a file without the ability to edit it. Zero Trust architectures are typically implemented with microsegmentation (so that a compromised host cannot reach everything on the network) and centralized access control for cloud apps, which also makes the company's infrastructure more coherent and easier to audit.
It is important to remember that Zero Trust is not a single standardized solution but a loose set of principles a company can adopt to better its security. Implementation of these principles may differ. For example, Rublon can help you comply with Zero Trust principles by introducing the combined protection of Multi-Factor Authentication (MFA), Single Sign-On (SSO), and Access Policies.
Prepare an Incident Response Plan
One of the core principles of the Zero-Trust security model is to always assume a breach has already happened. Operating under the assumption that the company has already been compromised helps you adopt detection and response strategies to protect your infrastructure and employees. Key findings, security practices, and design decisions can be later reshaped into an incident response plan.
You must safeguard your company against cybercriminals long before they even attempt to do evil. An incident response plan allows you to reduce your exposure to cyberattacks and mitigate financial and reputational damage by outlining standard procedures and processes to perform in the event of a security incident. In addition to that, an incident response plan encompasses steps to be taken before an incident happens, such as acquiring tools and resources that may help you handle an incident, implementing intrusion detection and prevention systems, and creating a log retention policy.
The National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce, publishes cybersecurity standards and best-practice guidelines that organizations in any industry can apply. NIST SP 800-61 (Computer Security Incident Handling Guide) organizes incident handling into four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. We recommend you structure your own protection, detection, and incident response mechanisms around these phases.
Ensure Regulatory Compliance
Every company in a given industry must abide by that industry's standards and regulations. Healthcare organizations must comply with HIPAA, U.S. federal agencies must meet FISMA requirements, which are implemented through NIST standards such as SP 800-53, and any organization that stores, processes, or transmits payment card data must demonstrate PCI DSS compliance. These regulations change over time, and before you know it, you may be hard-pressed to abide by a new set of requirements.
Mercifully, some product vendors ensure that their solution meets the regulatory requirements of your industry. This shifts part of the burden from your company to a team of specialists, although the regulated organization remains accountable for its overall compliance: a vendor can only cover the controls its product implements.
For example, Rublon offers a Multi-Factor Authentication (MFA) solution built to satisfy the MFA requirements found in regulations across these industries.
Conduct Cybersecurity Awareness Training
There is one more step you should consider: cybersecurity awareness training for your employees. Humans are the weakest link in cybersecurity, which is why raising the security consciousness of your employees matters. With phishing one of the most popular attack vectors for criminals in 2021, it is more important than ever to teach employees how to work safely and how to recognize the tricks hackers use, including fake login pages and unexpected MFA prompts.
Cybersecurity education powers a better, safer world.
6 Steps Toward a More Secure Company
With Multi-Factor Authentication (MFA), Adaptive Authentication, a Zero Trust strategy, an incident response plan, regulatory compliance, and cybersecurity-trained employees, you can improve your company's security posture and sharply reduce the chance that an attack succeeds in 2022.
Time spent on cybersecurity will return tenfold in the form of security-conscious employees and happier customers who will not worry about their data and money.
Follow these 6 steps to prepare your company for whatever may come this year. Take a step toward a safer future today.