Cybersecurity

Cyberattacks have drastically grown and are specifically targeting government entities. The majority of cyber-related claims are due to phishing, ransomware or third-party breaches, according to the Iowa Communities Assurance Pool (ICAP). Cybercrime is expected to approach $10.5 trillion in damages by 2025. That’s the bad news. The good news is an estimated 79% of all cyber-attacks could be prevented by having a good cybersecurity plan.

Public entities need a network security plan to help address the most common vulnerabilities hackers exploit. While no plan can provide complete protection, this one will help entities prevent some of the more common ways your network can be attacked.

First step: Assess

What you don’t know can hurt you. This is why the first part of protecting your network starts with knowing what’s on it by document all of your hardware, software and applications.

• Create a list of all the computers such as PCs, laptops, connected devices like printers, fax machines, and mobile devices, smartphones, tablets that you have on your network. All of these are entry points into your network.
• Document all of the programs that are installed directly on computers and used by everyone.
• Keep a list of all the applications that people use on their tablets, phones and web applications (Dropbox, Google Drive, etc.).
• These lists should become living documents, changing as you add and remove systems and applications.

Once you have all of your hardware, software and applications documented, you’ll want to analyze and examine them for vulnerabilities.

• Locate all unused equipment and completely wipe them. If you plan to use them in the future, store them in a secure location. If not, properly dispose of them. Some attackers scout landfills looking for old hard drives on desktops, laptops, phones and more. Many IT disposal companies will shred hard drives.
• Review all of your applications and software. If any of them are no longer being used, they should be thoroughly uninstalled from every device, cloud storage, on-premise storage, servers, etc. This reduces your on-going maintenance tasks. If you are still using the applications, update them.
• Ensure the passwords used for accounts are secure. When feasible, each unique account should require a separate and secure password. ICAP’s information technology risk control specialist has noticed passwords written down — unencrypted and not secure, posted on equipment and never changed.
• If you have multiple applications or programs performing the same task, dedicate just one as your main option and the other as your backup option.
• Create a records management plan for your electronic and paper records that includes documented retention schedules. Review them annually and securely destroy any outdated records utilizing shredders or a third-party shredding company. Secure all remaining paper records.

Secure, Update, Repeat.

• Update and change your passwords often to limit the time a hacker has to use it for criminal purposes before it’s changed to a new one. Keep your passwords complex. Use new and different passwords for each account. Don’t store them on sticky notes or digital documents. Implement two-factor authentication, where possible.
• Update operating systems, software and firmware such as network equipment, cameras, scanners and printers. Set schedules and reminders for you and the staff. Make them required, if possible.
• Update hardware when possible; newer chipsets are usually less vulnerable. Older hardware often has more information about its vulnerabilities available to hackers. Older hardware isn’t always capable of running the most up-to-date software, which decreases your security.
• Install and maintain a full version of endpoint security for all devices with automated virus signature file updates. Do not use free versions of antivirus software.

Monitor

You’ll also want to manage what’s happening behind the scenes. This includes keeping track of new installs, the number of users, preparing a safety net and educating your end-users.

• Implement a mandated process to oversee new application installations. Provide software or document to guide employees. Include the devices and locations of each new install in your initial discovery lists from the assessment step.
• Limit your users. The fewer accounts you have, the fewer opportunities there are for vulnerabilities and attacks. Grant administrator access and other rights only to the people who absolutely need it.
• Back. Everything. Up. Ideally, all of your data should be backed up to a secondary source that’s separate from your primary source. In the event that your main source is compromised, hacked, breached or even malfunctions, you’ll have a safety net to help get everything back up and running as quickly as possible.
• Employ a cybersecurity awareness training program. Services like KnowBe4 use an online platform to help you integrate baseline testing using mock attacks and web-based training, as well as continuous assessment through simulated attacks to build more resilient and secure “human firewalls.”

Colette Klier is ICAP’s senior manager of IT Risk Control. If you’re looking to improve your cyber risk and are an ICAP member, contact us and we’ll help set up an IT risk control visit with one of our IT Risk Control Specialists.