It’s amazing, if not terrifying, how fast the cybersecurity industry has exploded over the last 20 years. It’s literally gone from “maybe we should add passwords to our website” to “a significant business risk” in what seems like the blink of an eye. Entire career paths have been created within the industry so that most organizations now have multiple, specialized vendors supporting their enterprise cybersecurity program.
The fusionSpan Blog
A Few Steps to Improve Your Cybersecurity in 2023
With all of this change and increasing complexity, it’s no wonder many association executives and leadership teams can struggle to understand exactly what their organization should be doing to protect their data, people, and brands.
Approaching the halfway point of the year provides an opportunity to reassess your situation and commit to some new approaches to the problem. I’d like to offer association leaders a few potential resolutions to consider for the last half of the year.
Assess Your Security Risks
For the association that has some on-premise compute infrastructure still remaining, such as file servers, compute servers, VOIP systems, and the like, I’d highly recommend having a security risk assessment performed so you’re fully aware of your cyber risks as defined against an industry standard control framework such as CIS or NIST. If an organization doesn’t know where their biggest risks are, found by an objective cyber professional, then how can they ever be sure the cyber protection plans they are creating are truly addressing their biggest concerns? Unfortunately, because of supply and demand, many corporate/commercial oriented security vendors are charging exorbitant amounts for these types of assessments. Make sure and find an association or non-profit oriented vendor that right-sizes the effort to your organization.
If you’ve already had an assessment done or don’t believe your environment is complex enough to warrant one, then let’s talk about a few of the basic ‘cyber hygiene’ areas you want to ensure you’ve got covered. This is by no means a comprehensive list, but it’s a great place to start a conversation with your IT staff or support vendor.
Take Internal Precautions
Let’s talk about protecting yourself from your people. I know, that sounds a bit harsh, right? Most organizations like to think of their people as one of their greatest assets. This may be true when viewed through the lens of your mission, but when viewed through the lens of cybersecurity, they tend to make mistakes and therefore are your greatest risk. Make sure that multi-factor authentication is turned on for every single user. Also make sure that it’s required to connect to your VPN. Far too many organizations require MFA for email access, but don’t for VPN – the doorway to your network! Ensure their laptops are encrypted using Window’s bitlocker. Ensure that screens are auto locking after 15 minutes of inactivity. Lastly, and possibility my favorite, if you’re an O365 shop, please consider paying for the Defender for Office Plan 1 license for each user and turn on Safe Links and Safe Attachments. This is one of the very best ‘bang for the buck’ security services provided by Microsoft.
Secure Your Network Administrators
Now let’s talk about your network administrators. Make sure none of them are using administrator accounts as their everyday account. They should be using non-privileged accounts for their basic emailing and other work and only log in as a privileged administrator when they have specific administrative tasks to perform. I’d highly recommend ensuring they have changed every single default account password that could be in your environment. Every system comes with a default administrator account with a default password. Not changing these basically guarantees every hacker has an entry point to your environment. Let’s make sure they are disabling accounts as soon as people leave and checking for and disabling dormant accounts as well.
Assess Your System Vulnerabilities
How about your systems and your networks? You should have a vulnerability scan for both externally visible IP addresses as well as your internal networks on some kind of regular basis that aligns with your size and complexity. Short of phishing scams, exploitation of known vulnerabilities is the second leading vector for security compromises. I can’t emphasis this next one enough. Not only should you have a solid and consistent backup strategy, but you must ensure your backups are being stored in a network segment that is not available to standard users. If you don’t do this, the next time you get ransomware you can kiss your data goodbye. Lastly, please ensure all security patches are being deployed weekly. This is fundamental to the health of your organization.
So, I know that was quite a list. Feel free to use it as a conversation seed with your IT team or vendor. Have them explain all their security hygiene practices against a basis set of controls. A great place to get those would be the Center for Internet Security Critical Controls Implementation Group 1. Happy Half Year and I hope your security resolutions bring you cyber health in last part of 2023!
Brian Scott
Brian Scott provides expert CIO and CISO services based on a technology career spanning 35 years with the last 20 at the C-level. He specializes in Cybersecurity, Software and Data Engineering, Cloud Services, Data Architecture, System Integration, and Association IT Strategy. He has 22 years of experience within the nonprofit and association markets, is a patent holder in event technology, and a past board director for the International Association of Exhibitions and Events as well as the Center for Exhibitions Industry Research.
More postsSubscribe to our blog
Stay updated with our weekly releases directly to your inbox!
