Cybersecurity 101: 5 Crucial Tips Businesses Should Implement Today
After a tough few years in cyber insurance markets where many insureds were met with steep rate increases upon renewal, many companies are looking to shore up their cyber defenses and (hopefully) make their risk profile more attractive to underwriters in the process.
Others may have faced a cyberattack in prior years and are hoping to prevent the costly system disruptions and the reputation damage that comes with a breach from occurring again.
Whatever the case, it’s clear cybersecurity controls are a necessary part of doing business today. And yet, so many firms remain unprotected, either before or after an attack.
A Nationwide Agency Forward survey from September found that fewer than three in 10 small business owners have cyber coverage and only 71% of middle market businesses are purchasing these critical policies.
When it comes to improving your cyber defenses, these five critical tools can go a long way in protecting your critical digital infrastructure.
1) Implement Multifactor Authentication
Multifactor authentication (MFA) is one of the easier cybersecurity solutions to implement, Rachel Bush, AVP, Threat Detection & Response at Nationwide, said.
As she explained, “Multifactor authentication is the concept of when someone logs in with a username and password, you challenge them to provide a second piece of identification.”
Not all MFA systems are created equal. Government agencies and organizations dealing with sensitive information may use a device called a YubiKey, which is a piece of hardware that can be plugged into a USB port when prompted to log a user into the system.
Companies that don’t need as much security may opt for phone call or text message-based MFA, which calls or texts a person’s cell phone after they enter a password.
“They really have to choose a solution that meets their risk profile,” Bush said.
Some systems can create additional vulnerabilities, however. “My least favorite method of multifactor authentication is to a personal email, and that is simply because people tend to reuse those credentials,” Bush explained.
A person may, for instance, use their Gmail address and password to log in to a social media account like Facebook. If Facebook is breached, the threat actor will try the username and password combination obtained from the attack on a number of different sites. If they get access to the personal email, they can confirm email-based MFA prompts and gain access to a company’s systems.
2) Have an Endpoint Detection and Response Solution Deployed
One piece of critical cybersecurity infrastructure companies should deploy is an endpoint detection and response system. This tool is so critical, Bush said, “If you only had room in your budget to buy one additional security solution, I would prioritize an EDR above all else.”
Endpoint detection and response systems continuously monitor your assets, looking for signs of threats such as malware.
As Bush explained: “These are a suite of tools that go a level above what you get when you think of a typical antivirus tool. You have the ability to use these tools to block malicious activity and also use them to coordinate a response even at scale across your company.
“So if you’re observing something like a malware campaign where multiple assets in your company are becoming infected with malware, an endpoint detection and response solution would allow you to take an action to isolate that or to block that activity.”
3) Disable or Restrict the Use of Remote Desktop Protocol
If you’ve ever called IT and had them remotely access your computer, you’ve likely used a remote desktop protocol. The ability for IT and other team members to move a cursor and set up systems from afar was key to onboarding new employees and working remotely during the pandemic, but it’s also a major security risk.
If a threat actor gains access to a computer that has remote desktop protocol capabilities, they can leapfrog into other systems, allowing them to jump around your network and gain as much intel as possible.
“It’s a really helpful tool for support, but it is very commonly exploited by a threat actor who has gained initial access to a network,” Bush said.
Companies should disable remote desktop protocols as much as possible to limit a threat actor’s ability to infiltrate their network. If it needs to be used, additional layers of security should be in place to help prevent attacks.
“There are layers of security controls you can put around RDP to shore it up,” Bush said. “You need to implement those or disable it.”
One way to add additional security to a remote desktop protocol system is to use what Bush called a “jump host.” With this system, those trying to use remote desktop protocols for legitimate purposes need to log in to the centralized jump host using a username and password they received from a vault before they can access other devices.
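Once a jump host is in place, any remote desktop logon that arrives from somewhere else is worth investigating. The following is an added example, not part of the original article: it scans exported Windows successful-logon events (Event ID 4624, logon type 10 for RemoteInteractive sessions) and flags RDP sessions that bypassed the jump host. The jump host address, the CSV column names and the sample events are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumption: the jump host's address range; replace with your own.
JUMP_HOSTS = [ipaddress.ip_network("10.0.5.10/32")]
RDP_LOGON_TYPE = "10"  # Windows "RemoteInteractive" logon type

# Constructed sample: successful-logon events (Event ID 4624) exported as CSV.
SAMPLE_EVENTS = """\
time,event_id,logon_type,target_host,account,source_ip
2024-03-01T09:02:11Z,4624,10,FILESRV01,svc-helpdesk,10.0.5.10
2024-03-01T09:15:40Z,4624,3,FILESRV01,jdoe,10.0.20.44
2024-03-01T23:47:03Z,4624,10,FILESRV01,jdoe,10.0.20.44
2024-03-01T23:49:58Z,4624,10,HR-DB02,jdoe,10.0.20.44
2024-03-01T23:51:12Z,4624,10,HR-DB02,admin,-
"""

def from_jump_host(source_ip):
    """True only if source_ip parses and falls inside an approved range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # missing or malformed source: treat as unapproved
    return any(addr in net for net in JUMP_HOSTS)

def find_direct_rdp(csv_text):
    """Return RDP logons that did not originate from the jump host."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "4624" or row["logon_type"] != RDP_LOGON_TYPE:
            continue
        if not from_jump_host(row["source_ip"]):
            findings.append(row)
    return findings

def lateral_movement_sources(findings, threshold=2):
    """Sources that reached `threshold` or more distinct hosts over RDP."""
    targets = {}
    for f in findings:
        targets.setdefault(f["source_ip"], set()).add(f["target_host"])
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= threshold}

if __name__ == "__main__":
    hits = find_direct_rdp(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["time"]} direct RDP to {h["target_host"]} '
              f'as {h["account"]} from {h["source_ip"]}')
    print("multi-host sources:", lateral_movement_sources(hits))
```

A single source reaching several hosts over RDP in a short window matches the "leapfrog" behavior described above and deserves priority in triage.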
4) Invest in Employee Cyber Security Training
In many cases employees are the last — and most vulnerable — line of defense against a cyberattack.
“Individuals working at your company are really often your last line of defense, and they need to operate with a degree of awareness of the threats that they might face and how those threats can materialize into attacks against the business,” Bush said.
Even the most basic cybersecurity training should include efforts to educate your employees on the risks of password reuse and phishing attacks. Though a common practice, password reuse can make companies extremely vulnerable. If credentials are reused, a threat actor can gain access to multiple systems with a single login.
In a phishing attack, a malicious actor will send an email in an attempt to garner personal information like login credentials or credit card numbers. Employees need to be trained to recognize such attacks so that they don’t reveal any sensitive information.
“Your associates should really act with a degree of skepticism for every email they receive. They should question, is this legitimate? Do I see hallmarks on this email that should make me believe that this isn’t who I think it is? Does the link that they’re asking me to click on look suspicious because it’s formatted in a strange way, or it points to a domain that looks unfamiliar?” Bush said.
More sophisticated trainings will include sessions on how workers can avoid revealing personal information over social media. A threat actor may monitor social media feeds of company executives to try to fuel a spear-phishing campaign — a type of targeted attack that uses personal information to try to trick an employee into handing over sensitive information.
“LinkedIn is actually a huge source of reconnaissance for threat actors,” Bush said. “You need to be operating with the same kind of scrutiny that you would if you were talking to a complete stranger out on the street.”
5) Utilize Local and National Cybersecurity Resources
Maintaining your company’s cybersecurity hygiene is a never-ending job. Organizations must remain vigilant to ensure they’re defended against new types of attacks that could put their businesses at risk.
There are a number of free resources available to help companies secure their technology infrastructure and data.
The Cybersecurity and Infrastructure Security Agency (CISA) is one source Bush recommends. A government agency, CISA runs Shields Up, an initiative which offers businesses insights into how to best update their cybersecurity infrastructure and keep their firms protected.
“Shields Up provides a lot of good information about best practices to protect yourself or protect your company,” Bush said. “Use the resources that are freely available from government agencies and other institutions.”
There are also industry-specific intelligence sharing organizations that can help guide businesses in sectors that are particularly vulnerable to cyberattacks.
A health care industry intelligence sharing organization may be composed of hospitals that share vulnerabilities they’ve noticed and how they’ve updated their security infrastructure to address them, in case that information can help others in the group become stronger.
“We broadly share intelligence with one another to aid in collective defense,” Bush explained. “What are we seeing related to attacks being launched against one another? What indicators of compromise are we able to pull out of campaigns that we might be seeing?”
Small- to medium-sized businesses may want to dedicate most of their efforts to making sure they have basic cybersecurity controls in place, but larger companies may begin looking to take more sophisticated actions like profiling threat actors. That way, they can know who is likely to attack them and prepare for those specific scenarios.
“There is a lot of material about threat actors. Threat actor groups are profiled by different companies. They’re given different names and there’s information on them around trends. Who have they targeted, what companies have they attacked? What are their tactics, techniques and procedures?” Bush said.
These tips are just the beginning of a strong cybersecurity program. Companies should be continually investing in and educating themselves on these ever-evolving risks if they want to remain abreast of the threats.