After experiencing a cyberattack, Massey Services, based in Orlando, Florida, implemented a number of practices to mitigate the risk of a similar event. Adam Scheinberg, VP of information technology at Massey, has broken these network security practices down into a list where every item begins with the letter E.
Edge Monitoring – The edge of your network is where your network turns into the internet.
“We need to know what’s happening there,” Scheinberg says. “If we’re getting pummeled all day long with requests from China, that should not happen. Let’s not even allow that traffic to get to us. Let’s be aware at the edge.”
Email Filtering – Don’t allow attachments through that shouldn’t get through. This includes password-protected ZIP files, VBS files, EXE files and attachments that have viruses built into them. These should be filtered out before they reach employees’ inboxes.
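The attachment rules above, written out as a small gateway check: this is an added example, not Massey’s or Scheinberg’s code. It judges an attachment by its final extension (so a double-extension name like invoice.pdf.exe is treated as an EXE), opens ZIP files to reject encrypted members or bundled EXE/VBS files, and fails closed on archives it cannot parse. The `make_zip` helper builds constructed test archives and sets the encryption flag by hand, since Python’s zipfile cannot write encrypted archives.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment types the article says should never reach an inbox.
BLOCKED_EXTENSIONS = {".exe", ".vbs"}


def attachment_verdict(filename: str, data: bytes) -> str:
    """Return 'allow' or 'block: <reason>' for one attachment.

    The last suffix decides the type, so 'invoice.pdf.exe' is an EXE.
    ZIPs are rejected if any member is encrypted (general purpose flag
    bit 0) or is itself a blocked type; unreadable ZIPs fail closed.
    """
    ext = PurePosixPath(filename).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return f"block: {ext} attachment"
    if ext != ".zip":
        return "allow"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return "block: password-protected zip"
                if PurePosixPath(info.filename).suffix.lower() in BLOCKED_EXTENSIONS:
                    return f"block: zip contains {info.filename}"
    except zipfile.BadZipFile:
        return "block: unreadable zip"
    return "allow"


def make_zip(member: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Build a constructed test ZIP, optionally flagged as encrypted.

    The encryption bit is set by hand in the local file header (flag
    field at offset 6) and the central directory header (offset 8);
    the payload itself is left in the clear, which is enough for the
    filter, since it only inspects the flag.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x1
        cd = raw.find(b"PK\x01\x02")
        raw[cd + 8] |= 0x1
    return bytes(raw)
```

In a real gateway this check would sit beside antivirus scanning, which is what catches the “viruses built into them” case the article mentions.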
Encryption – Sensitive data should be encrypted when it is stored and when it’s being transferred. If it is stolen, hackers shouldn’t be able to see anything.
Embrace An Aggressive Patching Schedule – Scheinberg says they patch systems in real time. Employees may be able to snooze an update a few times but then it will force a reboot.
“If there’s an issue with their computer, it needs to be patched now,” he says. “It feels worse than it is.”
Egress Awareness – Be aware of where your data is going. If a bunch of data is going to Belarus, that’s a problem.
Exfiltration Knowledge – Know what data is moving. If your CEO went to Turkey and there’s an email going to Turkey, that’s not a concern. But if you see your customer database moving to Turkey, that’s a problem.
Endpoint Protection – Have real-time security for every device on your network. This includes phones, iPads, laptops, desktops and servers. Software should monitor these endpoints, and know when to alert someone and when to cut a device offline entirely.
Exercise Caution in Password Reuse – Passwords should not be repeated anywhere.
Enforce Multifactor Authentication – Scheinberg says this was a harder sell to enforce in 2019, but nowadays more people are familiar with having to do multifactor authentication.
External Penetration Testing – Every quarter, Massey pays people to hack them. They inform the company about what worked and what didn’t and how they can remediate the problems.
Enhance Access Control and Permissions – People shouldn’t have access to things they don’t need access to. The more things are locked down, the safer the company will be.
Eliminate Shared Accounts – Scheinberg says a spreadsheet of passwords that multiple people share is a great way to get information compromised. If it’s all listed in Google Sheets, all you need is for one person’s Gmail to be hacked.
Expunge Account Rights – Rather than the IT team having administrative accounts and everyone else having regular user accounts, Scheinberg says now everyone has basic user accounts. If they want to do anything that requires advanced permissions, they have to log into a separate account that they do not use day to day.
Examine and Update Response Plan – Scheinberg says it’s much easier to respond to a cyberattack if you know the playbook. Know which partners to call, who needs to be notified and what services should be prioritized.
Elevate the Bar for Remote Connectivity – Make sure the people who are connecting remotely to your network meet the requirements, as you don’t want them to infect others.
Establish Proper Logging Solutions and Retention Timeframe – A million events in a log are not helpful. What you want is actionable information, not hundreds of notifications you end up ignoring.
Extend Security Policy to Remote Devices – Remote devices need to have the right level of security.
Employ a Centrally Managed, Cloud-Hosted Password Manager – This way you only need to know the password to your password manager, and none of the passwords for the other accounts. Each password is strong and completely unique.
“That password manager has stronger security than anything else in my life,” Scheinberg says. “It requires four different bits of information to be able to access it. That sounds like a pain. But once you put the workflow into place, I couldn’t live without it. Just the idea of having to remember that many passwords is exhausting to me.”
Extract Your Backups – Your backups should not be sitting next to your production data, because if you lose your production data, you will lose your backups too.
Educate Users – Teach your employees what they should and shouldn’t do.
Experiment on Users – Test what you’ve taught your employees by sending fake phishing emails from time to time. Initially, Massey would catch 20 percent of their users, and they have dramatically improved since then.
Eschew Unnecessary Alerts – Scheinberg says you don’t want alerts you’re not going to act on because this teaches people to ignore alerts. You only want alerts that make you say, ‘We got to act.’
Erase Unneeded Data – Designate a day to serve as a digital spring cleaning and have your team delete files that are older than a certain date. Scheinberg says that, legally, holding on to old data is more likely to harm you than do you any good.
Engage Partners – Just as you have accountants to help with taxes, form relationships with those who can augment your IT team’s skills.