Sharon Fisher//February 20, 2019
Buying intrusion detection software and third-party antivirus software aren’t necessarily the way to go to improve your company’s cybersecurity.
That’s according to Shawn Scott, CEO of Badger Infosec, who spoke recently on cybersecurity at Trailhead, the coworking space in downtown Boise.
“Beware of anyone using fear to sell you a product,” Scott said.
Purchasing an intrusion detection system also means paying for an employee to tune it, as well as to monitor it, Scott said. Without that additional investment, the software itself isn’t particularly useful, he said.
Similarly, Scott recommended that companies use built-in tools, such as Microsoft Windows Defender, rather than third-party tools, because the built-in tools are free. In general, he recommended that organizations make use of tools they already have, such as the built-in encryption bundled with many systems, and ensure that system hardware and software are updated regularly.
Another advantage of encryption — aside from protecting the data itself — is that if data is stolen but encrypted, it doesn’t count as a breach, Scott noted.
Scott also recommended that companies classify data, because not all data requires the same level of protection. For example, regulated industries are required to protect certain data, such as personally identifiable information like Social Security numbers. Health care organizations have requirements for protecting health information, while financial institutions are required to protect financial information.
Companies should define special classes of data, have a policy for how to mark it, and define ways for it to be shared and transferred, Scott said. Setting up more stringent protections on just the most important data requires less work, and having special protections on sensitive data also makes it easier to prosecute hackers should it be stolen, he said.
Scott does recommend "password vaults" such as LastPass, rather than expecting users to create and remember long, complex passwords. In addition, he recommended that organizations implement multi-factor authentication, which uses an additional device such as a cellphone or a hardware token as well as a password, to increase security.
More important than any hardware or software, though, is user training, Scott said. Users are the primary vector for adversary attacks because, unlike hardware and software, they can’t be patched, only trained. He recommended regular, in-person training.
“Click-through, computer-based training and recorded videos once a year don’t cut it,” he said.
It’s also important for organizations to create and publicize policies around appropriate computer use, because it is unreasonable to expect users to follow rules they don’t know, Scott said. Companies also can’t expect users to know what’s common sense. Examples of such policies would include not using home computers on the corporate network, and using secure file transfer when exchanging data, he said.
Companies also need to perform regular backups, preferably more than one, in multiple locations, Scott said. His recommendation was 3-2-1: three copies of all data, two of them kept on-site on different types of media, with one of those kept off the network, plus one copy offsite, he said.
Scott also recommended that companies use configuration management to ensure employees are using only approved hardware and software, that there are no unauthorized devices on the network, and that devices are regularly patched and updated to protect against bugs and other security flaws. Patches are important because most attacks exploit known vulnerabilities, he said. In addition, network and device privileges should be limited to keep unauthorized people from changing device configurations.
Attacks on small businesses nationwide have been increasing over the past decade, with 67 percent of small- to medium-sized businesses reporting an attack, and 58 percent reporting a breach in the past year, Scott said. In particular, businesses such as accounting firms that hold private data for multiple companies have been targeted.