BlogLine
FMG’s Top 5 Cybersecurity Awareness Month tips to avoid “spooks and spoofs”
10/22/24
By: Danielle A. Ocampo
October is Cybersecurity Awareness Month, which means this month (like every month!) is a great opportunity for organizations to focus on their data security and privacy practices. Through our representation of businesses of all types and sizes around the country in their ransomware and data security incidents every year, we see a lot of common themes and areas for improvement. Here are our “Top 5 Tips” for celebrating Cybersecurity Awareness Month and improving your organization’s cybersecurity:
- Update Your State of Patching. Firewall vulnerabilities remain a hot target for threat actors. That’s not expected to change in 2025. Maintaining and auditing the state of your firewall patching is critical to eliminating easy access into your systems. Review your processes to ensure your patch management protocols receive and deploy firmware updates sooner rather than later. In the event of an incident, preserve all firewall logs to the best of your ability, or consider a Syslog server.
- Develop and Practice Your Incident Response Plan. If your company does not yet have an incident response plan, get one. (Hint: we can help you with that!) But just having one written down is not good enough; you have to practice it too! Just like your building may practice for a fire drill, you should run through a tabletop exercise of likely scenarios with key members of your incident response team. (Bonus tip: we can help you with that too!) We also recommend that key members of your incident response team keep copies of your most up-to-date incident response plan printed out or in another secure location. If your system requires a shutdown in the face of a security incident or if you are a victim of ransomware, you likely won’t have access to the plans saved on your now inaccessible system. Prepare for the worst and have your plans handy for execution. Additionally, think through how you will communicate to those within your organization to administer your incident response protocols and procedures.
- Know Your Data. Asset inventory is essential to knowing what data you have and where it is located on your system. When a ransomware incident occurs, for example, you are better positioned and less likely to rely on a threat actor for information about what was accessed or taken. Mapping your data also allows you to better protect it.
- Minimize Your Data. In the FTC’s recent settlement order In Re Marriott International and Starwood Hotels, the FTC required Marriott/Starwood to “implement a policy to retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected” as a consequence of several data breaches affecting millions of customers’ personal information. Many times, threat actors can ‘smash-and-grab’ legacy data, which leaves companies surprised, as they were not even aware this data still existed on their networks. Data minimization as a routine practice and process across all cross-functional teams within your organization promotes data hygiene. This greatly reduces the risk of ‘smash-and-grabs’ of overlooked, unused, and obsolete data.
- MFA Doesn’t Go Away. In the world of cybersecurity, multi-factor authentication (MFA) remains a must. While threat actors have developed ways to bypass MFA in some circumstances, there are still ways to harden your systems against those workarounds, and some MFA is still better than no MFA. Find the one that best fits your organization’s system needs based on the data you own or possess and that aligns with your Privacy Policy notices.
Don’t wait until 2025 to ensure your cybersecurity measures are in place and up to date. Beyond these tips, evaluate what resources your organization already has. There are zero-cost actions that your company can take today to protect your network: employee training, password changes, reviews of access controls for least privilege, and more. With rogue threat actors employing new tactics such as AI to enhance and scale threats cheaply, the best thing you can do as an organization is stick to the basics, and the basics start with awareness.
For more information, please contact Danielle A. Ocampo at danielle.ocampo@fmglaw.com or your local FMG attorney.