Not all cybersecurity budgets are made equal, and for some that means having too many or too few tools. For others this means having few employees or being the lone ranger responsible for better security awareness in the company. Here are options that fit every budget:
Invest in VPN to protect your peers and staff
This seems like a no-brainer but VPNs should be standard for all organizations, especially with the normalization of cloud computing and remote work from all employees. While not every WiFi hotspot can be trusted, one cannot expect employees to stop all work due to an insecure connection. But how can you demonstrate value to your board or management? Try setting up a “trustworthy” WiFi pineapple at your next company party for a live demo of Man In The Middle. Yes, MITM is still possible today even with HTTPS.
Assess assets with an Incident Response Plan
If a hacker were to be detected in your systems this moment, what would your next step be? Having an incident response plan in place, communicated and rehearsed would hopefully have you calm and collected knowing what action to take with systems backed up. Applying that mindset that someone is already accessing your systems and being prepared in how to respond is the best way to stay on top of threats.
With this in your toolbox, you will be able to show stakeholders what information could be compromised should a hacker get into “X” or “Y”. Best of all, it doesn’t require external resources to execute, and if you don’t know where to start, here’s our guide on how to build an Incident Response Plan.
Implement a responsibility disclosure program
There’s a lot of talk about bug bounty programs and leveraging ethical hacker knowledge but having a full program in place comes with a price tag and demand for human resources to fix complicated issues that skilled bug bounty hunters will find. Without being able to show the value or ROI, how can you get the budget needed?
We recommend starting with a responsible disclosure program on your site. This option invites ethical hackers to report vulnerability issues without concern for legal repercussions and they do it out of goodwill. With knowledgeable staff, this can be set up without external resources and you’ll receive feedback via vulnerability reports from ethical hackers. This could also help make an informed case for future improvements such as a bug bounty programs, more frequent pentesting or implementing an automated solution. Need inspiration? Detectify has a publicly available responsible disclosure policy in place.
Threat modelling before it happens
Threat modelling is often done by security teams and with the rise of DevOps, it’s being incorporated into developer workflows as well. With this tool, teams look at assets, threats and vulnerabilities in the software. This answer what exactly needs to be protected, what are the external/internal threats to protect against as well as what vulnerabilities exists that need to be fixed. This tool can also be used by non-security team members to get them in the mindset of continuous improvements and protection of assets.
Automated web vulnerability scanning
In 2018, our Detectify Crowdsource white hat hackers submitted almost 450 new vulnerabilities to better the breadth of our web vulnerability scanner. From Crowdsourced modules alone, we had 50,000+ vulnerability findings in our clients’ assets scanned. You can imagine all the JIRA tickets that had to be issued and handled, and it was a helpful way for the security manager to get an overview of the security status of web applications. The vulnerability reports summarize what could be exploited by a hacker and then managers can prioritize remediations accordingly in workflows.
Using an automated web vulnerability scanner can save you time from detecting known vulnerabilities and allows your security team more time to dig deeper for issues that require more creativity and cannot be automated. A modest investment for a web application scanner is relatively less costly than a multi-million or billion user breach such as we saw in 2018.
Results from automated scanning to show the security status of your web applications and can be compared with the results of annual security audits and penetration testers to get more value out of the latter.
Security training as part of employee on-boarding
One way to scale up security awareness in an organization is to include it in the on-boarding process and educate employees outside of the core security team. For some that could mean everyone besides the CISO. However, there’s a growing trend for developers and designers to care about application security (in fact that’s how Detectify got started!) and supporting them on this journey is valuable. Here are some ways to make security skills accessible:
- Host internal knowledge sessions and providing a working environment where developers can hack their own code
- Build up security champions
- Employee-led sessions on how to hack or learn about information security
- Eliminate the blame-game when a security issue occurs and enable ownership of writing secure code
- Run Capture-the-flag (CTF) events for participants to practice offensive and defensive coding skills
Developers aren’t the only ones who need training. Be sure to include training people of all levels from interns to C-level on the real-life implications of phishing, password management and social engineering.
Sharing knowledge is caring for colleagues
Even a security company needs to encourage better security practices for awareness from staff but not everyone has time for 1-to-1 sessions to communicate it all. At Detectify, we’ve been able to scale up security knowledge sharing by creating explanatory video on OWASP Top 10 and other known vulnerability on the Detectify Youtube channel for colleagues and anyone else security-interested. We also have internal lightning talks on our security test updates, hack demos and weekly security tips from our security researchers to encourage everyone to think security-first.
Start an internal RSS feed or channels for security news and interesting write-ups
With the rise of digital workplaces like Facebook Workplace and Slack, it’s even easy today to share interesting articles and learning resources. To build up a security mindset in the workplace, you could set up RSS feeds to automate news from your trusted security channels like the popular Reddit community /r/netsec or get immediate notifications when research articles from Detectify Labs are published (you know we had to mention that!).
Final thoughts
Building up security awareness or a security culture is not a cut-and-paste job, and with some of the mentioned tools and internal learning resources, adoption may be easier. There are things one should pay for like VPN or an online vulnerability scanner to help with the tedious and easily preventable matters, while there are ways to be resourceful when creating cybersecurity awareness. Lastly, all levels of organization should be aware of security risks and planning as if someone is already in.
Curious to see how Detectify automated web vulnerability scanner can make security easier for you? Get started today with a free trial and check your web applications for 1000+ known vulnerabilities today.
Author:
Jocelyn Chan