As technology continues to advance rapidly, cybersecurity is gaining more importance globally. The emphasis on security stems from the need for organizations to be prepared for when, not if, a breach occurs.
Unfortunately, human error is often the cause of breaches. Understanding how to combat cyberattacks is crucial, as protecting sensitive information is everyone's responsibility in our data-driven world.
In honor of Cybersecurity Awareness Month, we’ve compiled the top security tips you can implement to be more secure. By incorporating these tactics, you decrease the likelihood of your information or actions causing a catastrophic breach.
#1 Enable multifactor authentication (MFA)
Multifactor authentication adds an extra layer of security by verifying a user's identity through methods like receiving a verification code or clicking a link when logging in. Enabling MFA is crucial because the absence of it increases your vulnerability to risks.
“Attackers don’t break in; they log in,” said Joseph Avanzato, a forensics expert at Varonis, during a live session on understanding a threat actor’s mindset.
Enable MFA for services that offer it and use an authenticator app if available. Report any unusual login attempts immediately. For organizations, it's best to require MFA and restrict the option to disable it.
#2 Avoid org-wide sharing links.
It’s tempting to create a link accessible to anyone, rather than just specific users, in the event that additional stakeholders need access.
However, Microsoft reported that only 1% of org-wide permissions granted are actually used. A vast amount of business documents contain sensitive information that shouldn't be accessible to everyone in the org, let alone anyone on the internet.
Removing the ability to create org-wide links can significantly reduce your org’s blast radius. In the average company, 157,000 sensitive records are exposed to everyone on the internet through SaaS sharing features, representing $28 million in data-breach risk.
Rather than opting for an over-permissioned link, users should share files directly with those who need access to do their job and invite others to access on a case-by-case basis.
#3 Be suspicious of links and unknown contacts.
Social engineering and phishing tactics are still some of the most effective ways hackers gain access. Common signs of phishing include a peculiar sender address, a sense of urgency in the request, and prompting users to click a link.
Phishing simulations are an effective way for organizations to educate teams on the impact of engaging with suspicious communications and encourage users to proactively look for scams.
As a consumer or employee, it’s important to vet any unknown senders who contact you via text, email, and more. All it takes is one click to give threat actors keys to the data kingdom.
#4 Report suspicious activity when it happens.
To expand on tip number three, it’s not enough to shrug off a suspicious text message and call it a day.
Most phishing attempts target more than one user in an organization, so if you receive one, report it to your IT department. Some companies have plug-ins within their email service or a dedicated inbox to forward suspicious activity to.
Even a simple response to phishing attempts can backfire, so avoid engaging in any type of conversation. Additionally, never share information or make purchases without verifying the contact’s identity.
#5 Not everyone needs to be an admin.
Administrative access in cloud platforms like Salesforce is powerful. At many organizations, existing admins can grant access to others in these tools without IT oversight.
This results in too many users having escalated privileges and access to sensitive information. In Varonis’ DSPM Snapshot Report, we found that 60% of an average company's administrative accounts do not enable MFA, making it easier for attackers to compromise internally exposed data.
Many orgs are unaware of the shared responsibility model, which holds SaaS providers accountable for securing a platform's infrastructure and providing a highly available solution, while consumers are responsible for protecting and securing their data within.
When someone in your organization requests admin access to an application you manage, assess if the request is justified and consider setting an expiration for the permissions to maintain security. Coordinate with your IT and security teams to ensure all administrators understand the shared responsibility model and adhere to the established permission protocols.
#6 Assess the access you give third-party apps.
Imagine signing up for the latest social networking app, and to bypass filling out a lengthy form, you can simply connect it to your Gmail account, thus opening up access to your information stored within this app.
But while setting this connection up is easy, it’s challenging to understand how the apps are configured and what access they have to information stored in your connected service.
There is also the risk that apps contain vulnerabilities that threat actors could exploit. Through a single click, access can be granted to these malicious applications.
The Varonis Threat Labs team created an attack scenario in which we created a realistic-looking app and used a phishing technique to convince a user to install an app and grant full access to their Microsoft 365 environment. While our scenario was a simulation, most hackers and ransomware groups wouldn't stop at gaining access and would further exploit the information they find.
As the use of third-party apps rises, it’s essential to assess your connected apps and the risks involved with them. We recommend analyzing the permissions for each app and ranking their risk level as low, medium, or high.
With Varonis, organizations can see how many employees use a third-party app and view their activity levels via automation or manual reporting. To avoid breaches, users who haven’t opened a high-risk app in the last six months should have their permissions revoked. You may want to consider disconnecting the app altogether if it’s not being used.
#7 Use public Wi-Fi networks with caution.
As technology has evolved, the public expects access to Wi-Fi nearly everywhere they go, said Matt Radolec, Varonis’ Vice President of Incident Response and Cloud Operations, in an interview with CNBC.
He added that users aren’t reading the terms and conditions or checking URLs when connecting to free Wi-Fi options, increasing their chances of compromise.
“It’s almost a game to see how fast you can click ‘accept’ and then ‘sign in’ or ‘connect.’ This is the ploy, especially when visiting a new location; a user might not even know what a legitimate site should look like when presented with a fake site,” Matt said.
Be cautious of free Wi-Fi networks you connect your device to, and make your computer forget them from your stored networks once you have finished your session.
#8 Be wary of what you share with gen AI tools.
Large language models (LLMs) like ChatGPT can use your data to train their systems. If you share sensitive information during a chat, your data might unknowingly appear in another session or, even worse, in a hacker's hands.
Tools like Microsoft 365 Copilot are also designed to access everything the user can, which is often far too much. Ensure your organization is ready to deploy AI tools safely before, during, and after rollout.
Data privacy is a major concern regarding AI. Organizations recognize the need to safeguard privacy while maintaining AI functionality, which can be challenging.
“We want to leverage LLM technology,” Varonis Security Architect Brock Bauer said during a webinar on LLM risks in the cloud. “We want to give the productivity capabilities to our users, but we also need to protect the privacy of the data they're accessing.”
When using AI, always keep your sensitive details out of chats. Security teams should set up AI policies in their orgs and ensure employees are trained to properly use approved gen AI solutions.
#9 Perform routine updates when prompted.
It can be pesky to see an “automatic restart” window pop up right in the middle of an important task, but the longer you wait to update your computer, the more misconfigurations remain unpatched.
Patches are solutions to vulnerabilities discovered in different software and cloud platforms. In 2021, our research team identified a bug in Salesforce dubbed Einstein's Wormhole. This bug exposed calendar events that could contain highly sensitive data such as attendee names, emails, meeting URLs, passwords, and replies being sent to organizers. Before the bug was patched, meeting information with potentially sensitive information was exposed to the entire internet.
Being proactive with your device and software updates decreases the likelihood of being compromised due to a misconfiguration.
#10 Use a password manager.
Password managers let users create complex passwords for all their sign-ins, preventing threat actors from accessing their accounts.
Whether you use a password manager or not, it is important to create different passwords for different sites, opt for additional security measures like MFA, and set up alerts when logins occur from unknown devices or locations.
These small best practices for password generation can be key to preventing data compromise in a breach.
Don’t wait for a breach to occur.
With breaches on the rise, it’s crucial to prioritize cybersecurity. Following these preventative cybersecurity tips can help you have stronger security practices at work and at home.
For organizations, pairing effective training with top-tier security technology creates an ideal cybersecurity solution.
Want to learn more? Get started with a free Data Risk Assessment to see if Varonis is the right match for you.
-1.png)
