This is something I learned from experience: your most frequent security issues are going to result from
- Breaches or leaks at other large businesses (Twitter, Tumblr, DoorDash, Bitly, eVite, ParkMobile, ShareThis, TicketFly …) resulting in emails, usernames, passwords, and security question answers getting stolen
- Phishing attacks against your users, wherever they may be.
Since most people use the same passwords in many places, both can result in bad actors getting passwords to your system, no matter what account was actually stolen. Here’s how to stop that and reduce security incident-related downtime by 90+%:
- Require MFA for your system accounts and use SSO everywhere you can. This makes logging in with stolen credentials a lot harder. You turn a script-kiddie problem into a social engineering problem, which takes a lot more effort and skill on the part of the bad actors. They’ll spend the effort to get a bank account, but maybe not to get into a faculty member’s email.
- Provide a password manager like DashLane to your users, require them to use it for work-related passwords, and apply banned password lists when they create and change passwords. This makes it easy for them to use strong, unique passwords everywhere. This step protects not just the passwords they use on your system, but all the other passwords they use for work, the ones you don’t have control over, like the ones at your hosted CMS or CRM.
- Set up phishing training like KnowBe4. This provides a little more protection for the passwords you can’t control, and protects your users from scams, etc. It also protects them in their lives outside work, so it’s a good service to provide. At a school it’s especially important: I’ve found that students click on phishing emails at a much higher rate than staff or faculty, I assume because they have a lot less experience with email in general.
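One way to implement the banned-password-list step at password creation and change time, as an added example that is not from the original post. It goes a little beyond the text: it normalizes common character substitutions before matching (so "P@ssw0rd!" is caught by the entry "password") and also rejects passwords built from the user's own username or email local part, since those are exactly what leaks from the breaches mentioned above. The banned words, usernames and passwords are constructed samples.

```python
import re
import unicodedata

# Constructed sample banned list for the example; a real deployment would load
# the organization's own list plus a common-password/breach-derived list.
BANNED_BASE_WORDS = ["password", "welcome", "letmein", "qwerty", "summer"]

# Common substitutions users apply to sneak a banned word past an exact match.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Fold case, undo common substitutions and drop leading/trailing
    digits and symbols, so 'P@ssw0rd!' collapses to 'password'."""
    s = unicodedata.normalize("NFKC", password).lower().translate(LEET_MAP)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def username_tokens(email_or_username: str, min_len: int = 3) -> list:
    """Split 'jane.doe@example.edu' into ['jane', 'doe'] so a password
    built from the user's own identity is rejected too."""
    local = email_or_username.split("@")[0].lower()
    return [t for t in re.split(r"[^a-z]+", local) if len(t) >= min_len]


def banned_reason(password: str, username: str = "", min_length: int = 12):
    """Return None if the password is acceptable, otherwise a short reason
    suitable for showing on the change-password form."""
    if len(password) < min_length:
        return f"must be at least {min_length} characters"
    norm = normalize(password)
    for word in BANNED_BASE_WORDS:          # substring match on the normalized form
        if word in norm:
            return f"contains the banned word '{word}'"
    for token in username_tokens(username):  # identity-derived passwords
        if token in norm:
            return f"contains part of your username ('{token}')"
    return None


if __name__ == "__main__":
    samples = [("P@ssw0rd2024!", "alice"),
               ("JaneDoe!!2024xyz", "jane.doe@example.edu"),
               ("correct horse battery staple", "alice")]
    for pw, user in samples:
        print(repr(pw), "->", banned_reason(pw, user) or "OK")
```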
If you’re not already doing all these things, get them in the “In Progress” column now. By the way, keyloggers get around some of this, but that’s why you already have anti-malware running on all the endpoints and on the networking hardware, right?