6 Steps for Improving Cybersecurity Awareness
Just as anyone would consider it prudent to lock their house to keep their family and valuables safe, all companies need to consider cybersecurity risks in safeguarding themselves, their employees and customers. Cyber intrusion attempts have become pervasive and any device that’s linked to the internet is vulnerable, from servers to laptops and tablets, cell phones and even smart devices in your home and office. Breaches can often result in stolen or destroyed information, theft of cash and ransom demands. Further, a hacked computer can be used to infiltrate other computers without anyone’s knowledge.
There are several ways a company can implement procedures to strengthen its cybersecurity. Some preventative measures have been around for a while and just require good diligence. Other actions are more in line with newer technologies that we need to be aware of. Having good procedures in place will not only reduce the likelihood of breaches, but also reduce the residual costs and exposure to the company should an intrusion happen. Companies need to consider their unique profile, compliance requirements in light of information security laws, their investors and shareholders and customer agreements.
Provide Training and Education
The most useful action is probably the easiest, provide training to create awareness of everyone in your organization. Deterrence measures will only be effective to the level of your weakest entry point. Along with taking measures to secure access, everyone needs to be aware of scams used by hackers. One common hacking technique is phishing, wherein someone makes contact purporting to be a known officer, official or vendor requesting sensitive information or directing payments to a new bank. A good policy is to require any such requests to be confirmed verbally and approved before actions are completed. Training also assures that everyone knows how to immediately respond when an intrusion attempt does occur.
Protect All Devices
Most intrusions come in through company servers and computers. The same computers are often used for business and personal use, increasing the risks from visiting nefarious sites. Make everyone aware of the risks associated with using the same device for business and personal activities. Keep business and personal email accounts separate. Never respond to or download from unknown senders. Acknowledge that these same procedures will also help protect your own personal information. Keep all systems current with updates and patches, and limit the ability to install new software that may be malicious.
Use Encryption When Saving and Transferring Information
Use firewalls and encrypt transmitted information. All modern web browsers and operating systems come with built-in encryption. The server can be set up for security access and can ask for a valid login and password from clients before allowing them to access it. There are many third parties that will help you apply and integrate useful technology with little disruption to your business and employees.
Know Your Third Party Providers Capabilities
Ensure that cloud-hosting providers meet all security capabilities. There are various laws and standards around general privacy, securing personal information and health records. Request and review data center reports on their practices and certifications and include strict requirements when engaging outside providers.
Use Strong Passwords and Authentication
Employ services that create and manage complex passwords. Always use passwords on wireless networks, consider making wireless access points hidden, and have a separately managed access point for guests. Apply multi-factor authentication that requires a second authenticating device to access your core applications from a new location. Use a third party to help manage your enterprise security, including random password generating platforms. Assure that passwords are enabled and changed on all devices that use your network, including smart lights, voice-activated points, copiers, scanners and HVAC. Smartphones and tablets are often attached to business applications, data centers and banking sites. Require managed passwords be used to access both the device and the apps that render them useless if lost or stolen.
Ransomware attacks have become much more common to smaller targets, making these procedures even more imperative. Minimize business disruption by backing up core systems and data following a strong protocol. Encrypt the data backups to prevent exposure of the information.
Finally, knowing that a breach may be inevitable, have a strong plan in place that assures a quick and complete response which will minimize any further losses. Have the plan, including an easy to use policy, distributed to all employees and conduct policy reviews at least annually.
Written by Neil Goldenberg
CFO Advisor for DecisionCFO, LLC.