As we approach year-end, many small and medium-sized business owners and managers are coming to the realization that their best intentions for creating a cybersecurity program in their organization have fallen short. This was the year, you promised yourself, that you would get a handle on computer and network security.
Well, it is not too late to get started, and here is a short to-do list to help you.
Your users are the principal entry point used by cyber attackers.
- Phishing resistance training – Cybersecurity awareness training that emphasizes identifying and avoiding phishing emails may be the best bang for your buck. Including a phishing test for your team, or providing ongoing phishing testing, will help them learn to avoid opening the door for an attacker.
- Effective passwords – I’ve written about this issue too many times to count. Creating longer passwords, using a password management tool such as LastPass, and using two-factor authentication will lock down your network. This is especially important for email accounts, as these are prime targets for an attacker.
- Permissions – Users should not be administrators, because if their credentials are stolen, the attacker using their identity will be an administrator too. Setting up network shares for the “Everyone” group will also allow access for an attacker using any valid network credentials. Do not give everybody global access because it is “easier.” Grant access only to the data that the employee needs to perform their job. Use an Identity and Access Management system.
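A quick way to find the two permission problems described above on a Windows file server: shares that grant access to Everyone (or similarly broad groups) and ordinary user accounts sitting in the local Administrators group. This is an added example, not from the original post; it assumes a Windows 10 / Server 2016 or later host with the built-in SmbShare and LocalAccounts modules, run from an elevated PowerShell session.

```powershell
# Audit script (added example). Assumes Windows 10 / Server 2016+ and an
# elevated session so Get-SmbShareAccess and Get-LocalGroupMember can run.

# Principals that amount to "everybody" on a share. Authenticated Users and
# BUILTIN\Users are included because any stolen account satisfies them.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# 1. Non-administrative shares whose ACL allows one of the broad principals.
$openShares = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $_.AccountName
        } |
        ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight   # Read, Change or Full
            }
        }
}

# 2. User accounts (not groups) that are members of local Administrators,
#    ignoring the built-in Administrator account itself.
$adminUsers = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike '*\Administrator' }

if ($openShares) {
    Write-Host 'Shares open to broad groups (tighten to the groups that need them):'
    $openShares | Format-Table -AutoSize
} else {
    Write-Host 'No shares grant access to Everyone or similar broad groups.'
}

if ($adminUsers) {
    Write-Host 'User accounts with local administrator rights (review and remove):'
    $adminUsers | Select-Object Name, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Host 'No extra user accounts in the local Administrators group.'
}
```

Run it on each file server and workstation; an empty result for both lists is the target state, and anything listed is a candidate for moving to a named, job-specific group instead.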
Protecting your devices from hijacking and unauthorized use is the next area to focus on.
- Mobile and BYOD – Make sure you segregate BYOD (bring your own device) devices to their own Wi-Fi network. Laptops should be encrypted to prevent data loss from lost or stolen devices. A mobile management system will allow your IT staff to track and remotely wipe lost or stolen smartphones, tablets, and laptops.
- Secure your endpoints – This means computers and laptops of course, but it also includes mobile, cloud, and IoT (Internet of Things) devices. That means installing good endpoint security software on devices that support it, and using secure configurations on IoT and other devices that cannot. No more default user names and passwords on IoT and other network-attached devices. Using an endpoint security monitoring tool such as AlienVault can alert your IT staff to intrusions as they happen.
- Patching – Windows, application, and browser updates need to be installed in a timely fashion. The goal is under 30 days. Best practice is to patch immediately if you can. These updates are almost entirely security updates, and every missing patch has an exploit kit available to take advantage of it.
- Web sites – Secure your website. Recent privilege escalation vulnerabilities in the popular Joomla CMS web publishing platform mean these sites are at risk without patching. WordPress sites are another popular target. Sucuri and WordFence are great products for securing your website.
Protecting your information is the next step in your plan.
- Encryption – Encrypted data cannot be used without the encryption key. This prevents attackers from finding useful information if your data is stolen.
- Backups – Backing up your data is something that should be happening already to protect you from device failure, but it is also critical in the event that one of your employees opens an attachment in a phishing email that unleashes one of the crypto-ransomware exploits.
Have a plan for your next incident.
- Computer Incident Response Plan – It is not a question of if, but when your next incident will happen. Heck, you may have one happening right now and not know it. Nobody is too small to be a target, because the attackers may just want to use your systems as a storage point for illegally acquired identity documents or child pornography. Developing a plan means that key players in your organization know what to do when it happens next time.
- Cyber Insurance – How are you going to fund the costs of an incident response that may run into the tens or hundreds of thousands or more? Cyber Insurance can provide that funding.
Just start at the top and work your way through the list. Take the first step, and keep at it, and before you know it you will be at your cybersecurity destination. Then you can start over and work on improving your cybersecurity program.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com