When we think of the start of the new year, we usually think of goals, but maybe instead of focusing on just personal goals, we can shift our focus to workplace goals. Having a list of goals written down makes you 10 times more likely to accomplish said goals. So, we’ve put together a list of Cybersecurity Best Practices for easy reference. These steps will have you keeping it secret and keeping it safe.
1. Access Controls and Account Management
○ How strong are your passwords really? Rigid password policies help to ensure that your work and your data are safe from the bad guys. Passwords that hold up usually consist of twelve to sixteen characters, mixing symbols, letters and numbers. Lock up your sh*t, folks! You’ll thank us later. Promise.
○ Multi-Factor Authentication: MFA supplements your password requirements, adding multiple layers of identity verification. An example of MFA is requiring something you hold, such as a smartphone or hardware token that receives a one-time code, in addition to something you know, such as your login credentials.
○ Enforce “least privilege” and “separation of duties” to prevent collusion, limiting authorized access to what is necessary to get the job done.
○ Privileged accounts should be reviewed on an ongoing basis. This ensures that only active and authorized users have access to systems that require that level of access. That’s right, with great power comes great responsibility.
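As an added example (not code from the original post), here is a small Python checker that enforces the password floor described above: at least twelve characters with letters, numbers and symbols. It assumes no upper length bound and uses a constructed five-entry common-password list where a real deployment would consult a breached-password feed.

```python
import re
import string

# Policy floor from the post: at least twelve characters mixing letters,
# numbers and symbols. No upper bound is enforced (assumption: capping length
# only weakens passphrases, so the sixteen-character figure is not a limit here).
MIN_LENGTH = 12

# Constructed sample of commonly used passwords; a real deployment would check
# against a full breached-password list instead of this tiny set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def check_password(pw: str) -> list[str]:
    """Return the list of policy failures for pw; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        failures.append("no letters")
    if not re.search(r"[0-9]", pw):
        failures.append("no digits")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbols")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password list")
    # Catch the classic workaround: a common word padded with digits/symbols
    # so that it satisfies the character-class rules on paper only.
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    if letters_only != pw.lower() and letters_only in COMMON_PASSWORDS:
        failures.append("common password padded with digits/symbols")
    return failures


def audit(candidates: list[str]) -> dict[str, list[str]]:
    """Run check_password over a batch and report only the ones that fail."""
    return {pw: f for pw in candidates if (f := check_password(pw))}


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    for pw, problems in audit(["Ab1!", "Password123!", "correct-horse-battery-7"]).items():
        print(f"{pw!r}: {', '.join(problems)}")
```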
2. Encryption – Is your organization protected? When we refer to encryption, we’re talking about the security method where information is encoded and can only be accessed or decrypted with the correct encryption key. Ensure encryption is part of your corporate policy. Sleep easy if laptops are lost or stolen by ensuring company-owned laptops have pre-boot encryption installed. Buy hard drives and USB drives with encryption built in. Use strong encryption on your wireless network (consider WPA2 or WPA3 with AES encryption). Protect your data from eavesdroppers by encrypting wireless communication using a VPN (Virtual Private Network). Ensure web applications are using the latest version of TLS to protect data in transit. Confirm that critical or sensitive information stored in databases, backups, and storage systems is encrypted at rest.
3. Disaster Preparedness – Are you ready for a disaster? Sounds ominous, we know, but these are real things to consider. Your organization should have a recovery plan and testing in place. If your application goes down, what do you do? With these procedures in place, it’s easier to swarm a problem and find resolution. Performing tabletop exercises, simulations, and live fail-over tests is key to ensuring your organization is ready to tackle a disaster when it happens.
4. Education and Training – It can’t be denied that humans are the weakest link, particularly in matters of information security. Training and workshops should be a regular feature, especially on subjects like detecting phishing emails, creating and maintaining strong passwords, avoiding potentially dangerous applications, insider threats, and ensuring that valuable data doesn’t leave the company. Educating employees and users about cybersecurity best practices is extremely important. It heightens awareness within the organization, which enables strong, reliable cybersecurity. This also includes that dreaded annual security awareness training that everyone must take. So, don’t ignore it, and take it with pride.
5. Incident Response Management – How do you handle a breach of security? In order to know what to do in a time of crisis, a plan should be in place so that your team isn’t grasping at straws. Plan for the worst but hope for the best. An Incident Response Plan (IRP) is a document intended to guide you in the event of an emergency. Make one—like today!
6. Manage IoT Security – The IoT (Internet of Things) is a big world of devices, but how do you enforce policies on mobile devices such as laptops, phones, cameras, etc.? Start with creating a Bring-Your-Own-Device policy. Many companies have avoided the topic, but it’s a trend that continues to push forward. Don’t avoid the elephant in the room! It comes back to educating the user. Consider allowing only guest access (internet only) for employee-owned devices. Enforce password locks on user-owned devices. Access sensitive information only through an encrypted VPN. Don’t allow storage of sensitive information on personal devices (such as customer contacts or credit card information). Have a plan for when an employee loses their device.
7. Security Compliance – It’s important…get the NIST? We mean JIST, get the jist? You need to achieve a strong security posture by following industry standards to ensure best practices, frameworks, and repeatable processes are established. And since achieving compliance is not a one-and-done deal, this should be incorporated into your continuous monitoring efforts to maintain compliance. Examples of these compliance standards include NIST, FedRAMP, ISO 27001, CMMC, PCI, and HIPAA. When these standards are met, cyber bliss is an actuality.
8. Patches and Updates – With hackers constantly coming up with innovative techniques, searching for new weaknesses and vulnerabilities, it would be a wise decision to keep your systems and software optimized. In order to keep the network secured, make sure that your hardware and software are in good health with the latest security updates and protection features. Having a strong vulnerability management program will aid in addressing the most critical vulnerabilities and ensure software patches and updates are applied continuously.
9. Risk Based Approach – Ready to take a risk? Then try threat modeling to identify potential threats to your organization. Prioritizing these assets and what is most important to the business is of critical importance. When planned and implemented properly, threat modeling will ensure that each nook and cranny of your infrastructure and your applications remains protected now and as new threats emerge. Trust us, you don’t want to risk it for the biscuit.
10. Security Policies – Create effective security policies to ensure all of your assets are well protected. Without these policies specifying behavior and security controls, we’re relying on our users to ‘make the right choice’; this can be a risky proposition. These documents become critical in the event of a security audit or even a Request for Proposal (RFP) response to win new business. If you don’t have someone on staff to build the proper set of policies, it’s worth finding an expert who can help you.
11. Endpoint Security – Saving the best for last, anti-virus and malware protection is a pivotal piece of keeping all data safe and secure. Make sure your mobile devices as well as your systems are protected so they don’t get sick by catching a virus or any other malicious disease that’s out there.
The beginning of the year doesn’t have to be the only time your team sits down and takes stock of their cybersecurity best practices. This checklist can be whipped out whenever you need guidance on cybersecurity. Bookmark it on your taskbar, email it to your team, post it on your LinkedIn, and just remember where this list is, because you’ll want it at some point. Trust us.