To celebrate this milestone—and contribute to the cause—here are 15 tips for helping to prevent and/or mitigate cyberattacks.
1. Know your data and your weaknesses.
To protect your data, you must know what you have, where it is, how critical it is to your business, who controls it, who can access it, and what you’re currently doing to protect it.
Document this information as your starting point for ensuring the security of your data and IT systems. This will help you identify your IT systems’ vulnerabilities, so you know where to focus your security efforts.
2. Get defensive.
Up-to-date firewalls, ad-blockers and script-blockers in browsers, and email security products can block known malicious senders and strip known malicious attachment file types. Employ application allowlisting so that only approved software can be installed and run. Isolation ("sandboxing") technologies can prevent the download and execution of ransomware delivered through phishing links, web drive-bys, and watering hole attacks.
If you don’t have the expertise to monitor and update your defenses, consider using a managed services provider to take on those responsibilities.
3. Employ strong password security.
Everyone in your organization should use strong passwords: as long and as random as possible, unique to each account, and ideally generated and stored by a password manager. Length matters more than sprinkling in special characters. Current guidance (NIST SP 800-63B) is not to force routine password changes for their own sake; instead, change a password as soon as you have reason to believe it has been exposed, screen new passwords against lists of known-breached ones, and never reuse a password across accounts.
Use two-factor or multi-factor authentication wherever possible to limit the damage from a weak, reused, or phished password. Phishing-resistant methods such as hardware security keys and passkeys are stronger than one-time codes sent by SMS.
4. Back up your data regularly.
Back up data frequently and keep copies in multiple locations, at least one of them offline or otherwise unreachable from the systems being backed up, so that ransomware on an infected machine cannot encrypt or delete the backups as well. Test your backup and restoration procedures regularly to ensure they work the way you expect them to work; an untested backup is only a hope.
If you have some data that’s more important than other data, consider implementing a tiered backup data service that gives priority to the data you need most.
5. Control removable media access.
Establish policies to control the use of removable media devices, such as flash drives, external hard drives, and smartphones and their access to your networks. Scan all devices for malware before plugging them into computers. For particularly sensitive systems, consider disabling removable media altogether.
6. Monitor user accounts and limit privileges.
Restrict employee access to just the data required to do their jobs (the principle of least privilege). Limit the number of privileged accounts, and don’t use them for day-to-day work such as email and browsing. Monitor user activity, especially on privileged accounts. Keep an inventory of every account and permission each employee holds, and revoke them promptly when that employee changes roles or leaves the company.
7. Educate and test employees.
Educate employees on the cyber threats they may encounter at work and at home. Make sure they understand how malware is spread. Impress upon them why password security is important, and why they should avoid public wireless networks.
Help them understand how to detect suspicious activity and avoid phishing and other social engineering tricks. Perform phishing and other assessments to test their cybersecurity awareness and validate the effectiveness of your cybersecurity training efforts.
8. Thoroughly investigate new providers.
Conduct thorough reviews of contracts with technology vendors and service providers. Make sure there are consequences for failure to provide the products or services promised. Also, ensure they can and will comply with any relevant regulations. Ensure you understand the breakdown of responsibilities between your company and the vendor or service provider.
Don’t be afraid to ask for references, compliance documentation, a breakdown of their physical and technical security, or tours of their facilities.
9. Keep your systems up to date.
Employ robust, secure standardized builds for servers, workstations, laptops, and all network infrastructure to help prevent unauthorized access by malicious users. Equally important, maintain the secure configuration of your systems by applying security patches and other updates promptly as they become available, giving first priority to internet-facing systems and to vulnerabilities that are known to be actively exploited.
If possible, refresh your hardware and infrastructure every few years to stay current with the latest technological and security developments. When disposing of hardware that stores data, remove the disks and have them sanitized or physically destroyed. This includes removable storage media such as USB drives, DVDs, and CDs. Have these materials destroyed by a reputable security firm and keep the certificate of destruction.
10. Establish and enforce BYOD policies.
If you have employees working remotely, especially if they reach your company’s network through VPNs or remote-workspace tools, implement comprehensive BYOD policies. These policies are essential for protecting sensitive corporate data in the event a mobile device is lost, stolen, or compromised; at a minimum they should require device encryption, a screen lock, current updates, and the ability to remotely wipe corporate data from the device.
11. Monitor and test everything.
Continuously monitor all systems and networks so you can detect changes or activity that indicate compromise or introduce new vulnerabilities. Conduct penetration tests or other vulnerability assessments to find weaknesses before an attacker does.
Use these exercises to fine-tune your detection and response capabilities.
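Monitoring is only useful if something turns raw events into a decision, so here is an added example of simple detection logic run over sample authentication log lines. It is written for this article and is not code from the original post. The lines are constructed in the familiar sshd syslog format (syslog lines carry no year, so one is assumed for parsing); the window, thresholds and the three alert types are assumptions you would tune against your own environment. The logic distinguishes a brute-force run against one account from password spraying across many, and flags a successful login that follows a burst of failures, which is the case most worth a human's attention.

```python
# Added example: detection rules over constructed sshd-style log lines.
# Not code from the original post; log format, year, and thresholds are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
YEAR = 2024  # syslog timestamps have no year; assumed so lines can be ordered

def parse(line):
    """Return (timestamp, success, user, source_ip) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]

def detect(lines, window=timedelta(minutes=5), fail_threshold=5,
           spray_users=3, success_after=3):
    """Scan log lines and return alerts (dicts) oldest first, one per kind and source."""
    events = sorted(e for e in map(parse, lines) if e is not None)
    failures = defaultdict(list)  # source ip -> [(ts, user), ...] inside the window
    seen = set()                  # (kind, ip) pairs already alerted, to avoid flooding
    alerts = []

    def alert(kind, ip, ts, users):
        if (kind, ip) not in seen:
            seen.add((kind, ip))
            alerts.append({"kind": kind, "ip": ip, "when": ts.isoformat(),
                           "users": sorted(users)})

    for ts, ok, user, ip in events:
        # keep only this source's failures that still fall inside the window
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if ok:
            if len(recent) >= success_after:
                alert("success after repeated failures", ip, ts, {user})
            failures[ip] = recent
            continue
        recent.append((ts, user))
        failures[ip] = recent
        if len(recent) >= fail_threshold:
            users = {u for _, u in recent}
            kind = "password spraying" if len(users) >= spray_users else "brute force"
            alert(kind, ip, ts, users)
    return alerts

# Constructed sample log; hosts, users and addresses are fictitious (RFC 5737 ranges).
SAMPLE_LOG = """\
Oct 15 09:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 40111 ssh2
Oct 15 09:00:03 bastion sshd[2102]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct 15 09:00:05 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 40113 ssh2
Oct 15 09:00:07 bastion sshd[2104]: Failed password for root from 203.0.113.5 port 40114 ssh2
Oct 15 09:00:09 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 40115 ssh2
Oct 15 09:00:11 bastion sshd[2106]: Failed password for root from 203.0.113.5 port 40116 ssh2
Oct 15 09:05:00 bastion CRON[2200]: (root) CMD (run-parts /etc/cron.hourly)
Oct 15 09:10:00 bastion sshd[2301]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Oct 15 09:10:20 bastion sshd[2302]: Failed password for bob from 198.51.100.7 port 50002 ssh2
Oct 15 09:10:40 bastion sshd[2303]: Failed password for invalid user carol from 198.51.100.7 port 50003 ssh2
Oct 15 09:11:00 bastion sshd[2304]: Failed password for dave from 198.51.100.7 port 50004 ssh2
Oct 15 09:11:20 bastion sshd[2305]: Failed password for eve from 198.51.100.7 port 50005 ssh2
Oct 15 09:11:40 bastion sshd[2306]: Accepted password for eve from 198.51.100.7 port 50006 ssh2
Oct 15 09:30:00 bastion sshd[2401]: Failed password for frank from 192.0.2.9 port 60001 ssh2
Oct 15 09:30:10 bastion sshd[2402]: Accepted password for frank from 192.0.2.9 port 60002 ssh2
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['when']}  {a['kind']:<32} {a['ip']:<14} {','.join(a['users'])}")
```

On the sample above the rules raise three alerts: a brute-force run from 203.0.113.5 against root, password spraying from 198.51.100.7 across five accounts, and the success for eve that immediately follows it. The single failed attempt from 192.0.2.9 before a successful login stays silent, which is the kind of tuning tip 11 is asking for: a penetration test or purple-team exercise tells you whether these thresholds fire on the attacker's behaviour and stay quiet on your users' mistakes.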
12. Prepare and test your incident response plan.
Establish a plan for dealing with cyberattacks that outlines what to do, how to do it, who’s responsible for doing it, and all follow-up actions, including who may speak to customers, regulators, and the press. Make sure you have the necessary information, materials, skills, and capabilities in place to respond quickly and effectively. Test your plan regularly, using different scenarios such as ransomware or a compromised administrator account, and update it as necessary.
13. Stay compliant.
If your organization is subject to regulatory requirements, make sure it complies. Many regulations, government mandates, and industry standards entail meeting rigorous technical requirements for data security and privacy, so an organization that is in compliance usually has a baseline of defenses in place. Treat that baseline as a floor, not a ceiling: compliance tells an auditor you met the standard on the day of the audit, not that an attacker can’t get in. Keep in mind that requirements change, so compliance isn’t a one-time thing.
14. Get physical.
Physical security is integral to cyber security because it helps prevent unauthorized access to your IT systems. Install restricted door access that requires biometric screening or assigned key fobs to monitor who enters your facilities. Implement 24-hour, monitored video surveillance. If you’re working with third-party vendors, such as a cloud service or colocation provider, make sure their facilities are physically secured as well.
15. Partner with IT security experts.
Consider contracting for managed IT services, ranging from cloud-based firewalls to DDoS protection. Managed services providers invest in the latest and greatest, so you’ll have access to leading-edge security without the expense of hiring and maintaining in-house expertise and technologies.
Added bonus: because the service provider handles the monitoring and management of your IT security, your IT staff and resources are freed up for other endeavors.
There’s Always More
Simply implementing a few of the tips offered in this blog can help strengthen your defenses against cyberthreats, even as they continue to evolve and change. But don’t stop there. Take advantage of the many resources available to help you beef up your IT security. That includes those associated with National Cybersecurity Awareness Month.