With a New Year comes new cyber threats and new technology to combat them. Here are 10 of the best cybersecurity practices to ensure every business starts 2023 off on the right foot when it comes to protecting its proprietary data. Wise business owners of companies of every size in every industry will resolve to employ them now if they aren’t already in place.
1. Perform Regular Updates
By ensuring your software and applications are updated regularly on all devices from laptops and desktops to mobile devices, your business will be protected from vulnerabilities in those programs and on those platforms. Start by setting aside one day per month to update all of your company’s devices. You can schedule this to be done on off hours to avoid interrupting the regular flow of business.
You’ll also want to employ the latest anti-virus software that also includes a firewall. Check with your internal IT department or third-party cybersecurity provider such as ORAM Cybersecurity Advisors to determine when your business last had its anti-virus and firewall updated. You want to ensure you have the most recent technology at your fingertips to protect your business.
Software should be kept updated as well with the latest security patches. This will help eliminate the threat of identified vulnerabilities due to outdated software. Attackers target old software vulnerabilities to access company networks and data.
Additionally, ongoing scanning and monitoring of your networks will help to quickly identify any malicious threats that have snuck through your anti-virus and firewall. With ongoing monitoring, your IT department or third-party provider can quickly identify any threats and stop them before a breach can occur. Such security measures can help to prevent ransomware attacks, malware infections, and protect against data breaches as well as other threats your business is likely to face in 2023.
2. Ongoing Employee Training
According to IBM’s Cost of a Data Breach 2022 report, human error is the root cause of 23 percent of data breaches. The same report found that organizations that provided regular employee training reduced the average cost of a data breach by $247,758! That’s well worth the cost of giving employees regularly scheduled cybersecurity awareness training.
The threat to today’s businesses is very real, but employees can be a business’s best security resource if properly trained. According to Gartner, a leading technology research and analyst firm, “People impact security outcomes much more than any technology, policy, or process. People play an undeniable role in an organization’s overall security and risk posture. This role is defined by both inherent strengths and weaknesses: People’s ability to learn and their capacity for error.”
To fortify the human factor when it comes to your business security, you must educate your employees on an ongoing basis. Cybersecurity training was once simply a recommendation by third-party providers such as ORAM Cybersecurity Advisors, but now it’s the law in many states. This is especially true in Massachusetts where ORAM is based. Many other states such as California and New York now also require cybersecurity awareness training as part of their written information security plan (WISP).
Cybersecurity awareness training should begin during onboarding for every employee and cover everything from phishing and social engineering to weak network security and compromised passwords. This is especially true for your remote workforce.
There should be frequent training opportunities and reminders, even if they are brief such as a once-a-month, computer-based training that only takes a few minutes. Every employee should also be provided with deeper training annually to prevent attacks. Additional training should occur whenever a potential threat is identified or a cyber incident has occurred within the company so there are no repeat events.
3. Deploy a Zero-Trust Security Architecture
“Just 41 percent of organizations in the [IBM] study said they deploy a zero trust security architecture,” according to the aforementioned Cost of a Data Breach 2022 report. “The other 59 percent of organizations that don’t deploy zero trust incur an average of $1 million in greater breach costs compared to those that do deploy. Among critical infrastructure organizations, an even higher percentage of 79 percent doesn’t deploy zero trust. These organizations experienced on average $5.40 million in breach costs, more than $1 million higher than the global average.”
Zero Trust is a security model that has become popular with government agencies and enterprise businesses alike because it takes a holistic approach to data security. The basis of Zero Trust is to treat every person, device, and network as if it has already been compromised, and therefore to verify every access request and implement monitoring and access management across your business to protect it.
Not only is Zero Trust imperative for protection against external and internal attacks against your business, but modern compliance laws dictate that security and access management are no longer optional. That means 24/7 monitoring and managing access both digitally and physically to prevent data loss.
4. Consistent Data Backup
It’s imperative to regularly back up your business data. Why? Because if the worst should occur and there is a data breach, data loss, or ransomware incident, your company can quickly recover its data and get back online with little interruption to business.
By backing up data on a regular, consistent basis, you can protect your organization from costly data breaches, ransomware, and other cyber incidents. You don’t want your company left without access to vital business information from customer records to invoices and other financial records. Such documents are typically vital to business operations and without them, your company could come to a screeching halt.
Best data backup practices include the following:
A. Offsite Storage Using Cloud Solutions- Using cloud-based storage protects data in the event your central server is compromised. This is also helpful in the event of natural disasters such as earthquakes, hurricanes, fires, etc. that would permanently destroy data stored only at the local level.
B. Use the 3-2-1 Rule- This rule of thumb means keeping three copies of data on two different devices with at least one off-site storage option.
C. Encrypt Backups- Encryption adds an extra layer of security to make it more difficult for bad actors to read your data even if they do access it.
Data should be backed up at least once a week, and daily backup is even better. While you can perform manual data backups, there is software available that makes automated backup of data every 24 hours seamless. This can be scheduled after work hours to avoid interference with daily operations.
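The 3-2-1 rule and the encryption and frequency guidance above can be turned into a check that runs over an inventory of where your data actually lives. The script below is an added example, not ORAM’s code or any vendor tool; it assumes you keep a simple inventory of copies (name, storage medium, onsite or offsite, encrypted or not, hours since last refresh) and counts the live primary copy as one of the three. The two inventories are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    """One copy of the business data (the primary copy or a backup)."""
    name: str
    medium: str        # storage type, e.g. "server-disk", "nas", "tape", "cloud"
    offsite: bool      # True if stored away from the primary site
    encrypted: bool    # True if the copy is encrypted at rest
    age_hours: float   # hours since this copy was last refreshed
    primary: bool = False  # the live working copy (exempt from backup-only checks)


def check_321(copies, max_age_hours=24):
    """Return a list of policy findings; an empty list means the inventory passes.

    Checks (assumption: the primary copy counts toward the three copies):
      - at least 3 copies in total
      - at least 2 different storage media
      - at least 1 offsite copy
      - every backup copy is encrypted
      - every backup copy was refreshed within max_age_hours
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 requires at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))}); need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy; need at least 1")
    for c in copies:
        if c.primary:
            continue  # live data is not a backup; skip backup-only checks
        if not c.encrypted:
            findings.append(f"{c.name}: backup is not encrypted")
        if c.age_hours > max_age_hours:
            findings.append(
                f"{c.name}: last refreshed {c.age_hours:.0f}h ago, exceeds {max_age_hours}h"
            )
    return findings


# Constructed sample inventories (hypothetical names, not real systems).
GOOD_INVENTORY = [
    DataCopy("file-server", "server-disk", offsite=False, encrypted=True, age_hours=0, primary=True),
    DataCopy("office-nas", "nas", offsite=False, encrypted=True, age_hours=12),
    DataCopy("cloud-vault", "cloud", offsite=True, encrypted=True, age_hours=20),
]

BAD_INVENTORY = [
    DataCopy("file-server", "server-disk", offsite=False, encrypted=True, age_hours=0, primary=True),
    DataCopy("usb-drive", "usb-disk", offsite=False, encrypted=False, age_hours=200),
]


if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        result = check_321(inventory)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run it against your own inventory after each backup cycle; a non-empty findings list is the condition to alert on, and the age check is what catches a backup job that silently stopped running.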
5. Employ Multi-Factor Authentication
Though multi-factor authentication (MFA), of which two-factor authentication is the most common form, has been around for a while now, many people and businesses are still failing to use it to their advantage. While it requires an extra step when logging in, it adds an extra layer of protection to your data.
Require the use of multi-factor authentication for logging in to all company accounts and devices for every employee. A password alone is not enough to keep hackers out of your organization with modern digital threats.
6. Push Password Best Practices
Remind employees to follow password best practices such as using a different password for logging in to each device, software, or platform. They also need to replace weak passwords with strong passwords using a combination of uppercase and lowercase letters, special characters, and numerals. Have your IT department or third-party provider configure your business platforms and software to require a password reset for each employee at least every six months. Give them access to a password manager to keep track of all logins and passwords with simplicity.
7. Get a VPN
Virtual private networks (VPNs) are terrific for connecting your business network with the outside world while providing a higher level of security for your data. This is especially true given the nature of the modern remote workforce and the common availability of public Wi-Fi.
With a VPN, all traffic between the VPN server and user devices is encrypted. This means that if it is intercepted by a cybercriminal, they won’t be able to read the data. This could save your business from a seriously costly data breach and possible fraud.
8. Think Before You Click
Among the most costly cybercrimes facing organizations today are business email compromise (BEC) attacks and phishing emails.
“Breaches caused by business email compromise had the second highest mean time to identify and contain, at 308 days,” according to the IBM report mentioned above. “Business email compromise was also the second costliest initial attack vector, with breaches costing an average of $4.89 million. Breaches caused by phishing had the third highest mean time to identify and contain, at 295 days, and had the highest average cost by initial attack vector, at $4.91 million.”
Avoid clicking on suspicious links in emails, even if you know the sender. This is because the sender’s email account may have been compromised, and the problem could be spreading without them realizing it. If someone you know and trust sends you an unexpected email with attachments or links, don’t click on them without calling the sender first to verify that they actually sent the email. The “think before you click” rule also applies to text messages and websites.
Bad links, attachments, and websites can be sources of viruses, malware, and ransomware. These threats can infect your business network and spread to partner and customer networks while they steal your internal data. Again, train employees to think before they click.
9. Always Log Out
Before walking away from your desktop, laptop, or mobile device, be sure to log all the way out. Stepping away from your computer to grab a drink, visit the restroom, or have a discussion can leave data vulnerable to insider threats or worse. Train employees to do the same.
Leaving yourself logged in to company devices with proprietary business data is an invitation to would-be hackers. Devices can be configured to lock automatically after a period of inactivity. These inactivity timers should be set to lock company devices after more than one minute of inactivity. This helps protect your business and even your employees, partners, and customers.
10. Seek Professional Assistance
Ultimately, many businesses either have IT departments that are overwhelmed or are simply too small to employ their own IT and security staff. Whether your company’s existing IT department needs occasional support or your business needs complete cybersecurity services, ORAM Cybersecurity Advisors and other third-party providers offer a variety of services affordable for different budgets. These providers can keep your business secure while meeting the cybersecurity regulations required in your industry and your state. They can often provide software at a reduced cost to help keep your business network updated and more secure.
For a free, no-obligation initial consultation, visit ORAM Cybersecurity Advisors online or call (617) 933-5060.