By Nathaniel C. Gravel, CISA, CISM, CRISC
With an estimated 2,200 cyberattacks taking place each day – one every 39 seconds – the task of creating and deploying a defensive strategy for your business can be intimidating. Still, the threat is too great to ignore, not to mention the fact that most states have strict data security laws that must be followed. But where do you start? What are the first steps you should take to begin layering protective measures around your network and data?
One shrewd move you can make is to invest in a penetration test. Conducted by an independent cybersecurity consultant, a “pen test” is a simulated (but harmless) attempt to gain entry to your computer network. The results can help identify and prioritize vulnerabilities in your system, giving you a list of gaps in your defense that should be addressed before they are breached by actual cyber criminals. This “risk map” can be used to drive the cybersecurity process within your organization.
- Make cybersecurity a management priority. Stop thinking that cyber threats are simply another IT problem. Cybersecurity is not a technical issue, but a risk management process. It must start with a commitment from the top so that everyone in the company understands its importance and adjusts their own behavior accordingly. This also includes a vow to invest in staff training – 70% of all cyber intrusions occur due to human error.
- Plan for the worst. Start with a bad ending in mind by assuming you are going to be successfully attacked and a cyber intrusion will occur. How will you recover? By developing a detailed business continuity plan. You already have contingencies in place for other disasters (fire, flood, etc.) and should have a separate plan for cyberattack. This starts with secure backup of your data, preferably made daily to a cloud server that is separate from your internal system. Backed up data will help you recover quickly from an attack or even a ransomware attempt.
- Keep your systems up-to-date. Older computers, networks, servers and software are the easiest for cyber thieves to crack. Most device manufacturers and software providers do a good job of identifying weaknesses in their own products and providing updates and patches to their users. You should have a program in place to automatically update your systems and software, and to replace older versions that may have outlived the ability to be protected.
- Apply multi-factor authentication practices. Also known as “MFA,” multi-factor authentication is the process of requiring a password plus a separate code to access a computer or network. The code is sent every time the user logs in – a little time consuming but highly effective in controlling access to sensitive information.
- Follow the principle of least privilege. Employees should only have access privileges to those files necessary for them to do their jobs. Minimizing the number of people who have access to sensitive files gives you the ability to better monitor activity and identify unauthorized attempts to enter the files. The concept of “least privilege” should also be applied to members of the management team.
- Build a layered endpoint defense. An “endpoint” is the physical device – laptop, tablet, smart phone – that connects to and exchanges information with a computer network. It is also a point of maximum vulnerability to cyberattack. Invest in a strong anti-virus program and detection and management software that can alert you to unusual or unexpected activity.
- Develop a Written Information Security Plan (WISP). All these steps should be written down as policies and procedures in a written document. Many states require a WISP to be completed and regularly updated for any organization that possesses personally identifiable information (PII) for employees, customers, or vendors. PII can range from social security numbers and health care records, to credit card and bank account numbers. It all must be protected, or you risk expensive fines and the high cost of restoring data and your reputation.
Nathaniel Gravel is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP, a consulting, accounting and business advisory firm based in Canton, MA. He can be reached at email@example.com.