Eight Critical IT Security Protections Every Business Should Have in Place
For most businesses, cybercrime is a very real threat, but as we have seen time and again, many organizations are underestimating the potential damage.
A single cyber-attack—one slip-up from even a smart, tenured employee clicking on the wrong email—can open the door to a company’s undoing.
If a business falls victim to a cybercrime attack in which client data is compromised, its leadership will be investigated and questioned about what they did to prevent it from happening. If the answer is inadequate, they can be found liable. The company might be required by law to inform clients that their private records, financials and data have been exposed. Client relationships will be put in jeopardy, and the competition will look to leverage the opportunity. And, unless the victim company has a very specific type of crime insurance, no help will come from the bank.
On the other hand, just a few preventative measures can help minimize (or outright eliminate) these reputational damages, losses, litigation and costs. We asked Michael Mullin, president, Integrated Business Systems, Totowa, NJ, and Kai Pfiester, founding partner and cyber security expert with Black Cipher Security, Cherry Hill, NJ, for suggestions on how to minimize your exposure to cyber security risks.
- Educate your people.
“Almost all security breaches in business are due to an employee downloading or opening an infected file or link from a website or email,” says Mullin. “Phishing e-mails – designed to look like legitimate messages from websites or trusted vendors – are common, and spam filtering and antivirus cannot protect a network if an employee mis-clicks. Education is paramount. This includes both on-boarding of new staff members, and ongoing communication and testing of the entire team.”
Pfiester warns that “there need to be proper policies and procedures to guide employees on how to act in situations like this. For example, when a malicious email is identified, the employee should be required to forward the offending email to the internal/external security team so they can block the sender and take other proactive measures to protect the network.”
- Adopt an acceptable use policy (AUP).
An AUP outlines how employees are permitted to use company-owned PCs, devices, software, Internet access and e-mail. “Policies should limit the websites employees can access with work devices and Internet connectivity, and should be enhanced with content-filtering software and firewalls,” Mullin says.
“Policies are useless without enforcement and consequences. They need to have proverbial ‘teeth’ to ensure people comply,” adds Pfiester. “When employees know there are negative consequences for putting the company at risk, they will be more inclined to follow the policies and thereby maintain the security of the organization.”
- Do not allow employees to access company data with unmonitored personal devices.
Thanks to the convenience of cloud computing, employees can gain access to company data remotely and from their own personal devices. But, warns Mullin, if an employee accesses a critical cloud application via a personal device that is infected, the hacker can gain access, too. “Companies that allow employees to use personal devices and home PCs need to make sure those devices are properly secured, monitored and maintained by a security professional,” he says.
Pfiester suggests that two-factor authentication should be implemented for all cloud-based portals and applications that support it. “This ensures that if a hacker manages to capture or guess any login credentials and reuse them to gain unauthorized access to those systems, he will be thwarted,” he explains.
- Require strong passwords and passcodes to lock mobile devices.
Passwords should be at least eight characters, and contain lowercase and uppercase letters, symbols, and at least one number, says Mullin, or “as long and as complex as you can make them,” says Pfiester. On a cell phone, requiring a passcode to be entered will go a long way toward preventing a stolen device from being compromised. Network administrators also should require a password reset every 30-60 days, says Mullin.
“Long, complex passwords can be generated and stored in a password vault application such as LastPass or Dashlane,” says Pfiester. “But it is absolutely critical that these password vault applications be protected with strong two-factor authentication.”
- Keep your network and all devices patched and up-to-date.
New vulnerabilities are frequently found in common software programs like Adobe, Flash, Microsoft and QuickTime. When system and application patches and updates become available they should be installed. Under a managed IT plan, this can all be automated, which eliminates missed updates, Mullin says.
“Keeping your computer systems and applications up to date is essential and greatly reduces risk associated with malware and exploits,” adds Pfiester. “But it should be noted, this is just one component of a good cyber security program.”
- Have a business-class backup both on-premise and in the cloud.
In a ransomware attack, a hacker locks up a company’s files and demands a fee to restore them. But if the files are backed up, this becomes a non-issue. Automated backups also protect against employees accidentally (or intentionally) deleting or overwriting files, and against natural disasters, fire, water damage, hardware failures and a host of other data-erasing disasters, Mullin says.
Backups are very important but they are not a panacea for ransomware attacks, says Pfiester. “There are countless cases where the hackers also encrypted the backups,” he says.
To mitigate the risk of backups being ransomed, they should be taken offline or totally segmented from the main network and secured in such a way as to prevent unauthorized access.
- Incorporate a business-class firewall and proper updates.
Firewalls are the frontline defense against hackers, blocking everything not specifically allowed to enter (or leave) a computer network, and a business-class firewall is an essential element of a quality cyber security program, say the pair.
Like systems and applications, firewalls need ongoing monitoring and regular updates as part of a company’s routine IT maintenance.
“Hackers have gotten very good at tunneling through firewalls, so they must be configured correctly, and compensating controls must be implemented to address the security vulnerabilities they cannot fix,” says Pfiester.
- Implement advanced end-point protection.
End points are personal computers, network servers and other devices connected to the Internet. When they are exposed, systems and data become vulnerable. Unlike traditional anti-virus solutions, advanced end-point protection platforms do not require prior knowledge of an attack to detect and remediate it. “They apply machine learning and artificial intelligence to continuously outflank attackers,” says Mullin. “As such, they are even ready to stop threats that do not yet exist.”
No matter what solutions you use, some malware is likely to get through your defenses, says Pfiester. “When that happens you need to have detection and response capabilities to root out hidden threats on your computer or network,” he says.
The Bottom Line
Cybercrime has become so widespread that it may not be possible for any business – large or small – to avoid being a target. A virtual army of hackers and sophisticated crime rings are working around the clock to overcome known protections.
The good news?
All the above safeguards are easy and inexpensive to implement. By doing so, you can protect your data, your reputation and your business.