In today’s sophisticated digital landscape, cybersecurity threats have evolved past traditional brute-force login attempts. Hackers are relentless in their attempts to breach business systems and manipulate employees into providing confidential information. With more than 70% of cyberattacks involving phishing, it is crucial to ensure systems are secure and that staff can easily recognize a phishing attack before they take action and expose private information.
While there is no way for an organization to completely eliminate all cyber threats, there are many actions that can be taken to mitigate risk and strengthen overall cybersecurity posture.
This comprehensive cybersecurity checklist below will help organizations minimize risk in 2021 and beyond.
1. Create A Cyber Strategy Separate From IT
It may seem natural to have IT focus on cybersecurity, since it concerns safeguarding primarily digital information. However, cybersecurity is a business risk, and IT is just one aspect of it. To avoid conflicts of interest, cybersecurity is best handled by another key player – the chief information security officer (CISO), who addresses cyber risks at the business level and develops plans for mitigation and response. Protecting against these risks requires support from IT, but also from other areas of the business, such as operations and human resources.
2. Develop An Effective Cyber Incident Response Plan
An incident response plan helps staff detect, respond to and recover from cybersecurity incidents more effectively. In some industries a proper plan is required by law; however, all organizations that use technology to access sensitive data should follow incident response guidelines. The incident response plan should clearly state how to document and mitigate cyberattacks, and outline the steps required to get systems and software running again immediately after an incident.
3. Train Employees On Cybersecurity Awareness
COVID-19 has prompted a new wave of phishing and ransomware attacks as cyber criminals take advantage of distracted and stressed employees. While spam filtering can identify some malicious emails, others that appear authentic will find their way into an employee’s inbox. As one wrong click on a malicious email could expose an organization’s sensitive information, employees should undergo thorough and ongoing cybersecurity training with a focus on mitigating potential attacks by keeping a close eye on their email. Employees should be trained not to open emails or click links in emails from unknown senders and to report potential phishing attacks to leadership.
4. Ensure A Strong Password Protocol
Organizations should use a password manager to provide strong protection for personal and company passwords. This type of system stores and encrypts all passwords, preventing anyone from gaining access without first verifying their identity through two-factor authentication. Employees only need to remember one master password; the stored account logins and passwords, which are generally sequences of randomized alphanumeric and special characters, cannot be traced back to the password manager.
5. Enable Automatic Operating System Updates
Updates for operating systems are often deployed to minimize or remove vulnerabilities in previous versions. Most employees find it difficult to remember to check their devices for newer operating system versions, so ensuring that each company device has automatic updates enabled reduces the likelihood of a breach. When devices are updated, malicious software built for a specific version will be identified and removed by the operating system in a future update.
6. Use A Secure Connection For Company Devices
Employees should connect to the corporate network only from company devices, and company devices should not be connected to a public network. COVID-19 has required the majority of businesses to work from home, so it is important to ensure that employees connect only through a private in-home network, a mobile hotspot or a virtual private network (VPN) recommended by the organization. Employees should follow a secure protocol when visiting websites by looking for HTTPS in the URL or a lock icon in place of it.
7. Back Data Up To An Encrypted Drive
In the event an employee must reset their drive for any reason, they must be able to recover their data immediately from the last save point. IT should be responsible for backing up information, and should review backup logs and test backups routinely to verify that the data is current and can be recovered at a moment’s notice.
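The routine test that item 7 calls for can be automated. The script below is an added example and is not code from the original checklist or from Hartman Executive Advisors. It assumes a backup directory that holds the copied files plus a manifest.json file mapping relative paths to SHA-256 digests (a layout constructed for this example); it checks that every file is present and unchanged, that the set is no older than an assumed one-day recovery point objective, and then performs a trial restore into a scratch directory and re-verifies the copy, since a backup that has never been restored is not known to be recoverable.

```python
"""Backup verification: confirm a backup set is complete, unchanged and recent,
then perform a trial restore. Added example; not part of the original checklist.
Assumed layout (constructed for this example): a backup directory holding the
copied files plus a 'manifest.json' mapping relative paths to SHA-256 digests."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600   # assumed recovery point objective: one day


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a digest for every file in the backup set (run at backup time)."""
    files = [p for p in backup_dir.rglob("*")
             if p.is_file() and p.name != "manifest.json"]
    manifest = {str(p.relative_to(backup_dir)): sha256_of(p) for p in files}
    out = backup_dir / "manifest.json"
    out.write_text(json.dumps({"created": time.time(), "files": manifest}, indent=2))
    return out


def verify_backup(backup_dir: Path, now=None) -> dict:
    """Return a report: missing files, corrupted files, and whether the set is stale."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    missing, corrupted = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupted.append(rel)
    stale = (now - manifest["created"]) > MAX_BACKUP_AGE_SECONDS
    return {"missing": missing, "corrupted": corrupted, "stale": stale,
            "ok": not (missing or corrupted or stale)}


def trial_restore(backup_dir: Path, restore_dir: Path) -> bool:
    """Copy the set to a scratch location and re-verify it there: a backup that
    has never been restored is not known to be recoverable."""
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    return verify_backup(restore_dir)["ok"]


def demo() -> dict:
    """Build a constructed backup set, verify it, then show the two failure modes
    the routine check should catch: silent corruption and an out-of-date set."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "plan.txt").write_text("incident response plan v3\n")
        (backup / "ledger.csv").write_text("date,amount\n2021-01-04,100\n")
        write_manifest(backup)
        clean = verify_backup(backup)
        restored = trial_restore(backup, Path(tmp) / "restore_test")
        # Simulate silent corruption of one backed-up file.
        (backup / "ledger.csv").write_text("date,amount\n2021-01-04,999\n")
        tampered = verify_backup(backup)
        # Simulate checking the same set two days later, past the assumed RPO.
        old = verify_backup(backup, now=time.time() + 2 * MAX_BACKUP_AGE_SECONDS)
        return {"clean_ok": clean["ok"], "restored_ok": restored,
                "tampered": tampered["corrupted"], "stale": old["stale"]}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written by the backup job and the verification run on a schedule against the real backup target, with its report kept alongside the backup logs that IT reviews.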
8. Keep Antivirus Software Up-To-Date
Having antivirus software on a device does not always provide protection, as hackers produce new viruses every day. Updating antivirus software gives employees’ devices new information on malware, spyware, ransomware and other types of viruses, increasing the chance that they will be removed. Like operating systems, antivirus software can be set to update automatically.
9. Limit The Number Of Network Administrators
No employee outside the IT department should be able to change network settings or install applications that are not on the company’s approved list. By limiting the number of administrators for the network and its devices, security risks are significantly reduced and the company has more visibility over its devices. Another best practice is auditing and deleting the accounts of employees who have switched workstations or are no longer employed by the organization.
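The two rules in item 9 (administrator rights only within IT, and no accounts left behind by departed employees) can be checked mechanically against an account export. The script below is an added example, not code from the original checklist or from Hartman Executive Advisors. The account records are constructed for the example, the 90-day threshold for an unused account and the restriction of admin rights to the IT department are assumptions, and a real run would read the records from the directory service or device management console instead.

```python
"""Privileged-account audit: flag admin rights outside IT, accounts that should
have been removed at offboarding, and enabled accounts nobody uses.
Added example; not part of the original checklist."""
from datetime import date, timedelta

STALE_AFTER_DAYS = 90          # assumed threshold for an unused account
ADMIN_DEPARTMENTS = {"IT"}     # assumed: only IT may hold administrator rights

# Constructed sample export: one record per account.
ACCOUNTS = [
    {"user": "a.ng",    "dept": "IT",      "admin": True,  "enabled": True,
     "employed": True,  "last_login": date(2021, 1, 12)},
    {"user": "b.ortiz", "dept": "Finance", "admin": True,  "enabled": True,
     "employed": True,  "last_login": date(2021, 1, 11)},
    {"user": "c.singh", "dept": "Sales",   "admin": False, "enabled": True,
     "employed": False, "last_login": date(2020, 11, 2)},
    {"user": "d.kim",   "dept": "HR",      "admin": False, "enabled": True,
     "employed": True,  "last_login": date(2020, 8, 15)},
    {"user": "e.lopez", "dept": "IT",      "admin": False, "enabled": False,
     "employed": False, "last_login": date(2020, 6, 1)},
]


def audit_accounts(accounts, today: date) -> dict:
    """Return the usernames that violate each rule, keyed by rule."""
    findings = {"admin_outside_it": [], "offboarded_still_enabled": [],
                "stale_enabled": []}
    cutoff = today - timedelta(days=STALE_AFTER_DAYS)
    for a in accounts:
        # Rule 1: administrator rights are limited to the IT department.
        if a["admin"] and a["dept"] not in ADMIN_DEPARTMENTS:
            findings["admin_outside_it"].append(a["user"])
        # Rule 2: accounts of people no longer employed must be disabled/deleted.
        if a["enabled"] and not a["employed"]:
            findings["offboarded_still_enabled"].append(a["user"])
        # Rule 3: an enabled account with no recent login needs review.
        if a["enabled"] and a["last_login"] < cutoff:
            findings["stale_enabled"].append(a["user"])
    return findings


def remediation_actions(findings: dict) -> list:
    """Turn findings into the concrete actions an administrator should take."""
    actions = []
    actions += [f"revoke admin rights: {u}" for u in findings["admin_outside_it"]]
    actions += [f"disable and remove: {u}" for u in findings["offboarded_still_enabled"]]
    actions += [f"confirm still needed, else disable: {u}" for u in findings["stale_enabled"]]
    return actions


if __name__ == "__main__":
    result = audit_accounts(ACCOUNTS, today=date(2021, 1, 15))
    for action in remediation_actions(result):
        print(action)
```

Running the audit on a schedule and reviewing the action list is the "auditing" half of the practice; the deletion half still needs a human to confirm each action against HR records before it is carried out.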
10. Enable Auto-Lock For Company Devices
Computers that have not been in use for a short time (approximately three to five minutes) should automatically lock their screens and force the user to log back in. This prevents onlookers, whether inside or outside the building, from seeing what is displayed on the device. Additionally, unauthorized users can access the computer remotely while it is logged in, which is why the device should not be left active while not under the employee’s direct supervision.
11. Dispose Of Equipment And Data Securely
Devices that contain sensitive information should not simply be thrown out when no longer in use. The hard drive should be completely formatted to remove all data, and then either shredded or electronically recycled. Without physical destruction of the hard drive, any associated data can be fully recovered using a SATA cable. It is important, however, to ensure the data from the drive is backed up before destruction.
12. Use An Encrypted Email Or Messaging Server
Email is used by employees every day, meaning they are always at risk of falling victim to an attack. Using an encrypted email or messaging server for work-related information and passwords limits the chance of a message being intercepted and/or deciphered by a cybercriminal. Email servers that use spam filtering automatically locate and remove emails that appear to be phishing attacks from employees’ inboxes, decreasing the possibility of unwanted emails reaching those individuals.
13. Conduct Regular Cybersecurity Assessments
Systems and software should be audited on an ongoing basis to look for new risks. While the newest version of a particular software may seem safe to implement, some updates may accidentally break an organization’s systems or expose them to threats due to an unstable release that is being rolled out. It’s a best practice to speak with an independent cybersecurity consultant when auditing a network as they bring extensive knowledge and can make informed recommendations.
14. Employ Third-Party Penetration Testing Services
If a third-party cybersecurity firm can breach systems, a malicious individual likely can as well. Penetration testing, otherwise known as “ethical hacking,” can be employed to identify vulnerabilities in a network and remove them before they are discovered by unauthorized users. While this can be an expensive service, the cost does not compare to the millions of dollars in fines that can accompany a data breach.
Speak With A Professional Cybersecurity Consulting Firm
All businesses are susceptible to cyberattacks, but leaders need to do everything within their power to mitigate risk and lessen the impact of any potential incidents. Hartman Executive Advisors offers cyber risk assessments that employ a wide variety of techniques to accurately assess an organization’s business-specific cybersecurity threats. Reach out today to schedule a consultation and start 2021 with a clear and strategic approach to managing cybersecurity.