In today’s sophisticated digital landscape, cybersecurity threats have evolved past traditional brute-force login attempts. Hackers are relentless in their attempts to breach business systems and manipulate employees into providing confidential information. As nearly 25 percent of business owners in the U.S. have experienced some form of cyberattack since the start of the COVID-19 pandemic, it is crucial to ensure systems are secure and that staff can easily recognize a phishing attack before they take action and expose private information.
While there is no way for an organization to eliminate all cyber threats, there are many actions that can be taken to mitigate risk and strengthen its overall cybersecurity posture. It is important for business executives, especially CIOs and CISOs, to ensure their organizations have a proper cybersecurity protocol in place.
What Business Leaders Must Include In Their Cybersecurity Checklist
The COVID-19 pandemic caused a massive increase in phishing attacks. In 2021, over 90 percent of all cyberattacks originated from a phishing email. As a result, businesses require an extensive cybersecurity plan that not only aims to prevent breaches but also informs employees on how to manage and respond to incidents.
This comprehensive cybersecurity checklist will help organizations adopt a workplace culture focused on cybersecurity this year.
1. Use An Encrypted Email Or Messaging Server
Email is used by employees every day, meaning they are always at risk of falling victim to an attack. Using an encrypted email or messaging server to communicate work-related information and passwords will limit the chance of a message being intercepted and/or deciphered by a cybercriminal. Email servers that use spam filtering technology will automatically detect emails that appear to be phishing attempts and remove them from employees’ inboxes, reducing the chance that such messages ever reach those individuals.
2. Adopt A Decentralized Cybersecurity Strategy
2021 revealed critical deficiencies in the centralized cybersecurity strategy that many organizations had implemented. Organizations that grant the same user permissions for their programs across all departments often struggle to lead innovation and are more vulnerable to brute force attempts. Allowing the chief information security officer (CISO) to manage and oversee user privileges can prevent certain departments from receiving permissions and access to data they do not need.
3. Create A Cybersecurity Strategy Independent From IT Strategy
It may seem natural to include mention of cybersecurity in your organization’s IT strategy since it concerns safeguarding primarily digital information. However, cybersecurity holds a separate set of risks that are often more intricate and involve more immediate incident response times. To avoid conflicts of interest, cybersecurity is best handled by another key player – the CISO, who should address cyber risks at the business level and develop plans for mitigation and response. Protecting against these risks will likely require support from IT, but also other areas of the business, such as operations and human resources.
4. Develop An Effective Cyber Incident Response Plan
An incident response plan can help staff more effectively detect, respond to and recover from cybersecurity incidents. In some industries, it is required by law to have a proper plan in place; however, all organizations that use technology to access sensitive data should follow incident response guidelines. The incident response plan should clearly state how to document and mitigate cyberattacks, as well as outline the steps required to get systems and software running again immediately after an incident.
5. Train Employees On Cybersecurity Awareness
COVID-19 prompted a new wave of phishing and ransomware attacks as cybercriminals have taken advantage of distracted and stressed employees. While spam filtering can identify some malicious emails, others that appear authentic will find their way into an employee’s inbox. As one wrong click on a malicious email could expose an organization’s sensitive information, employees should undergo thorough and ongoing cybersecurity training with a focus on mitigating potential attacks by keeping a close eye on their email. Employees should be trained not to open emails or click links in emails from unknown senders and to report potential phishing attacks to leadership.
6. Implement A Zero Trust Architecture
The Zero Trust security model is designed to incorporate a “never trust, always verify” concept into an organization’s culture. This cybersecurity framework instructs network administrators and IT staff to block access to all devices by default, regardless of whether they are connected to an authorized network. A Zero Trust policy encourages two-way authentication, also known as mutual authentication, to verify authorized access from devices. This can be achieved by authenticating devices through public certificates or a username and password, as well as inspecting and monitoring traffic through a remote monitoring protocol.
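The mutual authentication described above, shown as an added Go example that is not part of this article or of Hartman Executive Advisors' material: a server that denies every connection by default and serves only devices presenting a certificate issued by the organization's own device CA, while the client verifies the server against the same CA. The CA name, the device name laptop-42, the "Rogue CA" and the loopback listener are all constructed for the demo; in a real deployment the CA and device certificates would come from the organization's device enrollment process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert mints an in-memory certificate for cn, self-signed (a root CA) when
// parent is nil. Generation cannot fail on a healthy system, so the demo panics.
func issueCert(cn string, eku []x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN for the server cert
	}
	if parent == nil { // root CA: signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// probe connects with cfg and returns the server's greeting, or "denied: ..."
// when the server rejects the client (in Dial for TLS 1.2, on first read for 1.3).
func probe(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "denied: " + err.Error()
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	if err != nil {
		return "denied: " + err.Error()
	}
	return string(buf[:n])
}

// RunDemo builds a device CA, a server and two devices in memory, then reports how
// the server treats an enrolled device, a bare client and a device from an untrusted CA.
func RunDemo() (map[string]string, error) {
	ca := issueCert("Example Device CA", nil, nil)
	server := issueCert("127.0.0.1", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, &ca)
	enrolled := issueCert("laptop-42", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, &ca)
	rogueCA := issueCert("Rogue CA", nil, nil)
	rogue := issueCert("laptop-42", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, &rogueCA)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS: no trusted certificate, no access
		ClientCAs:    pool,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // greet only clients whose certificate verified; the rest get nothing
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			if tc := conn.(*tls.Conn); tc.Handshake() == nil {
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			conn.Close()
		}
	}()
	try := func(certs ...tls.Certificate) string { // clients verify the server against the same CA
		return probe(ln.Addr().String(), &tls.Config{RootCAs: pool, Certificates: certs})
	}
	return map[string]string{
		"enrolled": try(enrolled),
		"no-cert":  try(),
		"rogue":    try(rogue), // same name as the enrolled device, untrusted issuer
	}, nil
}

func main() {
	fmt.Println(RunDemo())
}
```

Running it prints a greeting only for the enrolled device; the client with no certificate and the one carrying a certificate from the unknown CA are both refused before any application data is exchanged, which is the "never trust, always verify" default the section describes. The device name alone buys nothing: the rogue certificate uses the same name as the enrolled laptop and is still denied because the server trusts issuers, not names.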
7. Ensure A Strong Password Protocol
Organizations should utilize a password manager to guarantee strong protection over personal and company passwords. This type of system will store and encrypt all passwords, preventing anyone from gaining access without first verifying their identity through two-factor authentication. Employees will only need to remember one master password, and the stored account logins and passwords, which are generally a sequence of randomized alphanumeric and special characters, cannot be traced back to the password manager.
8. Enable Automatic Operating System Updates
Operating system updates are often deployed to minimize or remove vulnerabilities from previous versions. For most employees, remembering to check devices for newer operating system versions can be difficult. Therefore, ensuring each company device has automatic updates enabled will reduce the likelihood of a breach. When devices are updated, malicious software that is built for a specific version will be identified and removed by the operating system in a future update.
9. Use A Secure Connection For Company Devices
Devices issued to employees by the company should never be connected to a public network. COVID-19 required many people to work from home, and therefore it is important to ensure that employees are only connecting to a private in-home network, mobile hotspot or virtual private network (VPN) recommended by the organization. Employees should follow a secure protocol when visiting websites by looking for HTTPS in the URL or the lock icon that browsers display in its place, as well as follow the Zero Trust architecture if it has been adopted by their organization.
10. Back Data Up To An Encrypted Drive
In the event an employee must reset their drive for any reason, they must be able to immediately recover their data from their last save points. IT should be responsible for backing up information and should review backup logs and test them routinely to verify that the data is current and can be recovered at a moment’s notice. This way, data can easily be recovered in the event it is breached and/or deleted from the system.
11. Keep Antivirus Software Up-To-Date
Having antivirus software on a device does not always yield protection as new viruses are produced by hackers every day. Updating antivirus software will provide employees’ devices with new information on malware, spyware, ransomware and other types of viruses to increase their chance of being removed. Similar to operating systems, antivirus software can be set to update automatically.
12. Limit The Number Of Network Administrators
No employee outside the IT department should have the ability to change details about the network or install applications outside the company’s approved list. By limiting the number of administrators for the network and following a decentralized cybersecurity strategy, security risks will be significantly reduced and the company will have more visibility over its devices. Another best practice involves auditing and deleting accounts from employees who have switched workstations or are no longer employed by the organization.
13. Enable Auto-Lock For Company Devices
Computers that have not been in use for a short length of time (approximately three to five minutes) should automatically lock their screens and force users to log back in. This will prevent potential onlookers who are either inside or outside the building from seeing what is displayed on the device. Additionally, unauthorized users can access the computer remotely while it is logged in, which is why the device should not remain unlocked while not under the direct supervision of the employee.
14. Dispose Of Equipment And Data Securely
Devices that contain sensitive information should not simply be thrown out when no longer in use. The hard drive should be completely formatted to remove all data, and it should then be either shredded or electronically recycled. Without physical destruction of the hard drive, its data can be fully recovered simply by connecting the drive to another machine over a SATA cable. It is important, however, to ensure the data from the drive is backed up before destruction.
15. Conduct Regular Cybersecurity Assessments
Systems and software should be audited on an ongoing basis to look for new risks. While the newest version of a particular software may seem safe to implement, some updates may accidentally break an organization’s systems or expose them to threats due to an unstable release that is being rolled out. It’s a best practice to speak with an independent cybersecurity consultant when auditing a network as they bring extensive knowledge and can make informed recommendations.
16. Employ Third-Party Penetration Testing Services
If a third-party cybersecurity firm can breach systems, a malicious individual likely can as well. Penetration testing, otherwise known as “ethical hacking,” can be employed to identify any vulnerabilities in a network and work to effectively remove them before they are discovered by any unauthorized users. While this can be an expensive service, the cost does not compare to the millions of dollars in fines that can follow a data breach.
Speak With A Professional Cybersecurity Consulting Firm
All businesses are susceptible to cyberattacks, but leaders need to do everything within their power to mitigate risk and lessen the impact of any potential incidents. Hartman Executive Advisors offers cyber risk assessments that employ a wide variety of techniques to accurately assess an organization’s business-specific cybersecurity threats. Reach out today to request a consultation and move forward with a clear and strategic approach to managing cybersecurity this year and beyond.