As we’ve discussed, most evidence suggests cybercrime is on an upward trajectory both here in the US and around the world, with projections suggesting cybercrime is likely to cost the global economy around $10.5 trillion in 2025, up from around $3 trillion in 2015. To prevent your organization becoming part of such a sobering statistic it’s important to have a robust range of security measures in place to keep the hackers at bay.
There is no single-fix action you can take to defend against cyber threats. Keeping malicious intruders away from your sensitive data requires continuous vigilance and a long-term commitment to cybersecurity best practice. While developing a culture of cyber security diligence among your workforce is a vital line of defense, there are a number of other mitigatory measure that you, as a business owner, can take to reduce your organisation’s cyber risk profile.
Here are 6 vital steps to achieving cyber security success in your business.
Stay on top of software maintenance
Over the course of a software product’s lifecycle, its developers release updates to correct flaws, add new functionality and close off security loopholes. These updates should be applied as quickly after becoming available as possible to applications, operating systems and other programs to ensure they continue operating optimally and to limit the opportunity for hackers to exploit known vulnerabilities.
Occasionally, cyber criminals identify software vulnerabilities before the developers, and launch what are known as “zero day” attacks. To avoid falling foul of such attacks, encourage your IT team to monitor cybersecurity news so that countermeasures can be deployed to guard against these vulnerabilities until the software developers release a fix.
Limit account privileges
The user accounts most sought after by cyber criminals are those featuring admin privileges. Such accounts allow users to change system configurations, manage security controls, access files and add/remove programs: capabilities that could prove disastrous in the hands of a cybercriminal.
To minimize the risk associated with such accounts its best to host admin privileges in dedicated accounts featuring limited internet-connected features. That way, you’ll reduce the number of entry points available to hackers and decrease the possibility of a criminal compromising such an account.
If for reasons of practicality you find it necessary to give multiple users admin privileges, try to limit the number of accounts hosting such privileges to as few as possible – small businesses should have no more than 2 or 3 admin accounts.
Use Multi-factor authentication (MFA)
Multi-factor authentication requires users to submit 2 or more items of identifying information in order to gain access to a device or corporate resource. MFA has become more common in recent years, and is a particularly useful tool to verify the identities of individuals requiring remote access to resources.
The first item of identifying information is normally a password. This should be complex yet easy to remember, but hard to forget, and employees should be encouraged to change passwords periodically for further risk reduction.
The second item of identifying information could take various forms depending on the capabilities of the platform/device in question. It could include:
- Something inherent. This could include biometric data such as a fingerprint or face scan.
- Something in the user’s possession. This might involve the exchange of a code between the program and a device or account registered for verification purposes. A common example is the use of a verification code sent to the user’s smartphone by text message.
- Location or device data. Some MFA systems can be configured to prohibit access from unauthorized devices or locations.
Establish an Information security policy document
An information security policy document formalizes the protocols and practices to be followed by any employees interacting with your business’s IT systems. This document should feature provisions for all elements of information security, covering the likes of identities, remote access, BYOD policy, acceptable use, the sharing of corporate information with outside bodies and secure password management.
ISO 27000 provides an internationally recognized standard for the implementation of robust information security structures and supporting documentation. ISO 27001 even offers certification, allowing you to demonstrate your business’s commitment to information security best practice to external parties.
Perform periodic security audits of remote devices
In the modern workplace, employees often use a number of portable devices in addition to their office desktop to carry out their duties. Managing secure access to company resources through such devices can be challenging, but by establishing a few ground rules and auditing devices on a periodic basis you can ensure your sensitive data is not being mishandled or put at risk.
Begin by creating a “whitelist” of applications and services your team need access to. Then, audit remote work devices individually, ensuring unnecessary functionality and programs are deactivated or removed. This will potentially reduce the number of vulnerabilities available for hackers to exploit.
Then, optimize each device to enhance its security. Replace default passwords with more secure alternatives and deploy multi-factor authentication where available. Also, make use of screen lock features designed to lock devices following a certain number of incorrect login attempts. You should also disable features like “autorun” which execute files hosted on removable media automatically, as this feature could introduce malware to your devices or network completely unchallenged.
To make remote device governance less of a burden, consider using an MDM (mobile device management) platform such as Microsoft Intune. This will allow your IT team to remotely manage portable devices and configure them for maximum data security.
Third-party Cyber security awareness training
With the time pressures that accompany managing a business, it can be difficult to find the time to perform cyber security awareness training in-house. Thankfully, a huge number of third-party providers offer cyber security awareness training designed to give employees the ability to identify and take action against cyber threats with confidence.
Training providers often make educational material accessible via online portals, allowing you fit learning around your team’s work commitments, and affordable, subscription-based pricing means there’s usually little financial commitment required.
Exceptional managed IT with a strong cyber security focus
Here at Office Automation Technologies, we know that in can be tough balancing data security obligations with the daily challenges of running a business. Since 1994 we’ve been helping businesses across the Denver metro area meet their data security obligations in some of the most highly regulated sectors. Contact us today to find out how we could help your business thrive with technology that’s secure, stable and conducive to your business goals.