1. Make your team aware of the risks – they are your human firewall. It is imperative to understand certain basics, and to train others as well. People should know to avoid cyber-risky behaviour–such as opening attachments and clicking on links found in unexpected email messages, downloading music or videos from rogue websites, or buying products from unknown stores with “too good to be true” prices and no physical-contact information. However, don’t rely on training as a sole line of defense against such a fast moving threat landscape.
2. Don’t give everyone the keys to the castle. If an employee goes rogue–or if a hacker breaches the security of a single person–you want to contain the damage. Give people access to the computer systems and data that they need in order to do their jobs, but not to everything else. The same goes for family members and home computers.
3. Backup and Backup often. Backup often enough that if something went wrong you will not panic about lost data if you need to restore from a backup. Do not keep backups attached to production networks–if malware (e.g., ransomware) gets into the network it could corrupt the backups as well. It is best to have offsite backups as well as onsite.
4. Encrypt sensitive data. Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, err on the side of caution and encrypt.
5. Use a proper password policy. Conventional wisdom is to require complex passwords for all systems–but that leads to people writing down passwords or reusing them; instead consider other strategies such as asking people to select combinations of words, numbers, and proper names (e.g., “twoburgers2gow1thfries”). For extremely sensitive systems, consider stronger forms of authentication such as multi-factor authentication.
6. Devise, implement, and enforce social media policies. Inappropriate social media posts can cause many problems–such as leaking sensitive information, violating compliance rules, and assisting criminals to carry out attacks.
7. Bring Your Own Devices. If people are allowed to use personal devices for work-related activities, make sure there is adequate security installed on those devices. As with social media, do not rely on policies–enforce them with technology. Portable devices should have software optimized for mobile systems and should have remote wipe capabilities (and do not forget to enable the remote wipe!).
8. Stay ahead of hackers and hire a pro. If possible, hire an information-security professional to assist with designing and implementing your approach to cybersecurity. The cost of professional advice may pay for itself many times over in terms of time, money, and aggravation saved down the road. Hackers and other criminals leverage technical expertise–don’t be at a disadvantage against them.
9. If you do nothing else, remember ‘Catch, Patch, Match’. These are three proactive actions every organization can do to reduce the risk of a cyber intrusion.
Catch malicious software before it has a chance to be a problem. All computer devices (laptops, tablets, mobile phones etc.) that you use to access sensitive information (or that will be attached to network with other devices that do) need security software. There are several popular, inexpensive packages that include anti-virus, firewall, anti-spam, and other beneficial technologies.
Patch all your web applications with updates promptly- your operating system too. Do it now, intruders can take advantage of vulnerabilities in software.
Match the right risk behaviours e.g. manage carefully which people you give access to passwords to. Passwords in an intruder’s hands, can spell disaster. passwords.
10. Finally, consider Cyber insurance. As the likelihood of a cyber incident increase and the expense of dealing with a breach gets higher, the value of transferring the risk to an insurer makes increasing sense in much the same way that existing business insurance policies for fire, flood and theft are a vital itinerary in the risk management toolkit. Getting the right broker is important. A good specialist broker will save you time in determining what is right for your business.