For a business owner, IT and cybersecurity can be a challenge. While technology is mainstream in today's business climate, most small businesses do not treat IT or cybersecurity as a business priority. LSBDC helps small businesses plan and prepare so that cybersecurity becomes an asset rather than a liability. Below are some best practices for business owners that can make cybersecurity operations manageable.
Best Practices for IT & Cybersecurity
1. End-user training
It’s important to provide regular training to your employees on current cybersecurity threats, so they can be more aware as they work. Important topics include phishing, password security, device security, and the physical security of devices.
Employees need to know what a potential breach looks like, how to protect confidential data, and why strong passwords matter.
It’s recommended to hold organized workshops for your staff at least once every six months.
2. OS and Application patches and updates:
The single most important, and simplest, action you can take is keeping your computers’ applications and operating systems up to date with the latest security patches. If your computers are still running Windows XP, Windows 7, or Windows 8, you are at risk: Microsoft stopped supporting Windows XP and Windows 8 long ago and no longer provides security updates for them, and Windows 7 reached the same end of support in January 2020. If you do nothing else, at least move your systems to supported versions and apply the latest security patches.
3. Antivirus updates:
Simply having an antivirus application is not enough; it must be updated with signatures for the newest viruses and other malware. This usually requires a subscription. If your subscription has lapsed, renew it today and make sure your antivirus software downloads updates automatically.
4. Strong password policy:
Make sure all your passwords are changed from their defaults and are not easy to guess (“password,” “admin,” and “1234” are poor choices), and that no password is reused across accounts. Where possible, implement multi-factor authentication (MFA), so that a stolen password alone is not enough to log in.
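A password-policy check that enforces the points above, as an added example (this is not LSBDC code or any product's policy engine). It follows the approach NIST SP 800-63B recommends: a minimum length and a blocklist of common and default passwords rather than character-class rules, plus rejection of passwords built from the user's login or the company name and of runs like "1234" or "aaaa". The blocklist, the leetspeak table, and the sample user and company names are constructed for the example; a real deployment would load a breached-password list.

```python
"""Password-policy check for a proposed password (added example, not LSBDC code)."""

MIN_LENGTH = 12

# Constructed blocklist for the example; production systems load a large breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "admin", "admin123", "1234", "12345678",
    "qwerty", "letmein", "welcome", "changeme", "default",
}

# Substitutions attackers already try, so "P@ssw0rd" must be treated as "password".
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "l", "|": "l"})


def normalize(pw):
    """Lower-case, undo leetspeak substitutions and drop punctuation for blocklist matching."""
    return "".join(c for c in pw.lower().translate(LEET) if c.isalnum())


def has_sequence(pw, run=4):
    """True if pw contains `run` repeated (aaaa), ascending (abcd, 1234) or descending (4321) characters."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, username="", company=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    norm = normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Exact blocklist hit, or a longer blocklisted word embedded in the password ("password2024").
    if norm in COMMON_PASSWORDS or any(w in norm for w in COMMON_PASSWORDS if len(w) >= 6):
        problems.append("in the common/default password blocklist")
    # Passwords built from the login name or the company name are the first things guessed.
    for label, value in (("username", username), ("company name", company)):
        needle = normalize(value)
        if needle and needle in norm:
            problems.append(f"contains the {label}")
    if has_sequence(pw):
        problems.append("contains a run of repeated or sequential characters")
    return problems


if __name__ == "__main__":
    # Sample candidates; "jsmith" and "Acme Bakery" are assumed names for the example.
    for candidate in ("password", "P@ssw0rd123!", "AcmeBakery2024!!", "correct horse battery staple"):
        verdict = check_password(candidate, username="jsmith", company="Acme Bakery")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The normalization step is what makes the blocklist useful: without it, "P@ssw0rd123!" passes a naive exact-match check even though it is one of the first guesses in any password-cracking wordlist. Note that this check only covers the password itself; MFA still has to be enabled on the account.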
5. Access control measures:
Data access should be limited to the specific users who need it for their job. Unrestricted access leads to damaging consequences, such as the accidental or deliberate release of sensitive data. Keep systems that hold highly sensitive data under separate, tighter protection, and review regularly who has access to them.
6. Minimize administrative access:
Most users should not have administrative access to computers, networks, or applications. Limiting this access prevents users (and any malware running under their account) from installing software or turning off security controls. Give employees standard user accounts for daily work, and reserve administrator (superuser) accounts for the few people whose role requires them.
7. Network segmentation and segregation:
Your organization should have a network segmentation and segregation strategy in place to limit the impact of an intrusion. It will ensure that the most sensitive and confidential data is not accessed
8. Device security:
Implement disk encryption and remote-wipe capability on all company devices so that the data on them is unreadable if they are lost or stolen. Establish a strong, sensible policy regarding the use of personal devices for work (known as “bring your own device,” or BYOD).
9. Protect mobile devices:
Company-owned and personal mobile devices should be protected with strong screen locks or biometric authentication as well as remote-wipe capability. Establish and enforce no-nonsense organizational policies around the use of mobile devices.
10. Secure communications:
Set up email encryption in your email applications and train your staff on how to use it. Never send sensitive data by unencrypted email, and avoid using devices outside the company’s control for email.
11. Strong IT policies:
These policies define how company IT assets can be used and what constitutes inappropriate use.
12. Staff training on cybersecurity awareness and policies:
Humans are the weakest link in any security scheme. Keep your staff vigilant with periodic training on your IT policies as well as on how to spot cyber threats such as phishing.
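The phishing indicators that the training in items 1 and 12 teaches staff to recognize can also be checked mechanically. The script below is an added example (not LSBDC code or any mail product's filter): it parses a raw message with Python's standard-library email package and reports a display name that claims an organisation the sender address does not belong to, a look-alike sender domain, a Reply-To that goes somewhere else, urgency language in the subject, and links whose visible text names one site while the href points to another. TRUSTED_DOMAINS and both sample messages are constructed for the example.

```python
"""Flag common phishing indicators in a raw email message (added example, not LSBDC code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for the example: domains whose names we expect attackers to imitate.
TRUSTED_DOMAINS = ("example-bank.com", "lsbdc.org")

URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_DOMAIN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(address):
    return address.rpartition("@")[2].lower()


def looks_like(domain, trusted):
    """True if domain imitates trusted: digit-for-letter swaps, 'rn' for 'm', or the trusted name with extra labels."""
    if domain == trusted:
        return False

    def fold(d):
        return d.replace("rn", "m").translate(LOOKALIKE)

    org = trusted.split(".")[0]
    return fold(domain) == fold(trusted) or (org in domain and not domain.endswith("." + trusted))


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts; walk() also handles single-part messages."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw message text."""
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    for trusted in TRUSTED_DOMAINS:
        org = trusted.split(".")[0].replace("-", " ")
        if org in name.lower() and from_dom != trusted and not from_dom.endswith("." + trusted):
            found.append(f"display name claims {org!r} but the address is at {from_dom}")
        if looks_like(from_dom, trusted):
            found.append(f"sender domain {from_dom} imitates {trusted}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        found.append(f"Reply-To goes to {domain_of(reply)}, not {from_dom}")
    if URGENCY.search(msg.get("Subject", "")):
        found.append("urgency language in the subject")
    for href, text in ANCHOR.findall(body_text(msg)):
        target = (urlparse(href).hostname or "").lower()
        shown = SHOWN_DOMAIN.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(0).lower() != target:
            found.append(f"link text shows {shown.group(0)} but points to {target}")
    return found


def verdict(raw, threshold=2):
    """Two or more indicators together is a strong signal; a single one still merits a second look."""
    n = len(phishing_indicators(raw))
    return "suspicious" if n >= threshold else ("review" if n else "ok")


# Constructed sample messages (not real mail). PHISH shows every indicator; LEGIT shows none.
PHISH = "\n".join([
    'From: "Example Bank Security" <alerts@examp1e-bank.com>',
    "Reply-To: recover@mail-recovery.net",
    "To: owner@lsbdc.org",
    "Subject: URGENT: your account will be suspended within 24 hours",
    "Content-Type: text/html",
    "",
    '<html><body>Please <a href="http://198.51.100.7/login">https://example-bank.com/login</a>'
    " to verify your details.</body></html>",
])
LEGIT = "\n".join([
    'From: "Example Bank" <statements@example-bank.com>',
    "To: owner@lsbdc.org",
    "Subject: Your monthly statement is ready",
    "Content-Type: text/plain",
    "",
    "Your statement is available at https://example-bank.com/statements after you sign in.",
])

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, verdict(raw), phishing_indicators(raw))
```

The link check is the one worth showing staff in a workshop: the text of the link reads as the bank's address, while the actual destination is an IP address. No single indicator is proof on its own (legitimate bulk mail often has a different Reply-To, for instance), which is why the verdict counts them rather than reacting to the first hit.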
13. Properly configured layered security:
Layered security means combining several controls that protect at different levels, so that if one fails or is bypassed another still stands in the way. It’s essential for your organization to use some form of layered security; a firewall on its own only protects against attacks that cross the network boundary.
As a best practice, have anti-virus/anti-malware software on every computer, a firewall at the network edge, and an intrusion prevention system (IPS) that inspects the traffic the firewall lets through.
Implementing layered security correctly can be tricky, and it’s best to engage an expert before deployment.
14. Internal and External Vulnerability Scans:
It’s recommended to run internal and external vulnerability scans at least once a quarter to look for weaknesses in your systems. A vulnerability scanner is a program that probes hosts and network services and compares what it finds against a database of known flaws and misconfigurations.
An internal scan, run from inside your network, finds unpatched software, weak configurations, and unnecessary services on workstations and servers. An external scan, run from the internet, shows what an attacker sees of your perimeter, such as open ports and exposed or outdated services, and confirms that your network segmentation and segregation actually keep internal systems out of reach.
15. Data backups:
Regularly backing up your data to a secure, encrypted, off-site location can aid in recovery from a cyberattack such as ransomware, as well as from human error and natural disasters. Test restoring from a backup periodically; a backup that has never been restored is not known to work. Backups are also essential for compliance with certain government regulations.
16. Cyberattack response planning:
A cybersecurity breach response plan is a regulatory requirement in several industries. More importantly, it lays out a clear path for containing the damage from a successful cyberattack and getting your systems back up and running as quickly as possible: who to call, what to isolate, and what to restore first. Defined escalation levels also satisfy auditor and regulatory requirements.
17. Cybersecurity insurance:
This is a prudent investment to cover financial losses in the event of a cyberattack.
18. Keep your hardware and software up-to-date:
Servers and workstations need to stay patched, the firewall needs the latest firmware, and software needs the latest bug fixes. If you fall behind on updates, the system becomes vulnerable to both performance and security issues. Mind your warranties and support subscriptions, too – letting them lapse will only increase your risk of prolonged downtime.
19. The more “standard” your environment, the better:
Complexity in your technology environment – at both the hardware and software level – will make support more difficult, and possibly more expensive. It could also make your team less productive; if everyone has the same products, they’re able to learn from each other and use the tools more effectively.
20. Keep your office culture in mind, too:
When it comes to choosing your equipment and software packages, consider how they will uphold your company’s culture. Does your team have a flexible work environment, which you can support by providing laptops or tablets to your staff? Does your core communication tool need to support silly off-topic banter, or does it need to be more restrictive?
Do you suspect you or your small business have been the victim of a cybercrime?
Here’s who you need to contact right now:
- Mail Fraud/Mail Theft: U.S. Postal Inspection Service 1-877-876-2455
- Business E-Mail Compromise: www.ic3.gov
- Counterfeit Currency/Credit Card Scams: U.S. Secret Service 504-841-3260
- Computer Intrusion (> $5000 loss): www.FBI.gov/tips or 1-800-CALL-FBI
- E-Mail Scam (no $ loss): www.ic3.gov
- E-Mail Scam (> $5000 loss): www.FBI.gov/tips or 1-800-CALL-FBI
- E-Mail Scam (< $5000 loss): www.ic3.gov & Call Louisiana State Police Fusion Center 800-434-8007
- Espionage Tips: www.FBI.gov/tips or 1-800-CALL-FBI
- Imminent Threat or Crime in Progress: 911
- Identity Theft/Fraud/Scams: www.IDTheftCenter.org or 1-888-400-5530
- Telephone Scams: www.FTC.gov
- Proliferation/Sanction Violations: www.FBI.gov/tips or 1-800-CALL-FBI
- Terrorism Tips: Homeland Security Investigations 866-347-2423 or www.FBI.gov/tips
- PROTECTING LOUISIANA WWW.INFRAGARD-LA.ORG