Cyber Security Advice For Your Business:
Super Bowl 50 is over and with it the 2015 football season. I can’t help but see some parallels between defending your business from cyber criminals and good defense in football. In general both types of defense are made up of parts that must work together to deliver an excellent result. A defense that is composed of one really strong part and 6-10 weak parts will not give you the desired results. It really does require multiple best-in-class components operating together as one cohesive unit to deliver superior results.
So that this explanation won’t seem overly complex, I’m going to give you the highlights of the seven things that I believe are critical for your business to have a great defense against cyber criminals. None of these are complex and you may be surprised at how basic they are.
First on my list is installation of patches and updates on all endpoint devices on a weekly basis. When I say endpoint I mean any device that connects to your network: smart phones, tablets, laptops, PCs, etc. These devices should be receiving software patches and updates on a weekly basis, and some person or some method must be in place to confirm that this is happening consistently. You don’t want to assume, because we know what that can make us look like.
Number two is having up-to-date anti-malware software on all endpoints. When I say anti-malware I’m referring to antivirus, which typically includes the ability to discover all types of malware. I feel confident you already have this kind of product in place. The more important questions are: are you monitoring and managing it? Do you know that it is up-to-date on all your devices? Are the signatures less than three days old?
Third on my list is complex passwords that change regularly. How frequently these change is up to you unless you are in an industry regulated by an external governing body. In most small businesses the frequency is really more about preference and convenience, so I would suggest that for a small business a semiannual password change is frequent enough. However, I would force additional changes whenever a key person leaves, regardless of the reason. Additional policies that I would recommend are: preventing USB drives from automatically being recognized when plugged in, forcing pass codes on all mobile devices, automatically locking a user account for 10 minutes after 3 failed password attempts, and wiping smart phones or tablets after 10 failed logins.
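The first three items above (weekly patching, signatures under three days old, and the 3-attempts/10-minute lockout plus disabled USB AutoRun) are all things you can verify rather than assume. The script below is an added example, not part of the original article; it assumes a Windows endpoint with Microsoft Defender, run from an elevated PowerShell session, and reports only the items that fall outside the thresholds stated above.

```powershell
# Added endpoint audit (assumption: Windows with Microsoft Defender, elevated session).
# Each check mirrors one of the article's thresholds; mobile-device wipe after 10
# failed logins is enforced by your MDM, not on the PC, so it is not checked here.
$findings = @()

# 1. Patching: most recent update installed within the last 7 days.
#    Get-HotFix only lists updates recorded in Win32_QuickFixEngineering.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-7)) {
    $findings += "Patching: no update installed in the last 7 days (last: $($lastPatch.InstalledOn))"
}

# 2. Anti-malware: engine enabled and signatures less than three days old.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or $mp.AntivirusSignatureAge -ge 3) {
    $findings += "Anti-malware: AV disabled or signatures $($mp.AntivirusSignatureAge) days old (limit 3)"
}

# 3. Account lockout: at most 3 failed attempts, locked for at least 10 minutes.
#    Read from the local policy as printed by 'net accounts'.
$acct      = net accounts
$threshold = ($acct | Select-String 'Lockout threshold:\s+(\S+)').Matches[0].Groups[1].Value
$duration  = ($acct | Select-String 'Lockout duration \(minutes\):\s+(\S+)').Matches[0].Groups[1].Value
if ($threshold -eq 'Never' -or [int]$threshold -gt 3 -or $duration -eq 'Never' -or [int]$duration -lt 10) {
    $findings += "Lockout: threshold=$threshold duration=$duration (want <=3 attempts, >=10 minutes)"
}

# 4. USB/removable media: AutoRun disabled for every drive type (NoDriveTypeAutoRun = 0xFF).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if (-not $autorun -or $autorun.NoDriveTypeAutoRun -ne 255) {
    $findings += "AutoRun: NoDriveTypeAutoRun is not 0xFF, so AutoRun is still allowed on some drive types"
}

if ($findings.Count -eq 0) { "All checks passed" } else { $findings }
```

Scheduling this weekly and keeping the output is the "some person or some method" the article asks for; a non-empty result is your signal that a device needs attention.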
Fourth would be a current model firewall with deep packet inspection. Firewalls tend to age much like personal computers and really should be replaced on about a five-year cycle. Processor speeds, RAM and sophistication of software change rapidly so if your firewall is more than five years old you’re not taking advantage of all the advances that have been introduced.
Fifth on my list is content filtering of Internet traffic. This means not allowing your employees to go anywhere and everywhere on the Internet. This doesn’t need to be incredibly strict but if you were to ask an HR consultant they would tell you that blocking obvious non-business websites protects you from lawsuits as well as helps to improve employee productivity.
Sixth on my list is a management approved plan of action for BYOD. BYOD stands for bring your own device and there needs to be clear written policies around employees using their own devices on your network. Having clear written and signed policies means that when you have a problem or breach everybody understands what the steps are to rectify the problem.
Last but certainly not least is employee training. You need to train your staff to be skeptical of all requests for sensitive information, regardless of where they come from. Gartner Group, a research organization, indicates that 97% of corporate breaches occur through the human element, not lapses in technology. Training and educating your employees is a critical component of your cyber security plan.
To sum up: train your people to be skeptical of all requests for sensitive information, keep your workstations patched and updated, keep your anti-malware software up to date, set network policies via software so that USB drives won’t be automatically recognized, require secure passwords that are changed regularly, erase smart devices that have more than 10 failed logins in a row, confirm that your firewall is less than five years old, implement content filtering of Internet traffic, and finally write up an approved plan of action for BYOD and a plan of action if an intrusion is detected. No cybersecurity plan is impregnable; if the bad guys can break into the US Department of Defense they can certainly break into your network. Your job is to make your network less attractive than 90% of the other networks out there and thereby redirect the bad guys to someone else.