If you are a decision-maker, you might consider this article a checklist for the safety of your data and your business. These 10 simple practices can be your organization’s lifeline in an era of increasingly sophisticated technology.
A strong password policy
- Multifactor authentication; add extra layers of security on top of passwords, so that even when cybercriminals obtain a password they still face a second or third authentication factor
- Password management; control who gets privileged access to sensitive data, when and for how long, and revoke that access when it is no longer necessary. Simplify password management for your employees, and encourage them not to share the credentials for their devices for the sake of convenience
- Changing passwords regularly; encourage employees to change their passwords regularly, which reduces the chance that a password obtained by cybercriminals remains useful to them
- Create strong passwords; use a combination of uppercase and lowercase letters, numbers and symbols. Prefer long, memorable phrases over short strings of random characters for added security, and use mnemonics to remember these long-phrase passwords
- Use a different password for each individual account
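As an added example that is not part of the original article, here is a small Python policy checker implementing the rules above: the length and character-class requirements (the thresholds are assumed, since the article gives no numbers) and a reuse check for the one-password-per-account rule, run over a constructed sample vault.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Assumed threshold: the checklist gives no numbers, so 14 is an illustrative choice.
MIN_LENGTH = 14  # long memorable phrases clear this easily; short random strings do not

def check_password(pw: str) -> list[str]:
    """Return the policy rules this password violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    return problems

def find_reuse(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each password shared by two or more accounts to the accounts sharing it."""
    # Run this where plaintext is legitimately available (a password manager vault or
    # the moment a user sets a password), never against a server-side credential store.
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, pw in accounts.items():
        by_password[pw].append(account)
    return {pw: accs for pw, accs in by_password.items() if len(accs) > 1}

def audit_vault(vault: dict[str, str]) -> dict[str, list[str]]:
    """Per-account findings: rule violations plus any reuse with other accounts."""
    reuse = find_reuse(vault)
    findings = {}
    for account, pw in vault.items():
        problems = check_password(pw)
        if pw in reuse:
            problems.append("reused for " + ", ".join(a for a in reuse[pw] if a != account))
        if problems:
            findings[account] = problems
    return findings

# Constructed sample vault for the demonstration.
SAMPLE_VAULT = {
    "email": "Correct-Horse-Battery-Staple-42",
    "bank": "Correct-Horse-Battery-Staple-42",   # reused: violates one password per account
    "vpn": "Tr0ub4dor&3",                        # short random string: fails the length rule
}
```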
Use secure network connections only
Your business Wi-Fi network should be private, encrypted and hidden. Use Virtual Private Networks (VPNs) for remote access or when outside the business premises.
Install firewall protection for your networks
This is the first line of defense for your business or home network and helps prevent hackers from gaining access to your websites and other platforms.
Always install software updates
We have all ignored a software update once or twice; they can be annoying. Cyberattacks have also grown more sophisticated, with viruses and malware disguised as legitimate software updates, which has made users wary of accepting updates at all. Confirm that an update genuinely comes from your service provider before accepting the installation. A study by the World Economic Forum showed that 4 new samples of malware are created every day. Updates are designed to stay ahead of these new malware variants.
Invest in security systems
Establish both physical and virtual security systems within your business. If you have an on-premises data center or specific locations where sensitive data is kept, limit and monitor access to those locations using security cameras and biometrics. Outsource to data security service providers such as ourselves to protect the common attack vectors, such as email.
Enforce third party controls
This simply means limiting access to sensitive or confidential data. It can be achieved through:
- Privileged access management; monitoring who has access to privileged information and for how long, and ensuring access is revoked when no longer necessary, may be time-consuming, but you will be thankful for it at the end of the day
- Principle of least privilege; this principle simply states that new employees are given the lowest level of access to information necessary for their role. That access can be escalated over time where necessary.
- Zero trust security model; this policy is more restrictive than the principle of least privilege in that it requires that only employees who have first been verified are allowed access to privileged accounts or information
- Monitoring third-party access; this can be achieved through behavioral biometrics, where the way users interact with input devices in your business is constantly monitored by your security team. Even without this pricey solution, it is still possible to monitor third parties accessing your data on a day-to-day basis
- Acceptable electronic use policy / bring your own device (BYOD) policy; this policy regulates the use of mobile devices, wearables such as smartwatches or Fitbits, and other Internet of Things (IoT) devices within the organization. Cybercriminals today can hack smart devices in an attempt to reach more valuable data in your business and in your home.
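An added example (not from the original article) modelling the privileged access management and least privilege points above in Python: a deny-by-default registry where every grant has a duration, access checks fail once the window has passed, and a periodic review revokes expired grants while keeping an audit trail. The `AccessRegistry` model and the contractor scenario are constructed for illustration and are not a product API.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    """One time-bound privileged access grant (hypothetical model, not a product API)."""
    user: str
    resource: str
    granted_at: datetime
    duration: timedelta
    revoked: bool = False
    def active(self, now: datetime) -> bool:
        return not self.revoked and now < self.granted_at + self.duration

class AccessRegistry:
    """Deny by default: access exists only while an unexpired, unrevoked grant does."""
    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.log: list[str] = []  # audit trail: every allow, deny and revocation

    def grant(self, user: str, resource: str, duration: timedelta, now: datetime) -> Grant:
        g = Grant(user, resource, now, duration)
        self.grants.append(g)
        return g

    def check(self, user: str, resource: str, now: datetime) -> bool:
        # Least privilege: no matching active grant means no access, whoever asks.
        allowed = any(g.user == user and g.resource == resource and g.active(now) for g in self.grants)
        self.log.append(f"{now.isoformat()} {'ALLOW' if allowed else 'DENY'} {user} -> {resource}")
        return allowed

    def review(self, now: datetime) -> list[Grant]:
        # Periodic access review: revoke every grant whose window has passed.
        expired = [g for g in self.grants if not g.revoked and not g.active(now)]
        for g in expired:
            g.revoked = True
            self.log.append(f"{now.isoformat()} REVOKE {g.user} -> {g.resource} (expired)")
        return expired

def simulate() -> dict:
    # Constructed scenario: a contractor gets four hours on the payroll database.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    reg = AccessRegistry()
    reg.grant("contractor", "payroll-db", timedelta(hours=4), t0)
    return {
        "in_window": reg.check("contractor", "payroll-db", t0 + timedelta(hours=1)),
        "other_resource": reg.check("contractor", "hr-files", t0 + timedelta(hours=1)),
        "after_window": reg.check("contractor", "payroll-db", t0 + timedelta(hours=5)),
        "revoked": [g.user for g in reg.review(t0 + timedelta(hours=5))],
        "log": reg.log,
    }
```

The log entries are what a reviewer would read during a periodic access review: a DENY for a resource that was never granted and a REVOKE once the window lapses.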
Promote cybersecurity awareness and culture among employees
- Education and training
You may be wondering why even IT professionals require continuous training and education. It is because cyberattacks are evolving just as fast as, if not faster than, antivirus and antimalware software. Your employees must be kept informed to avoid falling for the now common, less obvious forms of cyberattack such as phishing. IT professionals must constantly evolve too, as much of the malware present today is antivirus-resistant, to say the least.
- Promoting cybersecurity as a culture
When something becomes part of the culture, employees become proactive and do it voluntarily rather than out of obligation. Employees who are aware of and trained in cybersecurity best practices will become vigilant and will willingly report incidents, even if they turn out to be false positives. Better safe than sorry, right?
- Procedures for incident reporting
These procedures should be simple and well known to every member of the organization. They should encourage employees to immediately report incidents by prioritizing the integrity of your business over the consequences of their mistakes.
- Open discussions
Have open discussions with employees about cybersecurity. This creates a safe space for them to raise challenges or other issues early, which can save you millions in the long run. Your employees can turn from your business’ weakest link in data security into your first line of defense.
Conduct periodic risk assessments
Employing a risk-based approach to your data’s security treats your data as an asset and identifies viable threats before they materialize. It also tests the strength of the measures put in place to mitigate those threats and allows you to make adjustments where necessary.
Conduct regular data backup
Having a backup system or solution is integral to data safety in case of a breach. No business is invincible, especially where natural disasters are involved. Employ the best solution for your business, whether backup hard drives, NAS devices, cloud data backup or disaster recovery from a trusted service provider. Have a solid business continuity plan in place and be prepared for worst-case scenarios.
Compliance with state laws and regulations
One example is the General Data Protection Regulation (GDPR), a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA. Kenyan record-keeping and management policies likewise mandate that businesses keep long-term storage of business emails, that is, archiving. Compliance with such legislation will save your business legal action, loss of data and even revenue in the long run.
So out of 10, what did your organization score? 10? 9? 5 maybe? Whatever the score, it is never too late to do things differently! The security of your data lies in your hands, your employees’ and your service providers’.