It was an honor to be recognized as number 8 in the cybersecurity Power 100 and many people have since asked me to share what I consider to be essential cybersecurity knowledge for all organizations.
I have assembled best practices from multiple industries, compliance and law enforcement organizations. These include FINRA, NIST, FCC and the FBI. I also took into account state regulations and guidelines from New York (NYCRR 500) and Connecticut (Cybersecurity Plan). These are many of the basics - please contact us if you have questions.
- Have a business continuity plan.
Plan for an outage – it could come in the form of a hack, weather, flood or service disruption of some kind. Eventually, all businesses will have to deal with such a problem.
- Keep computer operating systems and software patched!
This is the lowest hanging fruit of keeping a good cybersecurity culture, because these patches are often released to deal with known threats to Microsoft Windows, Adobe Flash and other software. Unfortunately, there are cases where one unpatched system caused billions of dollars in financial damage. There needs to be a formalized patching system in place.
- Understand that every person in an organization is a potential target.
All workers who have access to the internet, an email account or a corporate chat account are targets for hackers. They can click on a phishing email which is not specifically aimed at them, or on a spear phishing email which is tailored to their interests. One worker – that is all it takes to shut a business down – for hours, days or weeks. The City of Baltimore has been effectively shut down for weeks because one person clicked on something they should have ignored.
- Ensure social media accounts are private.
Be careful what employees share on Facebook, etc. This information can be used to craft messages which target users. Typically, they come in the form of phishing emails which can be used to hack a computer, network, bank account and steal identities. Sadly, due to leaks of mortgage, email and other information, it has become very simple to target almost all computer users.
- Regularly use a security awareness training solution.
Targeting humans with enticing but malicious messages has become very easy, so you must use a service to train users on how to avoid them. We use our own Phish360 to send fake phishing emails and train users who click. We have found our templates can be 90-95% effective in terms of getting users to click. It is at this point where the training takes place and they learn what to look for.
The best way is live, interactive classroom type education. There is NO substitute for this. Videos are often ignored and webinars may be as well.
Think of this as a network inspection. Hackers are continuously probing networks to get in. Organizations must do the same and lock the doors before a hacker goes through one.
Every network is complex and dynamic – changes in behavior, such as large file transfers outside of business hours to areas where you do not do business (for example eastern Europe or China), can be red flags and must be dealt with rapidly.
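The red flag described above (a large transfer, outside business hours, to a country where the organization does no business, or far above the host's usual volume) can be turned into a simple detection rule. The following is an added example, not code from the original post or from the author's company; the flow-record format, the addresses, the byte counts, the business countries and the thresholds are all constructed assumptions, and a real deployment would read these fields from firewall or NetFlow logs instead.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample of outbound flow records; the format (ISO timestamp followed by
# key=value fields) and every address, country and byte count here are made up.
SAMPLE_FLOWS = [
    "2019-05-13T10:12:03 src=10.0.4.21 dst=203.0.113.7 country=US bytes=24000000",
    "2019-05-13T11:40:10 src=10.0.4.21 dst=203.0.113.9 country=US bytes=31000000",
    "2019-05-13T14:05:42 src=10.0.4.21 dst=198.51.100.5 country=CA bytes=18000000",
    "2019-05-14T02:41:55 src=10.0.4.21 dst=192.0.2.44 country=RU bytes=3200000000",
    "2019-05-14T09:15:00 src=10.0.4.37 dst=203.0.113.7 country=US bytes=900000",
    "2019-05-14T23:05:12 src=10.0.4.37 dst=198.51.100.77 country=US bytes=4500000000",
    "2019-05-14T15:30:00 src=10.0.4.50 dst=192.0.2.90 country=CN bytes=120000",
]

BUSINESS_COUNTRIES = {"US", "CA"}          # assumed: where this organization does business
BUSINESS_HOURS = range(8, 18)              # assumed: 08:00-17:59 local time
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # assumed absolute threshold: 500 MiB
BASELINE_MULTIPLIER = 10                   # assumed: flag a host moving 10x its usual volume


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    country: str
    size: int


def parse_flow(line):
    """Parse one constructed flow record into a Flow."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Flow(datetime.fromisoformat(ts_text), kv["src"], kv["dst"],
                kv["country"], int(kv["bytes"]))


def host_baselines(flows):
    """Median bytes per source host: the 'normal behavior' each flow is compared against."""
    per_host = {}
    for f in flows:
        per_host.setdefault(f.src, []).append(f.size)
    return {src: median(sizes) for src, sizes in per_host.items()}


def flag_flow(flow, baseline):
    """Return the list of reasons a single flow looks suspicious (empty if none)."""
    reasons = []
    if flow.ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if flow.country not in BUSINESS_COUNTRIES:
        reasons.append(f"destination country {flow.country} is not a business location")
    if flow.size >= LARGE_TRANSFER_BYTES:
        reasons.append("large transfer")
    if baseline and flow.size >= BASELINE_MULTIPLIER * baseline:
        reasons.append(f"{flow.size / baseline:.0f}x the host's median volume")
    return reasons


def detect(lines):
    """Return (src, timestamp, reasons) for flows that are both big and out of context.

    Size alone is not an alert (backups are large too); the transfer must also be
    odd in time or destination. Context alone is not an alert either (a small
    request to an unusual country is noise), which keeps the rule low-volume.
    """
    flows = [parse_flow(line) for line in lines]
    baselines = host_baselines(flows)
    alerts = []
    for f in flows:
        reasons = flag_flow(f, baselines.get(f.src))
        size_reasons = [r for r in reasons if "large" in r or "median" in r]
        context_reasons = [r for r in reasons if r not in size_reasons]
        if size_reasons and context_reasons:
            alerts.append((f.src, f.ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for src, when, why in detect(SAMPLE_FLOWS):
        print(f"{when} {src}: {'; '.join(why)}")
```

On the constructed sample this raises two alerts: the 02:41 transfer of 3.2 GB to a Russian address (after hours, unexpected country, and over 100x that host's median) and the 23:05 transfer of 4.5 GB to a US address (after hours and above the absolute size threshold). The 15:30 request to a Chinese address is small and is not raised, which is the trade-off the rule makes against alert noise; tune the thresholds and business countries to the organization.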
Hackers are constantly probing the entire internet, looking for companies who have misconfigured firewalls and other equipment. Without testing yourself – best done by an outside firm – the hackers are likely to exploit any problems before they can be resolved.
- Hire the best IT services/cybersecurity company you can find.
There are huge differences among managed service providers (MSPs) and managed security service providers (MSSPs) in how they manage, train their teams and protect customers. Even if you have internal IT and cybersecurity staff, outside experts who consult are exposed to new best practices continually. They typically have so many customers that they see new threats earlier than any single company can.
- Know your cyber insurance situation.
It is important to understand whether your general liability policy covers cybersecurity, and it is also important to know about a few trends in the market. More attacks are coming from nations such as Iran, Russia, China and North Korea. In one large case, NotPetya, which caused more than $11 billion in damage, the insurance company classified the attack as an act of war and refused to pay. This came after Mondelez said it had been hit twice by NotPetya, with 1,700 of its servers and 24,000 laptops rendered “permanently dysfunctional”. In other cases, insurance policies pay out far lower amounts for social engineering attacks, catching companies off guard.
- Cybersecurity is a cultural issue.
The entire organization must understand that they are part of the solution to preventing hackers from getting into a company’s network and shutting it down or stealing information. Without teamwork, there will be holes which could be exploited by an attacker.