The risks and disastrous consequences of cyberattacks are all too clear. Furthermore, untangling the aftermath of a cyberattack can be expensive, stressful and time-consuming. For these reasons, no business, big or small, can risk treating cybersecurity as a secondary issue. While each company’s needs may be unique to its specific business operations, the following are just a few straightforward suggestions that business owners and leaders should consider:
1. Train employees. Not surprisingly, employee negligence is one of the easiest ways—if not the easiest way—for a hacker to gain entry into your company’s network. Accordingly, it is imperative that you instill in employees the importance of cybersecurity and why your company’s policies deserve more than mere lip service. This requires continued employee training (not just once a year) as well as a consistent review and update of company policies and procedures regarding employees’ use of IT resources. With a significant number of employees still working remotely (and likely for the foreseeable future), the importance of establishing basic security practices and policies for employees and enforcing those policies cannot be overstated.
2. Cull through your vendors. Keeping with the theme of guarding against human error, you should consider limiting the number of vendors your company uses, especially vendors who have virtual access to your IT networks or even physical access to office areas or business information. Each vendor is, itself, dealing with its own cybersecurity challenges, and you hope they are training their own employees with the same rigor as suggested above. Nonetheless, every vendor you engage with virtually, or that has access to your network, increases the pool of potential security vulnerabilities that put your company at risk.
3. Limit external devices. Most people routinely rely on mobile devices, tablets and laptops throughout the day, not just for work, but also for entertainment and social interaction. Each of those devices is susceptible to the perils of the internet, and not all devices are secured equally. Consider your risk tolerance with permitting employees to log into the company’s network with their personal devices and establish a policy (and follow it) on what is permitted and what level of oversight from the company’s IT department is required to ensure employee devices are not introducing malware onto your systems.
4. Passwords. Require employees to have strong passwords and update them periodically (perhaps every three months). Equally important, passwords should not be reused across multiple accounts. The longer the password, the better. Eight characters really is the bare minimum, so consider 20 characters or even a sentence-long password. There are enough song lyrics and movie lines to pick from, and this should be an easy lift for employees. In addition, you can require as many numbers and special characters as you determine necessary to further increase password security.
5. Prepare an incident response plan. While preventing a cyberattack is a critical strategy, nothing is foolproof and, thus, knowing how to respond if and when you are attacked is equally important. Develop an incident response plan, outlining the various steps, chain of command, and outside resources that will be necessary. Developing the plan, however, is not enough, as your reaction time during a cyberattack is critical to mitigating damage and keeping business operations running as close to normal as possible. You must trigger the plan and test it periodically. As part of those tests, you may want to consider running “what if” scenarios to identify areas of the response plan that can be improved. A plan is just another dusty three-ring binder if it cannot produce results when needed, so take the time to make sure it serves its purpose.
6. Backups and disaster recovery. As part of the incident response plan, make sure there are mechanisms in place to quickly restore data and promptly continue business operations in the event of a security event or data loss. Disaster recovery and business continuity plans cannot just be buzzwords given lip service by vendors and companies alike. Having a plan, however, is not enough; you need to test it periodically as well.
7. Virtual private networks (VPNs). VPNs are not anything new, but they really are essential now, given the increase in the number of employees working remotely due to the Coronavirus disease (COVID-19). For quite some time now, many people have worked either from home or while traveling. But if you are not providing employees with a VPN to do so, then you should consider simply keeping them off your network when they are not in the office. VPNs encrypt data being sent between your network and remote workers. Thus, if any traffic is intercepted, all the hacker will get is encrypted data rather than the crown jewels they are after. By now, we should all know that not all Wi-Fi access points are secured equally (or sometimes even at all). Home Wi-Fi networks may not be any better than the free airport Wi-Fi if homeowners are not properly securing and updating their routers. Giving employees a secure tunnel into your company’s network may be some of the lowest-hanging fruit to pick.
It may seem like employees are getting blamed for everything in this list, but human nature gives way to human error. Anything you can do to help your employees protect your company is the key takeaway here, but don’t stop at just checking the aforementioned boxes. The foregoing suggestions are just the minimum of what to do to help avoid, prepare for and mitigate a cyberattack. A good cyber consultant will help identify other areas on which to focus your efforts, such as installing firewalls, antivirus software and vulnerability scanning tools, as well as establishing a software update protocol. Unfortunately, it is not a matter of whether or not your company will be a target of a cyberattack, but rather when it will be the target. Taking the time now to plan for the worst-case scenario is worth it, and while it may not guarantee you full protection, it will hopefully help mitigate any damage that you otherwise could incur—not to mention potentially lost revenues.