Simple steps to harden your company
Last updated Friday, August 17, 2018
Because cyber attacks come in many shapes and sizes, it's important to try to cover all the bases when defending against them. You’re only as strong as your weakest defense.
Things you can (and should) be doing:
- Deploy and maintain automated systems and services to detect, prevent and reduce threats.
- Educate employees so they may better defend themselves (and your company) from social engineering attacks.
- Establish and enforce internal rules and procedures (checks and balances).
- Increase your network monitoring & physical security.
Let's look more closely at each of these components...
Systems & Services
AV, filters, patch managers and blocking tools are all layers of protection and, combined, they reduce the number of threats arriving via the Internet. An ounce of prevention is worth a pound of cure, and the cost of running these services is small compared to the cost of recovering from a successful attack.
Some organizations are led to believe that these services are enough, but we don’t agree. Security services on their own are great, but they won’t protect people outside the workplace and they won’t stop letters, text messages and phone calls. They most likely won't even stop everything that arrives via the Internet. Research has shown that people are sometimes more likely to fall for social engineering attacks when they falsely believe that security services alone will always protect them.
It's inevitable that some threats will make it past basic system defenses. But they can still be neutralized if your team catches them. Use tools to test how well employees can identify phishing attempts, along with just-in-time training videos to help them improve over time. Explain that threats can come from Facebook, phone calls, letters, texts, parking lots, websites and many other avenues besides email. Some attackers will even ask an employee to spend their own money, expecting reimbursement.
Policies and Procedures
Implement a process that includes checks and balances before a request is honored. Require someone else to sign off on all financial payments, and obtain supervisor approval before divulging confidential information to any third party. Confirm unusual requests by reaching out to the person making the request by phone. Enforce strong passwords, use a password manager where possible, and limit who has access to company-sensitive information and funds.
Network & Physical Security
Build strong password policies and enforce them, force workstations to log users out if left unattended, and prevent installation of unapproved applications. Determine what data is allowed to be on someone’s smartphone and how to wipe it if lost or stolen.
Carefully manage which devices can access the network. Keep firewall rules clean, maintain the firmware, and always run a centralized patch management service to keep all applications and operating systems up to date. Maintain logs of who signed in or out, where from, and when. Use ID cards for physical access, deploy gatekeepers, and lock critical business systems in a secure room. Keep a copy of your data offsite (and in a secure location).
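The sign-in logs mentioned above are only useful if someone reviews them. As an added example (not part of the original article), here is a small review script that flags sign-ins from a location not previously seen for that user and sign-ins outside business hours; the log format, the sample lines and the 07:00-19:59 business-hours window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not from any real system): when, what, who, source IP, location.
SAMPLE_LOG = """\
2018-08-13T08:55:12 LOGIN alice 10.0.4.21 office-hq
2018-08-13T17:02:40 LOGOUT alice 10.0.4.21 office-hq
2018-08-14T09:03:01 LOGIN bob 10.0.4.33 office-hq
2018-08-14T22:47:19 LOGIN bob 203.0.113.77 unknown
2018-08-15T08:58:05 LOGIN alice 10.0.4.21 office-hq
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT) (\S+) (\S+) (\S+)$")
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; an assumed policy, adjust to your own


def parse_log(text):
    """Turn raw lines into (timestamp, event, user, ip, location) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than crash the review
        ts, event, user, ip, location = m.groups()
        events.append((datetime.fromisoformat(ts), event, user, ip, location))
    return sorted(events)


def find_suspicious_signins(text):
    """Return (user, timestamp, reason) findings for sign-ins worth a closer look."""
    seen = defaultdict(set)  # locations already observed per user
    findings = []
    for ts, event, user, ip, location in parse_log(text):
        if event != "LOGIN":
            continue
        # A user's very first sign-in establishes the baseline; later new locations are flagged.
        if seen[user] and location not in seen[user]:
            findings.append((user, ts.isoformat(), f"new location {location} ({ip})"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((user, ts.isoformat(), "outside business hours"))
        seen[user].add(location)
    return findings


if __name__ == "__main__":
    for user, when, reason in find_suspicious_signins(SAMPLE_LOG):
        print(f"{when} {user}: {reason}")
```

On the sample log only bob's late-night sign-in from an unknown location is reported; a real deployment would feed in the exported log and route findings to whoever reviews them.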
Run ATP (advanced threat protection) and deploy SIEM/SOC services to add further protection for your business.
Get Some Help
Few businesses have the time or expertise to take on their own plumbing, telephone, electrical and remodeling work. IT security is no different. It’s a complicated animal, and that makes hiring outside professionals an appealing and reasonable choice.
Size Doesn't Matter
It's a mistake to think that being small means you're less likely to be a target of a cyber attack. Because small companies and organizations have less money for defenses, and attackers can harness botnets to attack thousands of targets simultaneously, it's more important now than ever for all small organizations to protect themselves with better security software, systems, standards and practices. Small businesses are just as likely to be attacked, and those attacks are more likely to succeed.