Your cybersecurity checklist
Hardly a week goes by without us reading about some new data breach or hacking scandal. And while we may never be fully protected from all risk factors, cybersecurity should be an essential part of operations for any business. While we are always at risk of damage – be it through a targeted attack or an accidental breach – there are actions we can all take to mitigate that risk.
The consequences of poor cybersecurity
The consequences of a data breach can be longlasting and significant. Under GDPR, businesses that fail to secure their data can be fined up to 4% of their global revenue (or €20 million, whichever is greater), but in some cases the reputational damage can be even more costly as bad publicity can impact an organisation for several years after the incident. IBM estimates that the average cost of a data breach is $3.86 million. Not many businesses can afford to lose that kind of money, so let’s take a look at some crucial things to do in order to build your security and resilience.
1. Appoint a cybersecurity leader
Your business needs someone who can be accountable for all cybersecurity processes. This should be an experienced individual with clear ownership of data security, and who can also serve as a leader to inspire staff to be more security-conscious. In larger organisations, the leader should ideally be a board member or report directly into the board. Every employee should be aware that this person is in charge of cybersecurity issues and that they are the person they should report any concerns to.
2. Create clear policies
It’s important to create policies that ensure everyone understands what is expected of them, and that offer a clear chain of command if a breach occurs. These policies should cover things like privacy, information security, remote access, ‘Bring Your Own Device’ (BYOD), as well as acceptable use of the Internet and email communications. These policies should also clearly inform staff of their role in ensuring GDPR compliance.
However, encouraging people to read, understand and apply policies can be a challenge. So how do you make sure everyone is aware of the critical parts of a policy? Many organisations set up workshops and ‘lunch-and-learns’ to introduce a particular policy. There is also software such as Convergepoint, which is a policy management system that integrates with Office 365 and that helps create, maintain and update policies. This software will also notify you when employees have read a document.
3. Invest in the right technology
To be serious about detecting and mitigating cyber threats, you need to invest in technology that will help you to protect your business against malware, to secure and encrypt data, to detect intrusions and to perform backups. With the help of this technology you will be able to manage employees’ ability to send files securely, share information, and secure your networks.
Encryption tools like VeraCrypt are being used by many businesses to protect data. It offers powerful protection against brute force attacks, which means that it can prevent hackers from decrypting your sensitive data and passwords. The basic version of this and other similar software is free, allowing you to test it before committing to the enterprise version.
- Antivirus and firewalls
Antivirus software protects against malicious files sent over the Internet. One email attachment unwittingly downloaded by an employee could threaten your entire network, but antivirus solutions like Avast or AVG can be used to protect your organisation. Meanwhile, a firewall will stop unauthorised access to your network. Sophos’s Firewall is an industry-leading solution which uses deep learning to secure systems and keep your users protected. In addition to this, it’s a good idea to also ensure your business closes any unnecessary ports, as these can make the business vulnerable to attacks.
- Data backup
When it comes to backing up data, the best practice is to have three copies of your data; one offsite and two in different types of storage. For online backups, there are basic business services such as MozyPro that could fit the bill. However, for local backups some companies might prefer a device like ioSafe, which will allegedly withstand fire for up to 30 minutes and complete immersion in water for several days. As an alternative, some organizations (including Google) report having been saved by tape backups – and Facebook has been known to experiment with Blu-Ray disc backups.
There are different types of backup (full, differential, and incremental) which all have different advantages. Bear in mind that it’s not just about having data backed up; you should also consider how fast you will be able to restore that data and get back to full functionality.
- USB security
Hard drives and USBs can sometimes represent a weak link in your cybersecurity. To encrypt USBs when they are inserted into a company computer, you can use a solution like VeraCrypt. Alternatively, IronKey USBs are encrypted as standard and protected against malware. These can also be locked or set to self-destruct if lost, which can offer complete peace of mind for highly sensitive information.5. Personal devices
4. Regularly test your security
Security is in itself not a product, but a process. However, by running regular penetration tests (pen tests) in your organisation, you will be able to get a snapshot of your current state of protection. You may choose to set this as a contractual requirement for clients or suppliers, depending on how interconnected you will be. Pen tests are best left to experts, so if you don’t have the skills in-house you should hire a specialist firm to run it for you.
5. Personal devices
It’s virtually impossible to stop employees from bringing their own devices to work. This means that you should consider how you can secure your data on any personal smartphones, laptops and tablets.
- Multifactor authentication
Multifactor authentication is a good way to confirm the identity and access rights of a user. Services like Gmail offer this as standard, and many online and email services provide this option in their settings. One new, powerful tool is the clever YubiKey, which offers instant passwordless authentication for hundreds of online services.
However, you may want to consider restricting personal device use where appropriate – preventing users from opening a company email attachment on their phone, for example.
If you have employees working remotely or on their personal devices, we recommend using a Virtual Private Network (VPN). This is a layer of security that protects any web browsing and data transfer, regardless of where the device is being used. If employees often travel and use public, hotel, airport and café wifi, then a VPN is essential. ExpressVPN will meet most business needs and is compatible with most phones including Apple and Android, as well as BlackBerry devices.
- Disabling devices remotely
Prey can add another element of protection by enabling you to shut down devices remotely if lost. This is the service used by Uber, combined with an in-house solution, to disable employee devices if needed.
81% of security breaches occur due to poor password security. Hackers can use stolen passwords to access user accounts and cause all sorts of damage – and if a password is used across multiple accounts, the damage will be multiplied. Ensure your staff don’t ever write their passwords in emails or digital files and encourage them to use a password manager to secure their login information. In addition, all passwords should be hard to guess and unique to each user account. Alternatively, you may choose to use a solution like KeePass together with the YubiKey, which allows the use of one-time passwords – removing the ‘single point of failure’ of a master password.
A word on budget
Much like an insurance policy, cybersecurity is an area that you shouldn’t skimp on. However, with strained budgets you may struggle to afford your ideal level of protection. It’s worth shopping around to find the best solution that fits your wallet and risk profile. Many cybersecurity vendors offer different pricing options, allowing you to find a level that is reasonable for your business. However, bear in mind that the potential costs of a data breach will far outweigh the software investment.