Budgets are important in all organizations. Sometimes you have to calculate for future risk, which can be hard. However, you must find room or you could pay the price in other ways — especially when we’re talking about Cybersecurity. We’ve broken down the top security must-haves so you can keep your organization safe without breaking the bank.
READ ALSO: Eide Bailly expands on Camelback Corridor
1. Educate your staff. Education is one of the most important pieces to the cybersecurity puzzle, and knowledge can be a better asset than any tool on the market. Since 95% of cyberattacks are due to human error, your employees need to know what they’re watching out for. Formal cybersecurity training should be conducted yearly at a minimum. We recommend conducting quarterly trainings as well as additional training for new hires. We often say that security is a journey, not a destination, but there are things you can do to make that journey a smooth one. Good education includes:
• An overview of common cybersecurity threats
• Tips on identifying and avoiding these threats
• A clear way to report incidents
Despite your best efforts, incidents will happen. And while this is obviously frustrating, staff need to feel that it’s a positive interaction, because if they’re reprimanded, they and others will be less likely to report future issues. When someone reports an incident, thank them for the information, reassure them that they aren’t in trouble, and work together to gather all the information surrounding the incident. Disciplining employees for clicking a phishing link or being fooled by a social engineering scheme will do a lot more harm than good.
2. Invest in a cyber insurance policy. Cybersecurity threats are inevitable, and cyber insurance can help you better position your business to mitigate the financial impacts of an incident. But don’t just buy a cyber insurance policy and file it away; make sure to come back to it yearly to examine and review.
3. Tighten up your configurations. Cybersecurity isn’t just about buying the right software, hardware and protection plans. Tightening up your configurations to eliminate unnecessary access is a simple yet often overlooked way to reduce your organization’s vulnerability.
Harden your system and reduce the potential for compromise by periodically:
• Removing admin rights
• Reducing other user permissions
• Closing unused ports
• Removing inactive user accounts
• Uninstalling software that is no longer used
• Ensuring your VPN is required
• Following a hardening benchmark (such as CIS Benchmarks)
Cybersecurity professionals can also conduct penetration testing exercises to give you a full picture of any gaps that may be subject to exploitation. This testing can highlight weaknesses in your network configurations that could allow unauthorized and/or unsuspected access.
4. Enable MFA. Multi Factor Authentication should be a standard for email, intranet and other business logins. According to Microsoft engineers, 99.9% of account compromise attacks could have been prevented with MFA. MFA is classified as something you have, something you know and something you are (e.g. a biometric like a fingerprint or facial recognition) that creates a second factor to another trusted source. When MFA is enabled, if (and when) a user’s password is stolen, the password alone is not enough; there’s still that other authentication method needed.
While it can seem inconvenient for users to have to provide their fingerprint or type in the six-digit text code that never seems to arrive quickly enough, the difficult truth is that passwords alone just don’t cut it anymore. MFA adds that necessary second layer that a threat actor can’t know ahead of time, and it is a simple step that can go a long way.
5. Practice, practice, practice. A good incident response plan isn’t just a “one-and-done” kind of thing. Good plans are built, practiced, reviewed and improved on an ongoing basis. In tabletop exercises, cybersecurity professionals meet with business leaders, attorneys, IT professionals and others in the organization to ask “what if” questions. Typically, the process of a tabletop exercise involves identifying a scenario, walking through how it could play out and examining any questions or curveballs that may arise. It’s also incredibly helpful to include your insurance policy details and team in these exercises, so you can shed light on what’s covered and what’s not, and so you know the specifics of contacting them when an incident occurs.
Your practice exercises should also include testing your backups. Backup issues are one of the main reasons businesses end up paying when hit with ransomware. They may think that their backups are safe, complete and ready to use, but that may not be the case when it comes time to reinstate them. It’s also important to understand how long it takes to reinstate your backups: it could be weeks or even months before your systems are ready to use again.
Deciding where your money should go can be challenging, but ensuring these five areas are covered will set you up with strong cybersecurity practices that hopefully won’t break the budget.
To learn more about cybersecurity, visit eidebailly.com.
NOTE: A version of this article appeared on eidebailly.com