7 Cyber Security Best Practices to Protect Your Organization
Cyber attacks are everywhere, and it’s becoming increasingly important to implement strong cyber security best practices to ensure your organizational data is protected.
In fact, there are an estimated 3-10 high-profile cyber security breaches per month in North America. In recent years there has also been a shift toward targeting the agriculture sector.
To understand why cyber security best practices matter, you first need to understand two of the main types of attack:
The first is ransomware, the most common type of cyber attack companies face. Criminals access your network and install a program that locks you out of everything and encrypts your files. They then hold the files until a ransom is paid (typically in cryptocurrency).
There are essentially two ways to deal with this type of attack:
- You can wipe all your machines and restore your data from a past backup; or
- You can pay the ransom
Both “solutions” come with additional issues. Restoring from a past backup (especially if you are not backing up your data regularly) can still cost you any data added to your system since that backup was taken. As for paying the ransom, it usually only works temporarily. Many companies that pay report getting hit again by the same criminals for even more money a short time later.
The second is essentially ransomware with an added threat to publicly expose all of your data if the ransom is not paid. This can be particularly troublesome for companies that service other companies or that hold a long list of clients with sensitive information in their systems. If you get hit, you then have to notify all of those businesses, as the attack could spread to them.
The Best Defense is Proactive Defense
While this might seem scary to read all at once, there are plenty of ways you and your team can proactively prepare to extinguish these fires before they even start.
Here are 7 ways you can prevent cyber attacks:
1 – Invest in Cyber Security Insurance with Ransomware Protection
First-party coverage offers you financial assistance if you are the target of an attack. You can also get liability coverage that accounts for technology errors and omissions.
Most cyber security companies offer some form of insurance, so ask yours about it if you don’t already have it. Note that insurance will not cover physically damaged computer hardware, intellectual property, or the cost of protective measures.
In terms of how much insurance you should have, that will depend on the size of your company. If you are a small business $1 million is a good place to start. If you are a medium or large-size business, you will probably want more. You should think about your company’s risk tolerance and how much money you’ll lose out on if your systems are down for a week or longer.
2 – Enact Best Practices When Backing Up Your Data
You must back up your data – including document libraries, hard drives, email, ERP, CRM, Active Directory, and more – on an ongoing basis. Some data will need to be backed up weekly, daily, or even hourly if you have a significant data volume.
It’s also important to test your backups, including actually restoring from them, to make sure they work.
We recommend a 3-2-1 strategy:
- Have 3 copies of your data
- Have 2 different storage types
- Have 1 set of backups offsite
If you are on-premises, you will want a backup in-house and one offsite at the bare minimum. We also recommend using backup tools like Veeam. If you are in the Microsoft Cloud environment you will automatically have a cloud backup, but it is still good to have one offsite and perhaps one with a third-party provider.
3 – Set Up Multi-Factor Authentication for All Key Applications
Yes… we know opening an app, entering your login credentials, then having to verify through another app or a code sent to your mobile device that it is in fact you every time you log in can be tedious. However, it is also vital.
Multi-factor authentication protects your systems and adds another hurdle for would-be attackers to deal with. As a Microsoft user, you can enable this feature in your Microsoft 365 global settings.
We also recommend using a password vault (we use Keeper). Keeper can generate and save strong passwords that are very tough for cyber criminals to guess.
Additionally, you should have an offboarding plan in place: when employees leave, reset their passwords and disable their login credentials.
4 – Install Phishing Prevention Software for Email
Many attackers impersonate large companies like Microsoft to steal your credentials. Phishing is a specific type of attack where bad actors send users an email that appears to come from someone in your company. It can even go so far as using the name and picture of someone within the organization. They will often target people in specific departments (sales, for example) and try to direct them to a fake site where they “log in” to approve an invoice.
Here are a few things to keep in mind when you receive an email that might be phishing:
- Look at who the sender is and what their email address actually is
- Check the file names on any attachments for weird characters
- Check for spelling and grammar errors
- Report ANYTHING that seems suspicious to the appropriate channels
- Implement anti-phishing software such as the Microsoft 365 function or Barracuda, an MSP Stoneridge works with
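The checks in the list above, as an added example that is not part of the original article: a small Python screening script run over a constructed sample message. It assumes your own mail domain is example.com (a placeholder) and flags an external sender, odd characters or a double extension in an attachment name, and a link whose visible text names a different host than its real target.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: your own mail domain(s)
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".hta"}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample message for the demonstration (not a real phish).
SAMPLE = """\
From: "Dana from Finance" <dana.finance@example-invoices.xyz>
To: sales@example.com
Subject: Invoice approval needed today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please log in to approve: <a href="http://login.example-invoices.xyz/">https://portal.example.com</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Inv0ice#4421.pdf.exe"

ZHVtbXk=
--b1--
"""
def screen(raw, trusted=TRUSTED_DOMAINS):
    """Return the phishing indicators from the checklist found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Who is the sender, and is the address from one of our own domains?
    for a in (msg["From"].addresses if msg["From"] else ()):
        if a.domain.lower() not in trusted:
            findings.append(f"external sender: '{a.display_name}' <{a.addr_spec}>")
    # 2. Attachment names with odd characters, double or executable extensions
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if re.search(r"[^\w. -]", name):
            findings.append(f"odd characters in attachment name: {name}")
        exts = re.findall(r"\.[A-Za-z0-9]+", name)
        if len(exts) > 1 or (exts and exts[-1].lower() in RISKY_EXT):
            findings.append(f"suspicious extension on attachment: {name}")
    # 3. Links whose visible text names a different host than the real target
    body = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
    return findings
```

Running `screen(SAMPLE)` on the constructed message returns four findings; a clean internal message returns an empty list.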
5 – On-Premises Hardware - Install and Maintain a Quality Firewall with Proper Preventative Services
Having a firewall is a great place to start, but it’s also important to keep it up-to-date and ensure the right security parameters are always in place. It’s not a “set it and forget it” solution, it’s one that requires constant monitoring and care.
That’s because hackers will often not stop when thwarted in their initial attempt to break through it. They will retool their attack to try again later. If you aren’t maintaining your firewall and implementing all the proper configurations and updates, they will eventually find a way around it.
6 – Identity Access Management - Give Users Appropriate Permissions for Their Role
You don’t need to give everybody access to everything. Grant access to applications and roles only according to each user’s job needs, and limit what users can install on their PCs.
We highly recommend using an Active Directory group policy to control permissions for your applications and PCs. Develop HelpDesk and onboarding procedures so new users are set up correctly from the start.
The main risk of giving everyone the same security clearance is that users end up with access to applications they may never use and therefore do not understand, which makes them easier to compromise. Additionally, they will have access to all sorts of data and could walk away with it.
You’re only as strong as your weakest link, and the best way to avoid that is…
7 – Don’t Have a Weakest Link! Train Your Team Regularly to Spot Phishing Emails and Stop Attacks Before They Happen
At the end of the day, you and your users in various parts of the company are the best defense in preventing cybercrime.
We recommend you run internal campaigns to inform everyone in the company about the importance of protecting your digital assets and how they can spot and report suspicious emails. You can either set this up with your internal IT team or use a third-party resource. We use KnowBe4. You should also encourage a rigorous password policy and run challenging phishing tests to see how much attention users pay.
If You Haven't Already, It's Time to Implement a Solid Cyber Security Plan
The battle against cyber criminals is ongoing, as their attacks are becoming increasingly sophisticated every month. We will leave you with some food for thought:
- Set aside a budget for cybersecurity expenses – including insurance, analysis, and remediation.
- Get a third-party security assessment – Even if you have an internal IT team, it doesn’t hurt to have another set of eyes look at your system and try to identify any weak points or areas for improvement.
- Take remediation steps based on professional recommendations – Whether it is a third-party company or your internal IT team, you should act on their recommendations quickly. If you don’t, you might leave your network vulnerable.
- Create a Security Committee that includes members of leadership – This is not just an IT issue. Everyone in the organization should know your standards and what they need to do to keep your environment safe. Establishing an oversight committee can help keep your business on track.
- Lead by example – If you are a member of the management team, ensure you are strictly following best practices and modeling that for other users.
- Review your Managed Services plans – This is especially important if you haven’t done it in a while. It’s never a bad time to ensure your plans are up-to-date and relevant.
Do You Have Questions About Cyber Security?
Please reach out to us! Stoneridge Software can help you implement these best practices within your organization to ensure your data stays safe.
Our Technology Services Team is ready to assist you and answer any questions you might have.