by Dave Rose

If your company were hacked tomorrow and all your data were encrypted, would you go out of business? If your company data were stolen and the thieves threatened to sell it on the Internet, what would you do?
Hackers are no longer some vague concept or entity to be aware of. They are a harsh reality. Do not think it is only hospitals and big business that are targets. We are all at risk. All of us. Be prepared. Here is what you need to understand, and 16 action items you can take to protect your business.
Begin with a security risk assessment. Identify your risk. Identify your data and weaknesses in your protection and procedures.
Once you have completed a Risk Assessment you should put in systems to IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER from cyber security issues.
Here is how.
- SECURITY ASSESSMENT: It is vital you identify your data, your risk, and your risk tolerance before you can plan to protect yourself. A comprehensive Risk Assessment is the right place to start. The lack of a proper assessment is the most common item medical offices are fined for in HIPAA settlements.
- BACKUP: Backup is almost a prerequisite for security. It is not a security step; it is a last resort. Determine your firm's Recovery Point Objective and Recovery Time Objective. Follow the 3-2-1 backup rule: 3 copies of your data on 2 different media, with 1 copy offsite. Ensure your backup is not vulnerable to a ransomware (crypto) attack that could encrypt the backup along with the live data.
- FIREWALL: “Next Generation” or “Unified Threat Management” firewalls should be implemented along with managed Web application filters. Ongoing updates and maintenance are vital.
- ANTI-VIRUS: An active alert system must be tied to your anti-virus software. Getting alerts about virus activity will not help you if you do not have procedures and people to take action on the alerts.
- INTRUSION PREVENTION: Intrusion prevention is sometimes referred to as Advanced Endpoint Protection. It includes software that takes action when unwanted behavior is detected. A Security Operations Center (SOC) is recommended to ensure proper response to detections. For large firms or firms with compliance requirements, a security information and event management (SIEM) platform is suggested.
- INTRUSION DETECTION: Early detection is vital. Limiting dwell time, the time an attacker has a foothold on your network before detection and remediation, is key to successful security management.
- ENCRYPTION: Encrypt everything. Data should be encrypted at rest and in transit. Disk encryption is a must, and file-level encryption can offer safe harbor.
- MULTI-FACTOR AUTHENTICATION (MFA): MFA is a must. CISA and Microsoft now recommend that you use a mobile application for MFA rather than relying on text-based MFA.
- PHISH TESTING and context-sensitive SECURITY AWARENESS TRAINING: Training significantly reduces your chances of breach or attack. Knowledge is power. Educating your staff and developing a security-conscious culture is very important, and typically missed by small firms.
- WRITTEN POLICIES: Be prepared. Many forms of compliance require written policies. For firms without compliance requirements, I still recommend written policies. After a breach or file deletion is not the time to be asking what to do, or how to restore your data.
- SPAM CONTROL: Reducing spam directly limits the most common method of penetration for most malware. Unfortunately, the hackers are getting very clever and have many methods to deliver legitimate-looking email that still poses a threat. New software is coming out all the time with AI and machine learning to help limit spear-phishing attacks.
- PASSWORD MANAGEMENT: A password manager helps ensure passwords meet complexity requirements and are not reused in more than one place. These services typically alert customers when a commonly used service like Facebook or Home Depot is breached and suggest you change the password there and anywhere you have a similar password.
- DARK WEB MONITORING: These services watch for and report on activity involving your company on the dark web, where criminals list and sell your sensitive data. A must-have.
- PATCH MANAGEMENT: Ensuring you patch your operating systems, applications, and devices like firewalls is vital to reducing your attack surface. New vulnerabilities are discovered daily, and an active patch process is important to keep you protected.
- MOBILE DEVICE MANAGEMENT: With everyone using cell phones, mobile devices are an attack vector too often overlooked. Anti-virus, and preferably full management of mobile devices, is recommended.
- CYBER INSURANCE: When all else fails, you should have insurance to protect your business and your livelihood. You have liability insurance. You have car insurance. Why wouldn’t you protect yourself from this spreading new threat of cyber-attack?
You have worked hard to build your business to where it is today. Be sure to protect it with proper cyber security.

David Rose is founder of Rose Computer Technology Services. He has been working in Information Technology for 36 years. Rose Computer Technology Services, located in Williston, Vermont, has been serving Vermont businesses for 23 years, and was recently awarded the CompTIA Security Trustmark Plus Certification. The CompTIA Security Trustmark+ signifies that Rose Computer Technology Services adheres to the industry's highest standards for security practices and business processes in the critical components of identification, protection, detection, response, and recovery as related to data security. You can contact David and his team at rosects.com.