As attackers become more savvy and more numerous, the threat of cyberattack grows each year. Today, attackers usually automate most of the work, attacking hundreds or thousands of companies at once to see what sticks. Whether it’s via phishing links, downloaded malware, or a direct network breach, attackers are getting bolder and coming up with new ways to infiltrate company networks, big and small.
Fortunately, establishing a few baseline security protocols will offer protection against a broad range of attacks. Because most cyberattacks are automated, if you can frustrate any part of the attack then attackers are likely to move on to the next one, rather than spend more time attacking your network. Just by enforcing the guidelines in this article, every business can lay a solid foundation of data security to prevent attacks and scale in complexity as the business grows.
1. Document Cybersecurity Policies & Inventory Assets
No matter what policies you choose to implement as a company, documenting them clearly will be essential. Without clear documentation, it becomes difficult to enforce or even remember all the security measures you want to have in place.
At a baseline, you should have:
- Checklists for onboarding and offboarding employees: what devices do they receive or need to turn in? What accounts do they have access to?
- Password and multi-factor authentication requirements for company accounts and devices
- Inventory of all devices currently owned by the company, plus an inventory of all external devices that have been added to the company network
- Policies on how often to update software, reset passwords, and gain access to the company’s network
- Overview of the company’s infrastructure and how everything works together, e.g. file storage, servers, WiFi networks, etc.
As you read through the rest of the suggestions in this article, the first step should be to document your ideas and begin to formalize them into policies that can be shared, reviewed, and ultimately enforced.
2. Use a Password Manager, Strong Passwords, and MFA
The lowest-hanging fruit for any cybersecurity effort is password management and protection. Easy-to-guess passwords are mind-bogglingly common and trivial for computers to guess. In fact, lists of common passwords are available to anyone online.
The good news is it has become very easy to implement a password manager that can be shared across your organization. Once you do, you can require that all passwords be long and complex, eliminating password guessing as an attack vector against your organization. We recommend 1Password or Dashlane, as they make this process easy and relatively painless.
Furthermore, multi-factor authentication (MFA) adds another layer of security. Even if an attacker is able to steal your password, MFA means they won’t be able to gain access to your account without access to your phone or email. Combined, strong passwords plus MFA are the gold standard of account protection at the moment. You can rest easy once you have these policies in place and enforced across your organization.
3. Get a Firewall & VPN
Simply put, a firewall is a barrier between your company’s internal network (e.g. WiFi/LAN) and the open internet. Firewalls follow rules that you set to restrict which types of connections, and which ports, are allowed through.
Virtual private networks (VPNs) allow you to create a private network over public internet connections using encryption. This means that devices don’t need to physically be in the same location in order to share the security, privacy, and access controls of private networks.
Both of these technologies are essential parts of data security and don’t require tons of technical know-how in order to set up. By placing layers of security and isolation around your company’s data, you’re making it increasingly hard for attackers to gain access.
4. Backup Data Regularly
If a ransomware attack held all of your company’s data hostage, do you have backups of that data somewhere else?
Off-site backups, preferably to the cloud, are essential to recovering from attacks and rolling back any catastrophic failures. Perhaps it sounds unlikely that you’ll lose all your data. But time after time, we’ve seen companies lose everything or be forced to pay ransoms because they didn’t have easily accessible, off-site backups.
You should automate this task, so that a new backup happens automatically on a regular cadence. This is one of those security measures you hope you don’t need but will be invaluable in the case that you do.
5. Anti-malware & Monitoring Software
At the very least, all devices with access to the company’s network should have anti-malware scanning software installed. This software lets users know when a file is not trusted or safe, often preventing them from opening it without some type of override.
Better yet, add a remote monitoring agent to all machines on your company’s network. Most monitoring software includes anti-malware scanning, but it also lets you track machine uptime and network traffic and provide remote support to users across the company.
Remote monitoring has the added benefit of allowing you to automate the rollout of software updates and policy changes company-wide.
6. Create a Work From Home & BYOD Plan
Increasingly, workers are using their own devices on the company network. Additionally, they’re working remotely more often. Combined, these two trends can create security challenges. However, they don’t have to with the proper policies and guidelines in place.
Workers who want to use their own devices or work from home should have to follow all the same security practices required of company-owned devices and internal WiFi networks. Many of these policies are the ones laid out here: strong passwords, MFA, access via a VPN, and installed anti-malware software.
Whatever you decide, remember to document it clearly and provide that documentation to those who bring their own device or work from home. Make sure there are policies and practices in place about verifying compliance and enforcing security practices on worker devices and home networks.
7. Educate Employees & Simulate Attack Vectors
Ultimately, your cybersecurity is only as strong as your employees’ education. Anyone with access to the company’s network could become a target of a cyberattack. Increasingly, these attacks use phishing or social engineering to get workers to believe attackers are legitimate. Even with all the best practices in place, your data could be at risk if your employees aren’t trained.
To that end, all your employees should know:
- How to use various software for security, what the software does, and why you chose it
- What a phishing attack looks like and how to report them
- That nobody will legitimately ask them for their password or MFA codes, so they should never give them out
- Steps to take in the event of an incident
Critical Cybersecurity Measures
These measures provide only the basics, and your cybersecurity plan will have to evolve as your company grows. However, having this foundation in place will provide peace of mind, since these seven policies alone prevent the vast majority of cyberattacks.