Startups, small businesses and established enterprises have at least one thing in common: They are all prime targets for cybercriminals. With that in mind, understanding and implementing cybersecurity best practices is essential. Verizon’s 2020 Data Breach Investigations Report reveals that, while most cybercrime victims were companies with more than 1,000 employees, small businesses were still the targets of more than a quarter of all cyberattacks.
By following these cybersecurity best practices for 2021, you can ensure that your organization is well equipped to anticipate threats, neutralize attacks and recover in the event of a serious data breach.
The 10 Must-Know Cybersecurity Best Practices
1. Know the Risks
Perhaps the most pivotal of all cybersecurity best practices is simply knowing what you’re up against. To that end, it’s good to understand common types of threats and know where they come from:
- First Risk: Malware
This is probably what comes to mind when you think of cybersecurity threats. Malware is an umbrella term for “malicious software,” including ransomware, spyware and viruses. Malware can find its way onto your network via malicious links in emails or on web pages.
- Second Risk: Phishing
Phishing is a strategy that involves sending fraudulent communications — typically through email — from official-looking sources. These messages include copy that preys on emotions such as fear, greed and curiosity, tempting targets to click on malicious links or attachments. A successfully baited victim of a phishing attack may be tricked into giving away personal or confidential information and may expose their network to malware.
- Third Risk: Man-in-the-Middle
Also called eavesdropping, man-in-the-middle (MitM) attacks involve attackers inviting themselves to a two-party transaction. Once there, cybercriminals can easily intercept and steal valuable information. Common entry points include insecure networks and malware that has been installed via phishing or other methods.
- Fourth Risk: Denial-of-Service
According to the Cybersecurity & Infrastructure Security Agency (CISA), “a denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.” These commonly involve a deluge of illegitimate traffic directed at a network, internet service provider (ISP), or cloud service provider. When this happens, legitimate traffic can slow to a halt as the servers work to handle the flood of false requests.
This is not an exhaustive list of all possible types of threats but rather a sampling of things to look out for. Based on these alone, you may have already identified some areas where your organization is at risk. Next, we will unlock more ways to identify and mitigate risks.
2. Identify Vulnerabilities
Simply knowing about the threats that are out there won’t protect your organization, but taking a shotgun approach to cybersecurity won’t help you much either. It’s important to identify your organization’s most valuable digital assets and determine where your current cybersecurity measures need to be improved to shield them from malicious activity.
One tool that can help with this is the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF.
Originally developed to standardize infrastructure within a niche of organizations, it has expanded based on the IT community’s feedback. Today, the CSF includes guidance on self-assessment, planning guidelines and other updates in response to advancements in security threats.
The NIST Cybersecurity Framework outlines Five Functions that represent critical steps in your approach to cybersecurity risk management:
- Function One: Identify — outline cybersecurity risks that threaten all company assets, including personnel, systems, and data.
- Function Two: Protect — establish systems to defend critical assets.
- Function Three: Detect — identify events that could threaten data security.
- Function Four: Respond — act to neutralize threats as they arise according to predetermined procedures.
- Function Five: Recover — plan a course of action to restore functionality in the event of a catastrophic incident.
These functions are further broken down into categories and subcategories. This is intended to run the gamut of cybersecurity best practices and objectives without overcomplicating the issue.
Beyond implementing this or another CSF, you might consider bringing in a contractor to perform an audit of your cybersecurity systems. This will provide an unbiased view of the policies, procedures and technologies that you have in place in the form of actionable feedback that you can use to improve your cybersecurity measures.
Whatever set of standards you decide to abide by, Diligent Compliance software empowers you to manage assessments, monitor compliance and track improvements.
3. Bring in the Experts
Keeping in mind the importance of a robust cybersecurity system, your IT teams should include at least one expert on cybersecurity. Additionally, consider including a cybersecurity expert on your board. It can be difficult for critical issues like cybersecurity to come to the forefront where they belong when decision-makers don’t fully understand them.
Finding the right person here can be tricky, and it’s not hard to see why. According to Steve Durbin, managing director for the Information Security Forum, “The person must be a hybrid with strong communication skills, who understands how to operate at the board level, and have an understanding of the cyber space.”
Durbin’s statement stresses the importance of finding a candidate who has both technical knowledge and leadership abilities. Take care when deciding who to put in this position, as their work will be instrumental in protecting your organization from cyberattacks.
4. Leverage Managed Services
As you begin your search for cybersecurity professionals, remember that you don’t have much time to waste. The risk of falling victim to a cyberattack continues to grow, and you need to be prepared as quickly as possible without taking shortcuts. For this reason, leveraging the expertise of a managed security services provider (MSSP) may be your best bet, at least for the time being.
There are several advantages to taking this approach:
- Advantage One: Lower Costs
You can reduce costs without sacrificing quality here because working with an MSSP means you don’t have to spend time in training. Your security professionals will already be equipped with the most current knowledge on combating security threats.
- Advantage Two: Automatic Detection and Response
Top-tier MSSPs come loaded with defenses, ensuring that, in the event of an attack, you have remote and on-site responses ready to go.
- Advantage Three: Scalability
Rather than hiring and training more people as your organization scales, simply expand the reach of services from your provider. The best solutions are product-neutral, allowing you to change your applications or cloud services without taking on unnecessary security risks.
- Advantage Four: Reliability
The best MSSPs will have Service Level Agreements that include 24/7 support and guidelines for incident response times. This shifts much of the technical burden away from your organization, though you must be sure to work with a quality provider and understand what you’re getting.
5. Practice Basic Cyber Hygiene
All discussion of cybersecurity best practices centers on getting your organization to practice basic cyber hygiene. The following are among the most vital elements of this practice:
- Recommendation One: Write Explicit Security Policies
Without written policies, it’s difficult to conduct an audit or assessment and nearly impossible to implement consistent training. Having your policies written down makes your goals and procedures clear, reducing the risk that a misunderstanding of policy will put your organization at risk.
- Recommendation Two: Train Everyone
We’ve discussed technical aspects of cybersecurity best practices, but the reality is that much of the responsibility lies in the hands of your people. The human element represents the most significant risk to your networks and systems, so it’s important to ensure that everyone knows how to do their part.
- Recommendation Three: Phish Everyone
Remember phishing? It doesn’t seem to be going away any time soon. Keep your systems safe by testing everyone after they’ve been properly trained. Yes, that includes upper management and even board members. Consider using a phishing awareness quiz as an interactive part of your training.
- Recommendation Four: Use Multi-Factor Authentication
In many cases, a simple password — even one that’s hard to guess — is no longer enough. Multi-factor authentication (MFA) ensures that everyone is who they say they are when they attempt to log into a device or an application that touches your network.
- Recommendation Five: No Default Passwords
Default passwords for new user accounts tend to be easy to guess for a human, let alone for a computer that can try countless combinations of letters and numbers against your system. Stay on the safe side and avoid default and simple passwords, no matter how convenient they may seem.
6. Update Software
There’s no doubt that your organization leverages several external applications in order to function. Sometimes the developers of those apps release updates with new features or user interface components, but more often, those regular updates contain security fixes.
Cyberthreats are constantly evolving, and software companies update their products accordingly. You don’t want to be caught using an old version of a program with a known security vulnerability. After all, a single vulnerability in one of your programs could be just the access point that cybercriminals need to get into your network.
Your hardware also plays a role in cybersecurity. Most computers and mobile devices reach a point when they can no longer run the latest version of their respective apps and operating systems. When this happens, it’s time to let them go. Remember that the investment in upgrading your devices is far lower than the cost of a data breach.
7. Perform Regular Backups
Even following all cybersecurity best practices cannot serve as a 100% guarantee that your data is safe. You should still be prepared in the event that any of your assets become compromised.
Aside from being good practice in general, regularly backing up your data helps ensure that you can continue operations in the event of a virus or ransomware attack. In fact, having a recent, uncorrupted backup is the only way to recover from ransomware attacks without paying the ransom.
When searching for a solution, keep in mind that malware can go undetected for a long time before showing obvious symptoms. For this reason, be sure to work with a provider that offers the longest-possible version history that your budget allows.
It’s also a good idea to follow best practices for your backup strategy, especially as it pertains to the number of copies and frequency of backups. Some businesses — such as those that deal with a high volume of constantly changing data — will need to perform several backups each day. In contrast, others can get away with a single backup overnight or during periods of little activity. Only you and your team can decide what’s necessary for your organization, which is why you need to have a high-ranking IT specialist.
8. Monitor Privileged Users
High-level authorization within your organization is necessary, though it poses a significant risk. Verizon’s DBIR indicates that internal actors accounted for 30% of all data breaches in 2020. You want to trust your teams — and you should do your best to hire trustworthy people — but you should still keep an eye on them.
You don’t necessarily need someone sitting in a room watching every move your users make in real time. Still, your security software or MSSP solution should be smart enough to recognize suspicious behavior through user activity monitoring before it becomes a problem.
With that said, do take care in implementing this practice. In an era with seemingly limitless surveillance technology, there’s no shortage of privacy concerns. Be transparent about your monitoring practices, including what you’re looking for, what kind of data may be collected, and why. Further, if there is an incident, be sure to keep the evidence presented in context. You want to differentiate between malice and mistakes, and making accusations is an excellent way to put even innocent people on edge.
Finally, when someone leaves the company, access should be revoked immediately to prevent them from using outdated credentials to wreak havoc on your network.
9. Use Zero Trust Architecture
It’ll take some work to implement, but one way to minimize risks from users with high clearance levels is to use Zero Trust security.
Zero Trust is a comprehensive approach to security that operates on the premise “never trust, always verify.” Rather than a particular technology or solution, it is a philosophy that combines the following security principles to protect your assets:
- Extensive authorization — authorize and authenticate based on all available data, including identity, location, service requested, and more.
- Least privileged access — only allow just enough access for an authorized user to complete the task at hand and only grant access at the moment it becomes necessary.
- Assume breach — use micro-segmentation to break up access into smaller authorized “zones” so that no device has free rein to move about the network and data systems.
Additionally, Zero Trust architecture breaks down entities into six components — identities, devices, data, apps, infrastructure, and network. Each of these components has its own security concerns, so each of them is handled separately according to your organization’s needs.
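The three principles listed above, and the treatment of identity, device, network and app as separate components, can be expressed as a single access-decision function that every request must pass. The following is an added example, not the article's or any product's code: the zones, roles, services, allowed countries and the just-in-time grant format are assumptions made up for illustration. It denies by default, checks identity (MFA), device posture, location and segmentation separately, and only then looks for a time-boxed grant for the exact service requested.

```python
"""Zero Trust style access decision: verify every request on every dimension.

Added example. The zones, roles, services, allowed countries and the grant
format are assumptions for illustration, not any real system's policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed micro-segmentation: each service lives in exactly one zone, and a
# role may reach only the zones listed for it.
ZONE_OF_SERVICE = {"hr-db": "hr", "payroll-api": "hr", "build-server": "eng", "git": "eng"}
ROLE_ZONES = {"hr-analyst": {"hr"}, "developer": {"eng"}, "sre": {"eng", "hr"}}
ALLOWED_COUNTRIES = frozenset({"US", "CA"})  # assumed location policy


@dataclass
class Grant:
    """A just-in-time grant: least privilege means access is per service and expires."""
    user: str
    service: str
    expires: datetime


@dataclass
class Request:
    """Everything the policy engine is told about one access attempt."""
    user: str
    role: str
    service: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    country: str
    when: datetime


def decide(req, grants, allowed_countries=ALLOWED_COUNTRIES):
    """Return (allowed, reason). Every check must pass; the default answer is deny."""
    # Identity: a password alone is not proof of identity.
    if not req.mfa_verified:
        return False, "identity: MFA not verified"
    # Device: only managed, patched endpoints may touch internal services.
    if not (req.device_managed and req.device_patched):
        return False, "device: unmanaged or unpatched"
    # Location: part of the "all available data" used for authorization.
    if req.country not in allowed_countries:
        return False, f"location: {req.country} not permitted"
    # Segmentation: the role must be allowed into the service's zone.
    zone = ZONE_OF_SERVICE.get(req.service)
    if zone is None:
        return False, f"service: unknown service {req.service}"
    if zone not in ROLE_ZONES.get(req.role, set()):
        return False, f"segmentation: role {req.role} may not reach zone {zone}"
    # Least privilege: a grant for this user, this service, still within its window.
    active = [g for g in grants
              if g.user == req.user and g.service == req.service and g.expires > req.when]
    if not active:
        return False, "least privilege: no active just-in-time grant for this service"
    return True, "allowed"


def issue_grant(user, service, now, minutes=60):
    """Create a short-lived grant; the duration is an assumed default."""
    return Grant(user=user, service=service, expires=now + timedelta(minutes=minutes))


if __name__ == "__main__":
    now = datetime(2021, 3, 1, 10, 0)
    grants = [issue_grant("dana", "hr-db", now)]
    req = Request("dana", "hr-analyst", "hr-db", True, True, True, "US", now)
    print(decide(req, grants))
```

Each denial names the component that failed, which is what makes the six-component split useful in practice: a device failure and an identity failure call for different remediation even though both produce the same "no".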
10. Protect the Home Office
2020 completely changed the way we do business, pushing nearly everyone whose job allowed it into home offices. While the overall workforce was already seeing a gradual trend toward work from anywhere (WFA) policies, the sudden shift poses a staggering cybersecurity challenge.
Insufficiently secured home offices and data transfers over unsanctioned platforms (such as personal email and instant messaging) are likely to play a major role in data breaches in 2021. Organizations can combat this by investing the resources necessary to shore up security for home networks and devices used for business and providing specific security training designed to encourage safe behavior.
Researchers at Bitdefender suggest that employees are likely to take shortcuts for convenience while working at home. During training, everyone needs to learn about steps they can take to help keep your organization’s assets secure, such as:
- Designating a safe, private workspace.
- Keeping confidential information away from other members of the household.
- Keeping children away from the computer during work hours.
- Closing all browsers and applications as well as disabling access to company materials when not working.
It’s also a good idea to start using a VPN for an additional layer of security. The free services are tempting, but it’s unlikely that they are as secure as enterprise solutions. Just be sure to do your due diligence when selecting a service provider; the last thing you need is for the solution you choose to be the cause of a data breach.
Software To Put These Cybersecurity Best Practices in Action
Diligent is the world’s largest governance, risk and compliance SaaS company, committed to helping your organization comply with ESG standards, mitigate risks and educate leadership on new developments that affect the way we all do business. Contact us today to discover how we can work together to ensure you are meeting the cybersecurity best practices and furthering the goals of your organization.