Does paying attention to the risk of cyber attacks sound expensive, complicated and a distraction from your business plan? Are you burying your head in the sand and hoping that this risk will pass your organization by?
As an incentive to act, recognize that a successful cyberattack can cause the demise of your organization through:
- A high extortion payment to recover from a ransomware attack.
- A lawsuit settlement payment and loss of reputation due to a data breach.
Take these small steps to significantly reduce the risk of a successful cyber attack affecting your organization.
Strengthen cybersecurity awareness of staff
Many cyberattacks start with a phishing attack that tricks one of your employees or contractors into clicking on a link that downloads malware.
You can raise the awareness of employees and contractors about the dangers of phishing attacks, which significantly reduces the risk of a successful phishing attack. This article outlines a good action plan: "Wake up your employees: How to reduce cyber security risks with employee training." For more details on reducing the risk of a phishing attack, see the resources of the Anti-Phishing Working Group (APWG).
Implement a computing use policy
Unfortunately, some employees increase the risk of cyberattacks through thoughtless Internet browsing and inadequate credential management.
You can quickly develop an acceptable use policy for corporate computers and the Internet. Include these features:
- Describe acceptable and unacceptable uses.
- Ensure the policy includes a prohibition on sharing credentials.
- In the age of working from home (WFH), describe your expectations of what employees will do to competently manage their in-home computing environment.
- Insist that every employee and contractor review and sign the policy.
- Communicate that violations of the policy are recorded in the employee's personnel file and will play a role in evaluating performance, calculating bonuses, considering promotions and, possibly, deciding on termination.
Review the scope of MSP services
Your Managed Services Provider (MSP) is most likely operating your computing infrastructure in accordance with the contract you have agreed to. Too often, this work is insufficient to reduce the risk of cyber attacks.
You can easily broaden the scope of services to include work related to reducing the risk of cyber attacks by ensuring the following services are included in the contract:
- Update operating systems on all devices.
- Monitor firewall effectiveness.
- Maintain anti-virus software.
- Protect your network.
- Confirm that the data backup process is operating correctly.
Many websites provide helpful information to reduce the risk of a cyber security breach. This one, Secure Computing at MIT, is comprehensive and exceptionally well written because it avoids techno-speak.
Review system access
The negative impacts of cyber attacks often multiply because too many active accounts with excessive system access privileges exist for hackers to hijack. For example, sometimes:
- Poorly developed software packages require end-users to have considerable system access privileges to perform their roles.
- Poorly implemented applications based on Software-as-a-Service (SaaS) give end-users more system access privileges than they need.
- Database administrators are lazy and simplify their work by giving themselves unnecessary, god-like access.
You can strengthen your system's access controls by regularly reviewing and pruning the privileges assigned to all end-users. Delete accounts for employees who are no longer with your organization. Define as few generic accounts and email addresses as possible.
For more information on how best to review your system access risks, see this article.
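One way to carry out the review described above, as an added example that is not part of the original article: a short Python script compares an export of accounts with the current staff list and flags accounts of people who have left, privileges beyond what the job needs, and generic accounts. The sample data, column names, job functions and privilege names are all constructed for illustration.

```python
"""Access review over a constructed account export (added example)."""
import csv
import io

# Constructed sample data: active staff and their job function (assumed names).
ACTIVE_STAFF = {"asmith": "accounting", "bjones": "dba", "cwong": "sales"}

# Least-privilege baseline: the privileges each job function needs (assumed).
BASELINE = {
    "accounting": {"ledger_read", "ledger_write"},
    "dba": {"db_backup", "db_schema"},
    "sales": {"crm_read", "crm_write"},
}

# Constructed export of accounts; an empty owner marks a generic account.
ACCOUNT_EXPORT = """account,owner,privileges
asmith,asmith,ledger_read;ledger_write
bjones,bjones,db_backup;db_schema;db_superuser
dlee,dlee,crm_read
cwong,cwong,crm_read;crm_write;ledger_write
info,,crm_read
"""


def review_accounts(export_text, active_staff, baseline):
    """Return (account, finding, detail) tuples that need follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        account, owner = row["account"], row["owner"].strip()
        granted = set(filter(None, row["privileges"].split(";")))
        if not owner:
            # Generic account: no individual is accountable for its use.
            findings.append((account, "generic", "no named owner"))
        elif owner not in active_staff:
            # Owner is no longer with the organization: delete the account.
            findings.append((account, "orphaned", "owner not on active roster"))
        else:
            # Anything granted beyond the job's baseline should be pruned.
            excess = granted - baseline.get(active_staff[owner], set())
            if excess:
                findings.append((account, "excess", ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for account, finding, detail in review_accounts(
            ACCOUNT_EXPORT, ACTIVE_STAFF, BASELINE):
        print(f"{account:8} {finding:9} {detail}")
```

Running the same check on a schedule, for example quarterly, turns the review into a routine rather than a one-time cleanup.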
To explore additional ideas for protecting your business and home from cyber risks, please read Get Cyber Safe. Get Cyber Safe is a federal government website that was created to inform Canadians about cyber security and the simple steps they can take to protect themselves online.