Implementing these essential policies and procedures will help keep your company’s most valuable assets secure.
No matter the size or nature of your business, protecting sensitive data is one of the most important challenges you’ll face. Cybersecurity is a huge concern as attackers get more sophisticated and their attacks cause more costly and damaging results. But you can protect yourself by taking a proactive approach to cybersecurity that will help to minimize your company cybersecurity exposure.
Before creating any kind of cybersecurity plan, you should assess whether you’re subject to any compliance framework, which naturally makes securing assets easier because those guidelines have built-in security controls. For example, retail facilities processing credit card data must maintain PCI compliance and medical facilities are subject to HIPAA regulations.
Even if your business has no pre-existing security frameworks, a basic security protocol should include:
- Documenting the environment – Take a close look at what assets require security measures
- Identifying Security Risks – Make a list of potential weak spots
- Performing a Security Audit – This hands-on assessment should include an unbiased external team who can confirm which gaps exist
- Creating a Gap Analysis/Risk Assessment Document – This document should clearly spell out minor and major risks, the plan to address the gaps and a to-do list of what needs to be fixed and how to achieve compliance
Generally speaking, areas of cybersecurity compliance can be broken down into three main categories. Focusing your efforts on these specific areas will help your business to reach optimum compliance with the least amount of effort. Here is a checklist for each of the three areas you can use to begin to assess your setup.
#1 Networking Security
- FirewallsThese are used to protect communication from outside intruders by analyzing data and determining whether the information is safe or not.
- Data SegmentationSegmenting network traffic based on individual departments or users can help to restrict access at the user level and help to keep valuable data protected.
- LoggingAll the equipment should have logging capabilities and audit controls, and login servers should show logging trail when there is a problem.
- MinimizationOverengineering the environment can have negative consequences and can potentially compromise security. The more complex the network, the more difficult it is to manage, which is why the technical team should always have the appropriate resources to manage the network environment that’s in place.
- Access ControlsThe network and equipment should have restricted access and there should always be an accurate log of who logged in and where, what changes were made, and the individual it can be traced back to if something goes wrong.
- Security of WirelessWireless connectivity should be well secured with an appropriate encryption algorithm and authentication.
- MaintenanceAll the measures put in place need to be regularly updated and the configurations should be validated at preset intervals. A network infrastructure is only as good as its maintenance.
#2 Desktop Security
- Antivirus/MalwareEvery desktop should have up-to-date anti-virus software installed to protect against viruses and malicious code.
- Access ControlsEach desktop should have a unique username and account that’s not shared with anyone else. The password should have regular expiration dates and should not be shared between people or groups.
- Account PoliciesThere should be explicit rules prohibiting the sharing of user names and passwords, in addition to restrictions on where users can log in, what users can access internally and externally and limits placed on individual accounts.
- User TrainingAll users should be made aware of security implications in regular training sessions.
- Hardened OS/FirewallThe operating system must be hardened and extra services not in use should be disabled, as they create doors for potential security vulnerabilities. A firewall should be enabled and configured on each desktop.
- Wireless/MobilePersonal phones and laptops are subject to the same security as work-issued computers and should have the same malware, antivirus, firewalls and access controls if they are also being used for accessing company drives and email.
- MaintenanceThe IT team should regularly maintain computing devices. It should not be left to the discretion of users to update systems.
#3 IT Assets Security
- Equipment Tracking
There needs to be an accurate record of every serial number on every piece of IT hardware being used at the company.
- Labeled Restrictions
Access to any equipment should be restricted at a BIOS level (which is where the data that flows between the computer’soperating system and attached devices such as the hard disk and printer).
- Equipment Restrictions
All equipment going in and out should be accurately recorded. If there is a separation of employment, established protocols should be performed before the equipment is removed from service.
Although this checklist of best practices is extensive, it is by no means comprehensive. Securing valuable assets can be a daunting effort and when you take into account personal tablets, PCs and mobile devices used to access your company network, the situation gets even more complicated.
The biggest takeaway from this should be that cybersecurity is a very important issue and that maintenance should be the biggest priority. Without proper maintenance, massive security problems can happen. Maintenance responsibilities must be clearly defined and assigned and should cover who is responsible for what equipment and how often updates should be performed.
Following all of these steps isn’t guaranteed to keep you safe from a security breach – those guarantees don’t exist in real life – but doing so will give you the best chance at avoiding cybersecurity breaches and minimizing damage should a breach happen.
Does your company need a formal cybersecurity risk assessment? Find out here.