People: Disgruntled or uninformed employees are one of the most significant risks to any organization. An unhappy employee with access to IT systems and applications can wreak havoc in an organization, especially those employees who work in IT and have privileged administrative rights. Uneducated employees are prime targets for phishing attacks or other social engineering tactics to gather information, access, and online credentials.
- Have all my employees done cyber security training? Training needs to be part of the onboarding process for new employees and should be done for all employees at least once a year. Many organizations add additional security training (and testing) by secretly putting employees in situations to test how they would respond. For example, by planting USB drives on the floor in or around the office, the security team can test employee knowledge and practice of USB use and security.
- Consider background checks. Many businesses and organizations require background checks before they hire an employee or accept a volunteer. Several services are available to consider if you feel it is needed for your business.
- Physical security plays a role. Although it technically may not be considered cyber security, physical control of who enters the workplace is essential for both personal safety and cyber safety. It keeps the wrong people out of a building where computer screens may display applications and data, or where files left on desks may contain information useful to an attacker. Physical security can even help with forensic work if there is a breach. Ask yourself: Even though we use gates and badges, are employees “sneaking in” behind the car in front of them when the gate goes up? Are all employees scanning their badges, or is a group walking in together as one employee opens the door?
- Third-party partners can be the overlooked risk. If you outsource any of your work to third parties and they have access to your IT systems, this is a risk factor that must be addressed. Some of the most significant breaches have been attributed to bad actors getting in via a third-party partner credential. Sit down with your partners, make sure their security is acceptable under your policies, and ensure there is a security clause in your contract with them.
Process: Various processes can add layers of security and control, making it more difficult for bad actors to impersonate an employee or use their credentials. Other processes are mandatory to address regulations and guidelines.
- Two-step or multi-factor authentication. This also can be considered under technology, but using at least two factors to access your systems and data is a must-do in today’s computing environment.
- Keep passwords unique, and don’t reuse them. Passwords are here to stay, at least for the foreseeable future, so make sure you practice good password hygiene and use strong passwords or phrases that are long and easy for you to remember but hard for anyone else to figure out.
- Compliance. If regulations govern your company, are you meeting all the audit demands? The regulations are often presented clearly; it’s up to you to put in place the processes and procedures to implement them.
Technology: Today, everything is Internet-connected. The technology you protect from intrusion and tampering ranges from routers, VPNs, computers, and mobile devices to databases and servers, cloud services, software applications, copiers and printers, and more.
The National Cyber Security Alliance and the U.S. Department of Homeland Security team have assembled an excellent technology checklist to use year-round, not just during National Cyber Security Awareness Month. It provides a comprehensive list of technologies you need to consider and tips for protecting them. If you don’t have a cyber security technology checklist, it’s a great place to start. You can download it here: https://staysafeonline.org/wp-content/uploads/2017/09/Technology-Checklist-for-Businesses.pdf.
Cyber security is not something you want to leave up to chance. Would you like to request a consultation to see how ZZ Servers can support your cyber security needs? Contact us today.