To hear our podcast, featuring Fulcrum Group CEO & President Steve Meek and Mastery Partners' Tom Bronson on this topic, go here.
Being a business owner is fraught with risk. Getting started, driving sales, entering new markets, redefining services or investing in technology all take some calculation to protect your organization. Cybersecurity is one more risk area that owners should be aware of and give some regular time to.
I created this list of ten ideas to help owners take simple, inexpensive actions towards protecting their business and their livelihood from security threats.
10 Low-Cost Cybersecurity Actions You Can Take Now:
- Cybersecurity starts at the top. There is a reason executive involvement in security is a requirement in many compliance frameworks, such as HIPAA: you make all the difference. If you really want something done the right way, your involvement, your questions, your incorporating security into growth plans and your understanding of the entire organization go a long way. You don’t need 10 hours a week to make a difference, but two hours a month, every month, means you know what’s going on and understand your organization’s efforts to protect its applications and data. Our most secure clients are almost always a reflection of a committed executive at the top, and not necessarily of security dollars spent.
- Track devices on your network. There is probably a lock on the outside door of your office because you want to control who comes in. Any device on your network could introduce security problems. Smaller organizations can whip out the old spreadsheet and track everything they purchase to keep control of what goes on the network. Tracking device name, serial number, MAC and IP address, purchase date, disposal date, and who has the device or where it’s located gives you a baseline against which anything unexpected stands out. That’s part of the challenge of work from home: the typical home network carries a whole bunch of devices that could be impacting performance or security and are outside your control. But increasing security starts with managing what you do control, so start here, where it’s easy. There are also low-cost tools or partners that can automate this task with agents or scanning appliances that continually see what’s on your network. Much of what they find falls under the label “Internet of Things,” which really means printers, cameras, thermostats and other devices that connect to your network but were not built with security in mind.
- Know your important business software. Owners should know every piece of software on their network to ensure the applications have a proper security configuration, get patched regularly, are centrally managed and are limited to applications you know to be safe. You also want to make sure important data can be backed up and restored when your employees or the business need it. Documenting is helpful for standardizing across similar user groups and making sure your teams have the tools they need to complete the work assigned. While these can be manually tracked, I’d highly suggest a software inventory tool or vendor to help you automate the process.
- Train your employees on cyber hygiene. No employee wakes up and tries to click a bad link. The constant pressures of work, home, clients and people push security thinking to the back. You can find or buy presentations online to do annual trainings. We began including security training videos for our clients that track completion in our offering, because it helped reduce the number of security incidents and emergencies our team had to jump into. Requiring each employee to complete four five-minute security awareness training videos a month could save your company thousands and thousands of dollars. If you can’t do that, at least watch the videos yourself. The top targets for spear phishing attacks are C-suite executives, the finance department and IT professionals. These targeted attacks focus on us because we have more access, are closer to the money and are usually very busy. It’s like the old Sam Kinison joke: if you’re hungry, move to where the food is.
- Remove former employees from your systems. Sometimes the rush of business makes it hard to transition out departing employees when the focus is on bringing in new team members. When we review new clients we sometimes find old accounts still enabled that could allow a former employee to connect to the network and access information. Don’t leave those open holes in your network. There are all kinds of scripts and tools that can pull the information you need. We usually target the last time the user logged on, the last time the password was changed and other important nuggets from Windows Active Directory.
- Lock down who has administrative access. You own the company, so you should have access to everything. While that may be true, you usually don’t want that access attached to your everyday account, the one that reads email and opens attachments. The principle of “least privilege” says people should have only enough access to do their jobs. Giving the people who genuinely need administrative rights a separate administrative account lets them run installations or complete other permission-related tasks without exposing those rights all day long. It also makes your periodic reviews of who has administrative access easier, so you can confirm that only a small number of people hold it.
- Separate employee smart phones from business wireless. You probably already have a guest wireless network for non-employees with devices. The idea is that you don’t want non-corporate assets potentially impacting your business network. I suggest extending that concept to employees' smart phones, home tablets or other miscellaneous stuff. Most wireless networks support multiple SSIDs, so there is no additional cost to create three SSIDs: laptops, smart phones and guest users. “Laptops” can have access to servers and network data. “Smart phones” can provide Internet access without access to servers or data, which they shouldn’t be touching anyway. “Guest” provides Internet access only and, depending on your firewall, can be limited in the bandwidth that SSID uses or given stricter filtering of the sites guests can reach.
- Revisit your Office 365 configuration, with security in mind. Maybe you’ve spent a lot of money on great security tools to protect your logical network. But Office 365, hosted applications and other cloud services are their own systems and might be gaping security holes in your operations. Fortunately, Microsoft knows this and created Microsoft Secure Score. This built-in tool evaluates your tenant against a list of security best practices and shows you which ones you haven’t met, so you can close some of these holes. Some recommendations aren’t available until the next licensing tier of 365, but quite a few can be configured for free, assuming someone has the technical experience to plan and make the specific changes. Stop reading this now, do it today.
- Read the news. Treat all those cybersecurity “new ransomware” stories as reconnaissance. If you read about a new threat or a patch that needs to be applied, ask your IT or support person whether you are protected. Understanding where threats are coming from can help you selectively mitigate current risks until you can afford a risk assessment and/or develop security operations to complement network support. Those are different skill sets from day-to-day network support.
- Review your cyber insurance policy. We usually review our clients’ cyber insurance applications to make sure what they think they have is correct. Too many times we find wrong information that would most likely invalidate a claim. And while most providers like us carry E&O and cyber coverage for possible negligence on our part, you will want to make sure you also have the protection of a cyber insurance policy for your own people’s negligence.
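The “Track devices on your network” item above describes comparing what is actually on the LAN against an inventory spreadsheet. The following PowerShell is an added example, not code from the original post or from Fulcrum Group: it reads a CSV inventory (a constructed two-row sample is written if none exists), pulls the local machine’s IPv4 neighbor (ARP) table with Get-NetNeighbor, and reports any active MAC address that is not in the inventory. The column names, file path and filtering thresholds are assumptions to adjust for your own spreadsheet.

```powershell
# Added example (not from the original post): flag devices seen on the LAN that
# are not in the inventory spreadsheet. Assumes Windows 8 / Server 2012 or later
# (Get-NetNeighbor) and a CSV with MAC, Name, Owner and Disposed columns.
$InventoryPath = '.\device-inventory.csv'

# Constructed sample inventory, written only if you have no spreadsheet yet.
if (-not (Test-Path $InventoryPath)) {
@'
MAC,Name,Serial,IP,Owner,Purchased,Disposed
00-11-22-33-44-55,FRONTDESK-PC,SN0001,192.168.1.20,Reception,2021-03-01,
00-11-22-33-44-66,OWNER-LAPTOP,SN0002,192.168.1.41,Owner,2022-06-15,
'@ | Set-Content -Path $InventoryPath
}

# Known MACs, normalized to Windows' AA-BB-CC-DD-EE-FF form; disposed devices
# are excluded so a retired laptop that reappears is flagged, not ignored.
$Known = Import-Csv $InventoryPath |
    Where-Object { -not $_.Disposed } |
    ForEach-Object { $_.MAC.ToUpper().Replace(':', '-') }

# The neighbor table only lists hosts this machine has recently exchanged
# traffic with, so run this from a machine that talks to most of the LAN
# (or ping the subnet first). Skip broadcast, multicast and empty entries.
$Seen = Get-NetNeighbor -AddressFamily IPv4 |
    Where-Object {
        $_.State -in 'Reachable', 'Stale', 'Delay', 'Probe' -and
        $_.LinkLayerAddress -notmatch '^(00-00-00-00-00-00|FF-FF-FF-FF-FF-FF)$' -and
        $_.IPAddress -notmatch '^(224\.|239\.|255\.)'
    }

$Unknown = $Seen |
    Where-Object { $_.LinkLayerAddress.ToUpper() -notin $Known } |
    Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias

if ($Unknown) {
    Write-Warning "$(@($Unknown).Count) active device(s) are not in $InventoryPath"
    $Unknown | Format-Table -AutoSize
} else {
    Write-Host 'Every active neighbor matches the inventory.'
}
```

Run it weekly from a machine on the office network; anything it flags is either a purchase that never made it into the spreadsheet or something that should not be there, and both are worth a question.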
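The “Remove former employees” and “Lock down who has administrative access” items above both come down to the same periodic Active Directory review: which enabled accounts have not logged on or changed their password in a long time, and who actually holds administrative group membership. The following PowerShell is an added example, not code from the original post or from Fulcrum Group; it assumes the RSAT ActiveDirectory module and read access to the domain. The 90-day threshold and the list of privileged groups are assumptions, and the script only reports; the disable commands at the end are left commented out for you to run per account once a hit is confirmed.

```powershell
# Added example (not from the original post): stale-account and admin-membership
# report from Active Directory. Assumes RSAT ActiveDirectory and domain read access.
Import-Module ActiveDirectory

$StaleDays = 90                               # assumption; tune to your business
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled user accounts with no logon AND no password change since the cutoff.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
#    (it can lag real activity by up to 14 days), so treat hits as leads to
#    confirm with HR, not as proof the person has left.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, PasswordLastSet, whenCreated, Description |
    Where-Object {
        (-not $_.LastLogonDate   -or $_.LastLogonDate   -lt $Cutoff) -and
        (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff) -and
        $_.whenCreated -lt $Cutoff        # ignore brand-new accounts not yet used
    } |
    Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet, whenCreated, Description |
    Sort-Object LastLogonDate

$Stale | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
$Stale | Format-Table -AutoSize

# 2. Who holds administrative rights. -Recursive expands nested groups so a
#    member hidden two groups deep still shows up. Every name here should be a
#    dedicated admin account, not the account someone reads email with.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Admins = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_.SamAccountName -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}
$Admins | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 3. For a confirmed departure: disable rather than delete (keeps the SID and
#    mailbox available for any later investigation) and record why.
# Disable-ADAccount -Identity 'jdoe'
# Set-ADUser -Identity 'jdoe' -Description "Disabled $(Get-Date -Format yyyy-MM-dd): left company"
```

An account that appears in both lists, a privileged account nobody has used in three months, is the first thing to chase. Once that is clean, the review becomes a short monthly habit rather than a project.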
While these tips are low cost, you still must make base investments in first-level risk-busting tools such as anti-malware, firewalls, email filtering, backup technologies and others. Cybersecurity can seem like an overwhelming concern, but with these ten tips, you can move the needle, even on