Small and mid-size businesses are most likely to be at risk from cyber attacks, as they may lack knowledge or awareness of their risk and cannot afford expert advice. Fortunately, you do not need to be an expert to take basic steps to improve your cyber security. Jody Westby, CEO of Global Cyber Risk, has posted 20 steps for improved cyber security in Leader's Edge magazine.
I found this list to be quite helpful, so I have shared my favorite parts with you along with my personal comments and additions below:
- Develop a top level cyber security policy, and require all employees and contractors to abide by it.
- Assign an employee to be responsible for cyber security.
- If there is no knowledgeable employee on staff, assign a liaison with your service provider.
- Conduct background checks on employees in sensitive positions.
  - You should be doing this already; be sure it covers anyone with access to sensitive data, not only financial information.
- Develop policies and procedures on key cyber security issues (if not included in step 1), require compliance and have a disciplinary procedure for non-compliance.
- Develop and maintain (with regular updates) digital inventories of applications, data and hardware.
- Make unit leaders responsible for their data and applications.
- Classify and prioritize data.
- Establish strong access controls for systems and data, on a "least privilege" basis. Westby has a detailed list of controls.
- Remove local administrator rights from workstations.
  - In other words, users cannot change their software or computer settings without approval.
- Segment your network to protect sensitive operations with access controls and firewalls.
- Restrict the use of personal devices. No devices should be shared, even with family members.
- Establish rules for working at home or at remote sites. Devices must be secured at all times.
- Train all employees and contractors on cyber security policies and procedures and awareness of current threats.
  - Training must be ongoing, not limited to once a year or quarter.
- Restrict the use of removable media.
  - This applies to corporate and personal devices.
- Establish a process for return of IT assets from employees (especially terminated employees).
- Install anti-malware software, update it, and scan frequently.
- Replace equipment and software no longer supported by vendors.
If you find this list helpful and would like to learn more ways to protect your business from cyber attacks, we encourage you to reach out to our risk management expert Steven Sharkey at firstname.lastname@example.org or call (484) 684-1101. We would be happy to help in any way we can.