Part 3: Cybersecurity Steps Every Business Must Take

Posted by Mike Battistella December 5, 2019

In this final article of our three-article series, we will be cover four remaining areas that every business must secure to protect itself from cyberthreats and to ensure the cyber safety of their business. If you didn’t get a chance to read the first or second articles, please give them a read through.

“Cybersecurity is the protection of computer systems from theft and damage to the hardware, software or information, as well as from the disruption, or misdirection, of business services.”

 

Cybersecurity area #9: mobile security

The freedom and flexibility of mobile devices are incredible. The improvements in efficiency and the ability to provide a rapid response cannot be overstated; it’s great. Along with all the benefits also comes all the associated risks, additional costs and importance in adhering to security best practices concerning these same mobile devices. The concerns are not limited to just mobile devices provided by the company to its employees but also any personal devices brought in by those same employees, business partners and, yes, clients.

Best practices around mobile devices include, but are not limited to the following:

  • Utilize strong user authentication for device access and after screen lock-out
  • Keep the mobile device OS and applications updated with the latest patches
  • Regularly back up device data to an external hard drive and the cloud
  • Encrypt your mobile device data at rest and for data in motion
  • Always use a secure transport (i.e. VPN) when attaching to a public network
  • Enable the ‘find my phone’ option in case the phone is lost or stolen
  • If available, enable the ability to perform a remote wipe of your device if lost or stolen
  • Disable device Wi-Fi and Bluetooth when not in use or needed
  • Only allow authorized mobile devices to connect to your network or Bluetooth server
  • Configure continual scanning for non-authorized connection of Bluetooth devices

Cybersecurity Area #10: Data Encryption

Data Encryption is simply changing the data format to a format that cannot easily be interpreted by the reader. The data is encoded and then the reader must have a mechanism of decoding the data so it can be understood. Typically, the encoding of data involves a “key” that is also passed to the reader so that the receiving data can be “unlocked” using the key. Encryption tools are available and should be utilized to encrypt sensitive data on your hard drive, for the sending of sensitive data via email & text – and anytime the loss of this data would have a negative impact you your business, your person or your reputation.

Best practices around data encryption include, but are not limited to the following:

  • Utilize highly rated data encryption applications and vendors. Don’t leave it to chance.
  • Maintain security around any encryption key. It’s what gets you, and anyone else, in.
  • Encrypt any type of data that you consider sensitive and would not want out in public.

Cybersecurity area #11: security policy

The importance of a security policy is that it clearly sets the expectations of the organization and the employees and business partners of that organization. The security policy sets the standards, guidelines, and rational for the policy. It also includes the potential repercussions of not following the policy as it is defined. The policy also allows decision makers and allows cybersecurity personnel the ability to take necessary proactive and/or remediation actions without fear of reprisal if something goes wrong.

The security policy also provides a baseline standard upon which audits can be conducted. To successfully perform an audit, there must be some standard that reality is being compared to. It’s the shortcomings or gaps between what the policy states and what the audit reveals that are areas for remediation and improvement.

The security policy should cover key areas specific to the organization, such as acceptable use of company technology and email, guidelines around the use of personal devices, password construction and protection, remote access, and wireless technology. There are many other areas such as data usage, protection and end-user training – but these are too extensive to cover in this article.

The security policy can become the legal standard that the organization has set to protect its human resources and decision makers. It allows people the ability to take necessary actions without fear of reprisal if the organization is compromised. It also establishes a standard and clearly provides expectations of the organization where cybersecurity is concerned.

Cybersecurity area #12: end-user awareness

Having corporate expectations of employee behavior, as it pertains to cybersecurity and the organization cybersecurity posture, would be unfair without providing formal training around that policy and posture. Human error, be it carelessness or just not being aware, has become the number one entry point for hackers. Providing this type of training raises cyberthreat awareness among team members regarding the types of threats, how to recognize them, how to avoid them and even how to respond to an active threat.

End-user awareness training will increase your employee’s ability to contribute to the security of the organization and to participate in a strong cybersecurity culture. By equipping employees to recognize and respond to various types of security threats, many cyberattacks can potentially be circumvented.

You can’t hold employees accountable for what they do not know or what they are not aware of. Ongoing end-user awareness training in conjunction with a clearly defined security policy equip your team for to better contribute to a strong security posture.

Conclusion

The goal of this series of articles is to provide insight into establishing a bare minimum cyber posture for any business. This is not the complete picture but a baseline that all businesses should establish. Incorporating all twelve of these areas are a great starting point to build upon and a “definite” for any business that is not sure where or how to get started.

Some additional recommendations when establishing your security posture:

  • Avoid a “checklist” approach. Cybersecurity is not a “one and done” item on a ‘to do list.’ It is an ongoing and recurring activity which also includes process integration.
  • Incorporate a fluid and dynamic risk management approach.
  • Define and implement a fluid and dynamic risk management process and incorporate continual service improvement (CSI).
  • Utilize government and industry resources to review and identify risks & vulnerabilities. These resources are readily available from the FCC, DHS and NIST.

If you believe there are deficiencies in any of the areas, reach out to your cybersecurity professional and get the help you need to keep cybertheft to a minimum. If you don’t know who to reach out to, reach out to me. I’ll get you pointed in the right direction.

If interested, please go to our website to download our infographic depicting “The Definite Dozen” as defined in this article series. www.Solutions3LLC.com/dozen

Mike Battistella
View More Posts
Mike Battistella is the President of Solutions3 LLC, an IT Management Company focusing on cyber security management, network & systems management, IT service management, critical notification management and technical & soft skill training.