1. Establish an Information Security Policy
A thorough information security policy sets the standard for an organization to follow with respect to security practices and compliance. It should reflect relevant industry guidelines, such as those provided by FINRA.
2. Build Cybersecurity Awareness
Security policies are only effective if they are understood and put into practice. Conduct mandatory annual cybersecurity awareness training for all personnel so they learn how to identify and respond to common cybersecurity threats (e.g., never open links or attachments in emails from unknown sources).
3. Proactively Manage Patches
Establish a patch management policy for all company computers and devices. All operating system patches that address severe risks should be evaluated and installed right away. Inertia is the hacker’s ally: a patch for the operating system vulnerability exploited by the WannaCry attack had been available since March 2017, yet it had not been applied to a large number of computers around the world when the attacks began in May.
4. Be Mindful of Device Management
In addition to a patch management strategy, all company devices should have the latest antivirus protections, standard configurations, and well-defined administrative controls. Consider how to remotely wipe a device if it should be lost, rather than risking it becoming an asset for an attacker to use.
5. Encrypt Devices and Sensitive Data
Sensitive data should be encrypted both in transit over networks and at rest on servers. All laptops and desktops should have full disk encryption so that sensitive data is protected if the device is lost, which is common for laptops.
6. Protect Information Wherever It Resides
Information need not be in a digital format to be compromised. Enforce clean desk policies. Never write passwords down, and store them only in a secure place.
7. Make Sure Passwords Are Not as Easy as 1-2-3
Strong, complex password guidelines should be established and enforced. These should be coupled with active password rotation that expires passwords and forces them to be reset at least every three months. Users may chafe at these practices, but far less than they would if they were hacked.
8. Actively Manage Vendors
Many systems (such as Home Depot’s in 2014) are compromised using hacked vendor systems as the initial point of attack. Create a third-party vendor questionnaire to make sure that all vendors meet minimum security standards, and have all third-party vendors sign confidentiality agreements. Consider vendor contracts with security provisions to provide legal recourse in the event of a breach.
9. Conduct Regular, Comprehensive Backups
Make sure that systems are backed up frequently (ideally daily) with a private encryption key, and be sure that the scope of data backed up is sufficient to restore the business to full operation in the event of an emergency. Effective backups are one of the best defenses against ransomware attacks like WannaCry.
10. Don’t Overshare
Establish a social media policy and train staff members to protect their personal information on social media. Information disclosed via social media can be used by hackers for social engineering, a set of tactics that dupe targets through familiarity or social pressure. Do not reuse personal security questions for any work-related system; a favorite sports team used as a security answer, for example, could easily be deduced from social media.