A thorough information security policy sets the standard for an organization to follow with respect to security practices and compliance. It should reflect relevant industry guidelines, such as those provided by FINRA.

Security policies are only effective if they are understood and put into practice. Conduct annual cybersecurity awareness training that is mandatory for all personnel in order to train them regarding how to identify and respond to common cybersecurity threats (i.e., never open links or attachments in emails from unknown sources, etc.)

Establish a patch management policy for all company computers and devices. All operating system patches that address severe risks should be evaluated and installed right away. Inertia is the hacker’s ally; a patch for the operating system exploit used by the WannaCry attack had been available since March 2017 and yet, had not been applied to a large number of computers around the world when the attacks began in May.

In addition to a patch management strategy, all company devices should have the latest antivirus protections, standard configurations, and well-defined administrative controls. Consider how to remotely wipe a device if it should be lost, rather than risking it becoming an asset for an attacker to use.

Sensitive data should be encrypted both in transit over networks as well as at rest on servers. All laptops and desktops should have full disk encryption to protect sensitive data should the device be lost, which is common for laptops.

Information need not be in a digital format to be compromised. Enforce clean desk policies. Never write down passwords and store them only in a secure place.

Strong/complex password guidelines should be established and enforced. This should be coupled with active password rotation which expires passwords and forces them to be reset at least every three months. Users may chafe at these practices, but not more than if they get hacked.

Many systems (such as Home Depot’s in 2014) are compromised using hacked vendor systems as the initial point of attack. Create a third-party vendor questionnaire to make sure that all vendors meet minimum security standards, and have all third-party vendors sign confidentiality agreements. Consider vendor contracts with security provisions to provide legal recourse in the event of a breach.

Make sure that systems are backed up frequently (ideally daily) with a private encryption key and be sure that the scope of data that is backed up is sufficient to restore the business to full operation in the event of an emergency. Effective backups are one of the best defenses against ransomware attacks like WannaCry.

Establish a social media policy and train staff members to protect their personal information on social media. Information disclosed via social media can be used by hackers to conduct social engineering, which are tactics used to dupe targets through familiarity or social pressure. Do not reuse the same personal security questions for any system that is work-related; a favorite sports team used as a security answer could easily be deduced from social media for example.