No amount of money thrown at cybersecurity will create a 100% hacker-proof environment. But even on a limited budget, there are still simple steps you can take to make your organization more secure. The following are five actions and policies you can implement on a budget to keep your sensitive information safer.
(We’ll assume you already have enterprise network firewalls and anti-virus protections in place. But if not, start there!)
Internal Security Policies
Internal security policies are a great first step for any organization operating on a shoestring budget. That’s because, for the most part, they’re free! As your organization is establishing IT protocol and best practices, remember these points:
Culture is Vital
Organizational culture is the driving force that will make this measure a success or failure. If your organization has a culture where users follow policies and are held accountable when policies are not followed, then having formalized and documented Internal Security Policies is a great foundation. If oversight is slack and best practices are regularly ignored, creating these policies will not help protect your organization.
Policies Must Be Enforced to be Effective
As discussed above, policies are only powerful if they are enforced and have the support of the organization’s management team. If policies can be applied and enforced administratively (via systems/applications), that should take precedence over relying on the integrity and trust of users.
Document Your Policies
Documenting security policies helps users understand what they can and can’t do, but you have to get users to read it, which is never easy with long policies. To help, summaries and security trainings should be used to supplement the formal policies. In the end though, it all goes back to the organizational culture and holding your users accountable at all levels.
Gone are the days where everyone is working on a desktop computer in the corporate office. Modern work requires mobility and flexibility and, with that, securing communications via encryption should be a requirement.
Encrypt Your Communications
With working from home being part of the new normal, encrypting communications should be a requirement for all organizations. At a minimum, this means TLS (SSL) certificates for web communications and VPNs (virtual private networks) for network communications.
Virtual Private Network (VPN)
Outside of enterprise network firewalls, a VPN is another line of defense that should not be taken for granted. With remote work now common, you may not always know where your users are working from or what networks they are connected to. This uncertainty can be a blind spot when trying to keep cyber-threats out. Having an enterprise-level VPN in place gives you some assurance that your data and communications aren’t traversing an unsecured home, public, or wireless network in the clear.
Multi-factor Authentication (MFA)
MFA should be a default security measure for any external web application/service that has it available.
In addition to a password, MFA utilizes a second authentication factor to strengthen security. There are many MFA options, from mobile authenticator apps that provide authentication codes to physical hardware authentication keys.
Email and text-based MFA codes are simple options that are widely available and better than no MFA at all. But where authenticator apps or hardware keys are available, they are recommended over email and text codes, because current attack vectors target these simpler MFA methods. You can either use the stand-alone MFA feature built into the application/service or, if your environment and the application/service support it, enable Single Sign-On (SSO) with SAML 2.0 so that your enterprise SSO/MFA authentication is used.
Securing access to your physical and virtual devices with MFA is also important. These include laptops, desktops, servers, and virtual machines.
Password Policy is Still Important
Remember, having MFA doesn’t remove the need for a strong (and long) password policy; you need both measures to ensure a high level of security. Implementing MFA while using a weak password that can be cracked easily defeats the purpose of having MFA. Your goal should be to have multiple strong authentication measures in place to make it as hard as possible for bad actors to gain access to your accounts.
Educate Your Users About Phishing Scams
Phishing is one of the most common tactics bad actors use to infiltrate your network. These harmful emails may include fake links and websites to steal your users’ credentials; fake attachments and download links that install ransomware; or emails from bad actors impersonating others for monetary gain. All of these are common attacks that email security platforms can help block before they ever reach your end users.
Use Software to Scan for Harmful Attachments
Advanced scanning of attachments can prevent malicious software from being delivered to users via email. Certain software packages can detect suspicious attachments and fraudulent links before they reach anyone’s inbox, keeping a safe distance between your users and the bad actors.
Granular policies can be used to identify emails that should be held for further inspection by IT personnel or automatically rejected. These policies might include anti-spoofing, attachment management, blocked/permitted senders, impersonation protection, etc.
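The policy types just listed can be made concrete with a small rule engine. The following is an added example (not code from the original article or from any vendor's product) that parses a few constructed messages with Python's standard `email` library and applies the four policies named above: a blocked/permitted sender list, attachment management (rejecting executable and macro-bearing file types, including disguised names such as `invoice.pdf.exe`), anti-spoofing (a message claiming to come from your own domain must carry an SPF or DKIM pass in the gateway's `Authentication-Results` header), and impersonation protection (an external address using a protected executive's display name). The domain names, protected names, lure keywords and sample messages are all constructed for the example; the rules are deliberately simple.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Constructed policy data for this example; a real gateway loads these from its configuration.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "john smith"}        # executives who are commonly impersonated
BLOCKED_SENDER_DOMAINS = {"badmail.test"}
PERMITTED_SENDER_DOMAINS = {"partner.test"}         # trusted partners skip the subject-lure heuristic
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".iso", ".docm", ".xlsm", ".hta"}
SUSPICIOUS_SUBJECT = re.compile(r"\b(wire transfer|gift card|password (reset|expired))\b", re.I)


def _domain_of(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def _auth_passed(msg: EmailMessage) -> bool:
    """Simplified anti-spoofing check: rely on the gateway's own Authentication-Results header."""
    results = str(msg.get("Authentication-Results", "")).lower()
    return "spf=pass" in results or "dkim=pass" in results


def evaluate(raw: str) -> tuple:
    """Return (verdict, reasons): 'reject', 'quarantine' (hold for IT review) or 'deliver'."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    reasons = []
    from_hdr = msg.get("From")
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display = sender.display_name.strip().lower() if sender else ""
    domain = _domain_of(sender.addr_spec) if sender else ""

    if domain in BLOCKED_SENDER_DOMAINS:
        return "reject", ["sender domain is on the block list"]

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # endswith() catches both "tool.exe" and a disguised "invoice.pdf.exe"
        if any(name.endswith(ext) for ext in DANGEROUS_EXTENSIONS):
            return "reject", ["dangerous attachment type: " + name]

    if domain == INTERNAL_DOMAIN and not _auth_passed(msg):
        reasons.append("claims an internal sender but has no SPF/DKIM pass (possible spoof)")
    if display in PROTECTED_NAMES and domain != INTERNAL_DOMAIN:
        reasons.append("display name '%s' impersonates a protected user from %s" % (display, domain))
    if SUSPICIOUS_SUBJECT.search(str(msg.get("Subject", ""))) and domain not in PERMITTED_SENDER_DOMAINS:
        reasons.append("subject matches a known lure pattern")

    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=evil.test; dkim=none

Please wire the funds today.
"""

SAMPLE_ATTACHMENT = """\
From: "Accounts" <billing@vendor.test>
To: ap@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

SAMPLE_IMPERSONATION = """\
From: "John Smith" <john.smith.ceo@webmail.test>
To: cfo@example.com
Subject: Quick favor
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail.test

Are you at your desk?
"""

SAMPLE_CLEAN = """\
From: "Partner Rep" <rep@partner.test>
To: sales@example.com
Subject: Meeting notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.test

Notes from today's call.
"""

if __name__ == "__main__":
    for label, raw in [("spoof", SAMPLE_SPOOF), ("attachment", SAMPLE_ATTACHMENT),
                       ("impersonation", SAMPLE_IMPERSONATION), ("clean", SAMPLE_CLEAN)]:
        print(label, "->", evaluate(raw))
```

Note the ordering: outright rejections (block list, dangerous attachment) short-circuit, while the softer signals accumulate into a quarantine so IT staff can review a held message rather than silently losing legitimate mail.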
Assist Your Users However You Can
Even with all the training you give users on what not to do, it’s impossible to entirely prevent them from ever clicking a harmful link or opening a malicious attachment. Help them out with a system that can proactively block (and warn them about) certain risky actions in email. Protect your users from themselves!
Security Awareness Training
Educate and Update Your Users
Your users can’t know what they don’t know, so user education, especially on common and current scams and attack vectors, is critical to an organization’s overall security posture. Even if the training prevents just one user from having their account compromised, that is well worth the cost, given the potential losses a compromised account or ransomware event can inflict on your organization.
For users, the benefits of security awareness training are twofold. Not only does it help their organization stay more secure, but it can also help them keep their personal information and accounts secure.
Remember, there’s no way to guarantee absolute security. And putting any or all of the above measures into place won’t protect your organization completely. If you’ve read the news in the past few years, you know large enterprises with vast technology and security budgets are being breached. If that can happen to them, it can happen to anyone.
A primary goal for smaller organizations, then, should be to have security measures in place that block common threats and account for the user behaviors that can lead to a security incident. If you have more budget to put toward security initiatives, adding additional layers of protection that use artificial intelligence, machine learning, and third-party experts to analyze network traffic and user behavior is a great way to further strengthen your security profile.
If you have any questions about your cybersecurity options, or concerns about the vulnerability of your network, contact our IT Services Team.
©2021 Clark Nuber PS. All rights reserved.
This article or blog contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.