On an almost daily basis the news contains a story about an IT security breach, a ransomware attack or system downtime caused by malware. As we read these stories it begins to feel as if there is little that can be done to protect your company from the seemingly endless threats that exist in the cyber world. It’s true, the attackers are clever, their methods of attack evolve quickly and what was protected yesterday may not be protected today. So what can you do to protect your company?
Before throwing up your arms in frustration, remember that maintaining vigilance in very specific areas gives your company its best odds. Below I’ve listed five areas that all SMBs should prioritize to minimize the chance of becoming a statistic.
1. Endpoint Protection
Cyber criminals are capable of attacking your business from all angles. To make the situation more dangerous and chaotic, devices like smartphones and tablets that connect to your business’s network provide an easy and largely unwatched entry point for many types of threats. Making sure that only protected devices access your business network, and that those devices have current, approved endpoint protection, is critical.
It is also imperative that your company’s endpoint protection is centrally managed and that someone is accountable for reviewing endpoint statuses and remediating any deficiencies.
2. Basic Access Controls
Access control is a more complicated component of security, but it’s one of the most important areas to focus on. Access control to systems and networks needs to be tightly managed and reviewed often. A company’s access control should provide identification, authentication and authorization capabilities. Your company needs to know not only who has access to data and systems but what level of access they have.
3. Software and Patch Management
At its core, patch management allows for the update of software to address vulnerabilities as they are discovered. Your company needs to have a plan for patch management and the plan needs to be clearly communicated to employees as to when, how and, most importantly, why systems need to be patched. Exclusions for certain individuals because they are too busy or can’t wait for a device to reboot are an invitation for disaster.
Like all plans there is no point in having one if there isn’t a person accountable for the plan’s execution. Monitoring and enforcing compliance with the patching plan adds yet another layer of defense against the cyber criminal.
4. Documentation and Training
Documentation of systems, policies and procedures goes a long way towards helping address standards and non-compliance by those in the organization. Maintaining documentation regarding systems and access control prevents many of the “one off” fixes or changes that grow year after year and leave holes in your company’s security plan.
Training is the other area that, in my opinion, is the most overlooked component in the security prevention quiver. Training on the proper use of company IT assets, software systems and applications, internet activities and common cyber criminal phishing tactics are all items that companies large and small fail to address.
The difference between clicking on a link that brings disaster to the organization or not clicking may very well be the short training that an employee was given.
5. Data Backup
When all else fails, you will need to rely on your most current backups to keep the business running. Like the areas above it is more than a specific tool; it’s a process. With backup, there are a lot of different ways to go about it or things to think about, but the bottom line is that you need a fallback.
How long can your company be down or how much data can you afford to lose altogether? You’ll want to consider having both a file-based backup and an image-based backup solution, and make this part of the planning process when you plan your Restore Point Objectives (RPOs) as well as your Restore Time Objectives (RTOs).
Backup is the insurance that many business owners don’t want to pay for, but it is indispensable when a real disaster occurs.