In the last 10 years, we’ve seen huge advances in the sophistication of cyberattacks, including ransomware, malware, and phishing. In 2018 alone, billions of people were impacted by data breaches, nearly doubling in frequency from the previous year.
The good news is that there are many ways that organizations can protect themselves against cyberattacks—if they take the time and effort to embrace best practices and share them with their entire team.
Here are some of the top cybersecurity practices to pay attention to in 2020:
- Set strong passwords
It’s well past time to teach your employees to stop using their dogs’ names as passwords and share the importance of setting strong, secure passwords. A 2018 study found that more than half of Internet users re-use the same password for multiple services—so if one service gets hacked, all those passwords are ripe for the picking. Make sure that your employees choose unique, secure passwords for all of your enterprise accounts, using a service like 1Password or a random password generator. Check the strength of each employee’s password, and ask them to change it if it doesn’t pass the test.
- Use a firewall
A firewall is a network security system that creates rules for which traffic is allowed to enter your network. While firewalls have been around in various forms for more than 25 years, today’s enterprises can benefit from next-generation, threat-focused firewalls that use built-in sandboxing and advanced malware protection to immediately detect and eliminate threats. These NGFWs provide the best possible security for your enterprise’s network, so make sure that you take the time to research and invest in one that fits your organization’s needs.
Test out Cisco Meraki MX Firewalls at our upcoming Security Escape Room Event -->
- Document your security protocols
Maintaining a secure organization is everyone’s responsibility—not just your IT team’s. To that end, it’s important to establish and carefully document your security protocols to make sure that everyone is aware of their role in the process. Build documentation that goes over your company’s approach to user permissions and authentication, passwords, remote access, phishing prevention, and other topics of importance. Rather than living in a paper binder, this documentation should reside in a wiki or knowledge base on your company’s intranet, so that your entire team can access it regularly and get alerts when new information is added.
- Conduct penetration testing
If you want to know how vulnerable your organization is to a cyber attack, the best way to find out is to create one. Penetration testing (or “pen testing”) is also known as ethical hacking, and involves simulating a cyber attack to test for network security vulnerabilities. Penetration testing can involve external testing (what’s available to an outsider visiting your website or application) or insider testing (what’s available to an employee within your firewall), and can identify security vulnerabilities that you should patch so that these vulnerabilities aren’t exploited in a real cyberattack. Experts recommend conducting penetration testing once or twice a year.
- Use multifactor authentication
Setting up secure user passwords is part of the equation, but incorporating multifactor authentication will help ensure that if an intruder does correctly enter a user’s password, they won’t be able to access your network. If a user logs in from a new device or a new location, multifactor authentication should be used to ensure that the individual has the correct permissions. Many modern multifactor authentication methods even include biometrics or facial recognition tools, making it impossible for an unauthorized user to enter the network.
- Provide limited user privileges
Your organization may have hundreds of employees—but they don’t all need access to confidential company data. Conduct an audit of your user permissions, and pare back privileges for any users that don’t genuinely need access to privileged information within your database. Your router should be able to offer multiple privilege levels so that each user gains access to only those functions that are necessary to complete their jobs, reducing the likelihood of an insider attack or a cyberattack resulting from phishing.
- Pay close attention to user activity
While you should limit privileges for users who don’t need extensive network access, it’s also important to carefully monitor the network activity of users who do require a higher level of privilege. Set up system alerts to detect unusual user activity, so that your team will be immediately aware of any potential phishing attacks or insider attacks.
- Restrict third-party access to data
Cybersecurity breaches often occur as a result of third-party contractors who have experienced a data breach, as in the case of the Quest Diagnostics data breach, which exposed over 11 million patient medical records. Make sure that your third-party contractors, including attorneys, CPAs, marketing agencies, and other providers, have their own strong security protocols, and limit their access to your network and data to as little as possible to complete their roles.
- Educate your team about phishing attacks
While firewalls, strong passwords, and multifactor authentication can help alleviate the risk of a data breach, many employees unwittingly provide access to a malicious user by falling prey to a phishing or smishing (SMS-based phishing) attack. Educate users on paying close attention to email address domains (which may look very similar to a reputable domain), avoiding clicking on email or SMS links from unknown senders, and avoiding entering passwords or confidential information in response to an emailed request. The FTC offers more advice on recognizing and preventing phishing attacks.
- Put hosted endpoint protection in place
As users are likely to access your network from multiple devices, it’s important to ensure that you have full endpoint visibility to protect against breaches both on and off your VPN. Choose a suite of endpoint security products that provide advanced threat detection both on and off your network, including web, email, cloud, and network security solutions.
- Partner with an MSP
As cybersecurity risks grow, traditional IT teams are finding themselves out of their depth, and are faced with huge liability risks in the event of a cyberattack to their organizations. Unless your organization is large enough to hire specialized cybersecurity resources, it’s a great idea to find an MSP with cybersecurity expertise to help your organization assess its risk level and build a strong game plan to defend your organization from insider and outsider threats.
- By implementing best-in-class endpoint and network security tools and protocols, your company can mitigate the risk of falling victim to a security breach and start the new decade strong.