Cybersecurity Is Everyone’s Responsibility: 5 Organisation-Wide Best Practices IT Managers Must Implement
Cyber crime has most of today’s organisations on edge. This is especially true for small to mid-sized businesses who are more vulnerable to attack.
According to Small Business Committee, nearly three quarters (71 percent) of cyber attacks impact businesses with less than 100 employees. Most experts believe that it’s not a question of if but when a company will deal with this issue.
With half of all small to mid-sized businesses having experienced a breach within the last year, it’s incredibly important to take cybersecurity seriously and follow the right steps to keep your company safe.
Although the term “cybersecurity” is a wide umbrella that encompasses a myriad of techniques and strategies, you could make the point that it starts at the top and trickles down. Therefore, it’s in the best interest of your company to adopt cybersecurity best practices and get all team members on board.
Cybersecurity Best Practices
You could argue that one of the biggest mistakes modern organisations make is placing the responsibility on a specific department or team. Often, cybersecurity will be isolated where only a small percentage of team members handle it, while everyone else is essentially hands off.
But this is a huge error. For cybersecurity to truly work, it can’t be siloed.
In fact, it’s just the opposite. Everyone needs to be in on it.
The IBM Security Services 2014 Index Cyber Security Intelligence Index reports that upon investigating cybersecurity incidents, a whopping 95 percent discovered human error to be a contributing factor. Some specific examples include:
- Poor patch management
- System misconfiguration
- Poor passwords
- Lost laptops and mobile devices
- Opening infected attachments and clicking on malicious links (this was most common of all)
With most if not all of an organisation’s team members accessing key data assets on a daily basis, one person’s mistake can impact the entire company. Therefore, it’s an issue that must be addressed cross-departmentally.
The solution? Have IT managers implement organisation-wide best practices.
Not only does this provide an effective framework for everyone within your company to reference, it reduces confusion and ensures accountability across the board. After all, having concrete best practices in place means that team members have a very specific list of guidelines to follow.
Put it all together, and you can reduce the likelihood of a security cyber attack significantly.
Of course having the biggest impact requires you to address the right areas and implement best practices accordingly. With that being said, here are five organisation-wide best practices that are the most critical.
1. Developing Comprehensive IT Security Policies
You could argue that having the right framework to keep team members on the same page is most important of all. Any gaps in communication or opportunities for misinterpretation could open the door for cyber attacks.
That’s why it’s in the best interest of your company to develop comprehensive IT security policies. What you want is cyber security by design.
This clearly explains the potential threats that your organisation is up against and provides employees with clear direction on how to minimise those threats.
Although every company is different with its own unique set of goals and objectives, here are some common areas you may want to address:
- Rules and regulations that your company is legally required to be compliant with (e.g. PCI DSS compliance)
- Confidentiality and putting limits on the types of information that can be shared and the individuals that it can be shared with
- Which information employees have access to and what’s off limits
- Guidelines on managing data
- Internet browsing do’s and don’ts
- Who employees should contact if they suspect they have encountered a threat
The more specific you get, the more effective your policies should be. So be thorough and leave no stone unturned.
2. Creating Mobile Usage Policies
Bring your own device (BYOD) has become the new norm for most businesses. Tech Pro Research reports that 59 percent of companies already allow employees to use personal devices for work purposes, and another 13 percent plan on doing so within the next year.
While the use of mobile devices can factor into productivity, the BYOD trend creates a major security challenge for IT managers. Their portability makes them easy targets for theft and can leave sensitive data compromised. Even if your employees strictly use company-provided devices exclusively for work purposes, there’s still a risk.
Mobile ransomware is especially problematic on mobile devices. Securelist even points out that there were 218,625 instances of mobile ransomware detected in Q1 of 2017, which was more than 3.5 times higher than the 61,832 detected in Q4 of 2016.
Therefore, setting mobile device policies should be a top priority. Some examples include:
- Requiring employees to use strong authentication (e.g. robust password control or even biometrics)
- Requiring employees to use secure mobile devices
- Disabling Bluetooth
- Requiring employees to set up automatic updates
- Performing periodic penetration testing on all mobile devices
3. Performing Routine Data Backups
Here are a few more statistics from Cybersecurity Ventures to provide even more perspective on the current state of ransomware:
- Ransomware is increasing at an annual rate of 350 percent
- Global costs stemming from ransomware are expected to surpass $5 billion in 2017, which is dramatically more than the $325 million in 2015
- WannaCrypt (aka WannaCry) accounted for as much as 20 percent of all damage in 2017
This type of attack is plaguing more and more businesses and shows no signs up letting up. One of the best ways to stay safe is to perform routine data backups.
Ideally, you’ll use remote storage via off-site servers or in the cloud to increase your odds of recovering your data. This is important because many attacks will prevent you from accessing data on your primary computer/network. But if it’s stored off-site or on the cloud, you should still be in good shape.
Be sure that all team members across all departments do this on a routine basis to ensure that critical data is never lost.
4. Providing Employee Education/Training
As mentioned earlier, human error is an underlying factor in the majority of cyber attacks. But you can greatly reduce your risk by providing organisation-wide education and/or training.
It should be immersive and should leave employees knowing what to do and not to do in order to keep data safe. To begin, you’ll want to discuss some of the most common cybersecurity threats that SMBs are up against and the basics of how attackers gain unauthorised access to a network and its data.
From there, you should delve into specific actions your employees can take including:
- Using strong passwords that are difficult to crack
- Routinely updating those passwords
- Knowing how to identify common attack vectors
- Understanding how to spot questionable links and attachments
- Being careful about the information they share online (even seemingly innocuous social media posts can lead to problems)
- Knowing how to recognise an attack
- Informing IT managers when a threat is detected
Keep in mind that cybersecurity is continually evolving. Therefore, it will require ongoing instruction to ensure that your entire organisation possesses the collective knowledge that they need.
This brings us to our next point.
5. Monitoring User Activity
Educating employees on cybersecurity is somewhat of a catch-22 because it’s often employee knowledge that’s the catalyst for insider threats. In fact, educating your employees is sometimes what leads to an insider threat occurring. When they understanding the underpinnings of your security protocol, this makes it easier to execute an attack.
Another issue is giving employees access to too much data. According to research, 62 percent of network users report that they have access to sensitive company data that they probably shouldn’t have. If the wrong individuals gain access to the wrong information, it can have disastrous consequences.
One of the best ways to mitigate the risk of insider threats is to monitor user activity across all departments. While this doesn’t stop incidents in and of itself, the transparency that it provides tends to serve as an effective deterrent. This is especially critical when it comes to more privileged users who have more access than most.
When employees know that their digital activity is always logged and is public knowledge, this greatly reduces the likelihood of someone purposely executing an attack. That way you can still have a knowledgeable team but don’t have to worry that their knowledge will be used against you.
All Hands on Deck
Cyber attacks don’t merely affect an isolated branch of a company – they affect the company as a whole. That’s why it’s so important to take an organisation-wide approach to cybersecurity best practices.
This has become truly essential in a day and age where 75 percent of all organisations have dealt with a cybersecurity breach within the past year.
The five organisation-wide best practices listed here should cover the most critical elements and help keep your company secure on all levels. In turn, you’ll be better equipped to deal with ever-changing threats as they unfold.
Do you believe that your company’s current cybersecurity defence strategy is adequate, or are there missing elements? Please let us know: