Cyber attacks pose a significant risk to businesses, costing companies millions and ruining reputations. The tactics used by hackers are always evolving so it’s important to make sure you are keeping up.
Most attacks result from a business and its employees being unprepared or underprepared for a threat. But by following the latest cyber security best practices for business and employees you can significantly minimize your risk of a hack.
Here are 15 tips to get your protection up to speed.
Cyber Security Best Practices for Businesses and Employees
1. Develop Cyber Policy Documentation
Create a written cyber policy that is tailored to the needs of your business. Make sure your policy addresses the particular cyber risks facing your company, documenting the steps for your personnel to take for cyber attack prevention, ongoing threat monitoring and cyber incident response.
2. Educate Employees on Cyber Safety
Make education on cyber safety a key part of your employee training. Go beyond inserting a few bullet points into an employee handbook that is handed out to new employees. Instead, train employees regularly on cyber and data security issues. Consider enlisting the help of third-party best practices seminars if available.
3. Institute a Funds Transfer Policy
Take extra precautions if your business routinely handles financial transactions for clients. Have a specific policy for wiring funds or sending money. Institute a policy of verifying instructions via a phone call with the number on file for any transaction over a small amount (such as $1,000) if your business routinely wires funds. Instruct clients to call and verify any changes in payment or wire instructions sent or received through email. Institute a policy requiring funds deposited into a trust account to be fully cleared by the bank before initiating any request to wire them out.
4. Have a Suspicious Links Procedure
Have a specific policy about opening links from unknown sources. Train employees never to click on a link in an email from a third-party source without first verifying the email is legitimate (for example, by hovering over the link to confirm the destination matches the sender, or by contacting the sender through a known channel) or showing it to IT. Instruct employees never to enter credentials such as a username or password on a page reached through such a link, and to report the message to IT rather than simply deleting it, so that others who received it can be warned.
5. Consider a Personal Use Internet Policy
Consider creating and enforcing an employee policy on personal internet usage. Realize that, besides being a drain on productivity, employee internet surfing can lead to cyber attacks. Consider prohibiting internet use beyond what is necessary to complete work tasks, such as law firms that restrict access to sites other than Westlaw or Lexis, or provide dedicated computers for employees to use on breaks that are not on the company system.
6. Establish a Personal Device Policy
Put a policy in place for employees regarding the use of their personal devices for work purposes. Understand that there is a risk involved in allowing employees to perform work functions on cell phones and personal computers that haven’t been vetted and approved by your company’s IT. Think through how your company will successfully manage the risk of a personal device being stolen that contains confidential client information and communications.
7. Protect Portable Company Devices
Establish a protocol to protect company-owned laptops, cell phones and other portable devices issued to employees on the go. Make sure IT keeps an inventory of who has each device and that each device has been set up to provide only the access required for that employee's role. Require strong password or PIN protection with multi-factor authentication, turn on full-disk encryption so a lost or stolen device does not expose client data, enable remote lock and wipe, and keep operating systems, business software and antivirus protection current.
8. Require Robust Password Security
Have a policy requiring employees to set and maintain robust passwords for all their work devices and applications. Require employees to immediately change any dummy password issued at the start of employment (such as "1234"), to keep passwords confidential (no notebooks or sticky notes lying around that reveal them), and to use a password manager rather than reusing one password across services. Set a meaningful minimum length and screen new passwords against lists of common and previously breached passwords. Do not force password changes on a fixed schedule; current NIST guidance (SP 800-63B) advises against it because forced rotation produces predictable variants. Instead, require an immediate change whenever a password may have been exposed.
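As an added illustration, not part of the original article, here is the kind of password-acceptance check a business could put behind its password-change form, written in Python. It assumes a minimum length of 12 (the example's own choice), and it replaces a live query to the Pwned Passwords range API with a constructed local stand-in that returns data in the same "SUFFIX:COUNT" shape, so it runs offline. The breached-password list and the counts are constructed for the example; the k-anonymity scheme (hash locally, send only the first five hex characters of the SHA-1, compare the rest locally) is the real one.

```python
"""Added example: a password-acceptance check aligned with NIST SP 800-63B.
Screens candidates against a breach/common-password corpus without ever sending
the password or its full hash anywhere, and rejects passwords that embed the
username or company name. The corpus below is constructed for this example."""
import hashlib

MIN_LENGTH = 12  # assumption for this example; 800-63B sets 8 as the floor

# Constructed stand-in for a breached/common-password list, including the kind
# of onboarding dummy password ("1234") that must be changed on first login.
KNOWN_BAD = {"1234", "password", "Password1", "123456", "qwerty",
             "welcome1", "letmein", "changeme"}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the constructed corpus by 5-hex-char SHA-1 prefix, in the "SUFFIX:COUNT"
# line format the real range API returns; the counts here are made up.
_CORPUS: dict[str, list[str]] = {}
for _pw in KNOWN_BAD:
    _h = _sha1_hex(_pw)
    _CORPUS.setdefault(_h[:5], []).append(f"{_h[5:]}:{1000 * len(_pw)}")


def range_lookup(prefix: str) -> list[str]:
    """Local stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    given a 5-hex-char prefix, return every matching 'SUFFIX:COUNT' line."""
    return _CORPUS.get(prefix.upper(), [])


def in_breach_corpus(password: str, lookup=range_lookup) -> bool:
    """k-anonymity check: hash locally, send only the prefix, compare the suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":", 1)[0] == suffix for line in lookup(prefix))


def check_password(candidate: str, username: str = "", company: str = "") -> list[str]:
    """Return the policy violations for a candidate password; an empty list means accept.
    Deliberately no composition rules (digits/symbols) and no rotation clock:
    800-63B advises against both."""
    problems: list[str] = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if in_breach_corpus(candidate):
        problems.append("appears in a breached/common-password corpus")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if company and company.lower() in lowered:
        problems.append("contains the company name")
    if len(set(candidate)) < 4:  # catches "aaaaaaaaaaaa" and "121212121212"
        problems.append("too repetitive")
    return problems


if __name__ == "__main__":
    for pw, user in [("1234", "jsmith"), ("jsmith-2024-spring", "jsmith"),
                     ("correct horse battery staple", "jsmith")]:
        print(f"{pw!r}: {check_password(pw, username=user) or 'accepted'}")
```

To use this against the real corpus, replace `range_lookup` with a function that performs the HTTPS request for the prefix and returns the response lines; `in_breach_corpus` does not change, and the password itself never leaves the machine.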
9. Turn on MFA for Remote Access
Enable multi-factor authentication (MFA) for all remote access to your network, including VPN, remote desktop, webmail and cloud applications. Ensure MFA applies whenever employees work from home, use company portable devices or use their own personal devices for work under your "bring your own device" (BYOD) policy. Remote access portals are among the most common points of intrusion, so every employee working in a system remotely should be required to complete an MFA verification. Where practical, prefer phishing-resistant methods such as hardware security keys or platform authenticators over codes sent by SMS, which can be intercepted or phished.
10. Ensure Software Is Up to Date
Make sure all software is up to date to prevent a hack. Check that the antivirus and endpoint protection software guarding your systems is current, including its detection signatures. Keep operating systems, browsers and business software up to date on all devices, and give priority to patches for internet-facing systems and for vulnerabilities known to be actively exploited. Turn on automatic updates for security fixes and software patches that protect against new vulnerabilities, and retire software that no longer receives them. Realize that an investment in software on the front end to prevent an attack is often well worth it.
11. Enact Firewall and Data Encryption Protection
Enact a combination of firewall and data encryption protection across all your systems. Encrypt sensitive data both at rest (full-disk encryption on laptops and phones, encrypted databases and backups) and in transit (TLS for web, email and file transfer). Realize that many cyber incidents in healthcare and other privacy-centered industries stem from avoidable failures to encrypt sensitive data and protect privileged communications. Make sure you understand what your in-house or third-party IT and data host provider is doing to protect your data and network, including who holds the encryption keys.
12. Review IT Backup Procedures
Have your IT team walk through its backup procedures to ensure everyone is on the same page. Understand that all too often a business learns after the fact that its data was not properly backed up, or that the backup was so closely tied to the server that it too was lost, encrypted or corrupted in a theft or ransomware attack. Keep at least one copy offline or immutable and separate from the production network, so that an attacker who controls the server cannot also reach the backup. Verify each backup's integrity and regularly test restoring from it; a backup that has never been restored is an assumption, not a safeguard. Put your IT company to the test before an event to make life much easier if and when an event occurs.
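As an added example, not taken from the original article, here is a small Python routine that does the "test before an event" step: it archives a data directory, records its SHA-256, ships both to a separate location, then proves the copy by checking the hash, extracting to a scratch directory and comparing every file's digest against the source. The sample client files are constructed for the example, and the "offsite" location is just a second directory here; in practice it would be a different system, object storage or tape.

```python
"""Added example: prove a backup restores before you need it.
Creates constructed sample data, backs it up with a recorded SHA-256,
then verifies the shipped copy by hash check, extraction and file-by-file
comparison. A deliberate tamper step shows what a failed verification looks like."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def make_sample_data(root: Path) -> None:
    """Constructed stand-in for a client data directory."""
    (root / "clients").mkdir(parents=True)
    (root / "clients" / "acme.txt").write_text("matter 1001: retainer signed\n")
    (root / "clients" / "globex.txt").write_text("matter 1002: discovery pending\n")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256, so two trees can be compared by content."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_and_ship(src: Path, offsite: Path) -> Path:
    """Archive src, record its SHA-256 beside it, and place both in `offsite`
    (a separate directory here; in practice a different system or storage tier)."""
    offsite.mkdir(parents=True, exist_ok=True)
    archive = offsite / "backup.tgz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    (offsite / "backup.tgz.sha256").write_text(sha256_file(archive) + "\n")
    return archive


def verify_restore(src: Path, offsite: Path) -> list[str]:
    """Return a list of failures; an empty list means the shipped copy verified
    and restored to a tree identical to the source."""
    archive = offsite / "backup.tgz"
    recorded = (offsite / "backup.tgz.sha256").read_text().strip()
    if sha256_file(archive) != recorded:
        return ["checksum mismatch: archive altered or corrupted"]
    # Use the safer extraction filter where this Python version provides it.
    extract_kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as work:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(work, **extract_kw)
        except (tarfile.TarError, OSError) as exc:
            return [f"archive does not extract: {exc}"]
        if tree_digest(src) != tree_digest(Path(work)):
            return ["restored data differs from source"]
    return []


def demo() -> tuple[list[str], list[str]]:
    """Run the full cycle on constructed data, then corrupt the shipped archive
    to show the check failing. Returns (failures_before_tamper, failures_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_data(root / "data")
        archive = backup_and_ship(root / "data", root / "offsite")
        clean = verify_restore(root / "data", root / "offsite")
        with archive.open("ab") as f:  # simulate corruption or tampering at rest
            f.write(b"\x00")
        tampered = verify_restore(root / "data", root / "offsite")
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before or "verified and restored")
    print("tampered copy:", after)
```

Scheduling `verify_restore` against the real offsite copy, and alerting when it returns anything other than an empty list, turns the backup review from a one-time conversation with IT into a continuous check.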
13. Know Third-Party Firm Policies
Have a thorough understanding of the policies of third-party companies who store data or who you store data with. Realize your cyber security protection is only as strong as your weakest link and it does little good to have strict data and cyber policies if a third-party host is not careful or shares sensitive information with unsafe recipients.
14. Invest in Annual Penetration Testing
Consider allocating resources to conduct annual system penetration testing by a qualified third-party cyber security firm. Look into forensic IT companies who offer services where your company network and email systems can be tested to highlight vulnerabilities and recommend solutions to improve cyber safety.
15. Obtain Cyber Insurance Protection
Understand that there is still a risk a cyber attack may occur even when you’ve taken all the right steps to protect your business. Make sure you obtain cyber insurance protection to ensure your business survives the hack and bounces back. Look for broad, comprehensive coverage with no sublimits, such as the robust Cyber Liability coverage offered by CyberLock Defense, administered by Lockton Affinity.
CyberLock Defense Insurance offers all of this protection, plus CyberLock Defense is more affordable and more accessible than any other cyber liability policy available. For more information, contact Lockton Affinity today.