In order to strengthen the cybersecurity posture of your organization, you first need to identify where your weaknesses are. Every aspect of your organization needs to be evaluated, including an inventory of physical and virtual devices and software, configurations, and training. Most security risks can be eliminated or reduced by following the CIS Critical Controls. Getting rid of the ‘low hanging fruit’ will greatly increase your security strength. Low hanging fruit are the issues that are both easiest to resolve and most exposed, such as default configurations left unchanged, weak password management, and a lack of training.
Here are some tips to help you develop a secure environment:
- Train employees in security principles. Include password requirements, social engineering, appropriate Internet use guidelines and how to handle and report security issues. Make sure your IT department also gets the appropriate training to maintain the infrastructure.
- Keep clean machines. Make sure all systems are patched and up-to-date. Enable anti-virus software. Secure mobile devices by enabling password protection and encryption.
- Control access to computers, servers and network equipment. Controlling the use of administrator permissions can limit the scope of, and reduce the likelihood of, cyber security events.
- Passwords and authentication. Consider a password policy that requires complexity and a minimum length of 15 characters. Use passphrases and change passwords on a regular basis. Staff who have access to personal information, banking or other critical data should be held to a stricter password change policy. Enable two-factor authentication wherever possible.
- Create routine backups and regularly test the restore process.
- Develop an Incident Response plan and test it. By identifying the risks and planning for recovery, you will be able to limit the damage and expense caused by a cybersecurity incident.
- Actively monitor your network so that you become familiar with normal and abnormal activity.
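As an added illustration (not code from the original article), the following Python check enforces the password policy described above: a 15-character minimum, complexity, passphrases as an alternative to character-class mixing, a rotation interval, and a stricter tier for staff handling critical data. Every threshold other than the 15-character minimum is an assumption, and the common-password list is a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample; a real deployment would load a breached/common-password list.
COMMON_PASSWORDS = {"password123456!", "welcome2thecompany", "letmeinletmein1"}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 15            # the article's stated minimum
    min_classes: int = 3            # assumption: of lower/upper/digit/symbol
    passphrase_min_words: int = 4   # assumption: this many words counts as complex
    max_age_days: int = 180         # assumption: rotation interval


STANDARD_POLICY = PasswordPolicy()
# Stricter tier for staff with access to personal, banking or other critical data.
PRIVILEGED_POLICY = PasswordPolicy(min_length=20, passphrase_min_words=5, max_age_days=90)


def character_classes(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    tests = [str.islower, str.isupper, str.isdigit,
             lambda c: not c.isalnum() and not c.isspace()]
    return sum(any(test(c) for c in pw) for test in tests)


def is_passphrase(pw: str, policy: PasswordPolicy) -> bool:
    """A passphrase is several words separated by spaces, hyphens, dots or underscores."""
    words = [w for w in re.split(r"[\s\-_.]+", pw) if w]
    return len(words) >= policy.passphrase_min_words


def check_password(pw: str, policy: PasswordPolicy = STANDARD_POLICY,
                   age_days: int = 0) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Complexity can be met either by mixing character classes or by a long passphrase.
    if not is_passphrase(pw, policy) and character_classes(pw) < policy.min_classes:
        problems.append(f"needs {policy.min_classes} character classes "
                        f"or a {policy.passphrase_min_words}+ word passphrase")
    if age_days > policy.max_age_days:
        problems.append(f"older than {policy.max_age_days} days; rotate")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple", "Password123456!"]:
        print(candidate, "->", check_password(candidate) or "compliant")
```

The same passphrase that satisfies the standard tier fails the privileged tier, which is how the stricter policy for staff with access to critical data is expressed.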
There are more steps that you can take to evaluate your organization’s vulnerabilities. You may want to look into hiring a licensed professional to perform scans on your network. This can uncover open ports, rogue devices and other issues that may go unnoticed. A step further would be a penetration test. Pen testing can be extremely expensive and may not be necessary in your environment. You will need to do some research.