Basic Cyber Security Needs

    1. Have Automatic Screen Locking
      • Have your screen automatically lock after being idle for 5 to 10 minutes
      • This will reduce the likelihood of someone walking by the computer accessing your data
      • Consider installing Security Screens on monitors so others cannot see what is on your screen
    2. Enforce Password Policy
      • 8-character passwords are no longer considered adequate – upgrade to 10 to 16 characters
      • Use upper- and lower-case letters, numbers, and special characters – this makes your password much harder to break
      • Do not reuse passwords – for example, August1# changed to August2# – easy to hack
      • Consider Passphrase – much easier to remember
      • Do not put your password/passphrase on a sticky on your desk
    3. Use Multi Factor Authentication (MFA)
      • Almost all of us must use MFA to log onto our bank accounts or credit cards – people should not be giving you fits over this
    4. Secure The Physical Access
      • If you have in-house servers – keep them in a locked room
      • Don’t allow EVERYONE access to the server room
      • Have the room unmarked – Don’t advertise SERVER ROOM on the door
      • IF you have confidential data on your workstation/laptop – make sure it is encrypted
        1. Better yet – keep this type of info on your server and not local workstation
      • Have locks on your office
      • Have someone escort visitors to the person they are meeting with OR have the employee come to the front to escort the visitor
      • Use a security system in which each person has their own code
    5. Proper Data Asset Labeling/Tagging for Purchase and Disposal
      • Have inventory tags to track equipment
      • Have proper disposal policy on how to “get rid” of a device
      • Have proper disposal policy for “shredding” confidential paper files
    6. Data Mapping Access (what on earth is this?)
      • Have a system in place so you know where your client’s information is
        1. You cannot make sure it is secure and safe if you don’t know where it is
      • A Data Map shows what is stored on the internal servers, workstations, and mobile devices, BUT also where the backups are, where the file cabinets (storage devices) are, and which cloud providers you store information with
        1. Access is on a NEED-to-have basis
        2. Not everyone needs access to everything
    7. Protect your Remote Access (WHAT????)
      • Only allow trusted, approved users and their equipment on your server/Wi-Fi
      • Remember anything connected to the internet can be reached by malware and hackers
      • Use a Virtual Private Network (VPN) and Mobile Device Management applications that require the devices to be registered with your IT manager (if you don’t have an IT manager – registered with whoever oversees IT)
      • Keep updates up to date
      • Don’t use “guest” Wi-Fi
    8. Updated Operating Systems – (No you should not still be running Windows 7)
      • Set digital devices to automatically install updates to the operating system and workstation applications
      • Turn off all the devices at night –
        • this will allow the updates to take effect
        • it clears system clutter
    9. Minimize Admin Rights
      • Not everyone needs access to everything – this even applies to Upper Management
        1. WHY does Upper Management not need access to everything?
          1. Because they can put the company at greater risk of being hacked, since their names and emails are often on the company website
          2. They often take shortcuts on the “Cyber security” protocol, which puts the company at a higher risk for hacking/ransomware, etc.
    10. Stay Current with Network Operating Systems
      • All equipment – file servers, firewalls, routers, Internet of Things peripherals – NEEDS to be reviewed regularly to make sure it is running the most current system updates
      • It is crucial to change the default passwords on this equipment
      • It is crucial to update the firmware
      • Don’t forget your wireless printers and security cameras – these are easy hacks
    11. Antivirus/Malware (remember when they were free – free is not good)
      • Pay for a good Antivirus and Malware package
      • Make sure it is set to update automatically
      • Make sure it scans for malware daily or on a set schedule
      • Look for one that includes intrusion detection and helps prevent intrusions
      • Consider disallowing the use of flash drives –
        • Educate your clients to use a secure digital portal or secure email
    12. Backups (thought I forgot about backups?)
      • Back up often
      • Keep a copy off site
      • Test restoring backups – to make sure they are good
      • Make sure backups are encrypted
    13. Sending Client’s Information Securely (train your people on this)
      • If emailing a client’s sensitive information – make sure it is encrypted
      • OR use a secure portal
    14. Secure Connections
      • Train your people on how to verify a website is secure/authentic
      • Train your people on how to spot phishing emails
      • Use VPNs when working remotely
      • Make sure they verify the SSID/password of client-provided Wi-Fi
    15. Screen Your Employees, New Hires and Contractors
      • Current employees may have passed the initial background check – life happens
        • Re-screen them, especially if they are in sensitive positions with the company
      • Each person needs their own username and login – no sharing
        • If everyone uses the same username and login, you cannot verify who did what
      • Monitor when they are accessing the system – should they be logging in at 2 in the morning?
    16. Greet Visitors/Delivery People
      • Train your people to ask unrecognized visitors how they can assist them
      • Better yet – have someone at the door who checks them in
        • Escorts them to where they need to be
        • Stays with them if they are a maintenance/repair person
      • If they don’t seem to have a reason to be there, ask them to leave
    17. Hire a Cybersecurity Expert – (Internal IT folks need some support/backup)
      • Partnering with an outside firm to assist your internal people is money well invested in the safety of your company
    18. Response Plan (in case of a Breach)
      • It is not if, it is when
      • Company upper management and IT need to establish/develop, in writing, the process for how to respond when a breach happens
      • Practice it – so everyone knows what to do
      • Have a written plan on how to handle the media
        • Social Media can crucify you in a heartbeat
        • Get ahead of it; manage it
    19. Update your IT Policies (make sure you have them)
      • Review them at least annually, if not more frequently
      • Covid showed us we must be able to respond quickly and securely
    20. Educate your people
      • Be proactive in training your staff and contractors
      • This is an investment, not an expense
      • Don’t forget to train them on phishing tactics
        • this applies to voice mail
        • email spoofing as well as phishing
    21. Cybersecurity Insurance
      • You need to have Cybersecurity insurance
      • Talk to your agent about coverage –
        • what it does and doesn’t cover, as well as
        • the dollar amount of the coverage per incident
      • Don’t get fooled into thinking you have coverage when you have the WRONG coverage
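
Item 2 above sets out a password policy: at least 10 characters, all four character classes, and no trivial reuse such as August1# becoming August2#. The following is an added example, not part of the original checklist, showing how such a policy can be checked automatically. The minimum length of 10, the `check_password` and `normalize` names, and the rule that strips digits and symbols to detect a "same word, new number" variant are assumptions made for this example; a passphrase policy would need its own rule and is not covered here.

```python
import re

# Assumption: the page recommends 10 to 16 characters; 10 is used as the floor.
MIN_LENGTH = 10
REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}


def character_classes(password: str) -> set:
    """Return which of the four character classes the password contains."""
    classes = set()
    if re.search(r"[a-z]", password):
        classes.add("lower")
    if re.search(r"[A-Z]", password):
        classes.add("upper")
    if re.search(r"[0-9]", password):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.add("special")
    return classes


def normalize(password: str) -> str:
    """Strip digits and symbols and lower-case the rest, so that
    'August1#' and 'August2#' both reduce to 'august'. This is how the
    example detects the trivial increments the checklist warns about."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_trivial_variant(new: str, previous) -> bool:
    """True when the new password is only a number/symbol change of an old one."""
    core = normalize(new)
    return bool(core) and any(core == normalize(old) for old in previous)


def check_password(new: str, previous=()) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(new)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if new in previous:
        problems.append("reused verbatim")
    elif is_trivial_variant(new, previous):
        problems.append("trivial variant of a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    history = ["August1#2023"]
    for candidate in ["August1#", "August2#2024", "correcthorse", "Tr0ub4dor&3-Bridge"]:
        print(candidate, "->", check_password(candidate, history) or "OK")
```

The verbatim-reuse check compares plaintext here only for illustration; in a real system, password history should be stored as salted hashes and the comparison done against those, and the normalize-and-compare trick for variants only works at the moment the user submits the new password, before it is hashed.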
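
Item 15 above says to give each person their own login and to monitor when they access the system (should anyone be logging in at 2 in the morning?). The following is an added example, not part of the original checklist, that runs those two checks over a handful of constructed login records. The log format (`timestamp user=... src=... result=...`), the 07:00 to 19:00 business-hours window, and the rule that one account seen from three or more source addresses may be a shared login are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines in a made-up format (not from any real product).
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=jsmith src=10.0.0.12 result=success
2024-03-04T02:13:55 user=jsmith src=10.0.0.12 result=success
2024-03-04T09:15:00 user=frontdesk src=10.0.0.20 result=success
2024-03-04T09:16:30 user=frontdesk src=10.0.0.21 result=success
2024-03-04T09:17:02 user=frontdesk src=10.0.0.22 result=success
2024-03-05T23:40:19 user=acct2 src=203.0.113.9 result=failure
2024-03-09T10:00:00 user=mlee src=10.0.0.30 result=success
"""

# Assumptions for this example: office hours and a sharing threshold.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
SHARED_SRC_THRESHOLD = 3


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts_str)
    return record


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the business-hours window, counts as off-hours."""
    weekend = ts.weekday() >= 5
    return weekend or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(log_text: str) -> dict:
    """Flag off-hours login attempts and accounts that look shared across hosts."""
    off_hours = []
    sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if is_off_hours(record["ts"]):
            off_hours.append((record["user"], record["ts"].isoformat(), record["result"]))
        if record["result"] == "success":
            sources[record["user"]].add(record["src"])
    possibly_shared = sorted(
        user for user, hosts in sources.items() if len(hosts) >= SHARED_SRC_THRESHOLD
    )
    return {"off_hours": off_hours, "possibly_shared": possibly_shared}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, when, result in report["off_hours"]:
        print(f"off-hours {result}: {user} at {when}")
    for user in report["possibly_shared"]:
        print(f"possibly shared account: {user}")
```

Both findings are prompts for a human to follow up, not proof of wrongdoing: a legitimate on-call login at 2 a.m. and a front-desk account used from several kiosks will both show up, and the point of per-person logins is precisely that the follow-up conversation can be had with one named individual.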