Asset Protection
Once you have identified your “crown jewels” and critical assets, build your cyber protections around these first as you create a trajectory forward to protect your entire businesses. Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business and understanding the cyber risks as your business grow or adds new technologies or functions.
Protections will include:
- implementing cyber protections on core assets
- implementing basic cyber hygiene practices across the business
Now that you know the assets of your organization, Step 2 is to implement protections. While the what you need to do will be based on your assets, protections may include:
- Locking down logins: Using stronger authentication to protect access to accounts and ensure only those with permission can access them. This can also include enforcing strong passwords.
- Backing up data: putting in place a system–either in the cloud or via separate hard drive storage–that make electronic copies of the key information on a regular basis.
- Maintaining security of devices over time: This includes knowing that software patches and updates are done in a timely fashion.
- Limiting access to the data or the system only to those who require it.
Train Employees
Creating a culture of cybersecurity is an important element building a cybersecure business. That culture is created by establishing the cybersecurity practices you expect your employees to follow and training and reinforcing that training so you have confidence the practices are being followed. Employees should know:
- Why cybersecurity is important to protecting your customers, their colleagues and the business
- The basic practices that will keep them and the business cybersecure (see basic hygiene below)
- How to handle and protect personal information of customers and colleagues
- How and when to report cyber incidents
- Any specific use polices that your business has including what websites they can visit, the use of personal devices in the workplace, special practices for mobile or work at home employees, etc..
Basic Cyber Hygiene
Having everyone in the business follow these tips will help you make significant strides in protecting your business:
- Keeping a clean machine: Your company should have clear rules for what employees can install and keep on their work computers. Make sure they understand and abide by these rules. Unknown outside programs can open security vulnerabilities in your network. If they have any responsibility for making sure the devices use have updated software train them to implement those updates as quickly as possible.
- Following good password practices: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”).
- Don’t reuse passwords: At a minimum, work and personal accounts should have separate passwords.
- Lock Down Logins: Whenever possible, implement stronger authentication sometimes referred to as multi-factor authentication of two-step verification.
- When in doubt, throw it out: Employees should know not to open suspicious links in e-mail, tweets, posts, online ads, messages or attachments – even if they know the source. Employees should also be instructed about your company’s spam filters and how to use them to prevent unwanted, harmful e-mail.
- Use WiFi wisely: Accessing unsecured WiFi is very risky. If you have employees who need WiFi access out of the office, use a virtual private network (VPN) or a personal hotspot.
- Backing up their work: Whether you set your employees’ computers to back up automatically or ask that they do it themselves, employees should be instructed on their role in protecting their work.
- Staying watchful and speaking up: Your employees should be encouraged to keep an eye out and say something if they notice strange happenings on their computer.
- Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.
(Author: National Cyber Security Alliance, published under Public License)