Cyber Security 101
Cyber security sure is important. This article is based on NIST NISTIR 762, Revision 1, “Small Business Information Security: The Fundamentals.” The Federal Government considers a business small if it has fewer than 500 employees. I have Cliff-Noted it and added some comments, but I think it hits the nail on the head.
Identify
Identify and control who has access to your business information
Think need to know… You may think none of your information is secret, but one person’s trash is often another person’s treasure.
Conduct Background Checks
The big one I always think of is a credit check. Money is a huge factor when it comes to stealing things. Also, a background check might turn up a criminal record or who knows what.
Require individual user accounts for each employee
Usually we see this at places where there is one computer that everybody logs into, or the Admin/Root account is used by the entire IT staff. The problem is that there is no accountability.
Create policies and procedures for information security
This is a huge one that we stress must always be in place. It doesn’t have to be 250 pages long, but it should cover the basic aspects: administrative controls, technical controls and physical controls. If you do have an incident, it may protect your six.
Protect
Limit employee access to data and information
See the first item under Identify.
Install Surge Protectors and Uninterruptible Power Supplies (UPS)
Physical electrical protection gets no more basic than this.
Patch your operating systems and applications
This is another big one. We see unpatched systems, especially servers, all the time. Why? Because no one wants to introduce change into the information flow. So the solution here is to test the updates before you install them on production servers. This should really say: patch your systems after you test them, to make sure the patch doesn’t screw everything up.
Install and activate software and hardware firewalls on all your business networks
I would add: don’t make changes to the firewall on the fly; document them and have a business reason for making them.
Secure your wireless access point(s) and networks
Don’t make it too easy, put some hurdles in there… make that hacker work for it
Set up web and email filters
10-15 percent of the user population hands over their username and password every time we run a phishing test. Also, some sites on the web are just inappropriate for work.
Use encryption for sensitive business information
When you send email out over the Internet, where does it go? Remember, the Internet is a public place.
Dispose of old computers and media safely
Don’t sell your old hard drives on eBay for 2 cents on the dollar. Shoot them, drill them, shred them, degauss them… you get the idea. I have heard of hackers buying old drives, mining them for info, then ransoming it back to companies.
Train your employees
Training end users about cyber threats may sound pointless, but maybe they’ll remember a couple of things… at least you tried.
Detect
Install and update anti-virus, spyware, and other malware programs
Here is a tip: make sure that your end user is not the administrator of the box, because otherwise they can uninstall it.
Maintain and monitor logs
For some reason this is hard for IT shops to implement, but if you do get breached it might help you detect and find the breach.
Respond
Develop a plan for disasters and information security incidents
Here’s another one that practically nobody does well. When you have a disaster or incident you don’t want to wing it. Remember the five Ps: Prior Planning Prevents Poor Performance.
Recover
Make full backups of important business data/information
Sound advice, just don’t store the backups in the same place as the data you backed up. That kind of defeats the purpose.
Make incremental backups of important business data/information
Same as above, but only the changes made since the last full backup.
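Here is an added example of the difference between the two (my own script, not from NISTIR or the original article): the full backup copies everything and writes a SHA-256 manifest, and the incremental backup copies only the files that differ from that manifest. The function names and the sample files are made up for the demo; the backup folder is kept apart from the data, per the point above.

```python
# Added example: full vs incremental backup with a SHA-256 manifest (not from the post)
import hashlib, json, shutil, tempfile
from pathlib import Path

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(src: Path) -> dict:
    """Relative path -> content hash for every file under src."""
    return {str(p.relative_to(src)): _sha256(p) for p in src.rglob("*") if p.is_file()}

def _copy(src: Path, dest: Path, rel: str) -> None:
    target = dest / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src / rel, target)

def full_backup(src: Path, dest: Path) -> dict:
    """Copy everything to dest/full and save the manifest the incrementals compare against."""
    manifest = scan(src)
    for rel in manifest:
        _copy(src, dest / "full", rel)
    (dest / "full.manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest

def incremental_backup(src: Path, dest: Path, label: str) -> list:
    """Copy only files new or changed since the last full backup; return their paths."""
    base = json.loads((dest / "full.manifest.json").read_text())
    changed = sorted(rel for rel, digest in scan(src).items() if base.get(rel) != digest)
    for rel in changed:
        _copy(src, dest / label, rel)
    return changed

def demo() -> tuple:
    """Constructed sample: one file edited and one added after the full backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "data"), Path(tmp, "offsite")  # backups kept apart from the data
        src.mkdir()
        (src / "ledger.txt").write_text("q1 totals")
        (src / "notes.txt").write_text("unchanged")
        full = full_backup(src, dest)
        (src / "ledger.txt").write_text("q1 totals, revised")
        (src / "new.txt").write_text("added later")
        return sorted(full), incremental_backup(src, dest, "incr-1")

if __name__ == "__main__":
    print(demo())  # (['ledger.txt', 'notes.txt'], ['ledger.txt', 'new.txt'])
```

The unchanged notes.txt is left out of the incremental set, which is the whole point: restoring means the last full backup plus the latest incremental on top.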
Consider cyber insurance
Personally, I am on the fence on this one, mainly because if you are not following the cyber security best practices mentioned above, the insurance company could refuse to cover the loss. Just too many variables.
Make improvements to processes / procedures / technologies
Pretty much known as the Systems Development Life Cycle. If you’re not really familiar with it… Google it.