CYBER SECURITY | 7.5 MIN READ
Effective corporate cyber security has never been more important. Security advice is dynamic, which means that your business' network needs to evolve to stay ahead of emerging cyber threats. Keep reading to learn our top cyber security tips for this year so you can implement the necessary changes within your organization.
Not enough time? Jump to:
Enable Two-Factor Authentication
As the threat of cyber attacks grows, there is a security tip that continues to keep hackers at bay− two-factor authentication.
Two-factor authentication, also known as 2FA, adds another security layer to your personal accounts by verifying your identity through a second method such as your smartphone, biometrics, physical security keys, and more.
2FA is an industry buzzword that you've probably already seen in recent years from accounts that you've created or have had. Two-factor authentication was created to protect against the threats that weak passwords frequently pose to your account's security.
While a hacker may be able to figure out your password, they likely won't also have the second verification factor, or the process of obtaining it would be so cumbersome that they would rather move onto someone else.
A popular example of two-factor authentication is your smartphone. For instance, Microsoft Outlook has 2FA features that can be enabled to add additional security to your email account.
To login to one's Outlook email account using two-factor authentication, one must enter their username and password, and then enter a randomly generated code texted to their personal smartphone.
We recommend that you enable two-factor authentication whenever reasonably feasible. Be wary of enabling two-factor authentication too much though, as it could end up working against you.
For instance, if you enable 2FA on every personal account you own and use your smartphone as the second authentication factor, a criminal who steals your phone now has easier access to all your accounts.
Use Zero Trust Network Access (ZTNA)
The central premise of the Zero Trust belief is that organizations shouldn't automatically trust anything inside or outside their network until there is proof that they can. Furthermore, access should be granted on a "need-to-know", least privileged basis.
ZTNA protects against the potential security risks associated with automatically trusting that everything within one's network is safe. When organizations automatically trust programs and software, they potentially open themselves up to cyber breaches.
Though Zero Trust Network Access can be complex and takes a lot of work to implement, it is currently one of the leading industry security frameworks. ZTNA ensures that users can securely connect to private applications without placing them on the network or exposing those applications online.
There are four core tenets of Zero Trust Network Access that can be applied to an organization's network:
1. Separate application access from network access.
2. Only make outbound connections to ensure that unauthorized users cannot see network and application infrastructure.
3. Once users are authorized, only grant application access on a one-to-one basis. Authorized users shouldn't have full network access.
4. One's network should be de-emphasized and the Internet should become the new corporate network.
5 Steps to Build a Zero Trust Network Access Policy
1. Segment the Network
This step is arguably one of the most crucial in implementing an effective ZTNA policy.
Organizations should separate systems and devices based on which types of access they allow and what information they process. Based on these segmentations, one can then form the trust boundaries.
2. Strengthen Identity and Access Management
Identity and access management infrastructure needs to be strengthened when a ZTNA policy is built.
This can be accomplished by utilizing two-factor authentication and role-based security procedures, which ensure that users only have access to the platforms and applications they need to do their jobs.
3. Extend Least Privilege Policies to Your Firewall
A core tenet of Zero Trust Network Access is to not automatically trust anything within or outside of your network. This tenet can be followed by restricting access between networks through your firewall as much as possible.
This is similar to following a closed-door firewall approach, which we'll explain later in this article.
4. Add Application Context to Your Firewall
By adding application inspection technology to your firewall, you ensure that traffic passing in and out of your firewall is verified and safe.
This can mean, for instance, that your firewall checks to verify that outbound traffic corresponds to queries and isn't being abused by a hacker.
5. Implement a Security Information and Event Management (SIEM) Solution
SIEM solutions let IT managers parse through data collected from security events using a centralized view.
These solutions help companies quickly identify and remedy network threats that take place across systems, devices, and applications within one's network.
RELATED: What is a VPN?
Educate Employees About Phishing
Phishing schemes are one of the most common vectors for data breaches. All it takes is one employee falling for a phishing scheme, which is why employee phishing education and testing are key.
On-Boarding Educational Content
Educating employees about cyber security from the day they're hired helps build a company mindset around the importance of cyber security.
Educational pamphlets or short courses on cyber security can be used the first week of employment for new hires to get them up to speed on your company's cyber security policy and educate them on security topics they may not have previously known about.
If an employee is educated about cyber security right from the start, the odds of them becoming a cyber security threat are likely to decrease.
Internal Cyber Security Newsletters
Monthly company cyber security newsletters can serve as an informative and engaging way to constantly educate your employees about the latest cyber security threats as well as a way to share tips on staying safe online.
Phishing tests are fake phishing emails orchestrated by your IT department that aim to see which employees fall for the attack by clicking on links or downloading files that are embedded in the email.
If employees fall for these phishing attempts then you can send them through cyber security training, again. We recommend conducting this test quarterly.
However, penetration testing is only so effective if your network has inherent vulnerabilities. We find on a consistent basis that many companies have network security issues that were overlooked or unknown. Conducting an annual network security assessment is a great idea to discover these vulnerabilities.
Update Employee Password Policies
Employees can be your greatest weakness when it comes to a secured network. All it takes is one employee who falls for a phishing scam, shares a file insecurely, or has a weak password to compromise your entire network.
Company-wide cyber security policies, of which password policies are a subsection, help standardize best online practices across your business while fostering a culture of personal accountability.
While effective company cyber security policies help safeguard your network and company data, industry recommendations on proper policy frameworks have evolved over the years.
In the past, there were a number of recommended password policy points that industry experts pushed. The main issue with these points was that employees who struggle to follow these tips may end up creating an insecure password.
Here are some issues with past password policy recommendations:
Regular Password Reset Requirements
In the past, companies would set up automatic notifications instructing users to reset passwords for various company devices and programs on a regular basis, for instance every 6 months.
The concern with this logic is that employees tend to update their password with a similar one with minimal characters changed to ensure that they remember it. In essence, this policy point does little to better secure an employee's programs and devices.
Long Password Requirements
Passwords with more characters are harder in general for a computer or hacker to crack. This is why many cyber security experts used to recommend making one's password as long as possible to avoid data breaches.
However, users who are required to create long passwords may resort to insecure practices such as writing it down, reusing it, or repeating characters to make it easier to remember (ex. 7even7even7even).
Character Variation Requirements
Similar to long passwords, those with a variety of characters, such as uppercase, lowercase, numbers, and symbols, is harder for a computer or hacker to crack.
This led many security experts to suggest that system administrators require a specified amount of variety in password characters. However, the main issue with this line of thinking is that users tend to use the same character substitutions. For instance, substituting 3 for e or 1 for l is common.
While users may meet a company's character variation requirement with these substitutions, they do little to better secure one's data because hackers knowingly exploit these common substitutions.
Based on this knowledge, we have a few updated password policy recommendations, backed by Microsoft:
Don't Reuse Passwords
Employees have many accounts and programs that they use at work. Remembering passwords to every account may become challenging, which leads some to repeating passwords.
This is a security risk because if a hacker gets the password to one account and it's been used for other accounts, now all those accounts are insecure as well. Educating employees on this point can prevent them from repeating passwords.
Use Secure Password-Storing Programs
If employees must resort to writing down passwords to remember them all, we recommend that they use a secure password storing program as opposed to simply writing all their passwords down on a Sticky Note or in a Word document.
Password storage programs such as MyGlue are virtual password vaults that centralize all your account logins and then pre-populate the sign-in forms when you log into an account.
Pre-populated logins save you time and reduce stress over remembering 50 different passwords. If, for some reason, your password changes or you want to remove a login from the vault, you have the option to remove it.
You can access all your account logins at any time by accessing your password storage program. Your password vault is usually protected by two-factor authentication, so be sure to create an especially strong password for it.
Ban Common Passwords
Common passwords such as 123456 or abc123 are so common that hackers likely try these first when attempting to breach one's accounts. Employees that use these kinds of passwords may not even know that they're putting their accounts' security at risk.
Creating a list of common passwords to avoid or sourcing them online can help employees identify which passwords to avoid.
When building password policies and cyber security policies in general, it is crucial that businesses ensure that all staff members understand it and that updates are made as your IT administrator sees fit.
Take a Closed-Door Firewall Approach
Simply put, firewalls keep would-be intruders where they should be – outside your network. By putting up a virtual “wall” against inbound and outbound traffic, firewalls choose whether to allow or block certain traffic. Firewalls serve as a good basis for building your network security.
Though a good firewall can prevent many spam/phishing emails from getting through, it must be set up properly to do so. There are typically two schools of thought when it comes to firewall setup: open and closed-door systems.
In an open-door system, all network ports are open and you close vulnerable ones that need to be secured. On the flip side, closed-door systems close all ports by default, leaving open only trusted or necessary ones.
To better picture why a closed-door system is superior, picture this scenario. Imagine leaving all the windows and doors in your house unlocked, and only locking your front door because there's been previous break-ins through there.
Now imagine locking all your house's doors and windows and only unlocking your front door to allow trusted friends and family in. Which system do you think would be more secure?
Consider Managed IT Services
While implementing all of the above tips is a great way to better protect your network, cyber security is a complex and evolving process that needs proper care and attention to be implemented and monitored correctly.
Businesses without in-house IT may turn to other employees like secretaries or office managers to perform basic security tasks such as data backups. However, effective cyber security policies are best maintained by IT professionals that know how to monitor and update them to ensure uptime and minimize data breaches.
Companies with in-house IT departments may find that these employees can quickly get overwhelmed with managing their company's network security while fielding employee help requests.
A Managed Service Provider (MSP) can work with both of these types of companies to implement and monitor a layered approach to cyber security.
Usually, an MSP's first task will be to perform a network audit to identify security gaps and build a roadmap to success. This roadmap usually involves securing your current infrastructure and installing new hardware and software when necessary.
Once your network is secured, MSP's will use a variety or remote monitoring platforms to quickly identify and remedy issues that arise, such as network downtime and cyber threats.
As a metro-Atlanta based Managed Service Provider, our diverse offering includes:
Network monitoring− Consistent observation of all parts of your network ensures that any issues are swiftly identified and mitigated
Cyber threat prevention and education− Layers of the latest technology neutralize threats while courses and phishing tests teach employees how to secure company data
- Data security− BCDR plan implementation and data privacy regulatory compliance ensure that data is backed up and data loss is minimized
Network Operations Center− 24/7 assistance from a help desk with higher satisfaction ratings than Amazon and Ritz-Carlton customers
Project management− Get assistance planning office expansions, moves, remote transitions, and more from qualified experts
Effective cyber security isn't a static process. Technology and industry advice constantly changes, which means businesses cannot afford to keep implementing the same security processes.
We hope that this article helped your business make a roadmap towards effective and up-to-date cyber security.
For more cyber security-related content, follow our blog!
Posted by Erica Kastner
Erica Kastner is a lead Marketing Specialist at Standard Office Systems as well as a University of Georgia graduate. She aims to use her passion for problem-solving to help businesses understand how to better leverage their network infrastructure.