How to Develop A Cybersecurity Plan For Your Company [checklist included]

Cybersecurity is for every company.

Cybersecurity isn’t reserved for major corporations that collect huge sets of credit data and personal information.  Every company that relies on the internet must be aware of today’s cybersecurity risks and take steps to close vulnerabilities.

The details below will inform you on the steps to take to decrease the chances of a cyber attack.  This is a apt starting point for a company’s IT support to handle with minimal budget changes.

Beyond developing plans for our clients, implementing the strategies and proactively monitoring their digital security, it’s our role as a managed services provider to educate technology-reliant businesses on cybersecurity best practices.

Take 3 Minutes to Assess Your Company’s Cybersecurity Preparedness.

Creating Your Cybersecurity Checklist

*Note – every company is unique. This is meant to be a guideline, not a guaranteed protection template. For in-depth assistance, contact us for a consultation.

1. Develop the framework of a cybersecurity plan

Decide who in your organization will be responsible for developing, implementing, and enforcing the cybersecurity policy.

• While you may decide to enlist the help of a MSP for the implementation of cybersecurity, you need a senior management personnel within the company who will be the point person and have the authority to make high-level decisions. This will be especially important in case of a breach where quick action is needed to mitigate loss.

• Document, document, document.
  • The more comprehensive you are, the better prepared your company will be in the event of a breach or cyber attack. Clearly lay out your goals, commitments, plans and procedures ( see Step 2 ).

• Define how each role in the company (from CEO to entry-level) is responsible for adhering to cyber policy.
  • For example, stating that each employee must follow the company’s internet policy and keep their devices updated at all times.
• Communicate and distribute the policies to your personnel
  • Ensure they acknowledge receipt and understanding, as well as any consequences for violating the policy(ies).

Quantify the strength of your cybersecurity plan – download the checklist

2. Review & implement your existing information security policies.

You likely already have several “lower tier” security policies in place, such as an Acceptable Use Policy and an Internet Access Policy. These dictate a particular set of rules for employees to follow to help protect your network’s security.

• If you don’t have these in place, create them.
• These policies cover use of company laptops, cell phones, email procedures, internet usage, remote access, and employee-owned devices.
• Plan on reviewing these policies yearly to ensure they cover any new advancements in cyber technology.
  • Set up yearly training as needed.

3. Employee Education on Cybersecurity

Your policies will only be as good as your employees’ knowledge and willingness to adhere to them. In addition to the points above, here are 3 specific action items to take:

• Arm your employees against email phishing scams. The more knowledgeable they are against how and what phishing scams look like , the safer your digital assets will be.
• Educate on how hackers are most likely to get into your system . Many times it’s “simple” things like an employee ignoring a Windows security patch update that can create a vulnerability for a hacker to exploit.
• Make sure your employees know what to do if they think there is any type of security breach. Who do they alert first? Define your internal escalation process and practice it with your employees. You don’t want a real crisis to occur and only then learn of weak spots in your process.

4. Physical Security Helps Ensure Cybersecurity

With all the focus on protecting these digital assets, it could be easy to overlook steps needed to protect the physical devices that house your cyber information.

• Is your data center secure? Is it housed in a location where only authorized personnel can get in and out? Don’t forget to check that list of personnel periodically to ensure that ex-employees no longer have access.
• Is your office space secure? How easy is it for “the public” to come in and walk around? Laptops, cell phones, and USB drives can be swiped under your nose, and with it, granting access to your network with hardly any effort.
• If your employees take devices home (or travel with them), how secure is that device? Do your employees know to only use secure Wi-Fi networks? If it’s stolen, is access to the device password protected?

5. Develop Password Policies

While you may find yourself frustrated at the complexities of creating (and remembering) an acceptable password for the different applications you use in your daily personal life, there is of course, a good reason for it. You need to be doing the same thing for your business.

• Implement a password policy. Employees should be using complex, random, long passwords or password phrases (recommended to be at least 10 characters) to log into their devices, in addition to any linked business accounts.
• Incorporate a schedule to change passwords on a regular basis
• Consider adding two-factor authentication to regularly-accessed accounts. This would be the strong password plus answering a “secret question”, PIN, or even providing biometric data like a fingerprint.
• Do not store any passwords in spreadsheets or word documents. It’s just too easy to breach these. Look into secure password programs for your employees that need to access linked accounts. The programs act like a vault, auto-populating passwords into sites (that the employees have been cleared for) without displaying what the password is.

The following steps are more advanced and may require the assistance of a Managed Services Provider.

6. Ensuring Encryption Across Your Network and Devices

Encryption is key. It’s the process that encodes your data in such a way that it is unreadable unless you have the right “key” (usually a password). Encryption can be applied to your wireless networks, hard drives, a file, even USB drives.

• What encryption are you using for your wireless networks?
• Any workstation or device that goes online needs to be encrypted. Don’t forget those mobile phones and tablets.

7. Decommissioning Users and Devices

Terminated employees, even those that leave on good terms, can become security liabilities, intentionally or not.

• Have a procedure in place to decommission user accounts and devices.
  • Your IT department should have a log of what devices are loaned to which employees to ensure proprietary equipment is returned.
  • Backup the devices before wiping them clean
  • Do not let terminated user IDs linger longer than necessary.

8. Have a Centrally-Managed Antivirus & Malware Programs

Viruses, ransomware, keyloggers, botnets, Trojans–the cyber world is full of devious, malicious programs. Unfortunately, there is not really one antivirus or antimalware program to rule them all. The best security system will have multiple layers of protection.

• Not sure which programs would be best to protect your business? Contact us for a consultation.

9. Limit Access to Critical Assets

Not everyone in the company will have the same “need to know” access to information and passwords. Your marketing team, for example, doesn’t need to have full access to your developers’ sandboxes. Nor do customer service reps need to see your accounting spreadsheets for the whole company.

• Set up proper privileges for each employee. Review these on a periodic basis.

10. Third Party Patch Management and Windows Updates

As mentioned in Step 3 , keeping up-to-date on patch updates to operating systems and softwares is critical. Not updating leaves your network and devices vulnerable to hackers.

• It can become a time-consuming task to follow up on every employee and device to ensure patches have been applied. Utilizing managed IT services to oversee this process for you can free up valuable resources.

*Important note: Microsoft is sunsetting Windows 7 in the upcoming year. Contact us about planning a transition strategy when this change takes place.*

11. Advanced Threat Protection: Firewall Packet Inspection

Firewalls are a critical component to your company’s network security. And as cyber crime increases and evolves, so does firewall security by necessity. How comfortable are you with managing your firewall? How about when it comes to determining whether you want to use a stateful inspection versus a packet-filtering firewall?

• Determine what your current firewall settings are and if they are optimized for your organization.

12. Continuous Vulnerability Scanning

It cannot be understated that cybersecurity requires constant vigilance. While your company laptops may be up-to-date and protected by your resources today, a vulnerability in the software could be discovered overnight–and cyber criminals are quick to pinpoint these weak spots.

• For large organizations, continuous scanning can also provide insight into performance trends (of the security system), be connected to feeds, provide authentication scans and more.

13. Disaster Recovery and Replication

Take a moment to imagine all of your digital assets have been wiped out. Now wipe that cold sweat of your forehead and breathe a sigh of relief if you have all that data backed-up and securely stored (in a location that is not your main server).

• Ensure you have a regular backup schedule and the information is stored securely.
• Going back to Steps 1 and 2 — Do you have policies in place in the event of a disaster? Does your IT team know the steps to bring your system back online?

14. Intrusion Detection

With all the focus on defending against incoming cyber attacks, let’s not lose sight that sometimes the attacks can come from within. That’s where intrusion detection comes into play.

What’s the difference? Intrusion detection system versus firewalls

Figuratively speaking, a firewall guards your front and back doors and watches for incoming threats. Intrusion detection systems, on the other hand, is like a security team that observes what’s happening inside your network and alerts you to any suspicious actions. (It’s a bit like that horror movie trope when the house phone rings and the babysitter realizes the threatening voice on the other end is the attacker waiting upstairs.)

Pulling it all together — Cybersecurity planning

The threat of cyber attacks requires a multi-layered approach and strategy. Having a managed services provider at your side can ease the stress of setting up, implementing, and maintaining the resources to keep your business safe and up-and-running.

For help with your cybersecurity planning, contact Copeland today.