August 10, 2022
Cybersecurity: Where to Start (or Restart)
Every business, no matter its type or size, needs to take a proactive approach to cybersecurity. You do not want to be questioning your business’s cybersecurity capabilities in the middle of a cyber incident or data breach. With a strong cybersecurity program in place, you will not only be able to respond to an incident quickly and effectively should one occur, but also reduce the risk of becoming a target for a cyber-attack in the first place.
To develop an effective cybersecurity program for your company (without requiring a lot of resources), here are some important initial steps to take:
- Identify your company’s sensitive data and where it resides. Whether it is your customers’ private information or your organization’s proprietary information, it is your organization’s responsibility to protect it.
- Identify your mission-critical assets: the systems, data, and services your business cannot operate without. If one of these were compromised, the loss to your business could be irreparable.
- Ensure that the data and core assets are properly secured using administrative, technical, and physical controls.
Here are some easy, but effective, actions you can take to protect your business’s sensitive data and core assets right now:
1. Harden Core Assets
System hardening is the process of securing a system by reducing the number of potential attack vectors, and with it the security risk.
Some ways to secure your systems are limiting access to the system, regularly updating the system and its software, closing unused ports, removing unnecessary software, and collecting and reviewing audit logs.
The Center for Internet Security (CIS) has published numerous benchmarks for different operating systems, software, network devices, mobile devices, and cloud providers. It is highly recommended that you start here for your system hardening needs.
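As an added example (not part of the original post, and not the CIS benchmark text itself), the script below applies the hardening idea to one common core asset, an OpenSSH server. It reads an sshd_config, works out the effective value of a few security-relevant directives, compares them against an illustrative baseline, and emits a corrected configuration. The baseline values, the assumed OpenSSH defaults, and the sample configuration are all constructed for this illustration; confirm them against the CIS benchmark for your platform and the sshd_config(5) manual. One subtlety it handles: sshd uses the first occurrence of a directive, so a later "PermitRootLogin no" does not override an earlier "yes".

```python
"""Illustrative sshd_config hardening check (added example, not the article's code)."""
import re

# Hypothetical baseline chosen for this illustration: directive -> (expected, mode).
# "eq": value must equal expected; "max": numeric value must not exceed expected.
BASELINE = {
    "PermitRootLogin": ("no", "eq"),
    "PasswordAuthentication": ("no", "eq"),
    "PermitEmptyPasswords": ("no", "eq"),
    "X11Forwarding": ("no", "eq"),
    "MaxAuthTries": (4, "max"),
    "LogLevel": ("VERBOSE", "eq"),
}

# Values OpenSSH applies when a directive is absent (assumed; verify in sshd_config(5)).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

# Constructed sample configuration with several weak settings.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no      # ignored by sshd: the first value seen wins
MaxAuthTries 10
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {directive(lowercased): value} using sshd's first-match-wins rule.
    Directives inside a Match block apply only conditionally, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_hardening(text):
    """Compare effective settings with BASELINE.
    Returns a list of (directive, effective_value, expected_value) for each failure."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (expected, mode) in BASELINE.items():
        effective = settings.get(directive.lower(), DEFAULTS[directive])
        if mode == "eq":
            ok = effective.lower() == str(expected).lower()
        else:
            try:
                ok = int(effective) <= expected
            except ValueError:
                ok = False
        if not ok:
            findings.append((directive, effective, str(expected)))
    return findings


def hardened_config(text):
    """Prepend the baseline value for every failing directive.
    Because sshd keeps the first value, the override must precede the original."""
    overrides = [f"{d} {exp}" for d, _, exp in check_hardening(text)]
    return "\n".join(overrides + [text]) if overrides else text


if __name__ == "__main__":
    for directive, effective, expected in check_hardening(SAMPLE_CONFIG):
        print(f"FAIL {directive}: effective={effective!r}, expected={expected!r}")
    print(hardened_config(SAMPLE_CONFIG))
```

On the sample configuration the check flags PermitRootLogin (first value is "yes"), PasswordAuthentication (absent, so the default "yes" applies), MaxAuthTries (10 exceeds 4) and LogLevel (default INFO); the emitted configuration passes the same check. The same pattern, parse the effective state and diff it against a documented baseline, is what the CIS benchmark audit procedures describe for each setting.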
2. Conduct Vulnerability Scans
Vulnerability scanning is the process of using automated tools to search for known vulnerabilities, report what could happen if each one were exploited, and, most importantly, explain how to remediate it.
There are two types of vulnerability scanning:
Internal vulnerability scanning consists of deploying a scanning device on your internal network to search for vulnerabilities on other devices on the network.
External vulnerability scanning uses a special scanner which is outside your network and checks your public facing devices and websites for vulnerabilities.
It is highly recommended that an organization perform internal vulnerability scans at least quarterly, and external vulnerability scans at least once annually. Once vulnerabilities are discovered, technical teams should follow the remediation guidance in the scan results to fix them on your organization’s systems and network, then rescan to confirm that the fix took effect. (Nessus, OpenVAS, Qualys, and Nikto are just a few examples of free or cost-effective vulnerability scanning tools; Nikto is specific to web servers.)
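Scanners typically return far more rows than a small team can work through one by one, so the useful step after a scan is triage. The script below is an added example (not from the article or from any scanner vendor) that takes a scanner export, drops informational rows, removes duplicate findings, groups the rest by remediation action (one patch campaign usually closes many rows), and assigns a due date by severity. The CSV column names, the sample findings, and the remediation deadlines are all constructed for this illustration; map the columns to whatever your scanner exports and set deadlines from your own policy.

```python
"""Triage of vulnerability scan results (added example, not the article's code)."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export; hosts, findings and scores are invented.
SCAN_CSV = """\
Host,Port,Risk,CVSS,Name,Solution
10.0.1.5,445,Critical,9.8,SMBv1 enabled,Disable SMBv1 and apply vendor patches
10.0.1.5,3389,High,8.1,RDP without NLA,Enable Network Level Authentication
10.0.1.7,445,Critical,9.8,SMBv1 enabled,Disable SMBv1 and apply vendor patches
10.0.1.9,80,Medium,5.3,Server version disclosed,Suppress the Server header
10.0.1.9,22,Info,0.0,SSH service detected,n/a
10.0.1.5,445,Critical,9.8,SMBv1 enabled,Disable SMBv1 and apply vendor patches
"""

# Illustrative remediation deadlines in days by severity (assumed policy, not a standard).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
RISK_ORDER = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def load_findings(csv_text):
    """Parse the export, drop informational rows, and dedupe on (host, port, name)."""
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] not in SLA_DAYS:
            continue  # Info rows describe services, not vulnerabilities
        key = (row["Host"], row["Port"], row["Name"])
        if key in seen:
            continue  # same finding reported twice (e.g. rescans merged into one export)
        seen.add(key)
        row["CVSS"] = float(row["CVSS"])
        findings.append(row)
    return findings


def prioritize(findings, scan_date):
    """Group findings by remediation action and order by highest CVSS, then host count.
    Each group carries the worst severity seen and the due date derived from it."""
    groups = defaultdict(lambda: {"hosts": set(), "max_cvss": 0.0, "risk": "Low"})
    for f in findings:
        g = groups[f["Solution"]]
        g["hosts"].add(f["Host"])
        g["max_cvss"] = max(g["max_cvss"], f["CVSS"])
        if RISK_ORDER[f["Risk"]] > RISK_ORDER[g["risk"]]:
            g["risk"] = f["Risk"]
    plan = [
        {
            "solution": solution,
            "risk": g["risk"],
            "max_cvss": g["max_cvss"],
            "hosts": sorted(g["hosts"]),
            "due": scan_date + timedelta(days=SLA_DAYS[g["risk"]]),
        }
        for solution, g in groups.items()
    ]
    plan.sort(key=lambda r: (-r["max_cvss"], -len(r["hosts"])))
    return plan


def overdue(plan, today):
    """Remediation items whose due date has passed without a confirming rescan."""
    return [r for r in plan if today > r["due"]]


def run_example():
    """Triage the constructed export as if scanned on 2022-08-10 and reviewed on 2022-09-01."""
    plan = prioritize(load_findings(SCAN_CSV), date(2022, 8, 10))
    return plan, overdue(plan, date(2022, 9, 1))


if __name__ == "__main__":
    plan, late = run_example()
    for item in plan:
        print(f"{item['risk']:<8} {item['max_cvss']:>4} due {item['due']} "
              f"{len(item['hosts'])} host(s): {item['solution']}")
    print("overdue:", [item["solution"] for item in late])
```

The six sample rows collapse to three remediation items: the SMBv1 fix covers two hosts and is due within a week, the RDP fix within a month, and the header fix within a quarter. A rescan after each fix should remove the rows; anything still open past its due date shows up in the overdue list, which is the report to bring to the next review.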
3. Establish Proactive Security Defenses
Taking a proactive approach to cybersecurity has many advantages and is not as difficult as you may think. Here are some things you can do right now:
- Offer Security Awareness Training to inform your employees of current threats and best practices, which reduces the risk of compromises from human error.
- Perform backups of data regularly. If data is compromised or deleted, you then have recovery points to restore to. Test restores periodically, and keep at least one copy offline or otherwise isolated from the network, so that ransomware that reaches your systems cannot also encrypt the backups.
- Establish a password policy that requires strong passwords. Length is the primary factor in password strength. Passwords should be at least 8 characters long (12 characters for administrator accounts) and should contain at least 3 of the 4 character types (i.e., lower case, upper case, numbers, special characters).
- Enforce Multi-Factor Authentication (MFA) wherever applicable. Often, users enter just a password to gain access to a system. With MFA, users enter their password and then provide another form of authentication before being granted access, such as a one-time code generated by an authenticator app on their mobile phone. This protects the account even if an attacker obtains the password, because it is unlikely they also control the second factor.
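Two of the controls above can be shown in code. The block below is an added example, not the article's code: the password policy exactly as stated (8 characters, 12 for administrators, 3 of 4 character classes), and verification of the time-based one-time codes that authenticator apps produce (TOTP, RFC 6238, built on HOTP, RFC 4226). The common-password denylist, the username check, the clock-drift window and the replay check are assumptions added for illustration; the key "12345678901234567890" is the reference key from the RFC test vectors, not a real secret.

```python
"""Password policy check and TOTP verification (added example, not the article's code)."""
import hashlib
import hmac
import struct

MIN_LEN_USER, MIN_LEN_ADMIN, REQUIRED_CLASSES = 8, 12, 3
# Tiny constructed denylist; screen against a real breached-password list in production.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein"}


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() and not c.isspace() for c in pw)
    return sum((has_lower, has_upper, has_digit, has_special))


def check_password(pw, is_admin=False, username=""):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    min_len = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if character_classes(pw) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of 4 character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    then dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based code (RFC 6238): HOTP with the current 30-second step as the counter.
    This is what the authenticator app computes from the shared secret and its clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, last_counter=-1, window=1, step=30):
    """Server-side check. Returns the time-step counter the code matched, or None.
    Accepts the current step plus or minus `window` steps to absorb clock drift,
    compares in constant time, and refuses any counter at or below the last one
    consumed so a captured code cannot be replayed inside its validity window.
    The caller must persist the returned counter per user as the new last_counter."""
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    print(check_password("password1"))        # fails complexity and the denylist
    print(check_password("Tr0ub4dor&3", is_admin=True))  # long enough for users, not admins
    secret = b"12345678901234567890"           # RFC 6238 reference key, not a real secret
    print(totp(secret, 59, digits=8))          # 94287082, the RFC 6238 test vector for T=59
    print(verify_totp(secret, totp(secret, 59), 59))  # 1: matched time step
```

The first half shows why the complexity rule alone is not enough: "password1" satisfies the length rule and would pass a two-class check, which is why the denylist and username check are worth adding. The second half shows the mechanism behind the authenticator-app factor: the app and the server share only a secret and a clock, so stealing the password alone gives an attacker nothing to compute the code from, and because each code is bound to a 30-second step and consumed once, a code captured in transit is useless moments later.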
4. Adhere to a Cybersecurity Framework & Create Security Policy Documentation
Your organization should have security policy documentation that details the organization’s security requirements.
A good security policy will:
- Provide an overview of the security requirements for your IT infrastructure
- Identify the functions and features of the infrastructure
- Describe the security measures that are in place to protect your systems
The first step to creating effective security policy documentation is to identify and choose a cybersecurity framework that your organization wants to adhere to. There are many cybersecurity frameworks that your organization can adopt to provide guidance for protecting your sensitive data and core assets.
We recommend the National Institute of Standards and Technology Special Publication 800-171 r2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf). Beyond listing the security requirements, the publication provides guidance on how to implement them, so you can protect your information and organization.