Because of this, we wanted to be transparent with you about how we secure our services to ensure that your business also remains safe. Our client safety is always top of mind in everything that we do, and we take our cyber security (and yours) very seriously.
What makes a comprehensive cyber security plan?
After years of being in the industry and watching the evolution of cyber-attacks, we feel that there are 13 critical pieces to any cyber security plan that we, as your IT Support provider, should have. They are:
Two factor/Multi factor authentication – probably the most widely misunderstood security solution, but a critical and vital part of every cyber security strategy. Two factor authentication is just what it sounds like: two separate layers of security, where the first is the standard username and password, and the second looks for something you know, something you have or something on your body (e.g., a fingerprint).
Secure Swiss Data shares some stats you should know that describe the critical need for two factor authentication:
● 90% of passwords can be cracked in less than six hours.
● Two-thirds of people use the same password everywhere.
● Sophisticated cyber attackers have the power to test billions of passwords every second.
It is this sobering reality that brings us to require two factor or multi factor authentication for all of our employees and users of our system, and we highly recommend that you do too.
Password management – When you think about the statistics above, consider this as well. One reason people use the same password everywhere is that it is impossible to keep track of hundreds of usernames and passwords across various devices and systems. So it is understandable why truly strong, unique passwords are difficult to maintain and users resort to using the same password for every site.
This is why we have a password management program built into our procedures and policies for accessing our sites. The password manager generates a password for each unique site and stores it in the management program. When one of our staff needs to access that site, they use the master password they have created to open the database of passwords and obtain the correct password for the site they are attempting to access, further reducing the risk of a breach.
Security risk assessment – Synopsys defines a security risk assessment as, “A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities.” The assessment should be performed at a minimum of one time per year, if not more. A full security assessment includes the following pieces:
● Identification – To start, when performing a security risk assessment, you need to take inventory of all of your critical information technology equipment, then determine what sensitive data is created, stored or transmitted through these devices and create a risk profile for each.
● Assessment – This step takes the identification step to the next level. To complete the assessment step, we need to identify the security risks to each critical asset and determine the most effective and efficient way to allocate time and resources to mitigation.
● Mitigation – Mitigation is the “act of reducing the severity of something painful.” We have specifically defined a mitigation approach for each potential risk in our network and what security controls will be initiated in case of a breach.
● Prevention – We have detailed specific tools and processes to reduce and minimize the risk of threats against us and our network in order to help keep you safe.
Information security plan – There is a significant need to safeguard any information that is collected, transmitted, used and stored within information systems, and the development of an information security plan is crucial to safeguarding your data. This is something we take seriously, and we have documented a plan and systems designed to secure our own and your sensitive business data. A security program is essentially about risk management, including identifying, quantifying and mitigating risks to computers and data. SANS.org believes there are 57 essential basic steps to risk management:
● Identify the Assets – SANS feels that this goes beyond generating a list of all the hardware and software within the infrastructure, and also includes any data that is processed and stored on these devices.
● Assign value – Every asset, even data, has a value, and there are two approaches that can be taken to develop that value: qualitative and quantitative. Quantitative assigns a financial value to each asset and compares it to the cost of the countermeasure. Qualitative ranks the threats to, and security measures for, each asset using a scoring system.
● Identify risks and threats to each asset – Threats to the system go beyond malicious actors attempting to access your data and extend to any event that has the potential to harm the asset. Natural events like lightning strikes, fire and floods, as well as human error or terrorist attack, should also be examined as potential risks.
● Estimate potential loss and frequency of attack of those assets – This step depends on the location of the asset.
● Recommend countermeasures or other remedial activities – By the end of the above steps, the items that need improvement should become fairly obvious. At this point, you can develop security policies (rule) and procedures (how).
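The five steps above, carried through as a small risk register. This is an added example, not part of the original post or of SANS's material; the assets, values, loss estimates and frequencies are constructed sample figures, and the expected-loss formula (value × loss fraction × yearly frequency) is an assumption used here to put the quantitative and qualitative approaches side by side.

```python
# Added example: a minimal risk register following the five steps above.
# All asset figures below are constructed sample values, not real data.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float               # step 2, quantitative: financial value of the asset
    threat: str                # step 3: the event that could harm it
    loss_fraction: float       # step 4: share of value lost per incident (0..1)
    yearly_frequency: float    # step 4: expected incidents per year
    likelihood: int            # step 2, qualitative: score 1..5
    impact: int                # step 2, qualitative: score 1..5
    countermeasure: str        # step 5: candidate control
    countermeasure_cost: float  # yearly cost of that control


def expected_yearly_loss(a: Asset) -> float:
    """Quantitative view (assumed formula): value lost per incident x incidents per year."""
    return a.value * a.loss_fraction * a.yearly_frequency


def qualitative_score(a: Asset) -> int:
    """Qualitative view: likelihood x impact on a 1..25 scale, used only for ranking."""
    return a.likelihood * a.impact


def recommend(a: Asset) -> str:
    """Step 5: recommend the countermeasure only when it costs less than the loss it prevents."""
    loss = expected_yearly_loss(a)
    if a.countermeasure_cost < loss:
        return f"{a.name}: adopt '{a.countermeasure}' (saves {loss - a.countermeasure_cost:.0f}/yr)"
    return f"{a.name}: accept risk, '{a.countermeasure}' costs more than the expected loss"


def ranked_register(assets):
    """Highest qualitative score first; ties broken by expected yearly loss."""
    return sorted(assets, key=lambda a: (qualitative_score(a), expected_yearly_loss(a)), reverse=True)


# Constructed sample register: three assets, one threat each.
SAMPLE_ASSETS = [
    Asset("file server", 80000, "ransomware", 0.5, 0.2, 3, 5, "offsite backups", 3000),
    Asset("office laptops", 15000, "theft/loss", 0.1, 2.0, 4, 2, "full-disk encryption", 500),
    Asset("lobby kiosk", 1500, "lightning/power surge", 1.0, 0.05, 1, 1, "surge protector", 200),
]

if __name__ == "__main__":
    for a in ranked_register(SAMPLE_ASSETS):
        print(f"score {qualitative_score(a):>2}  loss {expected_yearly_loss(a):>6.0f}/yr  {recommend(a)}")
```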
Policies and procedures (internal & external) – A crucial part of an effective cybersecurity plan is the policies and procedures, both for internal assets and external assets. You can’t have one without the other. A general description of them can be thought of as this: a policy is the “rule” and a procedure is the “how.” With this in mind, a policy would be to effectively secure corporate data with strong passwords. The procedure would be to use multi-factor authentication.
Cybersecurity insurance and Data Breach Financial Liability – CyberInsureOne defines cybersecurity insurance as “a product that is offered to individuals and businesses in order to protect them from the effects and consequences of online attacks.” Cybersecurity insurance can help your business recover in the event of a cyberattack, providing services such as public relations support and funds to draw against to cover any financial losses and protect your customers and suppliers, and it is something that your IT Support Provider should carry as well as your own business. And just like business liability and car insurance, it is paramount that your business (as well as your IT Support Company) cover itself with data breach financial liability insurance for any event that may be attributed to its activities causing a breach.
Data access management – Techopedia defines access management as the governance process that is used in granting access to approved users and denying access to disallowed users. This is critical for your business as it enables controls over who has access to your business data, especially during times of employee turnover. Other benefits include increased regulatory compliance, reduced operating costs and reduced information security risk.
Security awareness training (with phishing training) – Phishing is the number one attack vector today, with over 90,000 new attacks launched every month. If your provider is not actively participating in security and phishing awareness training, they will be unable to help you keep up with the latest trends in how these malicious actors are attempting to gain access to your business's data.
Data encryption – At its basic level, data encryption translates data into a different form, making it readable only at the sending and receiving ends and only with the appropriate key or password. Encryption is currently considered one of the most effective security measures in use and falls into one of two categories: asymmetric encryption and symmetric encryption.
Next gen Antivirus and firewall – Gartner defines antivirus as an endpoint protection platform (EPP): software designed to detect and render ineffective any virus that attempts to access the device. Many providers market their software as “next generation,” but true next generation antivirus includes features such as exploit-technique blocking (stopping a process that is exploiting, or using a typical method of bypassing, a normal operation), application whitelisting (a process for validating and controlling everything a program is allowed to do), micro-virtualization (blocking direct execution of a process by running the program in its own virtual operating system), artificial intelligence (blocking or detecting viruses the way a human analyst would), and EDR/forensics (using a large data set from endpoint logs, packets and processes to find out what happened after the fact). Next generation firewalls also include capabilities beyond the traditional firewall, including intrusion prevention, deep packet inspection, SSL-encrypted traffic termination, and sandboxing.
Business continuity plan – a process surrounding the development of a system to manage prevention of, and recovery from, potential threats to a business. A solid business continuity plan includes the following:
● Policy, purpose and scope
● Key roles and what that individual is responsible for
● A business impact analysis
● Plans for risk mitigation
● Data and storage requirements that are offsite
● Business recovery strategies
● Alternate operating plans
● Evaluate the readiness of outside vendors
● Response and plan activation
● Communication plan
● Drills and practice sessions
● Regular re-evaluation of the current plan.
Your IT Support Provider should be able to provide you with a copy of what is included in their plan, explain how it will affect your business if they do encounter a business continuity event, and describe what their backup plan is to maintain your critical business infrastructure.
Email security layers – In short, layers limit risk. Email security layers include tactics such as two-factor authentication and spam filters at the basic level and giving your employees time to evaluate a potential threat by removing the words “urgent” or “do right now” from internal subject lines.
As your IT Support Provider, we are dedicated to helping you maintain effective cybersecurity through these advanced tactics as well as through a consultative, trusted advisor relationship. You are more than just a number to us, and we will do everything in our power to help keep your business safe and running smoothly.
3 Ways to Improve Company Culture
The approach your company takes to building a great workplace is indicative of the leadership that is present throughout your business. Culture is changing at such a fast pace that it is important to understand and actively shape your culture to help create a thriving workplace. The attitude of your employees also correlates directly with the happiness throughout your company. Happy employees make for a thriving corporation. To keep company culture thriving, here are three ways to help improve company culture throughout your business:
1. Offer benefits or time off to your staff – it is important that your staff is not burning out. Burnout is associated with chronic stress that is not managed well. To decrease company burnout, improve the culture of the workplace by trying to decrease stress throughout and provide plenty of time off for your employees to take as they feel symptoms of burnout. Burnout is a real thing and happens when employees feel stressed, overworked or underpaid, or have not seen the value that they bring to the company.
2. Empower and Encourage – It is important that your staff understands that they aren’t just people sitting in chairs, but a valuable asset to your business. Show them that they are an integral part of your business and that, no matter what their role is, they are an asset to your business. Also, provide meaningful purposes for employees and be sure to show your employees how much they mean to you (remember, actions speak louder than words at times).
3. Integrate Modern Tech for Ease of Job – Understandably, there is no “easy” job out there; but what if you could make your employees’ jobs easier for them? I can tell you that making your employees’ jobs easier will improve company culture tremendously. Start using automation and delegation to create ease of job throughout the company. If things are done manually, try to use the tools available to automate as much as you can without causing harm to your business.