
Seven Cybersecurity Best Practices to Protect your Business

January 19, 2023
In a recent Worcester Business Journal (WBJ) webinar on cybersecurity for business executives and owners, Gregory Berks, SVP and Director of Operational Risk, Vendor Management, and Information Security, joined other local industry professionals to share his insights on ways businesses can protect both their organization and their customers.
 
Regardless of a company’s budget, a core principle of sound cybersecurity is educating your staff so they can recognize threats, react to them, and plan accordingly.
 
“Security professionals love to say that users are the weakest link in information technology (IT) security; however, a well-trained employee can be the best and last line of defense against a breach. Conversely, an employee who has received no training can be a huge risk to malware, ransomware, and data loss for your company,” said Greg.
 
When getting started with cybersecurity guidelines for your organization, an IT policy is an essential guide for you and your staff. At the very top level, everyone should have an IT policy that serves as the framework for your IT infrastructure and IT security practices. Developing an IT policy adds structure and defines how you will manage your IT risk.

Consider the following insights from Greg to create a sound IT policy for your business:
 
1. User training: One of the most important elements of your IT policy is user training, so that your employees understand the risks. Training employees to keep company and corporate data confidential is critical, including how to identify phishing emails. Be sure to test them regularly with phishing simulations so they are prepared for the most active and current threats.

2. Patching/vulnerability scanning: Key components of your IT policy should include patching frequencies, how you keep systems up to date, and vulnerability scanning. How do you identify down-level systems or systems that create a risk exposure? Do you have an anti-malware and anti-virus agent? Is someone assigned to help you respond to an incident? If you need to run a forensic investigation after a ransomware attack, do you have a security firm on retainer? These are all important questions to have answered in advance.

3. User access: Reviewing user access to systems is another key element. Evaluate which employees have access to what, and determine whether they have access to more systems or functionality than their job requires. While it may be easier to give all users the same system access regardless of job function, be sure to grant users access only to what they absolutely need.

4. Restrict access to the internet and external email sources, if you can: One example that comes to mind is an employee receiving a fraudulent external email, appearing to come from the CEO or the CFO, that instructs them to send a wire transfer. Does that employee need to be able to receive email from external sources? Do they primarily interact with internal employees? If so, why not limit their email correspondence to within the company and eliminate that phishing risk altogether?

5. Everyone should have web filtering: Web filtering allows access only to business-related internet sites and blocks access to malicious or nefarious sites. Most employees have smartphones and mobile devices, so why do they need to access non-business-related sites at work when they can use their mobile device instead? In the current threat environment, employees should only be accessing business-related sites on your company network.

6. Incident response procedures: Your IT policy should also cover what you do in the event of an incident such as ransomware, a breach, or even an operational outage, and how you will recover. An important component of that is cyber insurance.

7. Cyber insurance: It is recommended that everyone obtain cyber insurance, but it is becoming more expensive, and many carriers now require fairly advanced and stringent IT security practices to be in place just to obtain coverage. What many companies don’t know is that carriers often assist with incident recovery, including breach coaches and crisis communications teams that can speed up your recovery and minimize operational disruption. It is critical that you incorporate your cyber insurance response into your incident response plans.

Once you’ve developed your IT policy, be sure to test its efficacy.
 
“I would encourage everyone to develop a testing program that assesses whether or not your IT and security controls are operating effectively,” said Greg. One of the best ways to do this is to have a third-party audit firm conduct an annual assessment of your IT environment. This is often called an IT general controls audit, and it is a very effective way to confirm that your IT controls are operating effectively and are actually being followed. It will also help you identify areas that need improvement.
 
For more business security tips, please visit our security center.
by Middlesex Savings Bank