Q. With all the cybersecurity threats in the world, I am concerned my company isn't doing everything we can to protect ourselves. What should we be doing?
A. I hear it on a weekly basis, "We take cybersecurity very seriously at our office."
Really? Let's put that to the test and run through a list of the steps your business should be doing at the absolute minimum when it comes to cybersecurity.
If you check all the boxes (truly check the boxes, not just "lip service" check the boxes), you earn a gold star and a more secure organization. I'm willing to bet that most of you won't be earning that gold star today, but that's to be expected with all that has been going on. These steps will help you identify areas you need to improve.
Step 1: Enable multifactor authentication
Multifactor authentication (MFA) requires a second, independent proof that you are who you say you are, in addition to your password, when you log in to an application or system.
Think of it this way. When you pass through airport security, you have to present identification, and that identification must carry your picture. The photo is a second check that the person holding the document is the person named on it.
Holding the ID alone isn't good enough, just as a password alone isn't good enough. MFA adds that second layer.
MFA comes in various forms, with text message codes and authenticator app codes being among the most popular. After you provide your password, you are required to enter a code that proves you are in possession of a particular device and therefore are who you claim to be. This isn't perfect: a phishing page can relay a code to the real site while it is still valid, and text message codes are the weakest option because phone numbers can be hijacked (SIM swapping). Prefer an authenticator app or, where the service supports it, a hardware security key. Even so, any MFA defeats the great majority of attacks that rely on a stolen or guessed password alone. You should have MFA everywhere and anywhere you can.
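To make the "app authentication code" concrete, here is an added example (not from the column or its author) of how a time-based one-time password works on the server side: the app and the server share a secret at enrollment, both derive a code from that secret and the current 30-second time step, and a login is accepted only if the code matches. The parameters (6 digits, 30-second steps, HMAC-SHA1) are the common authenticator defaults from RFC 4226 and RFC 6238; the secret used in the demonstration is the RFC test value, not a real one. The verifier also shows two details a practitioner cares about: tolerating a little clock drift, and refusing to accept the same code twice within that tolerance.

```python
import base64
import hashlib
import hmac
import struct

# Assumed parameters: 6-digit codes, 30-second steps, HMAC-SHA1, which are the
# defaults most authenticator apps use (RFC 4226 / RFC 6238).
DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_used_counter=None,
                step: int = STEP_SECONDS, digits: int = DIGITS, window: int = 1):
    """Return the time-step counter the code matched, or None if it is rejected.

    - accepts the current step plus `window` steps either side, to absorb clock drift;
    - rejects any counter at or below `last_used_counter`, so a code that was already
      accepted cannot be replayed while it is still inside the tolerance window;
    - compares in constant time so timing does not leak how many digits were right.
    """
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == digits):
        return None
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def enrollment_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, the format authenticator apps accept at enrollment."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 the 6-digit code is 287082.
    secret = b"12345678901234567890"
    print(enrollment_secret(secret), totp(secret, 59))
```

The caller is expected to store the counter returned by `verify_totp` as the user's `last_used_counter`; without that, the drift window lets a phished code be used a second time. Note that this scheme proves possession of the shared secret, not that the user is on the legitimate site, which is why a hardware key bound to the site's origin is stronger.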
Step 2: Provide recurring cybersecurity training for your staff
The cybersecurity threat landscape is constantly evolving, and it's too much to expect everyone to be on top of the latest threats and trends. A consistent training regimen should include both reminders about things we "should" know as well as information about new threat trends. It takes only one person to let their guard down for a data breach to occur.
Training is simple. You can choose from a variety of companies that provide self-guided security training for your entire organization for a small subscription fee. In addition to providing the training, the vendor will include tools to track who has completed the training.
The surge in working from home due to the COVID-19 pandemic has made training more important than ever. If you do only one thing after reading this article, ensure that formal security training is on the list.
Step 3: Perform random security testing of your staff
In addition to training, the best way to keep your people on their toes is to perform random testing to make sure they remain diligent. Many training applications include the ability to perform random testing. That testing should include phishing, smishing (SMS phishing), vishing (voice phishing), and other social-engineering techniques. These solutions are affordable and easy to set up and manage. The real-time feedback combined with the ability to provide additional training is a valuable asset to any business.
Random testing achieves two primary goals: (1) Users remain vigilant because they are always looking out for the latest test. If they are looking for the latest test, they will also be looking for the real thing; and (2) if someone fails the test, you can automatically enroll him or her in additional training and have a conversation about the importance of paying attention before clicking.
There has been a surge in phishing-type scams related to the global pandemic. Fake emails purporting to be from the Centers for Disease Control and Prevention, the IRS, the World Health Organization, and many other related organizations have been on the rise. Testing prepares your staff to identify these types of threats.
Step 4: Institute policies to protect against whaling
Whaling, a form of business email compromise (BEC), refers to impersonating the CEO or another executive to trick a company employee into sending money to cybercriminals. The impersonation is typically done either by taking over the executive's actual mailbox or by sending from an address that looks similar to the executive's real one (a lookalike domain, or the executive's name as the display name on an unrelated account).
Individual companies have been swindled out of hundreds of thousands of dollars in scams that could have easily been prevented with a simple corporate policy requiring that any request to send money be validated verbally.
For example, if a request from the CFO to send money to a vendor is received electronically (typically by email), the individual receiving the message is required to contact the CFO and verbally confirm the details of the request before transferring the money. The call must go to a number the company already has on file, never to a number supplied in the message itself, and the same rule applies to a request to change a vendor's bank details.
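The verbal-confirmation policy is the control; a mail filter can help by flagging the messages most likely to need it. Below is an added example (not from the column or its author) of the three cheapest checks for the impersonation methods described above: an executive's name used as the display name on some other address, a sender domain that is a near copy of the company's, and a Reply-To that would send the employee's answer somewhere else. The company domain, the executive directory and the sample message headers are all constructed for the example.

```python
from email.utils import parseaddr

# Assumptions for this example: the company's domain and a small directory of the
# executives whose names are worth protecting. Both are constructed, not real.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO
    "sam lee": "sam.lee@example.com",     # CFO
}

# Characters and digraphs attackers substitute because they look alike in most fonts.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_domain(domain: str) -> str:
    """Fold common lookalike characters so 'exarnple.com' and 'examp1e.com' read as 'example.com'."""
    d = domain.lower().translate(_HOMOGLYPHS)
    for lookalike, real in _DIGRAPHS:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), for near-miss domains like 'example.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(headers: dict) -> list:
    """Return reason codes for a message's From/Reply-To headers; [] means nothing suspicious."""
    reasons = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_addr = from_addr.lower()
    domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_addr = reply_addr.lower()

    # 1. An executive's name in the display name, but not that executive's address.
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and from_addr != known:
        reasons.append("display-name-impersonation")

    # 2. Sender domain is not ours but is a near copy of it (threshold of 1 edit is a tuning choice).
    if domain and domain != COMPANY_DOMAIN:
        if (normalize_domain(domain) == normalize_domain(COMPANY_DOMAIN)
                or edit_distance(domain, COMPANY_DOMAIN) <= 1):
            reasons.append("lookalike-domain")
        elif domain.startswith(COMPANY_DOMAIN + "."):
            reasons.append("company-domain-as-subdomain")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        reasons.append("reply-to-mismatch")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers, one per trick.
    samples = [
        {"From": '"Jane Doe" <jane.doe@example.com>'},
        {"From": '"Jane Doe" <jane.doe@gmail.com>'},
        {"From": '"Sam Lee" <sam.lee@exarnple.com>'},
        {"From": '"Jane Doe" <jane.doe@example.com>', "Reply-To": "ceo.urgent@outlook.com"},
    ]
    for s in samples:
        print(s.get("From"), "->", assess_message(s) or "ok")
```

None of these checks can catch the case where the executive's real mailbox has been taken over, which is exactly why the callback rule has to apply to every money request, flagged or not.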
The Paycheck Protection Program and the U.S. Small Business Administration's Economic Injury Disaster Loan program also have been popular targets for criminals. Setting a policy now to ensure money and/or data is not shared with the wrong people could save a lot of time and trouble (not to mention cash) when your organization is targeted.
Step 5: Back up your systems and data
People rarely worry about data and system backups when thinking about cybersecurity. However, the importance of backups cannot be overstated. I'm frequently puzzled by the companies that are completely paralyzed by a ransomware attack. Even if all other defenses have failed to protect from a ransomware event, backups should provide a method of recovery.
Properly configured backups will limit the disruption and save your organization from paying a ransom. If you are hit by ransomware, recover the encrypted data from the most recent clean backup and restore services to the organization. No, it is not as simple as wiggling your nose; however, a trained professional will know the proper steps to ensure a smooth recovery.
To protect your organization, ensure your backup strategy includes the following features:
- Ensure backups occur often and are retained for a minimum of three weeks, so that a copy predating the infection is still available;
- Ensure backups are replicated and stored in a secondary location, with at least one copy offline or otherwise not writable from your network, because ransomware that can reach your backups will encrypt them too; and
- Test your backups regularly by actually restoring from them and checking the result, not just by confirming the backup job reported success.
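As an added example (not from the column or its author), the script below carries those three points through one backup cycle: it archives a folder with the timestamp in the file name, records the archive's SHA-256, copies it to a second location and confirms the copy is byte-identical, deletes archives older than 21 days, and proves the backup is usable by restoring it into a scratch directory and comparing every file against the source. The paths, the sample files and the stale archive it prunes are all constructed inside `demo()`; in real use the "secondary" location would be offsite or offline storage rather than another folder on the same disk.

```python
import hashlib
import shutil
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_DAYS = 21                  # the column's minimum of three weeks
PREFIX, SUFFIX = "backup-", ".tar.gz"
TS_FMT = "%Y%m%dT%H%M%SZ"            # timestamp lives in the name, so copying cannot change it


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(root) -> dict:
    """Relative path -> sha256 for every file under root; used to prove a restore is complete."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def create_backup(source, primary, secondary, now):
    """Archive `source` into `primary`, record its hash, replicate to `secondary`, verify the copy."""
    name = f"{PREFIX}{now.strftime(TS_FMT)}{SUFFIX}"
    primary, secondary = Path(primary), Path(secondary)
    archive, replica = primary / name, secondary / name
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    digest = sha256_file(archive)
    (primary / (name + ".sha256")).write_text(digest + "\n")
    shutil.copy2(archive, replica)
    shutil.copy2(primary / (name + ".sha256"), secondary / (name + ".sha256"))
    if sha256_file(replica) != digest:           # a replica you have not checked is not a backup
        raise RuntimeError(f"replica of {name} does not match primary")
    return archive, replica


def prune(backup_dir, now, retention_days=RETENTION_DAYS) -> list:
    """Delete archives older than the retention window; return the names removed."""
    cutoff = now - timedelta(days=retention_days)
    removed = []
    for p in sorted(Path(backup_dir).glob(f"{PREFIX}*{SUFFIX}")):
        stamp = p.name[len(PREFIX):-len(SUFFIX)]
        try:
            taken = datetime.strptime(stamp, TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            continue                              # not one of ours; leave it alone
        if taken < cutoff:
            p.unlink()
            p.with_name(p.name + ".sha256").unlink(missing_ok=True)
            removed.append(p.name)
    return removed


def verify_restore(archive, expected_hashes) -> bool:
    """A real restore into a scratch directory, then a file-by-file comparison with the source."""
    archive = Path(archive)
    sidecar = archive.with_name(archive.name + ".sha256")
    if sidecar.exists() and sidecar.read_text().strip() != sha256_file(archive):
        return False                              # archive altered or corrupted since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuse absolute paths and '..' members
            except TypeError:
                tar.extractall(scratch)                  # interpreters without the filter argument
        return snapshot_hashes(scratch) == expected_hashes


def demo() -> dict:
    """One full cycle on constructed sample data in a scratch directory; returns what happened."""
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src, primary, secondary = root / "data", root / "backups-primary", root / "backups-offsite"
        (src / "clients").mkdir(parents=True)
        primary.mkdir()
        secondary.mkdir()
        (src / "ledger.csv").write_text("constructed sample ledger\n")
        (src / "clients" / "notes.txt").write_text("constructed sample notes\n")
        # A stale placeholder archive from five weeks earlier, to exercise pruning.
        (primary / f"{PREFIX}20200425T000000Z{SUFFIX}").write_bytes(b"")
        expected = snapshot_hashes(src)
        archive, replica = create_backup(src, primary, secondary, now)
        return {
            "archive": archive.name,
            "restore_verified": verify_restore(archive, expected),
            "offsite_restore_verified": verify_restore(replica, expected),
            "pruned": prune(primary, now),
            "kept": sorted(p.name for p in primary.glob(f"{PREFIX}*{SUFFIX}")),
        }


if __name__ == "__main__":
    print(demo())
```

The `.sha256` sidecar only detects corruption; an attacker who can rewrite the archive can rewrite the sidecar too, so the digest should also be written somewhere the backup host cannot modify, such as a log the monitoring system keeps. The restore test is the part most organizations skip, and it is the only step here that tells you the backup would actually work on the day you need it.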
Step 6: Purchase cybersecurity insurance
This is a must. Unfortunately, security events happen despite all best efforts to protect ourselves. If something happens, insurance provides financial protection and gives you quick access to expertise you may not otherwise have. The important thing to remember is to call your insurance company immediately when something occurs; most policies require prompt notice, and if you wait, they may not cover your full claim.
Bonus recommendation: Set up a Slack/Teams channel for employees to share the threats they have identified. At our organization, it has become a popular game to share screenshots of the threats identified.
Here's the bottom line. Cybersecurity protection is only as strong as your weakest link. Many businesses think they're doing everything they can and make the false assumption that their employees are equipped to make the right decisions when faced with a dangerous situation. Unfortunately, those assumptions tend only to reinforce the old adage about assumptions. Stay vigilant, my friends, and earn your gold star by following these recommendations.
About the author
Byron Patrick, CPA/CITP, CGMA, is vice president of growth and success at Botkeeper.
Submit a question
Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to firstname.lastname@example.org. We regret being unable to individually answer all submitted questions.