10 steps to better cyber hygiene
Threats are everywhere, but a little diligence and education can help you protect yourself, your employees, and your business
BY BILL SHERIDAN, CAE
The numbers are staggering, and frightening.
• A ransomware attack occurs every 11 seconds. In fact, 60 percent of companies have experienced a ransomware attack in the past year, and their average down time was six days.
• One in every 6,000 emails contains suspicious URLs, including ransomware.
• The number of malicious emails being sent is up 600 percent.
• 560,000 new pieces of malware are detected every day.
The costs can be just as staggering. According to research from the Center for Strategic and International Studies and security vendor McAfee, estimated global losses from cyber crime hit $1 trillion in 2020, which was double the losses of 2018. A year later, those losses increased about six-fold, to an estimated $6 trillion. The average cost of a data breach for companies with fewer than 500 employees is just under $3 million.
Adding fuel to the fire is Russia’s invasion of Ukraine. Officials with the Department of Justice are urging companies throughout the world to strengthen their cybersecurity defenses in the wake of the invasion. In a recent article for TechRepublic, reporter Brandon Vigliariolo said cyberattacks against U.S. companies aren’t a question of if, but rather of “when.”
“Scott Kanry, CEO at cyber risk management company Axio, said there’s absolutely no question that U.S.-based organizations will see an increase in cyberattacks due to the conflict,” Vigliariolo writes. “Kanry said that we’re likely to see attacks like (distributed denial of service, or DDoS), phishing, activation of persistent malware and more across the 16 critical infrastructure sectors, potentially all the way down to small but vital local organizations. ‘We should also be paying attention to the other organizations that are critical to a functioning society, like hospitals, schools, health clinics and local banks. Often the smallest organizations lack even basic cyber defenses which make them vulnerable to an attack,’ Kanry said.”
What’s at stake? Not much, really — just your organization’s reputation, interruptions to your ability to conduct business, your going concern, our country’s economic stability, and possibly even our national defense.
And given our shift to remote work, this is no longer something that only business leaders need to worry about. Everyone, from the top to the bottom of your organization, is responsible for cybersecurity.
HOW TO PROTECT YOURSELF
So what can we — as organizations, as leaders, as individuals — do to keep our businesses safe? Quite a bit, actually. So says Clar Rosso, CEO of the global cybersecurity association (ISC)2. During a session at the recent DigitalNow Conference in Nashville, Rosso offered a list of 10 cybersecurity steps business leaders can take to protect their organizations. There’s a little something in here for everyone.
1. Lock down endpoints.
This is especially important for your remote workforce. Securing mobile devices, and implementing safety measures like antivirus solutions, URL filtering and blocking, and email scanning are all ways of protecting your remote assets from nefarious elements.
2. Enable ‘least privilege access.’
This means restricting administrative rights, requiring an administrator to install new applications rather than letting users install their own, and “turning off this kind of access when employees leave or no longer need it,” Rosso said.
3. Patch.
Installing routine updates from software vendors can help remove bugs that could otherwise be exploited by cyber attackers. “Installing these patches in a timely fashion is important in limiting points of vulnerability,” Rosso said.
4. Stop ‘shadow IT.’
Remote workers often download non-approved applications which can expose your organization to dangerous vulnerabilities. “Good application management practices can ensure that only approved programs are being used with proper oversight from a security professional,” Rosso said.
5. Mandatory VPN.
Virtual private networks add a crucial layer of security by creating secure Internet connections to other networks via encrypted data and hidden IP addresses. “In a remote work environment,” Rosso said, “this is a key tool for small businesses to use when communicating with their employees and partners.”
6. Backup and recovery.
One of the best defenses against data loss and cyberattacks is to regularly conduct all-encompassing backups of all systems. “In the event of a cyber incident,” Rosso said, “small businesses that frequently back up their data have the option to simply roll back to the last uninfected backup for a given system, limiting the loss of data and the time, cost and expertise needed to recover.” Don’t forget to train remote employees how to back up their data and — equally important — how to recover uninfected data from a backup.
Get more cybersecurity tips on our podcast
Clar Rosso offers additional insights and advice about how to strengthen your cybersecurity defenses in a recent episode of the MACPA’s “Future-Proof” podcast. Listen to the conversation at bit.ly/CyberCPA. And don’t forget to subscribe to receive new episodes of “Future-Proof” wherever you get your podcasts.
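Returning to step 6: a backup is only useful if you can prove it restores cleanly, which is the part Rosso says staff need to practice. The script below is an added example written for this article, not code from (ISC)2 or the MACPA. It archives a constructed folder of sample files, writes a SHA-256 manifest beside the archive, simulates an incident that mangles the live copy, and then restores into a separate directory and checks every file against the manifest. The file names and contents are made up for the demonstration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    # e.g. docs-backup.tar.gz -> docs-backup.tar.gz.manifest.json
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return and persist a {relative path: sha256} manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive: Path, target: Path) -> list:
    """Restore into `target` and list files that are missing or whose hash differs.
    An empty list means the restore reproduced exactly what was backed up."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+, backported to patch releases) refuses
            # absolute paths and path traversal inside the archive.
            tar.extractall(target, filter="data")
        except TypeError:
            tar.extractall(target)  # older interpreter without the filter argument
    problems = []
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(restored) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_demo() -> dict:
    """Back up constructed sample files, corrupt the live copy, restore, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "docs"
        (src / "clients").mkdir(parents=True)
        (src / "ledger.csv").write_text("2024-01-01,invoice,1200\n")        # constructed data
        (src / "clients" / "notes.txt").write_text("quarterly review notes\n")  # constructed data
        archive = tmp / "docs-backup.tar.gz"
        manifest = make_backup(src, archive)

        # Simulated incident: the live ledger is overwritten after the backup was taken.
        (src / "ledger.csv").write_text("ENCRYPTED\n")

        restore_dir = tmp / "restore"
        problems = restore_and_verify(archive, restore_dir)
        restored_ledger = (restore_dir / "ledger.csv").read_text()
        return {
            "files_backed_up": len(manifest),
            "problems": problems,
            "restored_ledger": restored_ledger,
        }


if __name__ == "__main__":
    print(run_demo())
```

The restore goes to a fresh directory rather than back over the live data, which is how a recovery drill should be run: verify first, then cut over. Keeping the manifest separate from the archive also lets you spot an archive that was altered after it was written.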
7. Wi-fi security.
The wi-fi network in your workplace should be secure, encrypted, and hidden so that it does not broadcast its service set identifier (or SSID) to the world. Your remote workers will be using consumer-grade Internet connections and routers. Studies show that one in 16 home wi-fi routers still use the manufacturer’s default admin password, making them vulnerable to hacking. At the most basic level, Rosso said, it’s critical that they change the default passwords on their home routers.
8. Fight phishing.
Phishing was the top cybercrime in 2020, according to the FBI: scammers send fake emails designed to trick readers into sharing their personal information. These emails often look authentic, but they frequently leave clues as to their criminal intentions. Rosso said organizations should establish clear policies on acceptable email use. Meanwhile, staff should be trained on how to spot phishing emails and bad links, and to report any suspicious emails to organization leaders.
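The “clues” mentioned above can be checked mechanically as well as by eye. The script below is an added example written for this article (not code from the FBI, (ISC)2 or the MACPA) that scans one constructed email for three common indicators: a sender domain outside the organization, urgency or credential-harvesting language, and links whose visible text does not match where they actually point (or that point at a bare IP address). The message, the domains and the trusted-domain set are all made up for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the addresses and domains are placeholders, not real senders.
SAMPLE_EMAIL = """From: "IT Support" <helpdesk@example-corp-login.net>
To: staff@example.com
Subject: URGENT: verify your password within 24 hours
Content-Type: text/html

<html><body>
<p>Your mailbox will be suspended. <a href="http://198.51.100.7/login">Sign in at https://portal.example.com</a> now.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own mail domain
URGENCY_WORDS = ("urgent", "suspended", "within 24 hours", "verify your password", "immediately")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(url: str) -> str:
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower()


def _is_ip(host: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def phishing_indicators(raw_email: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Sender domain: the display name says "IT Support", but the address is what matters.
    _display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is outside the organization")

    # 2. Pressure language in subject or body.
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # a str for a single-part message
    combined = (subject + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in combined]
    if hits:
        findings.append("urgency/credential language: " + ", ".join(hits))

    # 3. Links: bare IP targets, and visible URLs that differ from the real href.
    parser = _LinkCollector()
    parser.feed(body)
    for href, visible in parser.links:
        href_dom = _domain(href)
        if _is_ip(href_dom):
            findings.append(f"link points at a bare IP address {href_dom}")
        shown = re.search(r"https?://\S+", visible)
        if shown:
            shown_dom = _domain(shown.group(0))
            if shown_dom != href_dom:
                findings.append(f"link text shows {shown_dom} but href goes to {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed message it reports all four findings; against a plain internal note it reports none. Checks like these belong in a mail gateway or in a “report phishing” triage script, and they complement rather than replace the staff training Rosso describes, since attackers vary their wording.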
9. Better passwords.
These are your organization’s weakest cybersecurity link. “For the sake of convenience, it is tempting to reuse passwords, share passwords between users, and even document them in one place such as a sticky note,” Rosso said. “However, to avoid falling victim to an avoidable cyberattack, it is imperative that all passwords are unique, complex, and kept private.” The use of a password management tool like 1Password or LastPass can help your staff easily create, store, and recall secure passwords.
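Rosso’s three requirements for passwords (unique, complex, kept private) can be audited across an organization without anyone reading the passwords. The script below is an added example written for this article, not code from (ISC)2, 1Password or LastPass. It takes a constructed export of a small firm’s accounts, groups entries by a hash of the password so the report never carries the plaintext, flags any password shared across accounts, and applies a simple complexity policy plus a short stand-in for a breached-password list. The accounts, passwords and policy thresholds are all made up for the demonstration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed vault export for a made-up firm; every value here is illustrative.
ACCOUNTS = [
    {"user": "alice", "site": "payroll", "password": "Spring2024!"},
    {"user": "alice", "site": "bank",    "password": "Spring2024!"},
    {"user": "bob",   "site": "payroll", "password": "correct horse battery staple 42"},
    {"user": "carol", "site": "crm",     "password": "password1"},
    {"user": "dave",  "site": "vpn",     "password": "Spring2024!"},
]

# Short constructed deny-list standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def complexity_issues(pw: str) -> list:
    """Return policy violations for one password (empty list means it passes).
    Long passphrases are allowed to have fewer character classes."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3 and len(pw) < 20:
        issues.append("fewer than three character classes")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("on the common-password list")
    return issues


def audit(accounts: list) -> dict:
    """Report reused passwords (by digest, so plaintext never appears in the report) and weak ones."""
    by_digest = defaultdict(list)
    for a in accounts:
        digest = hashlib.sha256(a["password"].encode()).hexdigest()
        by_digest[digest].append(f'{a["user"]}@{a["site"]}')

    report = {"reused": [], "weak": []}
    for group in by_digest.values():
        if len(group) > 1:  # the same password protects more than one account
            report["reused"].append(sorted(group))
    for a in accounts:
        for issue in complexity_issues(a["password"]):
            report["weak"].append((f'{a["user"]}@{a["site"]}', issue))
    return report


if __name__ == "__main__":
    result = audit(ACCOUNTS)
    for group in result["reused"]:
        print("reused across:", ", ".join(group))
    for account, issue in result["weak"]:
        print(f"weak ({issue}):", account)
```

The reuse finding is the one that matters most: one password shared by two of alice’s accounts and by dave means a single leak exposes three systems. Real password managers run this kind of check (usually called a “watchtower” or “security audit” view), which is a good reason to adopt one.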
10. Staff up.
Assess the cybersecurity IQs of your team members, then focus on the non-technical solutions they can easily implement first before training them on the more technical security aspects. Continuously explore your technology options — particularly if you are a small business with limited resources.
Bill Sheridan, CAE, is editor of The Statement and chief communications officer of the Maryland Association of CPAs.