As you start the new year, consider how these 10 resolutions could help you and the rest of the executive team sleep better at night.
1. Passwords and Multi-Factor Authentication
Change your passwords frequently, resist the urge to reuse passwords across numerous tools and sites, and implement stronger password requirements, including special characters and alphanumeric components. Implement multi-factor authentication where possible, adding an additional layer of security, particularly for sensitive data.
2. Embrace a Security Culture
Employees can be your best line of defense. As with any technology, there remains a human element. Employees should know what steps to take when a cyber event occurs. Have steps and policies in place for responding to suspicious emails or malicious files. Education is key and can be reinforced with phishing email tests and online cyber threat classes.
3. Back It Up and Test Those Backups
Safeguard your valuable data in the 3-2-1 form: 3 copies, 2 local but on different media (devices), and at least 1 copy offsite. Also test the validity of those backups often. Many companies only test once per year. Are you confident that your test would reveal whether a restore actually succeeds? If it would not, how far back does your store of known-valid backups go? Can you afford to lose that data?
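One concrete way to make a backup test answer the question above is to record a checksum manifest of the source data and compare a restored copy against it, so that a restore that silently dropped or truncated files is reported rather than assumed to have worked. This is an added example, not code from the original post; the file names and contents are constructed for illustration.

```python
"""Restore test: build a SHA-256 manifest of the source tree, then verify a restored copy against it."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to the SHA-256 digest of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest; report files that are missing, altered, or unexpected."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def restore_is_valid(report: dict) -> bool:
    """A restore only passes when nothing is missing, corrupted, or unexpected."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: three source files; the restore loses one file and truncates another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp) / "src", Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        (restored / "db").mkdir(parents=True)
        (src / "config.ini").write_text("key=value\n")
        (src / "db" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(src)  # taken at backup time, stored with the backup
        # Simulated flawed restore: config intact, ledger truncated, notes never restored.
        (restored / "config.ini").write_text("key=value\n")
        (restored / "db" / "ledger.csv").write_text("id,amount\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())  # shows notes.txt missing and db/ledger.csv corrupted
```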
4. Find the Vulnerable Roots
Software vulnerabilities, ransomware, and malware are being discovered every day. Most companies account for at least one way to combat each of these. Many of the latest threats could be addressed ahead of time with security best practices and basic cyber hygiene. Look to NIST and other frameworks to implement consensus-developed standards that address configuration flaws and security gaps.
5. Patch Work
One of the most basic security approaches is to ensure you are updating your software and hardware as patches are released. A new patch is a good indicator that a vulnerability has been identified. Many breaches occur through unpatched software or hardware, and attackers use automated tools to scan for them. Combat their automation with automation of your own to keep your environment up to date with patches.
6. Impact of Legislation
Industries like healthcare, finance, and manufacturing have legislation in place concerning data, breaches, and standards that must be met. Software development has been far ahead of legislation in many areas; cloud implementation is a perfect example. A review of current and potential legislation, your responsibilities, and your current environment, along with reviewing or creating a road map, should be on your schedule for early 2019.
7. Tools, Process, and Audits
When developing or implementing tools, examining the process behind those needs and capabilities should be an integral part of the effort. Look at bringing DevOps into your environment so that software development and IT teams take a collaborative approach to building and testing applications side by side. Add auditing of your processes to further enhance projects and future planning.
8. Crisis Management Planning
For an effective response to an IT crisis, an actionable crisis management plan should be in place. Within the plan, identify the parties that need to take action in specific crisis scenarios. Assign tasks to each role so responsibilities are clear. Many companies do not have plans in place, which can add significant time to responding to a crisis.
9. It’s Not Technology, It’s Value
Many companies look at IT as a cost center and not as an innovation center. The approach should not be how to get by with a little investment, but rather how to get the most out of an investment. Focus on cost removal and maximizing the dollars spent; a larger upfront investment can produce savings down the road through reduced maintenance and increased reliability and capabilities.
10. Capabilities, Time, and Staff
Evaluate your needs within the business and the staff accreditations or experience necessary to meet those needs. Is there more work than current staff can handle? Are there repetitive tasks that could be automated or outsourced? Often daily tasks do not leave room for the advanced security functions necessary to provide a secure environment. When analyzing potential staff expansion, both a full-time employee and a Managed Security Service Provider should be on the table. Often the budget for a full-time hire is close to that of a managed services provider, which can bring specialized resources, 24/7 support, and a much deeper bench than a single hire can.