Unfortunately, no organization is immune to cyber threats. These days, most companies should have some basic form of cyber security program in place. If yours doesn’t, or if you need a refresher, here are four steps you can take to establish a stronger foundation.
Step 1: Create a Comprehensive Set of Cyber Security Policies
What resources does your organization have that are at risk? Think beyond the obvious. On-site computer systems, laptops, tablets, and mobile phones are immediate suspects, but wearable technology such as smartwatches can also be compromised. Determine what controls you need in place to ensure information is kept secure. Set your rules for communicating, working with, copying, and distributing sensitive data. Be sure to document those rules and make sure everyone in the organization receives a copy. Necessary policies typically include an IT policy, information security program, employee acceptable usage policy, business continuity, disaster recovery plan, and an incident response plan.
Step 2: Follow Best Practices
Putting your policies into practice is easy when you develop good habits. Inventory your data, just as you would physical inventory, so you understand what you have. Maintain your software, applying the latest updates as soon as they are available to help combat security holes and malware attacks. Filter web content known to carry malware. Keep your user list current, purging old and unused accounts. Review who has high-level access privileges and ensure these are the users you want having that access. Utilize multifactor authentication for all cloud systems, including email. Back up your data regularly.
Step 3: Use the Right Tools
It’s difficult to stay ahead of cybercriminals, but establishing layers of controls and using the right tools can help. Encrypting your emails and files for transmission is something your applications should allow, whether they are cloud-based or locally hosted. Be sure to use a mobile device management system to enforce and manage system-wide controls such as inactivity timeouts, forced passwords and remote wipe capabilities in the event of a stolen or lost device. Consider organization-wide controls for password management such as password vaults or the use of single sign-on. In addition, be sure to have a robust backup plan that keeps sensitive data safe and recoverable in the event of a ransomware attack.
Step 4: Thoroughly Train Staff
Establish a culture of cyber security starting at the very highest levels of management. Your policies, practices, and tools should all be familiar to your staff and users. Be sure to keep all users updated on any changes to the system or your cyber security plan as soon as they occur. Refresh all employees at least annually on policies and practices and make cyber security in your organization part of the onboarding process.
Submitted by: Michael Rosicam, CPA.CITP, CISA, IT & Assurance Services Director, Thomas Howell Ferguson P.A. CPAs, firstname.lastname@example.org, (850) 668-8100.