The reality of today’s post-pandemic business landscape is one where the workplace has shifted to a largely remote or hybrid setting. Employees complete work on laptops and mobile devices, which exposes company and personal data to both physical and digital threats. This shift in how work is approached introduces additional vulnerabilities and security gaps compared to a purely in-person work environment.
Meanwhile, cyber attackers are increasingly sophisticated in their approach to online criminal dealings. According to this 2022 Must-Know Cyber Attack Statistics and Trends post, "Cyber attacks on all businesses, but particularly small to medium sized businesses, are becoming more frequent, targeted, and complex." The fallout of such cyber attacks can be catastrophic, from operations disruption and damage to infrastructure and IT assets to incurring huge financial losses, damage to a company’s reputation, and legal liability.
Another alarming trend in 2021 was that corporate cyber attacks increased by a staggering 50% as compared to 2020. This goes to show that cyber attackers are constantly transforming and improving their tactics. Fortunately, companies are not without options when it comes to avoiding becoming the victim of a data breach. Here are some ongoing best practices and tips that will put your company in a strong defensive position. A good way to categorize data protection practices and tips is to start with the people, or human capital side, of your company, followed by a look at how to protect your network, software, and hardware, or the systems side of the house.
People: The Human Capital Side
95% of cybersecurity breaches are caused by human error, and with employees operating in a remote or hybrid work environment, this becomes even more prevalent. Ensure your people are properly trained and equipped with the latest practices and tips around data protection so that they can put their best foot forward in the interest of your company.
Provide Best Practices and Training
The approach to protecting one’s workspace is as important in a remote capacity as it is in your office. A remote work environment may look like the privacy of an employee’s home or a public space, like a co-working establishment or coffee shop. Still, employees need to be diligent about protecting their workspace, even at home. It’s easy to fall into patterns that expose sensitive data to would-be cyber criminals. Employees should be trained to exercise these steps around their workspace:
- When you walk away from your workspace or phone, make sure it locks or times out.
- Keep sensitive documents secure.
- Grab documents off printers immediately, and require access codes on printers.
- Keep desks clean.
- Avoid leaving sensitive notes, information, and documents on a desk.
Create best practices for how employees should behave when online and/or using your network. Cyber threats are continuously developing, which makes modeling best practices that can be adapted to the latest threats very useful. Emphasizing guidance in the following areas is a great place to start:
- Keep passwords separate
  - Ensure passwords vary for all accounts
  - Offer an appropriate and regular password update cadence
- Phishing/social engineering awareness
  - Guidance around what spoofed emails and text messages look like
  - Insights into how cyber criminals can take advantage of your employees’ information
- Suspicious websites, links, and files
  - Verify the source of websites, links, and files prior to clicking, downloading, or taking other actions
  - Telltale signs of suspicious schemes, such as odd spelling or the inclusion of out-of-place characters
- Mobile device management
  - Lock devices automatically after a short period of inactivity
  - Have IT back up devices regularly
  - Deploy antivirus and malware protection across all mobile devices
Notably, creating accurate policy documentation is a necessary step before delivering training and best practices to your workforce. Policies help to enforce such best practices. Digital automation policies may also be used to pre-analyze emails and add headers to alert users that something is odd. Company-issued devices can also be forced to automatically lock, enroll in backup services, and install security and antivirus software.
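The kind of automated pre-analysis described above, as an added example that is not part of the original post: it parses an inbound message, checks the sender against a few spoofing signals the training list calls out (external sender, lookalike domain built from out-of-place characters, a staff display name on an outside address, a mismatched Reply-To) and adds an `X-Phish-Warning` header for the mail client to surface. The company domain, the staff names and the two sample messages are constructed for the example.

```python
import email
import unicodedata
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"            # assumed company domain
INTERNAL_NAMES = {"jane doe", "sam lee"}   # assumed staff display names
# Characters commonly swapped into a domain to make it look like ours (small illustrative map)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: strip accents, fold confusables, 'rn' -> 'm'."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return folded.translate(CONFUSABLES).replace("rn", "m")

def analyze(raw: str) -> list[str]:
    """Return the reasons a message looks spoofed; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain != INTERNAL_DOMAIN:
        reasons.append("external sender")
        if skeleton(domain) == skeleton(INTERNAL_DOMAIN):
            reasons.append(f"lookalike domain {domain!r}")
        if name.strip().lower() in INTERNAL_NAMES:
            reasons.append(f"display name {name!r} impersonates staff")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From")
    return reasons

def annotate(raw: str) -> str:
    """Re-emit the message with an X-Phish-Warning header when anything was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = analyze(raw)
    if reasons:
        msg["X-Phish-Warning"] = "; ".join(reasons)
    return msg.as_string()

SPOOFED = (  # constructed sample: digit 1 in place of l, staff name, off-domain Reply-To
    "From: Jane Doe <jane.doe@examp1e.com>\r\n"
    "Reply-To: payments@mail-drop.test\r\n"
    "Subject: Urgent wire\r\n\r\nPlease process today.\r\n"
)
LEGIT = "From: Sam Lee <sam.lee@example.com>\r\nSubject: Lunch\r\n\r\nNoon?\r\n"  # constructed
```

The skeleton check only folds the handful of substitutions in the map; it is a starting point for the "odd spelling" signal, not a complete homoglyph detector.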
Ongoing Company Communications and Update Requirements
Your job isn’t done following the IT orientation for new workers, where you discuss cybersecurity best practices and recommendations. Establish a regular schedule for communicating cyber attack trends to all staff, such as the latest phishing tactics, social engineering ploys, and ransomware attacks.
Furthermore, deploy automated major software updates, password refreshes, and the like at the company level, rather than asking the individual users to do it. Keeping these security best practices automatic can dramatically reduce the risk of a data breach or cyberattack caused by human error.
Systems: Network, Software, and Hardware
We’ve covered the human side of things, but your systems and operations also play a role in keeping your business’ data safe. Here are some recommended best practices as they pertain to your network, software, and hardware.
- Updates: Operating Systems, Anti-Virus, and Malware
  - As threats and vulnerabilities appear in systems, patches are developed and must be deployed to keep your business safe.
  - Often, employees will not act with the same level of urgency to keep their software up to date; automatic updates take the guesswork out of keeping your network and devices safe.
- Network Access Control / Firewall
  - Use Access Control to keep unwanted and potentially insecure devices off your network.
  - Access Control software monitors your network traffic and blocks unidentified or unauthorized devices from transmitting potentially damaging data.
  - Firewalls, on the other hand, ensure that you have access to all the data you need while limiting harmful and undesired activity on your network.
  - Using a firewall to screen suspicious websites and restrict the use of harmful web-based applications complements the other security measures that keep cybercriminals out of your network.
- Encryption
  - A great method of data protection, encryption is used primarily for two things:
    - To encrypt the data traveling through the network so it cannot be intercepted and disseminated
- Backups
  - Having an automatic backup of data occur regularly helps ensure data doesn’t get lost.
  - Backups require monitoring and periodic testing to ensure they are working properly and that the data is recoverable.
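The backup monitoring and restore test described in the last item, as an added example that is not from the original post: `make_backup` archives a directory and records a SHA-256 per file, and `verify_backup` restores the archive into scratch space, checks its age and compares every file against that manifest, so a backup that silently lost or corrupted data is reported rather than trusted. The directory tree, file contents and the 24-hour age limit are constructed for the example.

```python
import hashlib, json, tarfile, tempfile, time
from pathlib import Path

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")

def make_backup(src: Path, dest_dir: Path) -> Path:
    """Archive src and record a SHA-256 per file so a later restore can be checked."""
    archive = dest_dir / f"backup-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    manifest = {p.relative_to(src).as_posix(): sha256(p) for p in src.rglob("*") if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest))
    return archive

def verify_backup(archive: Path, max_age_hours: float = 24.0) -> list[str]:
    """Restore into scratch space and compare every file; return the problems found."""
    problems = []
    age_h = (time.time() - archive.stat().st_mtime) / 3600
    if age_h > max_age_hours:
        problems.append(f"backup is {age_h:.1f} h old, exceeds {max_age_hours} h")
    manifest = json.loads(manifest_path(archive).read_text())
    # Use the safe 'data' extraction filter where the running Python provides it
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive) as tar:
        tar.extractall(scratch, **extract_opts)
        for rel, digest in manifest.items():
            restored = Path(scratch, "data", rel)
            if not restored.is_file():
                problems.append(f"{rel}: missing from archive")
            elif sha256(restored) != digest:
                problems.append(f"{rel}: hash mismatch after restore")
    return problems

def run_demo() -> tuple[list[str], list[str]]:
    """Back up a constructed tree, verify it, then verify again after the manifest is tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "src"), Path(tmp, "backups")
        Path(src, "docs").mkdir(parents=True); dest.mkdir()
        Path(src, "docs", "contract.txt").write_text("signed 2022")   # constructed content
        Path(src, "notes.txt").write_text("call supplier")            # constructed content
        archive = make_backup(src, dest)
        clean = verify_backup(archive)
        manifest = json.loads(manifest_path(archive).read_text())
        manifest["docs/lost.txt"] = "0" * 64      # pretend a file that never got archived
        manifest_path(archive).write_text(json.dumps(manifest))
        return clean, verify_backup(archive)
```

Run `verify_backup` on a schedule against the newest archive and alert on a non-empty result; the age check catches a backup job that stopped running.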
Having up-to-date hardware has its pros and cons, and realistically, most companies cannot afford to upgrade to the newest hardware every year or so. Newer hardware also comes with newer built-in security that protects against common threats. Additionally, newer devices are made to run faster, meaning better speed and productivity for your workers.
On the other hand, there are some reasons to hang on to older devices, primarily due to cost. If you are in an industry that uses complex machinery, for example, buying the latest computer may mean it is not compatible with your machines, making them obsolete and needing to be replaced. Essentially, if your older devices are costing you more in downtime than they are making you in uptime, you may need to consider upgrading. If not, the cost of bringing on 24/7 tech support for your current system can be far more reasonable.
Overall, with newer computers, you’ll spend less time updating, operate faster and more efficiently, and have a lower risk of downtime due to hardware failure. However, older systems and software will no longer be supported on newer computers in many cases, meaning a much bigger expense in replacing them. It is often worth the cost of bringing on tech support—whether in-house or outsourced—to keep your older machines up and running rather than replacing them with something new.
Security health checks
Awareness, knowledge, and employing these best practices are your first line of defense against would-be online criminal attacks. To validate your security strategy, we recommend identifying and closing any remaining gaps and confirming the strength of your data protection measures and protocols. For instance, a security health check can include the following:
- A complete network scan of all connected servers, computers, and devices
- A review of your Microsoft Secure Score
- A Dark Web Scan
- Phishing Simulations
And if you want to take a deeper dive into opportunities to train your employees, you can follow up with our IT Insights. From Security Awareness Training and Phishing Simulations to Dark Web Monitoring and Security Training Policy, IT Insights will educate you and your employees to stay safe, secure, and productive while protecting your online identity.