Here are four cybersecurity best practices every organization should follow:
1. Keep your system up to date.
Updates are almost always one of the biggest missing security components. Companies like Microsoft and Google identify problems in existing systems and create updates to address them, but these patches won’t do you any good if you don’t install them. For your personal computer or a small office, just check the box in your settings to automatically apply updates. As organizations grow, company leaders should work with their IT team to ensure updates are made.
Here’s how the problem can play out when everything goes wrong:
One firm suffered a ransomware attack during the summer that rendered all of its data inaccessible. An outsourced computer consulting firm was performing backups of the firm’s data, so the firm contacted them to restore it. Unfortunately, the restore failed. Even worse, the data was so damaged that the firm had to pay the ransom to access it. Since the data had been damaged, they had to spend a great deal of time rebuilding it, only to face another attack down the road since they hadn’t followed up with the proper security procedures.
The entire problem could have been avoided if the firm had taken two basic cybersecurity precautions: using security patches and testing a restore attempt before they needed one (a different measure from simply testing backups).
2. Pump up your passwords.
Since bad actors can find your username and password, using two-step login or multifactor authentication adds an extra layer of security. The next time you log in and enter your username and password, you will also have to enter data texted to your phone or that you receive in a call. More sophisticated options include apps that run on your phone to generate authentication code numbers. It helps prevent the use of your devices or accounts even if someone obtains your username and password.
To determine if your login data is already out there, you can also go to the website haveibeenpwned.com. Troy Hunt, who runs the site, has built a database of usernames and passwords that have shown up on the dark web. If you find your details there, you need to reset your username and password at the locations you see immediately. If there is a chance you reused the same password to login elsewhere, reset those passwords too.
3. Cordon off third-party access.
When your organization connects with a third party, your security is only as good as theirs. Some organizations suffer cyberattacks that start with their vendors, consultants or suppliers, as it’s very difficult to vet an outsider’s cybersecurity. The first step is to get as much information as possible about the security steps of anyone you deal with and to regularly follow up for updates so they know you’re paying attention.
One strategy to help isolate your network from one of your third party’s insecurities is to tell your IT team set up what’s called a demilitarized zone. Often shortened to “DMZ,” this is a subnetwork that creates a separate area for each company that accesses your network.
If an online provider is doing tax processing, for example, they will need access to your database of client information. You would set up a server or other resource inside a dedicated DMZ that contains that particular information but does not allow access to your full network. If an attacker compromises your vendor’s network, they can access all the information you share with your vendor. However, it will be more difficult for the attacker to enter your network through your connection with the vendor. Find ways to proactively compensate against potential insecurities in your vendors’ systems. Your security is increased if you effectively isolate their access to your network.
4. Hardening your systems.
This refers to methods for preventing damage even if your network is attacked. One of the simplest measures is to make sure you’re using the most recent operating systems since newer systems are more hardened to attack.
Another step is ensuring that no person or program has access to something that they don’t need. People outside HR don’t require access to that department’s employee data, for example, and HR doesn’t need to access client files or financial information. If a bad actor enters your network posing as a user in either of those departments, then until they manage to escalate their access, their access could be limited to just that user’s area.
These four cybersecurity best practices can prevent a devastating data breach, so don’t wait until you’re the victim of a cyberattack to implement them. Accounting and finance professionals must be proactive — take these steps to protect your organization today.
Mike Foster, founder of the Mike Foster Institute (USA) is a Certified Ethical Hacker, Certified Information Systems Auditor, and Certified Information Systems Security Professional. He’s delivered more than 1,500 presentations and training sessions around the world and has consulted at hundreds of companies in North America. Find out more about Mike on his website.
Related Stories
- Four crucial tips to protect your organization’s data
- ICYMI: Five things you need to know about cybersecurity
- Is the spookiest item on your calendar a networking party?
Originally published by AICPA.org
