The recent outbreak of the WannaCry ransomware brought renewed attention to the importance of a well-crafted cybersecurity strategy. Every company should have a strategy in place regardless of its size. If you don’t have one yet, there is no time like the present to begin. We previously published an article detailing some key focus points that should be addressed when developing an organization-wide cybersecurity strategy.
In this article, we drill down into a handful of steps that can be taken now to begin securing your company’s network and data. This is not meant to be an all-encompassing guide. This is only a starting point. These steps should already be familiar to those who have already implemented a cybersecurity plan. However, the most comprehensive plans are worthless if they are not being executed.
1. Make sure all OS & software updates/patches have been applied.
Microsoft and other software developers such as Adobe and Oracle release updates and patches on a regular basis to improve usability and, more importantly, address security issues. Secure your computer systems by taking the time to install these updates. Turn on automatic updates whenever possible. Where automatic updates are not available, set reminders for yourself to check for and install any updates and patches. If you forget once, it is easier to forget again, and before you know it, months have gone by.
If you are running a PC with a version of Windows earlier than 10, be sure to install any updates and then run the tool to check for available updates again. In many cases, certain updates will not be available until other updates have already been installed.
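The "install, then check again" cycle described above can be scripted. The following PowerShell is an added example, not part of the original article; it uses the Windows Update Agent COM interface built into Windows, and the `$maxRounds` limit is an assumption chosen for illustration.

```powershell
# Added example: repeat "check, install, check again" until Windows Update
# offers nothing more. Run from an elevated PowerShell prompt.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$criteria = "IsInstalled=0 and IsHidden=0 and Type='Software'"
$maxRounds = 5   # assumption: safety limit so the loop always ends

for ($round = 1; $round -le $maxRounds; $round++) {
    # Ask the update agent what is still missing on this machine.
    $pending = $searcher.Search($criteria).Updates
    if ($pending.Count -eq 0) {
        Write-Host "Round ${round}: no further updates offered."
        break
    }

    Write-Host "Round ${round}: $($pending.Count) update(s) offered:"
    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $pending) {
        Write-Host "  $($u.Title)"
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
    }

    # Download, then install, everything offered in this round.
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $outcome = $installer.Install()

    # ResultCode 4 = failed, 5 = aborted: stop and investigate.
    if ($outcome.ResultCode -ge 4) {
        Write-Host "Installation did not complete (result code $($outcome.ResultCode))."
        break
    }
    # Updates that depend on this batch only appear after the restart.
    if ($outcome.RebootRequired) {
        Write-Host "Reboot required. Restart, then run this script again."
        break
    }
}
```

A machine is only current when a run ends with the "no further updates offered" message; a run that ends at the reboot prompt or at the round limit has to be repeated.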
2. Migrate to a Current Operating System.
Organizations are keeping their existing computers longer than they once did. There can be any number of reasons for this – the computers are “fast enough” to serve the needs of the company, the cost to replace the machines may be too high, or perhaps you need them to support a piece of legacy software that cannot run on new computers. These are all valid reasons, but as an OS matures, fewer security patches are issued. Eventually, the developer will cease all support. Most newer operating systems will run on older hardware. However, if your hardware cannot support the latest operating system, it may be time for a hardware upgrade as well.
3. Install Antivirus Software.
This should be a no-brainer. Many people think they’ll never be a target for an attack and as such don’t bother. For those of you out there thinking you’re “too small” to be a target, here is a sobering statistic: 85% of targets are small businesses. Do your research. There are some good options out there, many of which are free. Make sure protection is installed on all computers. Run scans on a regular basis. Check for and install updates on a regular basis. Antivirus software cannot do its job if it doesn’t know what to protect you from.
4. Password Administration.
More than 50% of people use the same password for all of their logins. Remembering one password is far easier than having a different one for each and every service. But reusing one password makes compromising access to your corporate systems much easier. Employees should be required to use complex passwords. You can also request that passwords be changed on a regular basis.
5. Set User Access Permissions.
Employees only need access to the data required to do their job. Do they need access to certain sensitive information? Do they need permission to install programs? Limit each employee’s access and permissions to only what is needed. This will better protect your systems should their login be compromised.
6. Backup Your Data.
You may need to restore lost or corrupted data should you be hit with ransomware or should your systems be disrupted by another type of attack. Backing up your data to an external hard drive that is always connected to your computer or network isn’t enough. That data can become compromised as well if your backup is connected to the same computer or network that suffers an attack. Hard drives are relatively inexpensive these days. Keep multiple backups off-site and swap them out on a regular basis. It is far easier and less costly to recreate or update a few files than to have to try to recreate years’ worth of data. Another option is to use a cloud-based backup service. Your data is stored off-site and most (but not all) of the burden of protection is transferred to your storage vendor, such as Amazon Drive or Carbonite.
7. Transition All Your Data to the Cloud.
This step is a little more advanced than the others. As we discussed in point 6, having your data in the cloud takes a lot of the burden of protecting that data off you and transfers it to your storage vendor. You are reducing the impact ransomware can have by not storing critical information on your computer or network. Keep in mind, however, that cloud storage can still be vulnerable to ransomware if you upload an infected file. That is why it is imperative that you look for a vendor that can retain multiple versions of files if you decide to go the cloud storage route. You can restore a previous clean version with minimal effort should a file become infected.
8. Discuss Cyber Liability Insurance with a Risk Advisor.
You can do everything to protect your computer network and data. The reality is no system is perfect. Cyber liability insurance can’t stop you from having a ransomware attack or data breach. It will help to cover the costs of investigating the breach. It will help you in the defense of claims from the attack and potential data loss. Many policies may also include cyber extortion costs to address a ransomware attack.
Cyber liability tends to be written on the basis that at least some basic security controls are in place. It is easy to say on an application that you are performing these steps. However, if a claim results which could have been prevented by following these steps, it may not be covered.