Protect Your Business With These Four Cybersecurity Best Practices

January 11, 2023

There is one fundamental rule in cybersecurity that everyone should know: no product, or group of products, can provide 100% protection against threats. Products exist to catch what people miss. Rather than treating a product as the whole defense, treat a trained workforce as your first line of defense and let automated security measures be the backup.

Your workforce has the potential to be your most effective asset against cyber threats, but only if you keep them current on the threats they are likely to face. Here are some cybersecurity best practices, complete with action plans and ways to measure success, for you to review and implement to protect your business.

Be Aware of Social Engineering Tactics

Social engineering, talking people out of information they should not give up, was practiced long before the age of the internet. One fundamental to remember: every threat actor (a.k.a. "Bad Guy") needs a response from their target (a.k.a. your workforce, people, users, etc.). Any tiny detail can be exploited, and a series of calls or emails in which small bits of information are handed over without discretion gives the threat actor more leverage with each contact. Email is the most common channel through which these attacks arrive.

Action Plan:

  • Train your workforce to verify who they are dealing with before they provide any information. Everyone should know the basics of identifying phishing emails and understand that the same attacks also arrive by phone call, SMS text, and chat applications.
  • Enforce this through a written policy and integrate it into your other HR and compliance documents for annual review and sign-off by your workforce. The policy should cover required training as well as consequences for non-compliance.
  • Invest in anti-phishing filtering through your email provider (if offered) or a reputable third-party cybersecurity integrator. This becomes the safety net when a user overlooks something.

Measure Success:

  • Conduct an initial audit of all existing policies and operational practices.
  • Work with all departments in your organization and gather feedback on compliance.
  • Review ongoing threats with your cybersecurity provider.

Patch Existing Network Infrastructure

Network devices, installed applications, laptops, desktops, tablets, and phones all run software that requires regular updates and patching. Cameras, credit card terminals, printers, and IP phones need the same attention. Windows, macOS, and even Linux systems have vulnerabilities from time to time that can give an outside threat actor a way in to drop ransomware onto your network.

The good news is that systems running the latest updates greatly reduce the chance of exposure. The bad news is that nearly every organization has a device on its network that has been forgotten and has become the weakest link in the cybersecurity chain because it never got updated. Unpatched systems are among the most common ways organizations get breached.

Action Plan:

  • Inventory all network devices. The list must include any device that obtains an IP address and/or is reachable from outside the firewall.
  • Systematically review each device on the list and confirm that the current firmware/software updates have been applied.
  • Ensure all default passwords have been changed. Where the device allows it, disable or rename default accounts such as "root" or "admin".
  • Disable unencrypted HTTP access to device configuration pages wherever possible, use HTTPS or SSH instead, and confine management to a dedicated management port or network if the device offers one.
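The four action items above are easy to state and easy to let slip on a device nobody remembers owning. The following Python script is an added example, not code from the original article or from MCA; it turns the checklist into a repeatable audit over a device inventory. The inventory CSV and the table of "latest available firmware" are constructed sample data with hypothetical vendor names, standing in for the export from your asset tool and the versions published in your vendors' security advisories.

```python
"""Added example: audit a network-device inventory against the patching
action plan (firmware currency, default credentials, plaintext HTTP
management, internet exposure). Sample data is constructed."""

import csv
import io
from dataclasses import dataclass, field

# Constructed sample inventory, in the shape of a spreadsheet/RMM export.
SAMPLE_INVENTORY_CSV = """hostname,vendor,ip,firmware,mgmt_protocols,default_creds_changed,internet_exposed
core-sw-01,exampleco,10.0.0.2,4.2.1,https ssh,yes,no
lobby-cam-03,examplecam,10.0.5.17,1.0.9,http,no,yes
print-acct-02,exampleprint,10.0.3.40,2.3.0,http https,yes,no
ipphone-114,examplevoip,10.0.7.114,3.1.4,https,yes,no
"""

# Assumed latest firmware per (hypothetical) vendor, as you would maintain it
# from vendor release notes and security advisories.
LATEST_FIRMWARE = {
    "exampleco": "4.2.3",
    "examplecam": "1.2.0",
    "exampleprint": "2.3.0",
    "examplevoip": "3.1.4",
}


def parse_version(v: str) -> tuple:
    """'4.2.1' -> (4, 2, 1) so versions compare numerically; as plain strings
    '4.10' would wrongly sort before '4.9'."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass
class Device:
    hostname: str
    vendor: str
    ip: str
    firmware: str
    mgmt_protocols: set
    default_creds_changed: bool
    internet_exposed: bool
    findings: list = field(default_factory=list)


def load_inventory(csv_text: str) -> list:
    """Parse the inventory export into Device records."""
    devices = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        devices.append(Device(
            hostname=row["hostname"],
            vendor=row["vendor"],
            ip=row["ip"],
            firmware=row["firmware"],
            mgmt_protocols=set(row["mgmt_protocols"].split()),
            default_creds_changed=row["default_creds_changed"].lower() == "yes",
            internet_exposed=row["internet_exposed"].lower() == "yes",
        ))
    return devices


def check_device(dev: Device, latest: dict) -> list:
    """Apply the action-plan rules to one device and return its findings."""
    findings = []
    current = latest.get(dev.vendor)
    if current is None:
        findings.append("no known-current firmware on file: confirm with vendor")
    elif parse_version(dev.firmware) < parse_version(current):
        findings.append(f"firmware {dev.firmware} behind latest {current}")
    if not dev.default_creds_changed:
        findings.append("default credentials still in use")
    if "http" in dev.mgmt_protocols:
        findings.append("plaintext HTTP management enabled; use HTTPS/SSH on a management network")
    if dev.internet_exposed and findings:
        # A device reachable from outside the firewall that also fails a
        # check is exactly the forgotten weakest link the article warns about.
        findings.append("INTERNET-EXPOSED: remediate first")
    dev.findings = findings
    return findings


def audit(csv_text: str, latest: dict) -> dict:
    """Return {hostname: findings} for every device with at least one finding."""
    report = {}
    for dev in load_inventory(csv_text):
        if check_device(dev, latest):
            report[dev.hostname] = dev.findings
    return report


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY_CSV, LATEST_FIRMWARE).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Run against the sample data, the script flags the core switch for lagging firmware, the printer for plaintext HTTP management, and the lobby camera for all three problems plus internet exposure, while the IP phone passes clean. Re-running it after each patch cycle is the "systematic review" the action plan asks for, and diffing the inventory between runs catches devices that appear on the network without anyone registering them.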

Measure Success:

  • Have your network penetration tested by a qualified cybersecurity provider.
  • Document the results, remediate the findings, and retest at least annually.

Update Your Disaster Recovery Plan

Business continuity has a number of components, such as cyber insurance and facility management, but a technology Disaster Recovery (DR) plan is a critical element of keeping the business running in the face of disaster. Storms, pandemics, cyber-attacks, and human error are all reasons every business needs a DR plan, and human error is the single biggest vulnerability in business continuity.

Action Plan:

  • Perform a risk assessment to determine which disaster events are most likely to affect your business.
  • List the departments and/or personnel that are most critical to keeping the business going during a crisis. Think about payroll, processing invoices and payments, and client-facing resources and deliverables.
  • Determine who is responsible for backing up your critical data and the various ways that data can be accessed when the normal means of operation are unavailable.

Measure Success:

  • Test your DR plan with each department manager, then extend the test to the rest of the workforce that will be expected to act during a crisis.
  • Have your cybersecurity provider observe and participate in the DR plan test and review process. Many businesses skip this step, which potentially leaves gaps in planning.

Review and Update Password Policies

Whether or not your organization still requires complex passwords (i.e., mixed case, numbers, and symbols), the best passwords are at least twelve to sixteen characters long. Enforcing complexity made sense when brute-force attacks were slow and largely manual. Today's attacks are fully automated: against a stolen database of password hashes, cracking software can test millions to billions of guesses per second and tries the predictable substitutions (a capital first letter, a trailing "1!") that complexity rules produce, which largely neuters the complexity policy.

Longer passwords made by joining several random words are mathematically harder to break: each added character multiplies the number of possible combinations by the size of the character set, so the total grows exponentially with length rather than with the number of character classes.
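The arithmetic behind that claim is short enough to show. The Python below is an added example, not from the original article or from MCA: it computes the keyspace and entropy of a few password shapes and the expected time to exhaust them at an assumed offline cracking rate. The guess rates are assumptions chosen to illustrate orders of magnitude, not measurements of any particular hardware.

```python
"""Added example: why length beats complexity. Compares the keyspace of
short complex passwords with longer simple ones and random-word passphrases.
Guess rates are assumed for illustration."""

import math

# Alphabet sizes: 26 lowercase letters; 95 printable ASCII characters for the
# classic 'mixed case, numbers, and symbols' policy; 7776 words in a
# Diceware-style list used to build random-word passphrases.
LOWER, PRINTABLE, DICEWARE_WORDS = 26, 95, 7776

# Assumed guess rates (assumptions, not measurements): an offline attack on a
# stolen fast-hash database versus online guessing against a rate-limited login.
ASSUMED_OFFLINE_RATE = 1e11   # guesses per second
ASSUMED_ONLINE_RATE = 10      # guesses per second

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords of this length over this alphabet.
    Adding one character multiplies this by alphabet_size."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: each added character contributes
    log2(alphabet_size) bits, independent of how 'complex' the alphabet is."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time to find a uniformly random password: half the keyspace
    at the given guess rate, expressed in years."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(rate: float = ASSUMED_OFFLINE_RATE) -> dict:
    """Return {description: (entropy_bits, expected_years)} for several
    password shapes; random words are treated as symbols from a 7776-word
    alphabet, which is how a random passphrase should be scored."""
    shapes = {
        "8 chars, full complexity": (PRINTABLE, 8),
        "12 lowercase letters": (LOWER, 12),
        "16 lowercase letters": (LOWER, 16),
        "4 random words": (DICEWARE_WORDS, 4),
        "6 random words": (DICEWARE_WORDS, 6),
    }
    result = {}
    for name, (alphabet, length) in shapes.items():
        bits = entropy_bits(alphabet, length)
        result[name] = (bits, expected_crack_years(bits, rate))
    return result


if __name__ == "__main__":
    print(f"{'password shape':28s} {'bits':>6s} {'offline years':>14s} {'online years':>14s}")
    for name, (bits, offline_years) in compare_policies().items():
        online_years = expected_crack_years(bits, ASSUMED_ONLINE_RATE)
        print(f"{name:28s} {bits:6.1f} {offline_years:14.3g} {online_years:14.3g}")
```

Two things fall out of the table. First, twelve plain lowercase letters (about 56 bits) already outscore eight fully complex characters (about 53 bits), which is the article's point that length matters more than symbol requirements. Second, the offline column shows why the assumed rate matters: an eight-character complex password falls in hours once the hash database has been stolen, while sixteen characters or six random words stretch the same attack into millennia. Note that the formulas score truly random choices; a passphrase made of a famous quotation or a password built from a dictionary word plus "2023!" has far less entropy than its length suggests.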

Action Plan:

  • Review the password policy with a cybersecurity provider and set a minimum length of twelve to sixteen characters.
  • Add multifactor authentication (MFA) everywhere it is possible.
  • Allow users to create and reset their own passwords within each organizational resource, so that helpdesk staff never need to know or set them.

Measure Success:

  • Hire a penetration testing company to test the strength of your password policy, for example by attempting to crack a sample of your users' password hashes.
  • Use a cybersecurity provider to maintain your policies and continually audit for compliance.

This checklist is a great starting point for strengthening your organization's protection against a cybersecurity attack, but it should be noted that these are only the top layers of a layered defense. If you're worried your business may be lacking in its cybersecurity practices and protection, reach out to Paul Stoessel to learn more about MCA's managed services and how we can proactively address your technology needs.


About the Author:

Serving as MCA's Director of Managed Services, Paul Stoessel has more than 20 years of experience in Information Technology and Managed Services.

His primary focus is partnering with clients as an expert consultant in managed services and working with them to design and implement customized solutions.

He is responsible for the growth and development of MCA’s Managed Services Division and ensuring it meets and exceeds customer needs. He works closely with MCA’s Project Managers, Account Managers, and their clients.