Most businesses know that cybersecurity should be a priority, but many don’t know where to start. The list of potential cyber threats to a company is nearly endless, as is the list of potential solutions. However, firms don’t need to get lost in the weeds when they are trying to understand cybersecurity. By understanding a few simple cybersecurity principles, and taking some simple steps, most firms can greatly increase their level of security. This article summarizes a variety of basic practices firms should follow. For more information about cybersecurity principles and frameworks, see our article titled “Developing a Cybersecurity Strategy”.
The practices that firms need to follow come from two directions—the top down, and the bottom up. In other words, there are some practices that are established by company leaders and that govern the entire company, while “bottom-up” practices need to be followed by each individual employee. This article covers several practices from both areas.
Best Practices on the Firm Level
For a company to establish effective cybersecurity, company leaders must make certain top-down decisions that will determine the direction the rest of the company follows. Some of these decisions have long-term ripple effects within an organization that will affect virtually every position and decision. Leaders need to be aware of the repercussions of their decisions as they plan and develop their cybersecurity strategy.
One of the most important policies an organization can establish is a standard system of access control. Access control refers to the structure established by an organization that determines any given individual’s level of access to data, information, property, or other company assets. There are two main types of access control to consider—physical and logical.
Physical access control refers to the physical access individuals have to property such as buildings, rooms, or other physical assets. Physical access control may seem unrelated to cybersecurity, but in many cases, it is the first line of defense. By physically protecting the organization’s assets, especially their computers and network devices, a firm can prevent a variety of technological threats.
In addition to physical access control, firms also need to establish a system for logical access control. Logical access control refers to the access each individual has to technological resources such as company networks and data. This could also include access to a company’s proprietary information, customer data, company systems, software, or other resources or devices that are owned by the company. Logical access control is often less tangible or intuitive and thus more complex to recognize and establish effectively.
The first access control practice companies should consider is creating a specific plan that details exactly which individuals will be given access to the resources and capabilities within the company. Access to the company’s computer networks or data should only be given to individuals who need it to accomplish their job function. This is often referred to as the Least Privilege Principle. Each person that is given access to a given system or database is a potential point of vulnerability. Giving access to unnecessary individuals leaves the firm needlessly vulnerable. This is why many companies use an established access control framework to maintain greater security.
One of the most common access control frameworks is referred to as Role-Based Access Control (RBAC). This framework sets an individual’s access to company networks based on the individual’s role or position within the organization. For example, a manager might be given more access rights than a lower-level employee. Access might also be divided between functional roles such as sales, product development, management, and human resources. An example of the access needed by different roles is shown in Figure 1. In addition to RBAC, there are other types of access control frameworks including Attribute-Based Access Control (ABAC), Discretionary Access Control (DAC), and Mandatory Access Control (MAC), among others. Each access control framework uses a different set of criteria that allows companies to determine who needs access and when.
In addition to a predetermined framework to implement proper access control, there are several other best practices that a company can follow. For example, an organization should carefully consider how it concentrates high-level access to company systems. Best practice is to have high-level control shared by multiple individuals. Leaving control of the systems and assets to only one person can be dangerous. If the only employee with access leaves the company suddenly, or is otherwise incapacitated, then the company is left with no way to access important information.
Another important practice is to promptly revoke an individual’s access to certain information after that individual changes roles or leaves the company. Forgetting to revoke access can leave a company’s assets and information vulnerable.
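A toy model of the practices described above (role-based permissions, least privilege, high-level control shared by more than one person, and prompt revocation on role change or departure), written as an added illustration rather than code from the original article; the roles, resources and user names are constructed.

```python
from dataclasses import dataclass, field

# Each role carries only the (resource, action) pairs that job function needs.
# Roles and resources here are constructed for the example.
ROLE_PERMISSIONS = {
    "sales":       {("crm", "read"), ("crm", "write")},
    "engineering": {("source", "read"), ("source", "write")},
    "hr":          {("personnel", "read"), ("personnel", "write")},
    "sysadmin":    {("servers", "admin"), ("backups", "restore")},
}
# Roles whose holders control the whole environment: policy requires at
# least MIN_HOLDERS active people in each, so no single departure locks
# the firm out of its own systems.
HIGH_PRIVILEGE_ROLES = {"sysadmin"}
MIN_HOLDERS = 2


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self):
        self.users = {}
        self.audit = []  # (event, user, detail) records for later review

    def add_user(self, name, *roles):
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[name] = User(name, set(roles))
        self.audit.append(("provision", name, sorted(roles)))

    def is_allowed(self, name, resource, action):
        """Default deny: an unknown, deactivated or unentitled user gets False."""
        user = self.users.get(name)
        if user is None or not user.active:
            self.audit.append(("deny", name, (resource, action)))
            return False
        granted = any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)
        self.audit.append(("allow" if granted else "deny", name, (resource, action)))
        return granted

    def change_roles(self, name, *new_roles):
        """A role change replaces the old set, so no stale entitlement lingers."""
        user = self.users[name]
        removed = user.roles - set(new_roles)
        user.roles = set(new_roles)
        self.audit.append(("role-change", name, {"removed": sorted(removed)}))

    def offboard(self, name):
        """Departure revokes every role and deactivates the account at once."""
        user = self.users[name]
        user.roles.clear()
        user.active = False
        self.audit.append(("offboard", name, None))

    def under_covered_roles(self):
        """High-privilege roles held by fewer than MIN_HOLDERS active people."""
        holders = {r: 0 for r in HIGH_PRIVILEGE_ROLES}
        for u in self.users.values():
            if u.active:
                for r in u.roles & HIGH_PRIVILEGE_ROLES:
                    holders[r] += 1
        return sorted(r for r, n in holders.items() if n < MIN_HOLDERS)


def demo():
    """Walk through provisioning, an offboarding and a role change."""
    ac = AccessControl()
    ac.add_user("alice", "sales")
    ac.add_user("bob", "sysadmin")
    ac.add_user("carol", "sysadmin", "engineering")
    results = {
        "alice_crm": ac.is_allowed("alice", "crm", "write"),
        "alice_servers": ac.is_allowed("alice", "servers", "admin"),
        "coverage_before": ac.under_covered_roles(),
    }
    ac.offboard("bob")  # leaves the firm: access must disappear immediately
    results["bob_after"] = ac.is_allowed("bob", "servers", "admin")
    results["coverage_after"] = ac.under_covered_roles()  # only carol is left
    ac.change_roles("carol", "engineering")  # moves teams: old rights removed
    results["carol_restore"] = ac.is_allowed("carol", "backups", "restore")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The coverage check after bob's departure is the point of the example: a single remaining sysadmin is the situation the paragraph above warns against, and the audit list is what a reviewer would inspect to confirm revocations actually happened.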
In Pittsburgh, Pennsylvania, a local healthcare facility was hacked by a man from Texas named Brandon Coughlin. Coughlin had at one point been hired by the healthcare facility as an internal computer systems administrator. However, after less than a month of working for the facility, management asked him to resign his position, which he did. Later that same year, Coughlin hacked the facility’s computer network and caused a significant amount of damage. According to the records of the US Department of Justice,
Coughlin hacked the computer network of the healthcare facility, disabled all administrative accounts needed to control any and all of the computer servers of the healthcare facility, and deleted users’ network shares, business data, and patient health information data, including patient medical records, causing a loss of more than $5,000.00. 2
Coughlin also attempted to use the purchasing account of the facility to try and order iPad Air tablets on the facility’s account with Staples.
In 2017 in Arlington, Tennessee, a man named Jason Needham was caught accessing the networks of his former employer, a competing engineering firm. In fact, Needham had been accessing these networks for over two years. He used his access to view and download documents ranging from projects and proposals to budgetary documents, email accounts, and fee structures. In all, according to the US Department of Justice, the business information was worth approximately $425,000. Needham pleaded guilty to the charges brought against him. 3
Another important consideration for companies that are establishing a system of access control is the variety of laws and regulations that govern the collection and use of customer information. If access to legally controlled or protected information is granted to an untrained employee, that employee might unwittingly misuse or reveal the information to someone else with malicious intent. For more specific information and examples about cybersecurity laws, see our article about cybersecurity laws and regulations.
In addition to access control, another important consideration for every organization is network security. Most modern firms or organizations have an internal network of devices and internet services. As such, establishing the proper security measures within that network is incredibly important in preventing cybersecurity attacks. An important part of network security is understanding how networks can be hacked and what implications these types of hacks have for the company.
Network Security Threats
The first type of security breach to understand is Wi-Fi hacking. Wi-Fi hacking is when someone gains access to your network which allows them to monitor your Wi-Fi activity. By monitoring your activity, these individuals can see everything that is communicated through your internet connection—including information processed on any web page, such as logins and browsing history.
The second type of hacking is data exfiltration, which occurs when a hacker gains access to a corporate network. This means that the hacker has established a connection inside the company network or servers that potentially allows them to access and transfer sensitive information and data. These hacks can be done physically on the devices within the company, or by remotely gaining access to the company network. In some cases, if a hacker can plug into an ethernet port, they will have access to the internal network, hence the need for proper physical security. In the case of both physical and remote attacks, hackers often gain access because of simple weaknesses within the company such as weak or preset passwords.
Network Security Best Practices
Most organizations can do several things that will help establish a basic level of security in their network. These actions include establishing firewalls, securing wireless networks both physically and technologically, and dividing company and guest networks.
The word “firewall” is frequently used in movies and television productions, often leading it to be misunderstood by those that don’t work in technological fields. On a basic level, there are two types of firewalls: physical devices and software. Typically, a firewall is a physical piece of technology that sits at an entrance point to a company’s network. This physical device is responsible for verifying any incoming data. If the device detects malicious, unverified, or unwanted information, it will block that information from entering the network. Most organizations need this type of firewall. In addition, most organizations can also implement firewall software on each individual device or computer. This adds yet another layer of protection.
Another aspect of network security is proper segmentation. Even within an organization, technological boundaries need to be placed between portions of the company. This means establishing firewalls between company departments or divisions the same way a company has set up security to stop attacks from outside the company. By segmenting the network properly, a company can increase security and decrease the ability of hackers to damage or access multiple parts of the company’s network. One famous example of a company that failed to segment its network is Target, the large retail company. The events of this cybersecurity breach are detailed below.
Another important step in establishing effective network security is to properly secure an organization’s wireless network, which most commonly involves securing the Wi-Fi systems. Wireless security has become increasingly important as more individuals have come to rely on wireless technology such as cell phones, tablets, and laptops. When given access to the company’s network through Wi-Fi or other wireless signals, each of these devices can become a potential entryway into the company’s network.
There are several important steps firms must take to secure their wireless network. First, companies need to physically secure their routers. Some organizations leave their network devices, such as their Wi-Fi router, in an open or generally accessible area. However, this creates a vulnerability to cyberattacks. This can be prevented by relocating the device or technology to a locked room, closet, or cabinet. Second, companies need to change the default information such as the password that came pre-installed on the router. Third, firms need to establish separate networks for employees and customers. Separating customer and employee networks will prevent the network from becoming overburdened or slowed down by customers.
Other important pieces of wireless security include enabling encryption on your router (WPA or WPA2 encryption is available on all wireless routers), and changing your SSID, which is the name of the network. Making these simple changes only requires a one-time setup, and they can greatly enhance the security of a wireless network. Because unauthorized access points can still be attached to a firm’s network, companies should periodically scan their network for them. There are a variety of other suggestions available in other online articles, several of which are cited in the resources consulted section at the end of this article.
In 2013, Target experienced a cybersecurity breach that exposed the credit card payment account information of over 41 million of its customers. Interestingly, the hackers gained access to Target’s network through the account information of an HVAC contractor. 4 Once they were inside of Target’s system, the hackers were able to maneuver their way into the payment processing part of Target’s system and steal the information about its customers. Target might have been able to stop this attack if the company had better segmented and monitored its internal network. In the end, Target paid “$18.5 million [in a] multistate settlement.” 5 While the one-time legal costs were substantial, the larger cost in this case was the long-term damage to Target’s reputation, which is demonstrated by the fact that this cybersecurity breach has continued to be discussed and remembered, even today.
An additional aspect of network security is proper cloud configuration. Many companies—smaller companies and startups in particular—have taken advantage of cloud services to advance their business. The mistake many companies make, however, is to assume these services are, by nature, secure. This is not true if the company does not take the time to properly configure these services. In general, any time a company is implementing a new technology or software, it should keep security a priority and configure the systems and software properly to create a secure system.
Data management is one of the most important parts of any cybersecurity strategy. A company often has a wealth of data about their own internal processes and other proprietary information. If this information is stolen, or if their internal operating system is brought down by hackers, companies can often lose not only financially but competitively as well. Most firms also store information about individuals including employees and customers. The information that most firms store about their customers is required, by law, to be secure. These data privacy laws, such as HIPAA or COPPA, can be very strict, and companies need to be aware of them and follow them closely. For more information about cybersecurity laws, see our article about cybersecurity laws and regulations.
One of the most important actions a company can take to protect its systems and data is to create a backup of all a company’s systems and important data. While creating these backups will often take a substantial amount of time and resources, a functional backup can prevent potential disasters. One of the reasons backups are important is because every system has vulnerabilities. These weaknesses might be exploited by hackers, and employees might accidentally corrupt the system or delete important data. Thus, both internal and external threats can be mitigated by creating effective backups.
In addition to creating backups, a vital part of effective data backups is proper testing. Testing will ensure that the backups are fully functional and available for use in the event of a cybersecurity breach or a system failure. If a company fails to test its backups, then by the time the backups are needed, it will be too late to avoid disaster.
Software Updates and Training
Another key aspect of cybersecurity is having processes in place that assist all employees in keeping their software and hardware up to date. Most software providers regularly release updates that increase the integrity and security of their products. Thus, missing these updates can leave company systems at greater risk of exposure to successful hacks. One crucial aspect of keeping systems up to date is training employees to be proactive about updates. Employees that are proactive can catch mistakes or insufficiencies even before regular processes come into play. Firms may also need to enable automatic updates. This will reduce the burden of unnecessary downtime that distracts from an employee’s normal workflow. Employers should also be careful not to deploy new software, hardware, or access rights without giving employees the proper training. A well implemented update today can prevent a disaster tomorrow.
In September of 2017, Equifax, the large multinational consumer credit reporting agency, reported it had been hacked. The data of over 147 million people were exposed. The breach was accomplished because of a weakness in a web application that allowed hackers to install rogue applications on web app servers. Sadly, a patch for this weakness had been released by the provider two months prior to the hack. 6 If Equifax had chosen to perform the update on its webservers, it would not have experienced this data breach. In the end, Equifax reached a settlement that totaled up to $425 million. 7
Other Important Cybersecurity Decisions
Some other important cybersecurity decisions are made on the company level. These include decisions regarding the company’s device policy. If employers have employees bring their own devices into the workplace, this can create added risks. Remote work is also becoming more common, which also creates a host of cybersecurity threats for companies who are relying on the internet connections and security of each employee’s home, where the company has less control. Becoming aware of the cybersecurity threats that these organizational decisions create is imperative for business leaders.
Another important cybersecurity measure to put in place is an incident response plan. When an incident occurs, firms need to have a clear plan that delineates who has decision making authority, how the crisis should be handled, and what the plans are to deploy backups or solve the problem. In addition to making a response plan, many firms may also benefit from running incident response drills that allow employees to experience what should happen in the event of a breach.
In addition to the internal security needs of a firm, companies should also ensure that they are checking for proper security controls any time they do business. This is especially relevant when companies are forming partnerships and purchasing technology or software. Business decisions should always be made with security in mind.
There are far too many possible cybersecurity decisions to cover in one article. In the end, the most important decision a firm can make is to be committed to security, and to constantly be on the lookout for ways to improve. A firm commitment to security will help a company avoid problems and potentially identify new opportunities.
Best Practices on the Employee Level
In addition to the high-level decisions made from the top down, every organization also needs to be aware of the various cybersecurity decisions made on the level of the individual employee. These decisions will have a significant impact on the security of any given organization.
Awareness and Training
One of the most important things a firm can do is establish processes that keep employees well trained and aware of security threats. Proper training will decrease the threat of outside attacks and prevent employees from inadvertently becoming a threat themselves. This type of training should include instruction on how to comply with the many different laws that govern aspects of a business’s operations, such as data privacy laws. In some cases, laws such as HIPAA require employees to be trained in how to comply with privacy and security requirements.
If a company has a software development team, it is imperative that the software developers have proper training on how to keep security in mind as they develop software. In almost every case, retrofitted security is harder to implement than building security into the system during development. One study by IBM showed that costs increased dramatically the later a problem was found in the development process. 8 The study showed that “defects found in testing were 15 times more costly than if they were found during the design phase and 2 times more than if found during implementation.” 9 In the past, security was often implemented later in the development process. However, there has been a movement for “Shift Left Security,” which refers to the idea that cybersecurity should be involved from the very beginning of the development process. Developers can start developing an awareness of security by utilizing online resources such as the OWASP Top 10 Proactive Controls 10 or the CIS Top 20 Critical Security Controls. 11 12
While keeping employees trained and informed is important, employers should also be careful not to create the type of security fatigue that can cause a lackadaisical or resistant attitude among employees. Keeping employees properly trained without overburdening them will allow an employer to create the kind of culture that supports, rather than resents, security measures.
Authentication and Passwords
One of the most fundamental aspects of good cybersecurity is the ability to properly authenticate each user within the system. This is most often supported by strong passwords. Most people use passwords for a plethora of platforms such as websites, company accounts, and personal devices. Because passwords are such a ubiquitous part of modern life, many individuals and organizations take for granted how important they are. Firms need to understand the principles of authorization and authentication because they are often foundational to the rest of the cybersecurity measures a business pursues.
Some of the basic password principles that should be followed include using long, complex passwords and using different passwords for different accounts. Strong passwords typically need to include a long string with a combination of letters, numbers, and other characters. Most accounts should also use different passwords to prevent hackers from using one password to access all of an individual’s accounts and data. In most cases enforcing these types of basic requirements on employee passwords can prevent a variety of threats.
Another common password security suggestion is to update passwords regularly. In many cases, this is a good practice. However, the effectiveness of regular password changes is disputed by some cybersecurity professionals, who say that most people will experience password fatigue and end up using similar passwords anyway. Thus, the length of time someone uses a password isn’t as important as the attributes of the password itself. According to NIST recommendations, passwords should only be changed when there is a threat or compromise to the system.
One of the best ways to increase the strength of your company’s password, or authentication, system is to establish a multi-factor authentication platform. This type of platform is becoming increasingly popular and has become a necessity for many organizations to maintain their security. Multi-factor authentication requires a person who is signing into a system to use multiple verifications to prove their identity. This often involves codes sent in text messages, an app on a separate device, or other methods. This type of system is especially useful for certain aspects of a company, particularly production and development environments where sensitive information is stored, and where progress can be wiped out instantaneously by a malicious hacker. Many platforms exist for this type of authentication such as Authy, Ping, or Duo. There are also hardware devices such as YubiKeys that provide a second layer of authentication. Deciding which technology to use will often depend on a firm’s individual needs, specific scenario, and budget.
Another potential tool that companies can use to increase password security is a password manager. These tools automatically fill in an employee’s passwords by saving password information in the password manager software. As long as access to the password manager is protected by a particularly strong password, these tools can be an effective way for employees to have strong and unique passwords for each account they use without forgetting or needing to record passwords in less secure locations. However, like any other cybersecurity solution, these tools also introduce new potential risks. Thus, companies should consider which tool best meets their needs and integrates well with the other systems they have in place.
Another crucial element of cybersecurity is guarding against phishing attempts. Every employee that has any access to company systems needs to be trained in how to recognize and avoid phishing attempts. Many people often mistakenly think of phishing as emails or communications that are obviously suspect because of their bad grammar or outlandish claims. While this may have been true in the past, phishing attempts have become increasingly sophisticated and can easily fool any employee who hasn’t been actively trained to notice and avoid them. Even employees at large and prominent tech companies such as Google, Facebook, and Sony have fallen prey to phishing attacks that have cost millions of dollars. 13
Every employee will need to be trained to understand the different types of phishing attempts they might face. For example, phishing attempts often imitate internal company communication or appear to be from a trusted supplier or vendor. Any time documents are being sent and received, the receiver should carefully examine the communication and the documents to ensure they are not falling victim to an advanced phishing attempt. A variety of online resources exist to help individuals who want to increase their knowledge and catch phishing attempts more often. For example, Google offers a free test that allows individuals to see whether they can successfully identify phishing emails. Companies such as KnowBe4 also offer free resources and tools in addition to their paid services that help companies increase their security in this regard.
By taking the simple steps detailed in this article, many organizations can increase their level of cybersecurity. However, these steps alone will not protect the firm forever. Firms need to establish a long-term strategy that allows them to continue to change and adapt as the world of cybersecurity continues to change and adapt. By continually remaining vigilant on the cybersecurity front, companies have the potential to prevent lawsuits and other reputation-damaging events that could cost the company millions. Thus, while it will never be possible to stop every threat, companies that remain proactive will increase their chances of long-term success.
- Brooks, Ryan. Netwrix: “Data Security Basics and Data Protection Essentials.” 28 Sep 2020.
- Brooks, Ryan. Netwrix: “What is the CIA triad?” 20 Oct 2020.
- NIST Small Business Cybersecurity Corner: “Cybersecurity Basics.” 17 Nov 2020.
- NIST Small Business Cybersecurity Corner: “Cybersecurity Risks.” 28 Feb 2019.
- Tunggal, Abi Tyas: “What is Access Control? Important security data protection.” 2 Mar 2021.
- Bird, Richard. Forbes: “Cybersecurity Starts With Access Control.” 7 Feb 2019.
- Martin, James. CSO: “What is access control? A key component of data security.” 21 Aug 2019.
- Lutkevich, Ben. TechTarget SearchSecurity: “Access Control.” Sep 2020.
- Zhang, Ellen. Digital Guardian: “What is Role-Based Access Control (RBAC)? Examples, Benefits, and More.” 1 Dec 2020.
- Segal, Chelsea. Cox BLUE: “Network Security Best Practices – A 12 Step Guide to Network Security for Business.” Accessed 12 Mar 2021.
- RSI Security: “How to Set Up a Secure Network: Back to Basics.” 3 Apr 2020.
- Jones, Martin. Cox BLUE: “10 Ways To Secure Your Business WiFi Network.” Accessed 12 Mar 2021.
- Vector Security Networks: “7 Ways to Secure Your Business Wi-Fi Network.” 14 Feb 2019.
- ZenMate: “WiFi Hacking Explained.” Accessed 12 Mar 2021.
- Lord, Nate. Digital Guardian: “What is Data Exfiltration?” 11 Sep 2018.
- Password Depot: “Secure Password Management in Companies.” Accessed 12 Mar 2021.
- Datashield: “Successful Password Policies for Organizations.” Accessed 12 Mar 2021.
- Maxim, Merritt and Andras Cser. Forrester: “Best Practices: Selecting, Deploying, And Managing Enterprise Password Managers.” 8 Jan 2018.
- Chiodi, Matthew. Palo Alto Networks: “4 Practical Steps for ‘Shift Left’ Security.” 23 Jul 2019.
- Cloudflare: “What is role-based access control (RBAC)?” Accessed 7 May 2021.
- United States Department of Justice: “Texas Man Charged with Damaging Computers at Western PA Healthcare Facility.” 20 Mar 2017.
- United States Department of Justice: “Tennessee Man Pleads Guilty to Unauthorized Access of Former Employer’s Networks.” 14 Apr 2017.
- Wallace, Gregory. CNN: “HVAC vendor eyed as entry point for Target breach.” 7 Feb 2014.
- McCoy, Kevin. USA Today: “Target to pay $18.5M for 2013 data breach that affected 41 million consumers.” 23 May 2017.
- Goodin, Dan. Ars Technica: “Failure to patch two-month-old bug led to massive Equifax breach.” 13 Sep 2017.
- Federal Trade Commission: “Equifax Data Breach Settlement.” Jan 2020.
- Dawson, Maurice; Darrell Norman Burrell; Emad Rahim; Stephen Brewster. “Integrating Software Assurance Into the Software Development Life Cycle.” 2010.
- OWASP: “OWASP Proactive Controls.” Accessed 11 Mar 2021.
- Center for Internet Security: “The 20 CIS Controls & Resources.” Accessed 11 Mar 2021.
- Expert Insights: “The 3 Most Damaging Phishing Attacks On Businesses – And How To Stop It Happening To You.” 15 Nov 2018.