Each employee of a business, from end users to security professionals to executives, has a role in protecting their business from cyberattacks. The actions that each employee takes -- or doesn't take -- can make the difference between "just another day" and a major breach that harms the business's reputation and costs the business a lot of money.
To help businesses improve their security systems, we've compiled a list of cybersecurity best practices for security professionals to follow, and a list of cybersecurity tips for all employees to keep in mind. These lists focus on particularly important things for businesses today to address.
Cybersecurity best practices for security professionals
- Update security policies. Businesses often have outdated security policies that don't take into account the latest technologies, cyberthreats and cybersecurity best practices, such as zero-trust architectures. Security policies are the foundation for enterprise security. Make sure to update your policies first, update your security practices and then train your employees so they understand -- and, hopefully, comply -- with the new policies.
- Require strong authentication for all users. Cyberattacks often use compromised user accounts to gain access to a business's internal resources. Requiring MFA, such as a smart card with a PIN or biometric, for every user can be effective at stopping many cyberattacks. If that's not feasible for your business, at least require users to have strong passwords that attackers won't be able to guess, and implement MFA for security professionals, system administrators, and all others with privileged access to systems and networks.
- Refresh your network security controls. If it's been a while since your business reviewed its network security controls, consider whether they need a refresh. For example, do your firewalls and VPN gateways offer the functionality your hybrid workforce needs? Maybe it's time to upgrade or replace them. Also, are you able to monitor network traffic for all of your users, or has cloud migration reduced your visibility? Perhaps you need to deploy additional network security software, or consider adopting cloud-based security solutions like Secure Access Service Edge.
- Prepare for compromises. Security breaches and other types of security incidents are inevitable. It's incredibly important to be prepared at all times to handle compromises to reduce the amount of damage that's done. Along with that, your business needs to be equipped to detect security incidents as early as possible. That means not only having the security technology in place to detect and analyze suspicious activity, but also educating employees on what the potential signs of an incident are and how to report them. Ideally, your business should foster a culture of honesty, and not punish employees for making innocent mistakes -- otherwise people may hide their errors, which can allow compromises to last longer and do more harm.
- Keep your security knowledge current. One of the hazards of working in security is that you may be so busy that you don't have time to keep your security knowledge current. You're understandably focused on handling today's emergencies. However, not only should you stay up-to-date with the latest changes in your specialty areas, but also security is a vast field and there are always more things to learn. Cybersecurity topics such as risk assessment, cyberthreats, threat detection and zero-trust architecture apply to so many areas of security. Also, topics such as physical security often get overlooked altogether. Online courses can help you fill in the gaps.
- Improve employee awareness of security. All too often, security awareness activities for employees are just an hour a year of sitting through the same presentation, plus an occasional email. Security awareness activities may be perceived as a waste of time, and unfortunately, they often are. What's needed is a broader cultural shift to understanding the importance of security and the need for everyone to do their part. You can help your business change its cybersecurity culture by taking a few minutes to explain to employees why they are being required or asked to do or not do things a certain way. Cultural changes happen gradually, every time an employee buys into the need for a security practice.
Cybersecurity tips for employees
- Be skeptical. It's human nature to be trusting, but when you receive an email, phone call, text, social media request or other form of communication, the sender could be an imposter trying to trick you. Always do a sanity check before you open an attachment, click on a link or provide sensitive business or personal data . Does the communication look legitimate? Would this person or company send you this request? If you're not sure, call the sender and confirm that they sent the message in question. This helps you avoid phishing and other attacks intended to take advantage of your trust.
- Be selective. Internet access is available almost everywhere, but security threats differ from place to place. Whenever possible, use private networks, such as your home network, instead of public networks like the public Wi-Fi at your local coffee shop. On public networks, your computer is directly exposed to attacks from the internet. Private networks use a firewall, internet router or other device to block attackers from directly connecting to your mobile and other devices. Choose private networks to reduce your risk.
- Be organized. Many data breaches start with an attacker getting a regular user's password. The attacker can build from there to eventually gain access to the business's most valuable information. To help make things harder for attackers, be organized when it comes to your passwords. Use a password manager program that remembers all your passwords for you. This allows you to create a unique strong password for each business and personal website and app, and the only password you need to remember is the one for the password manager itself. But make sure the password manager's password is strong, and if it's an option, use MFA to safeguard your stored passwords.
- Be prepared. Even with your security team working hard to provide cybersecurity protection, malicious activities may reach your computer. You should be prepared for them by using antimalware software and keeping your operating system and applications fully patched. However, some attacks may succeed, no matter what you do, so you need to be prepared for that too. For example, ransomware attacks can make your data and your computer inaccessible. Make sure your data is backed up in accordance with your business's policies, and verify from time to time that your backups are still working correctly. This helps ensure your information is safeguarded just in case something bad happens.
Karen Scarfone is the principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST.
This article is part of