Every Organization Is Vulnerable To Increasingly Damaging Cyberthreats, But Best Practices Can Help Them Mitigate The Risks And Their Overall Impact.
- Increased digitization has created both unsurpassed opportunity and unrivaled risk for all organizations in 2021.
- Smaller and newer businesses are particularly vulnerable to cyberthreats — and less prepared to prevent or respond to them.
- Understanding the most important cybersecurity best practices positions business leaders to maximize their digital potential while mitigating their cyber risk.
Digital technology is the great equalizer. It gives any business — no matter its size, geography or age — the potential to compete in today’s marketplace. But all that interconnectedness also places them at greater cyber risk. By staying up to date with best practices, organizations will be well-positioned to protect themselves should they end up in a bad actor’s line of fire.
What Is Cybersecurity and Why Is It Important?
Cybercrime cost its victims $4.2 billion in 2020 — and that’s just in the U.S. — with most money lost to business email compromise (BEC) scams, romance and confidence schemes and investment fraud, according to the FBI’s Internet Crime Complaint Center. And in Mimecast’s State of Email Security 2021 (SOES) report, more than 60% of companies encountered a ransomware attack during roughly the same period, email threats rose 64%, and 79% of organizations were impacted by their lack of cyber preparedness. What’s more, the FBI figure is only a small fraction of the true total cost, according to research from Cybercrime Magazine: Factoring in all the costs that cascade out of cybercrime, from business disruption, forensic investigation and reputational damage to intellectual property and personal identity theft, the true cost, globally, is projected to reach $6 trillion in 2021.
Cybersecurity is the practice of protecting against all of these cyber risks. Smaller or newer businesses can be particularly attractive targets for digital attack specifically because they may lack the cybersecurity infrastructure and tools of larger or more experienced businesses with more robust cybersecurity best practices in place. Indeed, the vast majority of small business owners (88%) feel vulnerable to attack, according to a survey by the U.S. Small Business Administration (SBA).
Top Cybersecurity Best Practices
Nearly four out of five companies said they experienced a business disruption, financial loss or other setback in 2020 due to a lack of cyber preparedness, according to the SOES survey. Company leaders can better arm themselves against growing cybersecurity threats by understanding exactly where their businesses are most vulnerable and taking steps to address those weaknesses. To that end, here are 12 key cybersecurity best practices leaders should consider incorporating as soon as feasible.
- Avoid pop-ups, unknown emails and links: Malware infections are among the most common cybersecurity threats organizations face; some 5.6 billion were reported in 2020. Viruses, Trojan horses, spyware — no matter the type, they tend to infect computer systems through similar mediums: unsafe pop-ups, spam emails and downloads from unknown sources. Having up-to-date virus scan and spam detection software is a great safety net, but it’s also critical that all users are trained to understand the dangers of clicking on unusual links, pop-ups or emails.
- Use strong password protection and authentication: Another powerful prevention method for avoiding data breaches is good password protection. At the most basic level, it’s important to require all users to create strong, difficult-to-guess passwords and credentials for their accounts and change them often. Sounds simple, but getting them to do so requires constant (and preferably automated) reminders. In fact, some 61% of breaches in 2020 involved credentials like passwords. Consider multifactor authentication (MFA), which requires an additional token of identifying code to access systems, thus providing protection even when a password is stolen or compromised.
- Always connect to secure Wi-Fi: An unsecured Wi-Fi network poses numerous risks. For example, unauthorized users can piggyback on the internet connection to conduct illegal activity, monitor or capture web traffic, or steal data. Bad actors can launch an evil twin attack, creating an imposter network with a stronger signal and then read any data sent by users over the impersonated network. And when employees use public access points that are not secured, cybercriminals can use wireless sniffing tools to access sensitive data, transactions and, combined with unsecured file-sharing, any directories and files made available for sharing. Thus, it’s critical to secure any personal Wi-Fi networks in use, avoid unsecured public networks and give employees a virtual private network (VPN) so they can securely connect to the business network remotely.
- Enable firewall protection at work and at home: Firewalls are important gatekeepers, restricting traffic in, out or within a private home or business network. For an added layer of security, host-based firewalls installed directly on wireless devices offer further protection if someone is able to get around the network firewall.
- Invest in security systems and software updates: Cyberattack prevention can save companies thousands — perhaps millions — of dollars. Making sure your organization has security software in place is a prime defense against cyberthreats, as is installing software updates as soon as they’re available. Automation is also your friend. Antivirus software, for example, can be set to scan after each update.
- Employ third-party controls: In the digital age, organizations are connected to a growing ecosystem of third parties, including external partners, suppliers and customers. Protecting any organization means putting in place cybersecurity controls for third parties that may have access to sensitive or protected information, networks or facilities, or that provide a critical service to the company. Best practices include limiting third-party access via the “least privilege” approach (see No. 11), as well as performing due diligence around and monitoring the third party’s own cybersecurity controls. After all, a compromise at any one of those points places the entire supply chain at risk.
- Consider biometric security: Biometric verification — authenticating a user’s identity using a fingerprint, iris scan or facial analysis — is becoming more prevalent. The biometric approach comes with advantages (easy to use, hard to mimic) and disadvantages (costly, sometimes prone to errors), so it’s important to understand those fully before proceeding.
- Create a hierarchical cybersecurity policy: Having an overarching, written and well-communicated cybersecurity policy is non-negotiable for cyber-savvy organizations. But it’s also important to recognize that one size does not fit all. Different departments and units may have varying cybersecurity risk and management needs. A hierarchical, or tiered, approach allows for the creation of an organizational policy as well as more specific, customized (but still aligned) policies for various departments or functions as needed.
- Back up data: Regularly backing up critical data is key to defeating ransomware and to business continuity in general. These include documents, spreadsheets, databases, financial data and human resources information, for a start. Automatic backups, at least once a week, are ideal. Even smarter: storing the data in the cloud.
- Control physical access: As data becomes more distributed — and mobile — it’s important to protect an organization’s physical assets as well as its digital ones. Preventing access or use of desktops, laptops and mobile devices should be a high priority as these can be easily stolen or lost. Make sure such devices are set to lock when unattended and grant only limited administrative privileges for such hardware.
- Keep an eye on privileged users: Speaking of administrative privileges, maintaining tight control over user privileges is more important than ever. The more privileges any individual person has, the more danger each privileged account poses should it be compromised. Current wisdom points to the principle of least privilege — that is, giving individuals only the minimal access required to do their jobs. An audit of existing user privileges is an important first step. Then, practicing privileged access management (including user permission governance, active monitoring and limiting temporary permissions) can help to mitigate future threats and prevent future data breaches.
- Practice robust and continuous employee awareness programs: Even with the best cyberthreat protection technology and processes in place, the human on the other side of a potential attack is often the weakest link. Indeed, most cybersecurity studies have found that human error is responsible for some 90% of all security breaches. That’s why one of the most important best practices in improving cyber resilience is vigorous and ongoing cybersecurity awareness training for all users. Indeed, the infusion of cybersecurity understanding and skills is ideally so ingrained that they become part of the cultural fabric of the organization.
The Bottom Line
While cybersecurity threats continue to increase, so do the tools organizations have at their disposal to mitigate their impact or prevent them from happening. Integrating these 12 cybersecurity best practices will help organizations increase their responsiveness and cyber resilience in the digital age.
 “Cybercrime To Cost The World $10.5 Trillion Annually By 2025,” Cybersecurity Ventures