Following is a list of our current baseline cybersecurity recommendations.
Your organization may need additional protection depending on your industry’s regulations, such as HIPAA, PCI-DSS, or ITAR. Initial consultation is complimentary.
Proactive Monitoring, Advanced Endpoint Security, Patching
An endpoint can be a desktop PC/Mac, server, laptop, smartphone, tablet, thin client, or other specialized hardware such as POS terminals and smart meters. We recommend actively monitoring such devices for security risks, keeping their malware protection current, and applying security patches as they are released.
Gapped Backups
One of the reasons the WannaCry ransomware was so devastating is that it was designed to locate, corrupt, and lock backup files. This is why we recommend our clients use properly gapped backups. A gapped backup is one that is kept disconnected from your network (offline, or otherwise unreachable from the systems it protects), so ransomware that compromises those systems cannot reach it. A backup that is permanently mounted as a network share is not gapped and can be encrypted along with everything else.
Network Firewall
The absence of a well-maintained, continuously updated network firewall is analogous to leaving the front door of your office wide open, and it also lets your end-users roam any website on the Internet with impunity. We recommend the implementation and maintenance of a business-class firewall appliance as a part of your overall cybersecurity strategy.
Quarterly Technology Reviews
Information Technology progresses at breakneck speeds. Quarterly reviews of system status, budgets, necessary adjustments, and emerging technologies are necessary to keep pace.
Security Risk Assessments
We recommend conducting an IT risk assessment annually, or more frequently if needed. The result of the assessment should be a list of security risks prioritized according to severity. Mitigation of the identified vulnerabilities should then be scheduled in that priority order, according to the availability of financial and human resources.
Data Breach and Cyber Attack Response Plan
Even the most methodical plans for preventing security incidents can fail. We recommend the creation and maintenance of a cyber response plan customized for your organization with the goal of minimizing the damages, downtime, and financial losses for your organization.
Aggressive Password Protocols
Weak passwords are among the most commonly attacked vectors. We recommend the implementation of enforceable, server-based password policies tailored to your company’s operations and compliance requirements.
Multi-Factor Authentication
Multi-factor authentication (MFA) is an authentication process in which a user must present two or more independent proofs of identity (something they know, something they have, or something they are) before being granted access to a secure environment, so a stolen password alone is not enough to log in. We insist that our clients use two-factor authentication for their e-mail and other sensitive services.
Web Content Filtering
Adult content, online gaming, gambling, and file-sharing sites for movies and music are among the top online searches and are “clickbait” hunting grounds for hackers. These are web sites you do NOT want your employees visiting during work hours on company-owned devices. Employees who visit infected web sites expose you not only to viruses and hackers but also to legal hassles.
Cyber Security Awareness Training
Employees accidentally clicking on a phishing e-mail, or downloading an infected file or malicious application, is the number one method by which cybercriminals attack systems. Training your employees continuously, including phishing simulations, is one of the most important protections you can put in place.
E-mail Security and Confidentiality
Your employees have access to a wide variety of confidential and important electronic information. Phishing e-mail messages are often used to trick recipients into sharing sensitive information; senders often pose as a legitimate business or a trusted contact. We recommend filtering links and attachments in inbound e-mail and using encrypted e-mail for the transfer of sensitive information.
Secure Remote Access
Remote access to the workplace should be allowed only by way of an encrypted VPN (virtual private network). IPsec and SSL VPN technologies are common and are included in gateway security devices from top vendors such as SonicWall, Fortinet, Sophos, and WatchGuard.
Mobile Device Security Policy
Mobile devices should be backed up regularly, encrypted, and equipped with remote wipe capabilities in case of device loss or theft. It is also vital that your organization has an acceptable device use policy, especially if you allow BYOD (Bring Your Own Device).
Disaster Recovery Plan
If your office, along with computers and data, were to be seriously damaged or destroyed, how much downtime could your company tolerate? What about the disappearance of data stored in the cloud? We recommend the creation and maintenance of a disaster recovery plan for your company which is in line with your recovery time objectives.
Dark Web Monitoring
Small and medium-sized businesses are just as vulnerable to cybercrime as large companies. We recommend monitoring cybercrime web sites and data dumps for your organization’s specific credentials (e-mail addresses, passwords, etc.). Once your credentials are detected, you will be notified so you can change the affected password(s).
Role-Based Access Control
Role-Based Access Control (RBAC) is the practice of assigning system access to users based on their roles within an organization. We recommend creating and assigning only the minimum privileges required for each of your team members, in order to limit the damage from both accidental and malicious actions.
Secure Hardware Disposal
Recycling equipment that still holds stored data can result in a cybersecurity disaster. We recommend a process by which all data storage components, such as hard drives, data cards, flash storage, etc., are removed and either physically or electronically shredded prior to recycling the equipment.