“Move along folks, nothing to see here!” is what I imagine stressed-out IT security crusaders worldwide murmur every night in their sleep. Especially after spending yet another day protecting their organizations from the hundreds of thousands of cyber criminals and villains who use their arsenals of malware and attack techniques to wreak havoc on core systems and hold hostage sensitive information like intellectual property, personally identifiable information, protected health information, financial data and trade secrets.
Mix in some job fatigue and it would be difficult to blame these hardworking superheroes for becoming distracted from maintaining good cyber hygiene, in other words, fundamental principles and practices that provide a solid foundation of security for any organization. While it alone does not guarantee any organization Luke Cage-like bulletproof protection, cyber hygiene remains effective at warding off risks from even some of the most common and sophisticated internal and external adversaries.
Schneider Downs believes basic cyber hygiene is so critical that its absence could undermine existing security programs and even sophisticated cyber defense technologies. While there is no magic spell available to banish cyber threats into a dark dimension forever, the following Schneider Downs “Security Superhero” checklist features kryptonite-like quality tips for weakening cyber criminals’ attack strategies and keeping your organization safe in the ongoing cyberspace battle between good and evil:
#1: Deploy robust endpoint security like antivirus software, encryption, data loss prevention tools, application whitelisting and other security safeguards on all computer systems.
#2: Conduct cybersecurity education and awareness activities (e.g., phishing simulations) that promote proper employee behavior.
#3: Limit the number of users with administrative privileges, and maintain appropriate system access that’s commensurate with job duties.
#4: Enforce use of multifactor authentication, complex passwords and/or passphrases, especially on corporate email and key systems.
#5: Maintain a regular patching schedule for applications and infrastructure assets, such as servers and databases, to maintain functionality and safeguard against malware attacks.
#6: Implement and test procedures that regularly backup and routinely recover data.
#7: Test periodically for exploitable vulnerabilities and unauthorized software installed on your network.
#8: Identify and manage risks associated with third-party suppliers and external dependencies.
#9: Build and maintain an inventory of key assets like hardware and software.
#10: Establish an incident response plan to detect and react to security incidents such that damage to the organization and time to recover business operations is limited.
#11: Secure personal mobile devices by enabling a passcode or fingerprint lock, engaging encryption, and/or keeping operating system and mobile app versions current.