Is your network secure? Are your employees maintaining strong, safe security practices? Is your small business a tempting target for cybercriminals?
Through recent years, the digital threat to small businesses has increased exponentially. Likely, if you aren’t proactive about protecting your digital assets and tools – including your business’s connected devices, networks, software, websites, and more – you are at-risk for a data breach, and soon. Fortunately, there is a way to test your security: by understanding more about security hygiene.
Security hygiene, which is also called cyber hygiene, is an individual’s daily responsibility to uphold cybersecurity. While an organization should build security into the network architecture and maintain common defenses, individuals retain significant power to support or topple that security. Poor security hygiene is marked by insecure habits, such as using weak passwords, sharing login information, disabling encryption, interacting with dubious links, attachments, or webpages. Such behavior easily compromises even the strongest cyber security practices.
If you are spending a fortune on cybersecurity but are still suffering from malware and data breaches, it might be time to question your employees about cyber hygiene. The following five issues are common culprits for insecurity, and the questions associated with them should help guide you toward better, more secure practices.
1. Endpoints
How many endpoints are on your network? How many are managed, and how many are unmanaged?
You can’t secure what you don’t know. It’s possible that your employees are adding endpoints, or computers and other devices, to your network without your knowledge. These devices probably lack sufficient protection, such as anti-malware programs, firewalls, and even passwords. Every endpoint on your network should be managed, which means they should adhere to specific requirements before they are permitted network access. You should search for unmanaged endpoints on your network and institute rules regarding endpoint management.
2. Software
What software is installed on your network? How much is authorized, and how much is unauthorized?
Once again, if you don’t know about software on your network, you can’t be certain it is secure. Unauthorized versions of software are less likely to be up-to-date on patches and proper configurations, which means they probably contain vulnerabilities for cybercriminals to exploit. Vulnerability management programs can detect authorized and unauthorized software on a network – to include active content and browser extensions – so you can more adequately protect your network from attacks.
3. Compliance
Are the endpoints and software on your network compliant with industry baselines and standards?
In most industries, compliance is an expensive, stressful, and never-ending endeavor. However, compliance also serves to keep your business safe from all sorts of attacks which could cost you and your customers even more than you are spending to be compliant. Worse, most industries punish organizations that are not compliant, which means by allowing endpoints and software to fly above the rules, you are asking for fees and fines. You can perform your own thorough compliance audit to identify sources of insecurity before you are subject to penalties.
4. Vulnerabilities
How are you assessing and correcting vulnerabilities? Is it a continuous process?
Unmanaged endpoints and unauthorized software are the primary sources of vulnerabilities on your network, so identifying them and addressing them should eliminate much of your risk. However, it isn’t enough to scan your network once, resolve any issues, and move on. Not only are endpoints and software no the only weak spots cyber criminals can use to infiltrate your network, but employees can easily add more endpoints and software in the future. You need to install vulnerability scanning software to continuously look for chinks in your cyber-armor, and you should institute policies regarding appropriate security hygiene.
5. Administration
Who has administrative privileges on your network? Are there controls on administrators?
Network administrators have more power to affect your organization’s cybersecurity, so the fewer employees who have administrative privileges, the better. In truth, there are only a few good reasons that an employee should have administrative privileges, including installing software and updates or altering system settings and utilities, and both of these actions can be handled by an IT team or service provider. Even if you restrict administrative access, you should have proper auditing and change control in place to view who makes changes – and most importantly, you should have the ability to roll changes back if necessary.