CFO Community Blog | Summit CPA

How to Protect Your Firm Against Cyberattacks

Written by Summit Marketing Team | Nov 25, 2022 11:00:00 AM

It’s no secret: in this day and age, it’s necessary to protect your firm against cyberattacks. In fact, Forbes reported that cyberattacks continue to be on the rise: “In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Over the next two years, the security executives polled by Thought Lab see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated. The main causes of these attacks will come from misconfigurations, human error, poor maintenance, and unknown assets.”[1] Making sure your firm is on top of cybersecurity best practices should be of the utmost importance to your team. Below are tips to guide you in beefing up your cybersecurity strategy.

Governance

To create a sound cybersecurity strategy, I recommend following a governance framework published by a technology industry leader or by an authoritative body within your specific industry. I’ve used the guidance published by the National Institute of Standards and Technology (NIST).

Cybersecurity Software

While a lot of cybersecurity software is marketed to firms, not all of it is guaranteed to be effective, so invest in software that is proven to work. A short list of tools that preserve productivity and follow cybersecurity best practices is better than a long list of ineffective products marketed to look good. It’s very easy to buy every product and service advertised as providing cybersecurity; it’s more important to have a strategic plan for your cybersecurity program and for the products you invest in.

Firewalls

Most companies have firewalls installed to protect the firm from cyberattacks, and even some households have begun installing them for added protection, generally on the home router. A firewall is essentially software that inspects incoming and outgoing traffic for threats to the firm’s network based on previously established rules. Select a firewall product that is proven rather than one that is merely heavily marketed as effective; a proven history is more important than price or popularity.

It is also important to establish effective firewall rules to protect your firm. One example is blocking employees’ access to personal email: a firm may prevent employees from reaching their personal Gmail accounts from firm computers so that they cannot click on malicious links delivered there.

At Anders, we have a configuration that logs the alerts that appear on a client’s firewall and automatically generates a service ticket, so we can decide whether anything needs further investigation. Another setting that can be enabled at the firewall level is geographic IP blocking, which can prevent visitors from, say, Iran or Russia from reaching your firm’s assets. Beyond geographic blocking, it can be helpful to enable intrusion prevention (IPS) and to block high-risk network ports.
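The alert-to-ticket flow and the three firewall controls just described, as an added example (this is not Anders’ or Summit CPA’s code). It applies geographic blocking, high-risk port blocking and IPS alerts to firewall log lines and turns each hit into a service-ticket record. The log format, the CIDR-to-country table, the IPS signature name and the sample lines are all constructed for this example; a real firewall logs in its vendor’s own format, and a real geo-block needs a maintained GeoIP database.

```python
"""Firewall-alert triage: an added example, not Anders' or Summit CPA's code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a GeoIP lookup. The ranges are RFC 5737
# documentation networks, so none of them is a real host.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}
BLOCKED_COUNTRIES = {"IR", "RU"}

# Inbound ports the policy treats as high-risk (telnet, SMB, RDP).
HIGH_RISK_PORTS = {23, 445, 3389}

# Constructed log format:
# "<timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port> [ips=<signature>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)(?: ips=(?P<ips>\S+))?$"
)


@dataclass
class Event:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    ips: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Event(m["ts"], m["action"], m["src"], m["dst"], int(m["dport"]), m["ips"])


def country_of(ip: str) -> Optional[str]:
    """Look the source address up in the constructed geo table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def classify(ev: Event) -> Optional[str]:
    """Return the reason a ticket should be raised, or None if no follow-up is needed."""
    if ev.ips:
        # Any IPS signature match is worth a look, whether it was blocked or not.
        return f"IPS signature {ev.ips} from {ev.src}"
    country = country_of(ev.src)
    if country in BLOCKED_COUNTRIES:
        return f"geo-blocked source {ev.src} ({country}) attempted port {ev.dport}"
    if ev.dport in HIGH_RISK_PORTS and ev.action == "allow":
        # A denied hit on a risky port is the firewall doing its job; an
        # allowed one means a rule is missing or wrong.
        return f"high-risk port {ev.dport} allowed from {ev.src}"
    return None


def triage(lines: List[str]) -> List[dict]:
    """Turn raw log lines into ticket records for a service desk."""
    tickets = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason is not None:
            tickets.append({"ts": ev.ts, "src": ev.src, "dst": ev.dst, "reason": reason})
    return tickets


# Constructed sample log lines.
SAMPLE_LOG = [
    "2022-11-25T09:00:01 action=allow src=203.0.113.10 dst=10.0.0.5 dport=443",
    "2022-11-25T09:00:07 action=deny src=192.0.2.44 dst=10.0.0.5 dport=22",
    "2022-11-25T09:01:15 action=allow src=203.0.113.77 dst=10.0.0.9 dport=3389",
    "2022-11-25T09:02:30 action=deny src=198.51.100.8 dst=10.0.0.5 dport=445 ips=SMB-EXPLOIT-ATTEMPT",
    "this line is not in the expected format",
    "2022-11-25T09:03:00 action=deny src=203.0.113.5 dst=10.0.0.5 dport=445",
]

if __name__ == "__main__":
    for ticket in triage(SAMPLE_LOG):
        print(ticket)
```

Only an allowed connection to a high-risk port raises a ticket; a denied one is the firewall working as intended, and ticketing every block would bury the service desk in noise.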

Network Security

Your first step to understanding your firm’s network security is to find out which assets within your firm connect to the network. Your first reaction may be that only computers connect to your network, but you also need to consider every other device, such as security cameras, manufacturing equipment, servers, workstations, and thermostats. All of these devices need to be protected; otherwise, attackers may gain access to them.

There are a few methods you can use to secure these devices. One is to install antivirus software on susceptible devices. It’s also important to make sure all devices are up to date with current security patches and updates. Beyond the devices themselves, make sure applications such as Adobe, Google Chrome, Java, etc. are updated when necessary; these applications will generally notify you when an update is available. All servers and workstations should also be kept up to date. Furthermore, wireless networks should always be secured with passwords and user credentials, and a “guest” network should be enabled to segment firm assets from other connected devices.

Past employees may still have access to wireless networks if they know the password. In some buildings, wireless networks broadcast beyond the exterior walls, which allows anyone, including past employees, to try connecting without building access. Policies should be in place that properly address the exit of an employee, such as terminating the user account or, at minimum, changing the account password. This helps protect the firm against potential attacks on specific computers or files.

Ransomware

Ransomware attacks have become far more sophisticated, and hackers can target many firms at a time. Having regular backups performed is critical in navigating ransomware attacks. You will likely want daily backups so that, if a restore is necessary, you have the most recent data for restoration. It’s important to make sure hackers can’t access these backups if they successfully breach the network. Many companies use external hard drives to store backups. However, this isn’t always the most efficient or effective approach, because it is usually a manual process rather than an automated one.

For this reason, cloud backups are becoming increasingly popular: it is harder for attackers who have breached the network to reach a cloud backup. It can also be helpful to install software that alerts you when a backup fails; catching failed backups promptly is important for the safety of your firm’s data.

Incident Response Plans

Often, companies have recovery and incident response plans mainly to show their insurance companies that they have plans in place for potential threats. Recovery and incident response plans should be living documents that are updated as systems are updated, not pushed to the back burner and only thought of once a year. If you make changes in your network or change vendors, the document should be updated, and it should list the vendors to call if an incident does occur.

Password Security

Password policies can help secure your firm from outside attacks. Multifactor authentication is one of the most effective password protection methods. You can also enforce password complexity rules. Another safeguard is locking an account after a set number of incorrect password attempts.
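The two policy controls named above, complexity rules and lockout after repeated failures, as an added example (this is not Anders’ or Summit CPA’s code). The thresholds and the short list of disallowed passwords are constructed for the example; a production deployment would choose its own values and check a real breached-password list.

```python
"""Password complexity and account lockout: an added example, not Anders'
or Summit CPA's code."""
import re
import time
from collections import defaultdict, deque
from typing import Callable, List

# Constructed deny list standing in for a breached-password corpus.
DISALLOWED = {"password", "password123", "welcome1", "letmein", "qwerty123"}


def check_complexity(password: str, min_length: int = 12) -> List[str]:
    """Return the rule violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if password.lower() in DISALLOWED:
        problems.append("appears on the disallowed-password list")
    return problems


class ManualClock:
    """Clock that only moves when told to, so lockout expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    """Lock an account after max_failures failed attempts within window_seconds and
    keep it locked for lockout_seconds, even if the correct password is then supplied."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and start the failure count fresh.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def attempt(self, user: str, credentials_valid: bool) -> str:
        """Process one sign-in; returns 'locked', 'failed' or 'ok'."""
        if self.is_locked(user):
            return "locked"
        if credentials_valid:
            self._failures[user].clear()
            return "ok"
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(check_complexity("password"))            # three violations
    print(check_complexity("Ledger-Audit-2022!"))  # acceptable: []
    clock = ManualClock()
    guard = LoginGuard(max_failures=3, window_seconds=60, lockout_seconds=120, clock=clock)
    for _ in range(3):
        print(guard.attempt("alice", False))       # failed, failed, locked
    print(guard.attempt("alice", True))            # locked: correct password is refused
    clock.now += 121
    print(guard.attempt("alice", True))            # ok: lock has expired
```

The guard refuses a sign-in while the lock is active even when the credentials are right; that is the point of the control, since the password guesser may eventually land on the correct one. The injectable clock exists only so the expiry path can be tested deterministically.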

In addition to password security, VPNs can be used to offer remote access to a network. By using a VPN, companies can provide a secure connection from employee computers to the firm network. Tie VPN technology with multifactor authentication, and you have the best protection dynamic duo around.

Cybersecurity Training

If you have noticed that employees are continually clicking on malicious links, you can deploy cybersecurity training to help educate your employees on how to identify such links. Cybersecurity training can involve phishing simulations, cybersecurity awareness training, and reports generated based on training results.

Phishing simulation emails help determine which employees are struggling the most and may need additional training. To further motivate employees to learn about cybersecurity, you can offer incentives for reporting emails and make it a game of sorts for employees. For each reported email or completed training, employees could be entered into a drawing, for example.

Cybersecurity Insurance

Cybersecurity insurance is something I recommend. It allows you to place some of the financial burden associated with cyberattacks on your insurer for a monthly or yearly fee. Cyberattacks can quickly become expensive. In fact, Business News Daily says, “The research shows that, on average, small businesses can expect to pay $10,000 in professional services following a cyberattack. These services can include the hiring of IT security consultants, risk-management consultants, lawyers, physical security consultants, auditors and accountants, management consultants, and public relations consultants.”[2] That’s why insurance is generally well worth it.

Email Security

The Cybersecurity and Infrastructure Security Agency (CISA) released a statement suggesting that companies should evaluate the risk of using an in-house mail server after a string of vulnerabilities was identified and subsequently exploited. In-house mail servers are hard to protect, there are many vulnerabilities to stay on top of, and some of them are hard to patch. For this reason, it can be helpful to have a Microsoft-certified professional set up your mail configuration and move your mailboxes to Office 365.

On the topic of email security, make sure your employees are aware of safe email practices. Ask them to be cautious of emails coming from outside the firm and not to click on any attachments or links they weren’t expecting. Also, ask them to pay attention to any email addresses or signatures that seem out of place or incorrect, as these are often signs of a phishing email. It can also be helpful to disable email forwarding to prevent attacks from being passed on from one employee to another.

Email threat controls are important to keep your firm safe, and many are available. Spam filters can help prevent malicious emails from entering employees’ mailboxes in the first place. Tagging emails that come from outside the firm alerts employees to the potential risk. Just as on other platforms, multifactor authentication can keep your employees’ email safe. Furthermore, it is a great idea to configure DomainKeys Identified Mail (DKIM) as well as Sender Policy Framework (SPF) records for your domain.
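A sanity check for the SPF and DKIM records mentioned above, as an added example (this is not Anders’ or Summit CPA’s code). It applies the basic rules of RFC 7208 (SPF) and RFC 6376 (DKIM) to DNS TXT records passed in as strings. No DNS queries are made: the records below are constructed, and the DKIM key bytes are zero-filled placeholders of the right DER length rather than real keys. In practice you would fetch the TXT record at the domain apex for SPF and at `<selector>._domainkey.<domain>` for DKIM and pass those strings in.

```python
"""SPF and DKIM record sanity checks: an added example, not Anders' or
Summit CPA's code."""
import base64
import binascii
from typing import List

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records: List[str]) -> List[str]:
    """Return findings for a domain's TXT records (empty list = no problems found)."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append("more than one SPF record; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    lookups = 0
    for term in terms:
        # Strip the qualifier (+ - ~ ?) and isolate the mechanism/modifier name.
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated by RFC 7208")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; RFC 7208 allows at most 10")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record does not end with -all or ~all")
    return findings


def check_dkim(txt_record: str) -> List[str]:
    """Return findings for one selector's DKIM TXT record."""
    findings = []
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v tag, when present, must be DKIM1")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        findings.append(f"unknown key type {key_type}")
    if tags.get("t") == "y":
        findings.append("t=y testing flag is set; receivers may not enforce this key")
    if "p" not in tags:
        return findings + ["missing p tag"]
    if tags["p"] == "":
        return findings + ["empty p tag: key is revoked, signatures will fail"]
    try:
        key = base64.b64decode(tags["p"].replace(" ", ""), validate=True)
    except binascii.Error:
        return findings + ["p tag is not valid base64"]
    # Rough size heuristic: a DER-encoded 1024-bit RSA public key is 162 bytes,
    # a 2048-bit one is 294 bytes.
    if key_type == "rsa" and len(key) < 200:
        findings.append("RSA key looks shorter than 2048 bits; rotate to a 2048-bit key")
    return findings


# Constructed records. The key bytes are zero-filled placeholders of the right
# DER length, not real keys.
GOOD_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()
WEAK_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(162)).decode()
REVOKED_DKIM = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    print(check_spf(["v=spf1 include:_spf.example.com -all"]))   # []
    print(check_spf(["v=spf1 ip4:203.0.113.0/24 +all"]))         # '+all' finding
    print(check_dkim(GOOD_DKIM), check_dkim(WEAK_DKIM), check_dkim(REVOKED_DKIM))
```

The two findings that matter most in practice are a record ending in `+all`, which makes SPF meaningless, and more than ten lookup terms, which makes receivers return a permanent error and effectively disables SPF for the domain.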

Security Testing

One final measure you can take to protect your firm from cyberattacks is to invest in security testing. Penetration tests can be used to test whether attackers are able to break into your firm or whether adequate security controls are in place. The best evaluations will provide you with the potential vulnerabilities and risks found and the steps that can be taken to mitigate them. While the price tag can be quite steep, at an average of $12,000, they may be worth it to your firm if that number is affordable. If not, you can find out which factors are included in penetration tests and investigate for yourself whether your firm has taken appropriate precautions. Network assessments can also be deployed. These assessments should include an inventory review, an executive summary with an overview of potential risks to your network, a detailed report with potential solutions, and finally, a security assessment.

Conclusion

There are many important factors to consider when building a cybersecurity strategy. From firewalls to email security, it’s important to build a robust plan to secure your firm. When in doubt, I suggest turning to trustworthy agencies within your industry that can guide you on best practices. I hope this article has sent you down the right path to build a cybersecurity strategy for your firm. If you have further questions, reach out to me at jgotway@anderscpa.com.

1. Forbes: Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know
2. Business News Daily: The dangers of being the target of a cyberattack