If you’re concerned about cyber security best practices for employees and businesses but aren’t sure where to start, look no further—read on to find out the top nine ways to keep a business’s information safe and secure. (And if you aren’t concerned, reconsider!)
1. Conduct a thorough risk assessment
When it comes to information security, every industry has its own risks, and not all of them are obvious. A thorough risk assessment is the best way to surface them before an attacker does. A comprehensive assessment identifies the assets that matter, the current state of the company's security controls, the threat sources and vulnerabilities that could affect those assets, and the likelihood and impact of each threat, so that remediation can be prioritized accordingly. Common threats addressed in risk assessments include unauthorized access, misuse of information or privilege, data leakage or unintentional exposure of information, and loss of data. Not sure how to conduct a risk assessment? Start by assembling a risk assessment team that includes key stakeholders, then work through the National Institute of Standards and Technology (NIST) Guide for Conducting Risk Assessments (NIST Special Publication 800-30).
2. Secure your workplace networks
Wi-Fi networks used by employees should be encrypted with WPA2 or WPA3 and a strong passphrase (or, better, per-user credentials via WPA-Enterprise), and guest or visitor devices should be kept on a separate network. Hiding the network name (SSID) adds little protection: clients looking for a hidden network broadcast its name in their probe requests, so anyone listening nearby recovers it in minutes. If employees work remotely or access company data while traveling, require them to use a virtual private network (VPN), because traffic on public Wi-Fi can be observed or tampered with by anyone else on that network.
Home and office networks should also have a firewall. Whether it is a simple packet filter, a stateful inspection firewall, or a proxy firewall, its job is to block connections that no rule explicitly permits and to keep unauthorized outsiders from reaching internal systems and the company data stored on them. A stateless packet filter judges each packet in isolation; a stateful firewall tracks connections, so an inbound packet is allowed only if it belongs to a connection an internal host opened first; a proxy firewall terminates the connection itself and inspects the application-layer content. Firewalls also log and flag suspicious traffic, but they do not by themselves stop malware that arrives over a permitted channel such as e-mail or web browsing; endpoint protection is still needed for that.
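To make the difference between a stateless packet filter and stateful inspection concrete, here is an added example (not code from the original article) that runs both decision rules over a constructed four-packet trace; the 10.0.0.0/24 office range, the addresses and the flag notation are assumptions for illustration. The stateless rule mimics the `established` keyword of a classic router ACL, which only checks that the ACK bit is set, so a scanner that sends bare ACK packets gets through; the stateful filter only admits inbound packets that match a connection an internal host opened first.

```python
"""Stateless packet filter versus stateful inspection on a constructed packet trace.
Added example: the office range, addresses and packets below are made up."""
from dataclasses import dataclass

OFFICE_PREFIX = "10.0.0."   # assumed internal range for the example


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source TCP port
    dst: str      # destination IP
    dport: int    # destination TCP port
    flags: str    # TCP flags present, e.g. "S" (SYN), "SA" (SYN+ACK), "A" (ACK)


def is_internal(ip: str) -> bool:
    return ip.startswith(OFFICE_PREFIX)


def stateless_decide(pkt: Packet) -> str:
    """Classic stateless ACL. Outbound is allowed. Inbound is allowed only if the packet
    'looks like' part of an existing connection, i.e. the ACK bit is set (this is what the
    `established` keyword of a traditional router ACL checks). The filter has no memory."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "allow"
    if not is_internal(pkt.src) and is_internal(pkt.dst) and "A" in pkt.flags:
        return "allow"
    return "drop"


class StatefulFilter:
    """Stateful inspection: remember connections opened from inside and admit only the
    inbound packets that belong to one of them, regardless of what flags they carry."""

    def __init__(self) -> None:
        # (internal ip, internal port, external ip, external port) per tracked connection
        self.connections = set()

    def decide(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if "S" in pkt.flags and "A" not in pkt.flags:   # outbound SYN opens a connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if key in self.connections else "drop"
        return "drop"


# Constructed trace: one legitimate HTTPS session, then two unsolicited probes from outside.
TRACE = [
    Packet("10.0.0.5", 51000, "198.51.100.20", 443, "S"),     # workstation opens HTTPS
    Packet("198.51.100.20", 443, "10.0.0.5", 51000, "SA"),    # the server's SYN-ACK reply
    Packet("203.0.113.9", 40000, "10.0.0.5", 3389, "A"),      # ACK scan probing RDP
    Packet("203.0.113.9", 40001, "10.0.0.5", 445, "S"),       # unsolicited SYN to SMB
]


def stateless_decisions(trace=TRACE) -> list:
    return [stateless_decide(p) for p in trace]


def stateful_decisions(trace=TRACE) -> list:
    fw = StatefulFilter()
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    print("stateless:", stateless_decisions())   # the ACK scan is let through
    print("stateful: ", stateful_decisions())    # only the real reply is admitted
```

The third packet is the instructive one: it carries an ACK bit but belongs to no connection, so the stateless rule admits it and the attacker learns that port 3389 is reachable, while the stateful filter drops it because nothing inside ever talked to 203.0.113.9.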
3. Back up your data
Regularly back up all company data on employees' computers, and don't forget about data held in cloud services: a provider keeping your service running is not the same as keeping a restorable copy of your data, and accidental deletion, ransomware, or a compromised account can destroy cloud data just as easily as local data. Note also that containers are not virtual machines: they share the host's kernel and are typically short-lived, so any data that lives only inside a running container is lost when the container is replaced unless it is written to persistent storage that is itself backed up.
The U.S. Small Business Administration (SBA) recommends backing up word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Store backups in a safe place, preferably outside of the office, and keep at least one copy offline or otherwise unreachable from the production network, so that ransomware that encrypts your systems cannot also encrypt your backups. A backup that has never been restored is untested; schedule periodic restore drills and check that the restored files actually open.
4. Practice the principle of least privilege (POLP)
Applying the principle of least privilege means that employees are granted only the access they need to do their jobs, and no more. Assigning the correct privileges keeps employees from reaching systems or data outside their job functions. This limits damage in two ways: an employee, whether careless or malicious, can only affect the data they were actually granted, and if an employee's credentials are stolen, the attacker can only reach what that particular user could reach. The same rule applies to service accounts and applications, which are often over-privileged because nobody revisits what they actually use.
5. Monitor user data and activity (while maintaining employee privacy)
Some users in the company will need access to more data than others. Consider the use of privileged access management tools to prevent “privilege creep,” the gradual accumulation of access rights beyond what an individual needs to do his or her job. Consistently check how many users have privileged access to sensitive data, monitor their activity, and decide whether each person’s level of access is necessary for their job functions. Check out Capterra's list of top privileged access management software.
With effective user behavior monitoring, suspicious user activity can be flagged, identified, and investigated. Monitoring can also reveal when users are uploading sensitive data to personal or public cloud storage, or otherwise putting company data at risk. Balance this against employee privacy: collect only what the monitoring actually needs, pseudonymize user identifiers in the analysis pipeline so that analysts see a token rather than a name and re-identification requires a deliberate, logged step by a restricted set of people, and tell employees plainly what is monitored and why. Fully anonymized data cannot be investigated, so pseudonymization rather than anonymization is usually the right goal.
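As an added example (not part of the original article), the following Python puts the two monitoring ideas above into code over constructed data: a privilege-creep review that flags privileged roles unused for 90 days, and a detection that flags large uploads to personal cloud storage in web-proxy logs. User identifiers are pseudonymized with a keyed hash so the findings can be reviewed without names, and re-identification is a separate function that requires the key. The log format, the hosts on the watchlist, the key, and all users and dates are made up for the example.

```python
"""Privilege-creep review and public-cloud-upload detection over constructed logs,
with pseudonymized user identifiers. Added example: every record below is made up."""
import hashlib
import hmac
from datetime import date

PSEUDONYM_KEY = b"example-key-keep-this-in-a-vault"   # hypothetical secret held by the privacy owner
TODAY = date(2024, 3, 31)                             # fixed so the example is deterministic
STALE_DAYS = 90                                       # unused this long => review the privilege
UPLOAD_THRESHOLD = 10 * 1024 * 1024                   # 10 MiB in one request


def pseudonym(user: str) -> str:
    """Keyed hash of the username: stable for one key, not reversible without it."""
    return hmac.new(PSEUDONYM_KEY, user.lower().encode(), hashlib.sha256).hexdigest()[:12]


def reidentify(token: str, directory):
    """Controlled re-identification: needs both the key and the user directory.
    In practice this step is restricted to a few people and logged."""
    for user in directory:
        if hmac.compare_digest(pseudonym(user), token):
            return user
    return None


# Constructed entitlements: (user, privileged role, date the role was granted)
ENTITLEMENTS = [
    ("alice", "db-admin", date(2023, 1, 10)),
    ("alice", "payroll-read", date(2022, 6, 1)),
    ("bob", "db-admin", date(2023, 11, 20)),
    ("carol", "aws-prod-admin", date(2024, 3, 1)),
]
# Constructed usage records: (date, user, role actually exercised)
ROLE_USAGE = [
    (date(2024, 3, 29), "alice", "db-admin"),
    (date(2023, 9, 2), "alice", "payroll-read"),
    (date(2024, 2, 14), "bob", "db-admin"),
]


def privilege_creep(entitlements=ENTITLEMENTS, usage=ROLE_USAGE, today=TODAY, stale_days=STALE_DAYS):
    """Flag (pseudonym, role, idle_days) for privileges not exercised in stale_days.
    A privilege never used is aged from its grant date; one granted less than
    stale_days ago is too new to judge and is skipped."""
    last_use = {}
    for used_on, user, role in usage:
        if (user, role) not in last_use or used_on > last_use[(user, role)]:
            last_use[(user, role)] = used_on
    findings = []
    for user, role, granted in entitlements:
        if (today - granted).days < stale_days:
            continue
        idle = (today - last_use.get((user, role), granted)).days
        if idle >= stale_days:
            findings.append((pseudonym(user), role, idle))
    return findings


# Constructed web-proxy log (key=value format assumed for the example)
PROXY_LOG = """\
2024-03-30T09:12:44Z user=bob method=GET host=intranet.example.com bytes=1532 status=200
2024-03-30T09:40:01Z user=alice method=PUT host=drive.google.com bytes=52428800 status=200
2024-03-30T10:02:17Z user=carol method=POST host=www.dropbox.com bytes=2048 status=200
2024-03-30T11:15:09Z user=bob method=POST host=files.pcloud.com bytes=734003200 status=201
2024-03-30T11:16:40Z user=dave method=PUT host=drive.google.com bytes=8000000 status=403
"""
# Constructed watchlist of personal file-sharing services (not sanctioned company storage)
PERSONAL_STORAGE_HOSTS = {"drive.google.com", "www.dropbox.com", "files.pcloud.com"}


def parse_proxy_line(line: str) -> dict:
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    rec["bytes"] = int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def large_uploads_to_personal_storage(log_text=PROXY_LOG, threshold=UPLOAD_THRESHOLD):
    """Flag (ts, pseudonym, host, bytes) for successful uploads of at least threshold
    bytes to a watchlisted host. Blocked requests (non-2xx) are not counted as exfiltration."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_proxy_line(line)
        if (r["method"] in ("PUT", "POST") and r["host"] in PERSONAL_STORAGE_HOSTS
                and r["bytes"] >= threshold and 200 <= r["status"] < 300):
            findings.append((r["ts"], pseudonym(r["user"]), r["host"], r["bytes"]))
    return findings
```

Both functions return tokens, not names: a reviewer can act on "payroll-read unused for 211 days" or "700 MB posted to a personal file-sharing host" without knowing who, and only the holder of `PSEUDONYM_KEY` can call `reidentify()` once a finding is confirmed worth pursuing.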
6. Take password precautions
Encourage, or better yet require, employees to create strong passwords, and provide a password manager so that long, unique passwords are practical rather than a burden. At a minimum, a strong password has:
● 10 characters or more
● At least one uppercase letter
● At least one lowercase letter
● At least one number
● At least one special character
Length matters far more than character variety: a passphrase of several unrelated words is stronger and easier to remember than a short string that merely ticks each box above, and current NIST guidance (Special Publication 800-63B) favors length and screening new passwords against lists of known-breached passwords over rigid composition rules. Employees should never reuse a password across accounts, because a password stolen from one site is immediately tried against every other. Add multi-factor authentication wherever it is available: a one-time code from an authenticator app or a hardware security key is preferable to a code sent by SMS or e-mail, which can be intercepted or redirected, but any second factor is far better than none.
Scheduled password expiration is no longer considered a best practice: forced periodic changes push users toward predictable variations of the old password, and NIST SP 800-63B recommends against them. Instead, require a change when there is evidence of compromise, for example when a password turns up in a breach or a phishing incident is confirmed, and enforce the requirements above at the moment a password is set. When an employee with access to sensitive data leaves the company, disable their accounts promptly and rotate any shared credentials, keys, or service account passwords they knew.
7. Loop in (and keep an eye on) third-party contractors
Confirm that subcontractors and freelancers used by the business know and follow the company's cyber security policies, and monitor their activity as you would employees'. Third-party access carries the same insider risk as employee access, and it also gives attackers another way in: a contractor's compromised laptop or account becomes a path into your systems. To reduce these risks, give third parties their own named accounts rather than shared logins, scope their access to the specific systems the engagement requires, make it time-limited, and revoke it the day the contract ends.
8. Establish, document, and distribute the company’s cyber security policies
After considering all of the above best practices, decide what is relevant for your business and employees, then draft a cyber security policy to be distributed to everyone at the company. It’s also important to review and maintain the policies on a regular basis.
Cyber security policies may be as brief as one page or as long as a full guidebook with its own glossary. Need a little guidance? The SANS Institute offers free information security policy templates.
9. Hold training sessions to educate employees on cyber security best practices
It's unrealistic to expect employees to set aside time to read the documents describing the business's cyber security policies, and trying to interpret a document full of unfamiliar terms and jargon can lead to more confusion than understanding. Conduct training in small groups to encourage questions and discussion, so that all employees have a solid grasp of why information security matters in the workplace and what is expected of them. Not sure where to start? You can find information about free employee training and awareness on the U.S. Department of Homeland Security website.
Managing a business in the digital age doesn't come without risks, but following these best practices for information security will substantially reduce the risk to your company's data. No set of controls eliminates risk entirely, which is why the assessment, access reviews, and training above need to be repeated regularly rather than done once.
Looking to make a career out of securing the global landscape? Norwich University offers an online Bachelor of Science in Cyber Security designed with working adults in mind.