22 things you can do right now to lower your cyber risk

In my book “Small Business Cyber Security, your customers can trust you… right?” I outline 22 things you can do to reduce your cyber risk right away.

Reading a whole book is so 2016.  Let’s just give you the stuff you need now, and if you feel like reading 150 pages of well formed words and phrases later, you can do that.  You’re your own boss after all.

This list will tell you what NIST Framework functions it helps with followed by my suggestion and explanation.

1 <Identify Protect Detect>

Consider outsourcing your security to a security provider.

You can either be an expert in cybersecurity or an expert in what your company does. You have a CPA, and you have a lawyer. You should also have a managed service provider.

2 <Identify>

Have a master list of the inventory of your devices.

You can’t protect what you don’t know you have.

3 <Identify>

Understand your business model so you can prioritize initiatives. Then act.  Don’t boil the ocean. You can’t do it all today. A lot of these things won’t cost extra money. Do those things first.

4 <Identify>

Know your data and your customers’ data and how they are used. Set a policy on what data is important to you. Track where it is, and make sure you know who’s using it and where they’re using it.

5 <Protect>

Use encryption on your wireless access points.

Make sure you enable encryption inside your wireless access points.

6 <Protect>

Hide your service set identifier (SSID).

Check the box to hide your SSID. This is the name of your wireless device that you see when you’re trying to connect to a Wi- Fi network. This will mean you will have to type the Wi-Fi name to connect to it.

7 <Protect>

Disable access from outside network.

If your router (wired or wireless) has a Web management interface, disable access from the outside network. And change the admin default password now. Most routers have the ability to do both quite easily. You don’t want anyone else coming in and changing your settings or reading your log files.

8 <Protect>

Use antivirus software and antispyware protection.

Make sure all of your PCs use antivirus software, and if you’re using Windows, add antispyware protection. This seems obvious, but it bears restating. While you are at it, check to make sure that all of your antivirus subscriptions are current. Anything out of date won’t do you any good.

9 <Protect>

Use remote web hosting.

For people without an IT background, it is complicated and risky to host your own web services. It is much safer to host it on Amazon, Google, or some other reputable service provider. Make sure you pay the extra money to enable the security features from these services.

10 <Protect>

Move your file hosting to a cloud provider.

Having a local file server is risky. You have to worry about physical security, fires, and people getting access to it manually. Online data storage is cheap, affordable, and highly reliable. Only store things locally if you have concerns about your Internet connection.

11 <Protect>

Disable file/ print sharing on everything other than your file server.  File and print sharing is a setting on all Windows devices that helps two computers communicate to each other and share files easily. With today’s technology, this sharing is often not needed. This is a tool that malicious people on your network will use to access confidential documents.

12 <Protect>

Use whole disk encryption on all laptops and computers.

Purchase a software product that encrypts hard drives before the operating system is even started. This will keep someone who steals a laptop or computer from using any operating system exploits to bypass username and password.

13 <Protect>

Start doing regular offsite backups now.

All it takes is a spilled drink on your laptop to lose everything. Life happens. Backup your stuff today. Use a cloud backup provider, such as Carbonite or Google.

14 <Protect>

Encrypt your data at rest, in transit, and where it is consumed.

Your data is everything. Make sure you encrypt it wherever it happens to be. This means use SSL everywhere. You can purchase SSL certificates from your web service provider.

15 <Protect>

Don’t forget physical security for your hardware.

It’s a lot easier for someone to steal a de- vice than to reach out across the Internet and touch you. Don’t make it easier. Lock things up.

16 <Protect>

Segment your network.

Offer a guest network for Wi-Fi and a private network.

17 <Protect>

Educate your employees through cybersecurity training.

The number-one security threat you will face is your employees. Invest in training programs offered by third parties.  For example, train them how to detect a phishing attack and best practices once they detect one.

18 <Protect>

Consider using two-factor authentication.

Passwords don’t protect anything. Use a second form of identification, such as a cryptographic key or a phone app.

19 <Protect>

Patch your infrastructure.

This is the number-one thing you can do to protect yourself. Microsoft has wonderful automated patching tools. Enable all automated patching for all software. The good far outweighs the bad with this.

20 <Detect>

Know who is on your network.

Your routers have logs that tell you who has been on your network from time to time. You should look at these to see if the devices on your network match the devices you trust. For extra safety, you can even define what devices are allowed to connect to these routers.

21 <Respond>

Have policies in place for BYOD.

If you do BYOD, create policies on how you handle data on those devices and consider implementing a software product to enforce those policies.

22 <Respond Recover>

Create a plan on what to do if your data or your customers’ data is compromised.

Make a plan on how to react before something goes wrong. Chances are, you’ll need help with this. Find out what your customers are expecting.

If you have any questions or need some help, book some time with me for a chat.

Don’t want to talk to a person just yet?  Start with this self paced online course.

Adam Anderson

Adam Anderson is the author of Built to Survive: A Business Person's Guide on How to Recover and Thrive After a Cyber Attack. Adam’s 15 years of entrepreneurial startup experience and his knowledge Enterprise Cyber Defense gives him a window into what’s wrong with communication between large and small companies. He combined this knowledge and the good works from the National Institute of Standards and Technology’s Cyber Security Framework to co-author the book “Small Business Cyber Security”. This book was later turned into an online class by Clemson University. Adam has been active in peer advisory boards for small business CEOs. He took this experience and co-founded a peer advisory board for Chief Security Officers of fortune 500 companies. This mix of small and large businesses has positioned Adam as one of the few people in the world to understand the complete supply chain of cyber security.
Posted in