It’s Cybersecurity Awareness Month—that time of year when we should all pause to take stock of our organization’s security. Whether you have a strong cybersecurity foundation or are just beginning your cybersecurity journey, you should be continuously strengthening your cybersecurity to counter today’s threats! Organization who already have managed IT services have a strong head start, but unless you have a concierge-style package or contract these services as an add-on, your internal team is still responsible for several areas of cybersecurity management and policy development. In this blog, we’ll share three commonly overlooked cybersecurity management and policy gaps, as well as advice for quickly filling these security holes. Keep in mind that these policy recommendations are first steps that deliver quick reductions in risk, but these are not comprehensive security policies. If you need more advanced risk assessment and policy development, contact us for customized advice or a risk assessment.
Three Common Cybersecurity Management and Policy Gaps
- Vendor and partner supply chain security management policies. Cybersecurity extends beyond your organization’s walls. The security of your vendors and supply chain partners can significantly impact your own security posture. According to the Identity Theft Resource Center, there were 40% more supply chain security attacks than malware attacks last year. Criminals know that most organizations are connected to Software as a Service (SaaS) providers (such as Microsoft 365), cloud environments, as well as vendor any partner systems for any number of functions from data acquisition to billing. These criminals are now commonly attacking big and small organizations and leveraging that access to infiltrate connected partners and vendors in supply chain attacks. What cybersecurity management and policy changes can you put in place to counter these attacks? Here are two quick ways you can strengthen your supply chain security:
- Change your contracts to add cybersecurity standards and notification clauses. Create minimum security standards and requirements for all of your suppliers (and even their suppliers) with access to any of your sensitive information or systems. You can also ask suppliers for a copy of their recent penetration test results which will provide insights into their security strengths and weaknesses. In addition, you should also require your vendors and partners to report any suspected breaches of their data within two weeks of uncovering the issue. You can roll these changes out as contracts renew or notify vendors now, so they have time to prepare.
- Make a list of vendors with access to your sensitive data or environments and be aware of what information could be exposed if they are breached. You can then better understand your risk and any reporting responsibilities if there is a data breach.
- Mobile device cybersecurity management and policy guidance for employees. With an estimated ¾ of employees that work remotely at least part of the time, it’s likely that your team will use a work supplied or personal mobile device to sign onto your network. While developing mobile security policies can be quite complex, you can get started and begin reducing your risk with a few easy policies and then grow your policies over time. Here are a few starting points:
- Develop policies for mobile device use and explain the security risks to employees. You may need to have separate policies for BYOD phones and work phones if employees have both. If your employees use their own phone for work (called BYOD), keep in mind that you can still ask them to follow some simple rules or require that they only access your organization’s environment from a more secure device (if you have stronger laptop security).
- For work devices, vet and create a limited list of the apps employees are allowed to download. This can prevent quite a few risky installations. For personal phones, remind employees that unsafe apps can lead to a damaging data breach for your organization and ask them not to save or store work passwords or access your organization’s systems or information on their personal devices.
- Consider using Mobile Device Management (MDM) software to enforce security policies and provide data encryption for work devices. This level of control may not be acceptable to employees on their personal devices, so consider restricting personal device use.
- Teach your employees how to recognize and avoid mobile phishing attacks. Use cybersecurity awareness training to promote safe user habits including regular password updates and suggest they only use secure connections or VPNs.
- Enhance Employee Cybersecurity Training. Employees can be your biggest cybersecurity risk OR your first line of cybersecurity defense, depending on how you train them and the culture you create within your organization. According to the FBI, phishing was the top crime type by victim count last year. Cybercriminals often target employees through phishing and social engineering attacks, and you want your employees to be your first line of defense against cyberattacks. You should strengthen your organization’s cybersecurity by investing in ongoing employee cybersecurity training. If you have our Cleartech Group Advanced Security Add-ons that includes cybersecurity awareness training, you are in great shape with the basics such as passwords managers, phishing testing, training, technical screening, and more, but there is still more you can do. If you don’t have cybersecurity awareness training in place for your employees, you should start immediately.
- Create a culture of security. Foster a culture of awareness where employees understand their role in protecting sensitive data and company resources. Ensure employees know that reporting mistakes quickly can dramatically reduce the damage from an attack. Never punish employees for mistakes or reporting an issue; always praise them so your team feels comfortable reporting incidents.
- Conduct regular cybersecurity awareness training sessions. Organize periodic training sessions that cover topics such as recognizing phishing attempts, safe web browsing practices, password security, mobile phone security and more.
- Use simulated Phishing Exercises. Conduct simulated phishing exercises to gauge employees’ awareness levels and their ability to identify phishing emails. This gives them real world experience and helps you assess your risks and training needs.
- Publish simple reporting procedures and contacts. Ensure that employees are aware of the proper channels for reporting security incidents or suspicious activities.
Cybersecurity Awareness Month is an excellent time to assess and strengthen your defenses, but cybersecurity should be a year-round priority. We hope you found cybersecurity management and policy development tips helpful. While the solutions above are not comprehensive, these quick but effective measures will not only protect your data but also quickly lower your risk. Please contact us if you would like more information on our managed IT services or supplemental risk assessments, policy development support, or strategic guidance.