8 cyber preparedness best practices for businesses


Are your business clients absolutely certain they’re protected against a cyberattack? (Photo: iStock)

Cyberattacks may be the greatest threat to organizations in the 21st century. 

All businesses may be vulnerable, regardless of size or sector, public or private. Cybercriminals won’t ignore a company with a smaller market cap or fewer employees. They cast a wide net, and they don’t discriminate.

Your business clients are likely aware of the landscape — cyber extortion/ransomware attacks like WannaCry and Petya/NotPetya are just a couple of high-profile cyberattacks. But, awareness may not be enough for a client that doesn’t truly know how to protect their company’s assets.

Are your business clients absolutely certain they’re protected against a cyberattack? Will their people, processes and technologies protect their brand, without exception? If so, read no further.

For all those “imperfect” organizations out there, we have some advice: They can increase their cyber risk resilience with proper preparation.

Here, then, are eight best practices to help clients truly prepare for and protect against a cyberattack.

Tip 1: Inventory systems. Do your clients know what software and hardware is connected to their network? Is anything out of date, or out of service and no longer receiving updates? Such systems can be a way in for cybercriminals: attackers will likely know exactly how to exploit them, and that the target can’t fix them. Businesses should regularly take inventory of every asset, application and piece of software connected to their infrastructure. Anything out of date or unused should be removed immediately.

Tip 2: Maintain and manage software. Generally, when a software company sends out a patch, it means there is a vulnerability in its product — one that, without the patch, cybercriminals might exploit. Depending on how many assets a business has, updating and testing can take anywhere from hours to months; during that time, the system remains vulnerable. Businesses must define a process, then, to ensure patches are applied promptly. This is part of limiting software’s attack surface — the areas where vulnerabilities lie — or “hardening” the business’ systems.
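As an added illustration of Tips 1 and 2 (not code from the article or from AIG), the following Python script reviews a constructed asset inventory and flags anything unused, out of vendor support, or still waiting on a released patch; the hosts, dates and the 14-day patch window are assumptions.

```python
from datetime import date

# Constructed sample inventory (hypothetical hosts, not taken from the article).
#   supported_until: vendor end-of-support date (None = still supported)
#   latest_patch:    release date of the newest vendor patch (None = none pending)
#   patch_applied:   date that patch was installed (None = not installed)
INVENTORY = [
    {"host": "web-01", "software": "web server 2.4", "in_use": True,
     "supported_until": None, "latest_patch": date(2024, 6, 3),
     "patch_applied": date(2024, 6, 5)},
    {"host": "erp-legacy", "software": "ERP 9 (vendor retired)", "in_use": True,
     "supported_until": date(2023, 1, 31), "latest_patch": None,
     "patch_applied": None},
    {"host": "print-srv", "software": "print spooler 1.0", "in_use": False,
     "supported_until": None, "latest_patch": date(2024, 4, 1),
     "patch_applied": None},
]

# Assumed date of the review run, so results are reproducible.
REVIEW_DATE = date(2024, 7, 1)


def review_inventory(inventory, today, max_patch_delay_days=14):
    """Return {host: [reasons]} for every asset that needs action."""
    findings = {}
    for asset in inventory:
        reasons = []
        if not asset["in_use"]:
            reasons.append("unused: decommission and remove from the network")
        eos = asset["supported_until"]
        if eos is not None and eos < today:
            reasons.append(f"unsupported since {eos}: no longer receives updates")
        released, applied = asset["latest_patch"], asset["patch_applied"]
        if released is not None and (applied is None or applied < released):
            exposed = (today - released).days  # window during which the flaw is known
            overdue = " (overdue)" if exposed > max_patch_delay_days else ""
            reasons.append(f"patch pending {exposed} days{overdue}")
        if reasons:
            findings[asset["host"]] = reasons
    return findings


def run_review():
    return review_inventory(INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for host, reasons in run_review().items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```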

Tip 3: Regularly scan the environment. Cybercriminals constantly scan the internet to find potential targets, and businesses should do the same. By scanning their infrastructure, they can identify and eliminate previously unknown exposures. Large organizations in particular may not be able to inventory the countless assets that connect to their main infrastructures. Regular scans can uncover a new web server or different software even at remote sites.

Tip 4: Implement a user security policy. Employees are, arguably, a company’s best asset. But they can also be its weakest link. Employees are the ones, after all, who share passwords over social channels, click on shady or suspect links and visit unauthorized sites. Their poor choices will render even multimillion-dollar security technology ineffective. And criminals know this, targeting employees through phishing and other scams. To help reduce the vulnerabilities introduced by human error, companies should manage endpoints like laptops and smartphones, and leverage antivirus software and a secure configuration policy that eliminates high-risk actions.

Tip 5: Follow the principle of “least privilege.” It’s convenient to give everyone in an organization access to everything, but businesses can’t do that without exposing themselves to risk. To follow the principle of least privilege, businesses would grant employees just enough user rights to do their jobs. To gain more access, employees would be required to authenticate themselves. Here, an identity and access management system can help, ensuring that the right individuals have access to the right resources at the right times and for the right reasons.

Tip 6: Implement network security solutions. Antivirus software is like a flu shot: It’s not 100 percent effective (not all attack signatures are known), but something is better than nothing. In addition to antivirus, businesses should consider monitoring their networks 24/7 and implementing third-party DDoS protection. Companies should also develop a strategy for end-to-end data encryption to protect the information their data contains.

Tip 7: Properly segment networks. To limit an attack’s damage, businesses must identify their most critical assets and data, separate them from less critical assets and implement strict access control. This is akin to a speed bump: Segmenting an organization’s network may not stop an attack, but it could slow it down.

Tip 8: Ensure backup-and-recovery capabilities. In the event of a cyberattack — especially one involving a virus or ransomware — businesses should have a literal backup plan. System downtime can be expensive — mere minutes could cost thousands of dollars. It’s essential, then, for businesses to implement a policy for backing up and recovering data and to invest in tools that automate regular backups and enable data recoverability testing.

Bonus tip: Insure your losses. Cyber insurance can play a key role in cyber preparedness. Generally, this risk transfer approach should be used in conjunction with all the controls and processes offered here. No protection is perfect, after all, and should a sophisticated attack render your client non-operational, they’ll need a way to offset the associated costs. To get started with a customized insurance policy, a business will need to provide a complete and truthful picture of its vulnerabilities. Only then can a carrier properly perform risk quantification and pricing, and the business be confident it has protected itself at every point.

By choosing a carrier with cyber risk underwriting, you’ll be able to offer clients transparency. Look for a carrier offering innovative loss prevention tools and cyber consulting.

Vulnerability to breaches and other cyberattacks may be the price of doing business in the 21st century: Successful mitigation and cyber risk resilience begins when a business acknowledges this fact and does all it can to prepare for the inevitable. Remember: It’s not if a cyberattack occurs, it’s when. Businesses that embrace this reality and prepare early may find themselves a step ahead of the bad guys.

For more information on cyber preparedness and risk consulting services, please visit www.aig.com/cyberriskconsulting.