Your company is on the move this year.
Unfortunately, so are the bad guys — the malicious actors probing your company’s IT security defenses for weaknesses. If you’re not careful, they’ll succeed.
How can I make my business more secure? Take these 20 security measures now to protect your assets in 2020 and beyond.
1. Invest in a Comprehensive Cloud Backup Solution
Start with the basics. If you haven’t yet invested in an Office 365 backup solution — or other comprehensive solution that accommodates your business needs — then 2020 is the year to finally get it done.
Why invest in a comprehensive cloud backup solution? Because, in so many words, you can’t predict the future. Frequently backing up your company’s sensitive files and programs to a secure cloud storage locker is essential to manage and mitigate such risks as:
- Data loss due to fire, earthquake, or other physical disruption at your place of business
- System corruption due to malware attack
- System lockout due to ransomware attack
If and when you no longer have full access to uncorrupted company data, you’ll be glad you had cloud backup.
2. Upgrade Your Anti-Malware Suite
Your company can’t afford a second-rate anti-malware suite — no matter how good the deal looks on paper. Upgrade to a best-in-class solution that delivers commercial-grade protection at every turn, and settle for nothing less.
3. Understand Your Firewall Options
How much do you know about system firewalls?
If you’re like most non-technical business owners or executives, the answer is some variation of “painfully little.” If your life depended on it, there’s a good chance you couldn’t define “firewall” in 50 words or less.
Welcome to the club. The first thing you need to know about being a member: You don’t need to become an expert in the ins and outs of firewalls. That’s for your IT security team. From you, a basic, high-level understanding will do.
You do need to know more than you know right now, though. And you’ll get there, easy enough if you put in the work. You’ve surmounted far more difficult challenges to get to this point in your career.
4. Hire a CISO Who Knows a Thing or Two
Does your company have a Chief Information Security Officer?
If the answer is “no,” it’s well past time to hire one. In 2020, no medium-sized enterprise’s C-suite is complete without one.
What should you look for in your next (or, more likely, first) CISO? In short, someone who’s been around the block — who’s made a career anticipating and resolving IT security threats, and who remains at the top of their game. Someone who can help you peer around the corner and address potential threats before they become crises.
5. Purchase a Best-in-Class Virtual Private Network Solution
If you’re not familiar with the ins and outs of firewalls, there’s a good chance you don’t know much about virtual private networks (VPNs) either.
That’s okay. You’re in good company, again.
The nice thing about virtual private networks is that they’re much easier to understand than firewalls. Or, for that matter, most other network security concepts.
When you use a virtual private network, your Internet traffic travels through an encrypted tunnel to the VPN provider’s server and exits from there, so to outside observers it appears to come from a network totally separate from your corporate one. The VPN server has its own IP address and everything.
The leading VPN providers have hundreds of encrypted servers, each with their own IP addresses, in dozens of countries around the world. It’s not difficult for non-technical people to see the utility here. For instance:
- A VPN allows you to mask the geographical origin of your traffic, which is useful if you want to appear as if you’re in another jurisdiction or access content that would normally be off-limits to people in your jurisdiction.
- A VPN provides an extra layer of encryption on your web traffic, making it difficult for bad folks to see what you’re doing online.
- A VPN keeps you safe from governments that might not like what you’re doing online, although even the best VPNs aren’t totally foolproof in this regard.
Some VPNs are free, but don’t be tempted. Free VPNs usually come with strings attached, like sharing your data with advertisers or governments. Some may even stealthily load spyware onto connected devices, infecting your corporate systems and creating a problem worse than the one you’re trying to solve.
So, get a VPN — but make sure it passes the smell test.
6. Upgrade to Fireproof Storage for Physical Files
Your cloud backup provider uses a host of security measures to keep the servers housing your digital data safe. This includes anti-fire measures that dramatically reduce the risk of a catastrophic conflagration.
Why should your physical storage be any different? Upgrade to fireproof file cabinets and safes, and take the opportunity to evaluate your building’s fire defenses. If your sprinkler system isn’t working, for instance, lean on the property manager to fix it (or fit it yourself if you own the place). If they’re not willing to do so, start looking for another location.
7. Lock Your Company’s Crown Jewels in a Safe
This is physical security 101, but don’t laugh. Many, many organizations fail to keep their crown jewels under lock and key.
No, a locked filing cabinet doesn’t count. We’re talking “hardened safe” territory, here.
“Crown jewels” mean different things to different executives, of course. You’ll need to determine exactly what deserves extra protection, probably in consultation with your corporate board and security personnel.
One type of information that immediately comes to mind, though, is intellectual property. If your company would suffer irreparable harm from the loss or public dissemination of trade secrets or other proprietary information, it needs to be accessible to as few individuals as possible — which means it must be kept offline, in a hardened safe or lockbox.
8. Institute Keycard Access at Your Headquarters and Branch Offices
You should know exactly who has access to your headquarters and branch offices at all times. Better yet, you should know exactly who’s inside your headquarters and branch offices at all times — or, more realistically, have easy access to that information.
Keycard access is the most practical means of turning this necessity into a reality. For best results, work with an outside security consultant to develop a comprehensive access-control plan that doesn’t unduly restrict the free movement of employees, clients, and goods.
9. Harden Physical Security at Server Locations You Control
This is another aspect of physical security 101 that, unfortunately, many business leaders fail to take seriously.
The importance of controlling access to your headquarters and branch offices may actually be secondary to hardening premises containing your company’s servers. It’s much easier for a single bad actor to wreak havoc after gaining entry to your server housing, perhaps by cutting the power or manually disabling or destroying servers themselves.
Many smaller organizations don’t directly control the locations at which their servers reside — they use colocation services or third-party cloud storage providers for all their data storage needs. These service providers typically have best-in-class physical security measures in place. Your objective with regard to your own servers is to mirror those measures to the extent practicable.
10. Thoroughly Understand Your Cloud Vendors’ Physical Security Protocols
On the matter of cloud storage, it’s imperative that you understand the precautions that your service providers take to keep your data (and their physical premises) safe.
This is also the case for other cloud vendors not directly involved in data storage (except as necessary to perform their functions). Countless hacks and breaches are caused by lapses in third-party cloud vendors’ data security practices. You’re well within your rights to refuse to work with vendors that don’t take security and privacy as seriously as they should.
11. Use Two-Factor Authentication for All Company Accounts
Two-factor authentication is the practice of using two credentials for account access. It’s the single easiest step you can take to enhance data security across your organization, and it demands virtually no sacrifice from your team.
Usually, one credential is a traditional password. The other may be a biometric marker, such as a fingerprint, or a unique code sent to the user’s phone or email account during a login attempt. The nature of the credentials is less important than the objective: to stymie malicious individuals who gain access to stored passwords.
12. Change Passwords Regularly, Even If There’s No Sign of a Breach
Even with two-factor authentication, password protection is vital. Require employees to change their passwords at least once per month, even if there’s no sign that anything is amiss. You never know when a critical credential will fall into the wrong hands, but the risk increases with every day that goes by.
13. Institute a Companywide Policy of Minimum Necessary Permissions
You wouldn’t give your 12-year-old the keys to your coupe. They don’t know how to drive and aren’t mature enough to learn, even if you wanted them to.
So, then, why would you give the passwords to your company’s financial accounts to a junior accounting staffer?
You wouldn’t, because they have no business accessing those accounts. That’s your CFO’s job, and perhaps one or two senior lieutenants. No one else.
Your entire credentialing and permissions-granting process should follow suit. Allow only those whose jobs entitle them to access critical information to, well, access that critical information. If and when there’s a breach that you suspect comes from within, you’ll have far fewer suspects to weed out.
14. Don’t Give Everyone All the Keys to the Kingdom
This is the logical extension of your minimum necessary permissions policy. No one should have carte blanche access to all of the sensitive parts of your organization — not even the president, CEO, and/or chairperson.
Call it “compartmentalization,” if you wish, but see it for what it is: vital protection against powerful insiders gone rogue.
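Sections 13 and 14 describe one policy from two angles: grant each person only the access their job requires, and let no single role hold every key. As an added example (not code from the original article), the deny-by-default authorization check below shows how that looks in practice: permissions are attached to roles, every decision is logged, and the model can answer the investigator’s question from section 13, namely who could have reached a given resource. The roles, users and resource names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample role model (assumption, illustrative names only).
# Permissions are "action:resource" strings. Note that "ceo" gets only what the
# role needs and no blanket access, per the compartmentalization point above.
ROLE_PERMISSIONS = {
    "cfo": {"read:finance-accounts", "write:finance-accounts", "read:ledger"},
    "finance-lieutenant": {"read:finance-accounts", "read:ledger"},
    "junior-accountant": {"read:ledger", "write:ledger"},
    "ceo": {"read:board-reports", "write:board-reports"},
    "security-ops": {"read:audit-log"},
}

USER_ROLES = {
    "dana": {"cfo"},
    "lee": {"finance-lieutenant"},
    "sam": {"junior-accountant"},
    "alex": {"ceo"},
    "kim": {"security-ops"},
}


@dataclass
class AccessControl:
    role_permissions: dict
    user_roles: dict
    audit_log: list = field(default_factory=list)

    def _roles_grant(self, roles, needed: str) -> bool:
        return any(needed in self.role_permissions.get(r, set()) for r in roles)

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        """Deny unless some role held by the user explicitly grants the permission.
        Unknown users and unknown resources therefore fall through to a denial.
        Every decision, allowed or not, is recorded for later review."""
        needed = f"{action}:{resource}"
        allowed = self._roles_grant(self.user_roles.get(user, set()), needed)
        self.audit_log.append((user, action, resource, allowed))
        return allowed

    def users_with_access(self, action: str, resource: str) -> list:
        """Reverse lookup: the short list of people who could have reached a
        resource, which is what an internal-breach inquiry starts from."""
        needed = f"{action}:{resource}"
        return sorted(u for u, roles in self.user_roles.items()
                      if self._roles_grant(roles, needed))

    def denied_attempts(self) -> list:
        """Denied requests are the signal worth reviewing for misuse attempts."""
        return [entry for entry in self.audit_log if not entry[3]]


def demo_control() -> AccessControl:
    """Build a controller over the constructed sample model."""
    return AccessControl(ROLE_PERMISSIONS, USER_ROLES)


if __name__ == "__main__":
    ac = demo_control()
    print(ac.is_allowed("dana", "write", "finance-accounts"))   # CFO: allowed
    print(ac.is_allowed("sam", "read", "finance-accounts"))     # junior: denied
    print(ac.is_allowed("alex", "read", "finance-accounts"))    # CEO: denied
    print(ac.users_with_access("write", "finance-accounts"))    # ['dana']
    print(ac.denied_attempts())
```

Two design choices carry the policy: the check starts from "no" and only a role grant flips it, and no role in the table aggregates everything, so removing a single compromised account or role never exposes the whole organization. In a real system the role table lives in the identity provider or application database rather than in code, but the shape of the check is the same.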
15. Think Twice Before Relying on Remote IT Security Staffers
For the same reason you don’t want anyone in your organization to have access to its entire set of crown jewels, you probably don’t want to entrust sensitive security matters to people who don’t directly work for you. Secondary and tertiary IT security work is one thing; the big stuff is quite another. Of course, that doesn’t mean you can’t rely on integrated security systems to warn you of danger. Using a security monitoring system is a must for all businesses that want to thrive in this digital age. Although it’s more expensive in the short term, hiring adequate internal staff is the best way to reduce the risk of a breach from within.
16. Conduct a Top-to-Bottom Security Review
It’s a new year, which means it’s time for a top-to-bottom IT security review. For more on what that entails, read this overview from Boston University, then task your CISO with devising an all-department strategy for assessing and improving IT security.
17. Use SSL Certificates on All Web Addresses You Control
SSL is no longer a “nice to have” for companies serious about Internet security. It’s mission-critical.
More importantly, Google is treating it as such. Recent updates to the search giant’s algorithms may penalize websites without SSL certificates, regardless of the sensitivity of their content. And many web users simply won’t patronize websites without adequate security measures, including SSL.
18. Educate Your Staff on the Dangers of Email Phishing
Your IT security team’s motto for 2020 might as well be, “Phishing: yep, it’s still a thing.”
Well, it is. And it’s not getting any easier to manage.
Indeed, phishing tactics have grown considerably more sophisticated in recent years. Spearphishing is now all the rage, and it’s frighteningly effective at convincing key employees to part with sensitive credentials. We’ll explain in a moment why it’s so crucial to recognize and parry spearphishing attacks; for now, educate your team on the nuts and bolts of an anti-phishing policy. (For Office 365 users, this is a good model to follow.)
19. Silo Your Employees’ Personal Social Media Use
Don’t allow your employees to use personal social media accounts on company devices, nor to access personal social media accounts on personal devices connected to your company’s network. The security risks are simply too great — not to mention the obvious deleterious effects on productivity.
20. Adopt Email Hygiene Best Practices Across Your Organization
To prevent spear phishing and mitigate messages designed to transmit malicious files, institute a companywide email hygiene policy that draws on best practices from leading security organizations. This policy should include prohibitions on:
- Asking for passwords or credentials over email
- Granting permission to transfer money or access financial accounts over email
- Communicating with external senders over company email, except as necessary to conduct company business
The list could (and should) go on.
You Are Your Company’s Last Line of Defense
For better or worse, this is the undisputed truth. Without a full-bore digital and physical security policy, your company risks a catastrophic hack or breach in 2020. Whether it’s equipped to survive such a breach is a separate question, but there’s no use in waiting to find out.