On March 21, the White House released a fact sheet on what businesses should do to protect against cyber threats. Though at of the time of writing this, there has not been a huge increase in attacks from Russia in particular, it is expected they could come as the current world climate is one of tension.
The fact sheet calls out a number of things businesses should do to ensure they remain secure against threats. The advice is all sound and should be followed by all businesses, but security is a journey. As such, let's review three important items on this list. In a future post, I may break down some of the others.
The first and arguably the most important item on the list is Multi-Factor authentication. This is where to log in you get prompted for a code, push notification, or some other method that sends you something you need to deal with. This will make it harder for attackers to use your password if they get it via other means.
People often push back on the inconvenience of multi-factor, and I understand. It can get annoying to constantly have to type codes in or approve logins. However, in the end, it's definitely more disruptive to have to clean up from some sort of breach.
Once we get MFA settled (or before, as MFA can often be a process) we should move to ensure all of our systems are patched. If systems aren't up-to-date, they can be compromised. Once in, attackers can easily move between systems, giving them access to other sensitive information within your environment.
Windows systems are often kept up to date, but the patching advice goes beyond them. There are printers, phones, and other devices that have had vulnerabilities that have led to breaches. Even your firewall, which is designed to protect you, can be a point of entry if not kept up to date.
Once you get your patching in place, we should address the human element. The biggest single thing leading to breaches at the moment is phishing or another human-related compromise. This being the case, we'll cover education as our last point to tackle. Implementing security and phishing awareness training will make your employees more resistant to phishing and other attacks. This will in turn make it harder for a bad actor to get an initial compromise. Good awareness training is written in such a way that non-technical people can relate and understand it.
There are many more important items on the list such as backups, but security is a process. The important part is you begin. If you are overwhelmed or need help, we're here for you. Click below to schedule time to discuss how we can help you with your security needs.
