6 Best Practices for Business Cybersecurity [October 2021 Update]
This post was last updated on October 6th, 2021 at 12:29 pm
When we first published this article in July of 2019, the RSM US Middle Market Business Index survey reported that 15% of mid-market businesses had suffered a data breach that year. This was already a considerable jump from 5% in 2015, and the trend has continued: today 28% of mid-market executives report that their organization experienced a breach over the past year. And while security breaches in large companies such as Facebook or Marriott still capture the international news headlines, mid-market businesses are quickly becoming the prime targets for cyber criminals.
Another report reveals hackers attack mid-market businesses almost as often as they do large corporations. In addition, ransomware has risen to join phishing, malware, and DDoS among the most common types of cyberattacks. The report also shows middle market businesses do not invest nearly enough in their security infrastructure, while smaller businesses are less likely to become cybercrime victims altogether. So let’s discuss ways mid-market companies can up their security game.
1. IT Asset Inventory Management
This is the first step you should take when building your business cybersecurity program from scratch. Tracking your IT assets allows you to gain valuable insight into the data existing on your company’s networks. Businesses should conduct an inventory of their IT assets, people accessing their networks, current security work processes, IT and cybersecurity reports, and existing security metrics. Furthermore, businesses should allocate a budget for security services as well as reevaluate existing security contracts.
One of the last steps at this stage is assessing existing security and network architectures, standing policies and work processes. This allows you to inspect your cyber hygiene and find the procedures and policies requiring an upgrade. It also enables you to make changes to the architecture and reduce risk exposure.
By the end of this stage, you should have an efficient asset management program in place. Furthermore, you will gain valuable insights into the state of your current network infrastructure and how your company accesses and handles sensitive data.
2. Cyber Security Compromise Risk Assessment
After getting the necessary insight into your business’ assets, you will need to conduct a security “risk” assessment or compromise assessment. You should measure your technology and business operations risk against a security management framework such as ISO 27001. This allows you to review and document your security solutions including AV solutions, firewalls, IDS/IPS sensors, as well as existing security procedures. These include patch management, incident response, vulnerability remediation, etc.
Security and IT professionals can then use your newly upgraded network diagrams to assess the efficiency of the existing security controls and suggest areas for improvement. This stage is the most technical of the five, so businesses should not be wary of seeking help from professionals. Third-party vendors will assess your security systems and find any existing security gaps. These will become your business’ future projects prioritized according to the level of risk exposure to vital business operations.
3. Prioritization of Security Tasks
At this stage, businesses should develop a security plan. You can do this by envisioning the upgrade of your current cybersecurity strategy, if you have one in place. You should review your entire existing cybersecurity program. This allows you to identify and take on challenges such as incomplete inventories, audit gaps, immature security practices, and lack of support from executives. Consequently, you will then have a list of risk exposures you need to focus on mitigating. However, it is extremely useful to prioritize these insights properly.
You should prioritize the insights according to the level of risk to business operations, their relevance to satisfying compliance requirements and any instances of unauthorized access to business information. You want to focus on the issues that provide value to your company. The goal is to create a new security agenda. The newly created list will help you update your business strategy and create a budget for mitigating security risks.
4. Cyber Hygiene
Today, we are witnessing an unprecedented number of phishing attacks, malware infections, and numerous other digital attacks. Such threats can seriously damage your business’ infrastructure as they cause loss of sensitive data. Therefore, make sure your elementary security processes and controls are performed correctly and continuously.
You want to have a digital foundation for your networks. It helps transfer data and applications to your customers and employees in a secure way. These fundamental cybersecurity measures fall under the term cyber hygiene and represent methodologies helping businesses mitigate cybersecurity risks.
Cyber hygiene best practices
- Deploy firewalls (correctly configured)
- Continually update antivirus definitions
- Run vulnerability scans on a regular basis
- Update and implement software patches and patching cycles
- Complete ongoing compromise assessments
- Back up and encrypt essential business data
- Secure personal data
This is not a definitive list of best practices because the services and solutions you use depend on your business environment and technologies. Therefore, you should use a custom combination of cyber hygiene best practices to mitigate any risks.
5. Business Cybersecurity Management
After completing all the above steps, you will have established a working asset inventory program. You will have finalized a risk assessment of your application portfolios and current technologies. You will have a list of existing deficiencies prioritized based on their influence on the business operations. Finally, you will have identified and incorporated cyber hygiene best practices into your security program. Now, it’s time to appoint a security manager.
Small businesses usually don’t require a comprehensive security program as they can manage security through the IT department or an MSP. However, mid-market businesses cannot rely on such practices as their size requires having a security program in place. More importantly, mid-market organizations need an experienced professional to lead the security program.
A security manager ensures your business allocates exactly the right amount of resources for mitigating security risks specific to your organization. They will also strengthen your defenses by educating your employees on the existing security risks your business is exposed to.
6. Utilize an EDR or MDR Platform
One of the most unsettling elements of cyberattacks is that you can do everything right and still suffer a breach. Threat actors are constantly trying to improve their skills and get past your defenses, so our final best practice will empower you to catch an attack even as it’s happening. Endpoint detection and response (EDR) and managed detection and response (MDR) watch for the sneakiest attacks and alert you to suspicious activity.
As many as 75% of companies that fall victim to ransomware were running up-to-date endpoint protection. That’s why detection and response is absolutely crucial to keeping your organization safe. Of course, not all EDR providers are created equal, so check out our blog on evaluating endpoint detection and response solutions.
Get Serious About Business Cybersecurity
Cybersecurity is an integral component of running a modern business. While smaller businesses sometimes handle these challenges in house, mid-market businesses should get more serious about their security. You should start by creating an asset inventory program, followed by a security assessment and prioritization of security tasks.
With the threats constantly evolving, you must practice proper cyber hygiene and think about hiring a professional to manage your business cybersecurity program. Sign up for a free trial of our EDR platform today – it only takes a few minutes to set up.