This list is from Crucial Point:
- Use a “framework” that will guide your action. Our favorite one is the NIST Cybersecurity Framework, but there are many. This framework will help guide your policies, procedures, contracting and incident response. The NIST framework divides actions you need into categories of: Identify, Protect, Detect, Respond, Recover.
- Work to know the threat. Knowing the cyber threat will help you more rapidly and economically adjust your defenses. We wrote a book to help you get a quick baseline on the threat (see TheCyberThreat.com). Since the threat is dynamic you need continuous information. Sign up for our daily ThreatBrief and our weekly Cyberwar and Cybersecurity Review.
- Think of your nightmare scenarios. Only you know your business, and only you can really know what could go wrong if the worst happens. Use these nightmare scenarios to help determine what your most important data is; this is going to help prioritize your defensive actions.
- Encrypt your data. And back it up! Prioritize this protection on your most important data. This will help mitigate the risks of your nightmare scenarios.
- Ensure you and your team are patching operating systems and applications. This sounds so basic, and it is so basic. But it is too frequently overlooked and it gets companies hacked, again and again. So don’t just assume it is going on. Check it.
- Put multi-factor authentication in place for every employee, including on their use of cloud-based services. Depending on your business model, you may need to do this for customers and suppliers too. This is very important for a good defense.
- Configure your DNS to make it harder on the bad guys. There are simple configuration changes you can put in place that will greatly reduce the risk of malicious code and privacy attacks. See DNS Configuration Tips Here.
- Configure your email to make it harder to be spoofed/phished. By using the widely deployed configuration called DMARC you can significantly reduce the chance that your email will be spoofed and your partners or employees tricked because of you. Learn more about DMARC here.
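As an added illustration of the DMARC point above (example code, not Crucial Point's own tooling): a DMARC policy is published as a DNS TXT record at `_dmarc.<domain>`, and its strength depends on the tags it carries. The checker below parses a record and reports the settings that leave spoofed mail deliverable. The sample records are constructed, and the `example.com` mailbox is a placeholder.

```python
"""Assess how much spoofing protection a DMARC TXT record actually gives.

Added example; the records below are constructed, not real lookups.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return weaknesses found; an empty list means the record is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing 'v=DMARC1' tag: receivers ignore this record entirely"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no 'p' tag: record is invalid without a policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam, not rejected")
    elif policy != "reject":
        findings.append(f"unknown policy value {policy!r}")
    pct = tags.get("pct", "100")  # percentage of mail the policy applies to
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail")
    # Subdomain policy 'sp' inherits 'p' when absent; flag it only if weaker.
    if policy == "reject" and tags.get("sp") in ("none", "quarantine"):
        findings.append(f"sp={tags['sp']}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no 'rua' tag: no aggregate reports to reveal spoofing")
    return findings


if __name__ == "__main__":
    weak = "v=DMARC1; p=none"                        # constructed: monitor-only
    strong = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    for rec in (weak, strong):
        print(rec, "->", assess_dmarc(rec) or ["enforcing"])
```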
- Use a password manager, at work and at home, and encourage every employee to do the same. Our recommendation: Dashlane.
- Block malicious code. This is easier said than done, but work to put a strategy in place that ensures only approved applications can be installed in your enterprise, and, even though anti-virus solutions are not comprehensive, ensure you have them in place and keep them up to date.
- Prepare for the worst. Know what your incident response plan is and make sure it is well documented and reviewed. Ensure it includes notification procedures.
- Design to detect and respond to a breach. This means putting monitoring in place and also using proper segmentation of your systems so an adversary has a harder time moving around.
- Ensure you are able to communicate with others in a way that cannot be monitored by criminals/hackers. This is important in day-to-day business and urgent in incident response. Our recommendation: Wickr.
Reducing digital risk requires far more than the list above. But this list will get you started on a good foundation for continued improvement and will help you make an immediate difference in your security posture. We would strongly encourage you to take advantage of a free consultation with one of our experts. To start that process, contact Crucial Point here.