Cybersecurity Best Practice Guide for IT Managers
If you’re an IT manager tasked with designing, implementing, and maintaining a cybersecurity program, this can be a challenge. How would you start? Should efforts begin at the external boundary of your IT infrastructure? Should the internal workstations and servers be the first priority? As an organization focused on cybersecurity empowerment, we’ve outlined a few cybersecurity best practices that IT managers can focus on implementing now.
The entire process of this sequence has been a challenging journey for many of the small businesses we assist. Each step takes time, resources, and careful consideration to successfully execute. This is not a comprehensive list, but what we often recommend to small businesses that are trying to improve their cybersecurity posture immediately.
- Choose a set a security controls like NIST 800-171 or CIS Critical Security Controls
- Create a System Security Plan (SSP) containing policies, processes, and procedures with respect to the chosen security controls i.e. the cybersecurity program blueprint
- Develop a Plan of Actions & Milestones (POA&M) with Corrective Action Plans (CAPs) to produce a roadmap for how the organization will meet the cybersecurity best practices you have chosen to implement.
- Conduct a cyber risk assessment
- Chosen security controls with policies, technology, or a combination of both, i.e. the “get-well” plan, to prioritize the execution of the CAPs found in the POA&M based on either qualitative or quantitative risk
Below we list a few cybersecurity best practices that we believe every company, regardless of size, can implement.
As an IT manager, do you know precisely the hardware and software details of your IT infrastructure? This goes beyond model numbers and software suites. What about version numbers, open ports/protocols, physical locations etc.? Clearly, this requires an appropriate medium to properly display and organize such metadata. Since Totem.Tech is a small business with less than 20 workstations and servers combined, we use an Excel spreadsheet based on a free template provided by the US Navy. There are certainly free and open-source software solutions for IT asset management including Qualys and others. Such solutions should be considered when scalability becomes a relevant factor. The level of granularity for configuration management is your decision, but we recommend that the bare minimum to meet the best practice of tracking IT assets is collecting the following metadata:
- Make, Model, and Serial Number of Devices
- OS/Firmware versions, Software Patch Levels
- Hostnames, IP and MAC addresses, and Open Ports/Protocols
- Default Configurations, Administrator and User Accounts, Permission Levels
Ultimately, how can you protect your IT infrastructure if you’re not entirely confident of what comprises it? Check out Adam Austin’s blog for further discussion on cybersecurity best practices and why configuration is crucial for protecting IT assets.
Regular, Scheduled Patching
Patching IT infrastructure components is essential for improving an organization’s cybersecurity posture. The Equifax breach is an unfortunate example of how failure to patch web servers ultimately resulted in personally identifiable information (PII) disclosure. The argument that small businesses aren’t targets for similar cyber-attacks is fallacious. There are many articles and studies exhibiting why small businesses are ideal targets for cybercriminals. A common factor often discussed is the lack of a formal patching process. Patches can be scheduled on a weekly, bi-weekly or monthly basis. This cybersecurity best practice should be simple enough for any small business to implement. Ideally, devices and software suites should be configured to automatically install updates and patches when they are released. At Totem.Tech, we have configured our Microsoft workstations to automatically install Windows OS and Office 365 updates when they are released. Check out Adam’s blog where he further discusses the importance of regular, scheduled patching.
Data and Configuration Backups
Would your organization survive from a ransomware attack like WannaCry? The purpose of having information and device backups is to be prepared for the loss or destruction of such assets. In many cases, organizations could fail to continue operations if the availability of their data and IT infrastructure were compromised. We at Totem.Tech conduct weekly backups to mitigate the risks of cyberattacks targeting our IT systems’ availability. Disaster recovery is a whole domain in IT/cybersecurity covering how organizations can continue its critical operations following events like ransomware infection with established policies, processes, and procedures. Check out this article by IBM which goes more in depth regarding backups and disaster recovery as cybersecurity best practices.
Cybersecurity Awareness Training
Without doubt, the biggest cybersecurity vulnerability for organizations is the end users. People are much more susceptible to manipulation than computers. We at Totem.Tech believe that end users can become an organization’s greatest defense against common cyberattacks like phishing. We accomplish this by holding annual cybersecurity awareness training covering the following topics:
- Exercising Acceptable Use Policy (AUP)
- Strong Passwords, Email Security, Device Security, Reporting Incidents
- Insider Threats
- Operations Security (OPSEC)
Cybersecurity awareness training is often cited in various articles and blogs on cybersecurity best practices. Conducting these types of trainings will facilitate a culture where everyone is accountable for recognizing potential indicators of cybersecurity incidents. As an IT Manager, you can be creative on cementing the content within these trainings. For example, Totem.Tech holds a contest where the employee(s) who recognizes the most phishing emails in our campaign simulation wins a prize e.g. an Amazon gift card. These types of positive reinforcements make cybersecurity awareness trainings more fun and engaging for employees!
Incident Response Plan
How will your organization react when a cybersecurity incident occurs? You should assume incidents will occur and thus, preparation beforehand is paramount. Many small organizations overlook this cybersecurity best practice while creating the company’s cybersecurity plan. Best practices developing an Incident Response Plan (IRP) is broken down in stages following incident discovery. At Totem.Tech, we recommend utilizing the PICERL model:
- Lessons Learned
I won’t go into detail for each stage but instead focus on the most important stage, containment. When it is determined an incident has occurred, you must ensure that the cause of the incident e.g. ransomware infection, is properly isolated. This could be as simple as disconnecting a device from the corporate network to ensure the device is quarantined. Adam illustrates this with a great analogy in our Cybersecurity 101 Lesson 4.2: “Put the kitchen fire out first! Then assess damages later.”
Cybersecurity best practices for Incident Response Planning is not only having a plan but to practice execution of incident response with real-life scenarios i.e. table-top exercises. We recommend the following free resource for brainstorming cybersecurity incidents, but you can find more at the end of Lesson 4.2. Some relevant participants for these exercises could include IT/cybersecurity staff, managers, and executive personnel
Totem.Tech's Offerings for Cybersecurity Best Practices
At Totem.Tech, we’ve created an online course Cybersecurity 101 Lessons for DoD Contractors for fleshing out what is required to build a robust cybersecurity program for Defense contractors and small businesses. Check out the following free lessons published on our blog to give you a taste of the content and format:
- Lesson 1.1: “What is DFARS and NIST 800-171”
- Lesson 2.1: “Introduction to the System Security Plan”
- Lesson 4.2: “Incident Response Planning”
We’ve also created a workshop series DFARS/NIST 800-171 Compliance Workshops where Totem.Tech’s instructor and security compliance analysts work one-on-one with your company’s associates to help develop your SSP, POA&M, and Incident Response Plan (IRP).
We hope that as an IT manager, you found our cybersecurity best practice guide valuable. You can always contact us directly to learn more about cybersecurity best practices or to get assistance in creating a cybersecurity program that works best for your business.