To build an effective cybersecurity plan, you need to know exactly which devices reside in your company’s environment. Record all the details of your company’s IT infrastructure in a spreadsheet or diagram that can easily capture this information, and update it consistently as your environment changes.
Create a spreadsheet that clearly captures all makes, models, and serial numbers of all company devices. Also include all firmware versions and patch levels, default configurations and permission levels, hostnames, IP and MAC addresses, and open ports.
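One way to keep such an inventory trustworthy as it grows, shown as an added example that is not part of the original checklist: a small audit that flags empty fields, malformed IP/MAC/port values, and duplicate identifiers in a CSV export of the spreadsheet. The column names, the `;` port separator, the `none` convention for devices with no open ports, and the sample rows are all assumptions constructed for illustration.

```python
import csv, io, ipaddress, re
from collections import Counter

# Assumed column names, derived from the fields the checklist asks you to record.
REQUIRED = ["make", "model", "serial", "firmware_version", "patch_level", "default_config",
            "permission_level", "hostname", "ip", "mac", "open_ports"]
UNIQUE = ["serial", "hostname", "ip", "mac"]  # values that should identify one device only
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed sample inventory (not real devices).
SAMPLE = """\
make,model,serial,firmware_version,patch_level,default_config,permission_level,hostname,ip,mac,open_ports
VendorA,Laptop-X,SN-0001,1.4.2,2024-05,changed,user,lt-001,10.0.0.11,00:11:22:33:44:55,none
VendorB,Printer-Y,SN-0002,,2023-11,factory,admin,pr-001,10.0.0.20,00:11:22:33:44:66,80;443;9100
VendorC,Switch-Z,SN-0003,3.2.0,2024-02,changed,admin,sw-001,10.0.0.11,00:11:22:33:44:ZZ,22;70000
"""

def audit_inventory(text):
    """Return (csv_line_number, problem) findings for an inventory CSV."""
    reader = csv.DictReader(io.StringIO(text))
    absent = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if absent:
        return [(1, f"missing column: {c}") for c in absent]
    rows = [{k: (v or "").strip() for k, v in r.items() if k} for r in reader]
    seen = {f: Counter(r[f].lower() for r in rows if r[f]) for f in UNIQUE}
    findings = []
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        findings += [(n, f"empty field: {f}") for f in REQUIRED if not row[f]]
        if row["ip"]:
            try:
                ipaddress.ip_address(row["ip"])
            except ValueError:
                findings.append((n, f"invalid ip: {row['ip']}"))
        if row["mac"] and not MAC_RE.match(row["mac"]):
            findings.append((n, f"invalid mac: {row['mac']}"))
        if row["open_ports"].lower() not in ("", "none"):
            for p in (x.strip() for x in row["open_ports"].split(";")):
                if not (p.isdecimal() and 1 <= int(p) <= 65535):
                    findings.append((n, f"invalid port: {p}"))
        # Two devices sharing a serial, hostname, IP or MAC means a stale or mistyped record.
        findings += [(n, f"duplicate {f}: {row[f]}") for f in UNIQUE
                     if row[f] and seen[f][row[f].lower()] > 1]
    return findings

if __name__ == "__main__":
    for line_no, problem in audit_inventory(SAMPLE):
        print(f"line {line_no}: {problem}")
```

Running the audit each time the spreadsheet changes turns "consistently update" into a repeatable check rather than a manual review.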
A trained and aware workforce is the most effective tool that you can use to defend against security incidents. Keep all users up to speed on your company’s IT and sensitive data security procedures. Provide continual opportunities for education on user best practices and threat mitigation.
Phishing scams are one of the most common and costly attacks your company could face. Implement a phishing simulation that tests users’ ability to safely identify and handle a phishing email. Provide training following the simulation.
Prevent end users from having access to administrative accounts or privileges. Grant admin privileges only if required for a specific role (e.g. an IT administrator). Swiftly and accurately deprovision user accounts when needed.
Reduce your system’s attack surface by identifying and eliminating potential attack vectors. Harden applications, operating systems, servers, databases, and networks. Tailor this strategy according to your organization’s risk management plan.
Use Microsoft Office’s “Protected View” when viewing external documents. This will prevent any macros or scripts from executing unless specifically permitted to do so. Enable editing only for trusted documents.
Protect your company from data loss by backing up and encrypting your data regularly. Develop a recovery plan that describes the procedures to follow should an unexpected event occur. Continue to test the recovery plan as your environment changes.