In the last blog, we identified four security controls that help your business become cyber resilient: plan ahead, provide security awareness training, practice recovery and look into cyber insurance. They are vital to protecting your business and should be in place in every organization, whatever its size. In this blog, we review the 13 parts of an effective business continuity plan to protect against ransomware, as suggested by Cyber Secure Canada.
Please note that over the next few months I will be diving deeper into each of these security controls, because throwing money at new technology is not an effective strategy. An effective strategy starts with a proper evaluation of what is on the market and of the gaps in your organization.
Be sure to follow our blog to stay on top of how to create an effective business continuity plan. We also go deeper into which elements are the most important to start with in the video at the end of the page.
An incident response plan covers how you monitor for, detect and respond to an incident. In other words, if something goes sour, you have systems in place to identify what went wrong. The average time it takes a company to identify a breach is over 250 days, and monitoring that nobody reviews does not shorten it. With a good incident response plan, you have the tools and alerting to notice when something goes wrong, and the plan itself is then a detailed, rehearsed set of instructions telling you what to do when something actually does go wrong.
As IT professionals, we are responsible for the business continuity of the organization. Therefore, we must restore critical systems and data and keep services running. This includes restoring a copy of your data from backup storage and making sure that as few funds as possible are required to keep the business afloat after an incident. It is a lot of responsibility, but that is why it is such an important part of an effective business continuity plan.
Over the past few years, two-factor authentication has grown in popularity as more of the workforce works from home. In all honesty, however, it is the bare minimum you can do to protect your systems. We recommend continuously authenticating your employees, which is ideal when they work in public places, on business trips and even in the office: the correct password does not mean the right person is using the system. For more information on continuous authentication, check out this page.
I believe most companies have already taken this step. Activating firewalls, installing anti-malware software and enabling Domain Name System (DNS) filtering on devices seem to be where companies feel most comfortable, and that is great. However, it is only one of the 13 parts of an effective business continuity plan.
As we have seen in the last few months with Microsoft, patching applications is SUPER important. Many ransomware attacks in the last year succeeded because of known vulnerabilities in unpatched applications. We recommend enabling automatic patching wherever possible; doing it all manually is overwhelming, and a patch that is available but not applied does nothing for you.
The 3-2-1 Backup Rule is an easy way to remember how to back up your data: keep 3 copies of your data, on at least 2 different types of storage media, with at least 1 copy offsite. And yes, a copy in the cloud counts as a different medium and is offsite. Many businesses opt for cloud backup as one copy and on-premises backup as the second copy. One caveat for ransomware specifically: a cloud copy that can be deleted or overwritten with the same credentials an attacker steals from your network is not a safe copy, so keep at least one copy offline, immutable or under separate credentials.
When backing up your data, you also want to establish your Recovery Time Objective and Recovery Point Objective. The Recovery Time Objective (RTO) is the maximum time within which operations must be back to normal after disaster strikes. The Recovery Point Objective (RPO) is the maximum amount of data loss you can tolerate, measured as the time between the last usable backup and the disruptive event; it dictates how often you must back up. Both are VERY important to keep operations going if you are hit with a cyberattack. Our suggestion is to establish these metrics, then test your backups regularly by actually restoring them and timing the restore against your RTO.
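To make the rule and the two objectives concrete, here is an added example written for this post (not a Cyber Secure Canada tool and not code from the original article). It checks a backup inventory against 3-2-1 and computes the recovery point you would actually achieve if ransomware wiped every copy reachable from the network. The inventory, the copy names and the `isolated` flag are constructed assumptions, not a vendor's data format:

```python
"""Backup inventory check against the 3-2-1 rule and a ransomware-aware RPO.

Added example written for this post (not a Cyber Secure Canada tool). The inventory
below is constructed sample data; field names are assumptions, not a vendor format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                 # e.g. "disk", "object-storage", "tape"
    offsite: bool               # stored away from the production site
    isolated: bool              # offline, immutable, or under credentials production cannot use
    completed_at: datetime
    last_restore_test: Optional[datetime] = None   # None means never restored from


def check_321(copies: List[BackupCopy]) -> List[str]:
    """Return 3-2-1 violations (an empty list means compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"{len(copies)} copies present; need at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append("all copies on one type of media; need at least 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def achievable_rpo(copies, now, survivors_only=True) -> Optional[timedelta]:
    """Age of the newest backup you could actually restore from.

    With survivors_only=True only isolated copies count: the assumption is that
    ransomware holding network credentials also encrypts or deletes every copy it
    can reach. Returns None if no copy would survive.
    """
    usable = [c for c in copies if c.isolated or not survivors_only]
    if not usable:
        return None
    return now - max(c.completed_at for c in usable)


def rpo_violations(copies, rpo: timedelta, now) -> List[str]:
    """Compare the achievable recovery point with the RPO the business agreed to."""
    loss = achievable_rpo(copies, now)
    if loss is None:
        return ["no isolated copy would survive a ransomware event"]
    if loss > rpo:
        return [f"newest isolated copy is {loss} old, which exceeds the RPO of {rpo}"]
    return []


def untested_copies(copies, max_age: timedelta, now) -> List[str]:
    """Names of copies never restore-tested, or not tested within max_age."""
    return [c.name for c in copies
            if c.last_restore_test is None or now - c.last_restore_test > max_age]


# Constructed sample inventory: a common "cloud + on-premises" setup.
NOW = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("nas-snapshot", "disk", offsite=False, isolated=False,
               completed_at=NOW - timedelta(hours=1),
               last_restore_test=NOW - timedelta(days=10)),
    BackupCopy("cloud-bucket", "object-storage", offsite=True, isolated=True,
               completed_at=NOW - timedelta(hours=26)),
    BackupCopy("offsite-tape", "tape", offsite=True, isolated=True,
               completed_at=NOW - timedelta(days=7),
               last_restore_test=NOW - timedelta(days=200)),
]


def report(copies=SAMPLE_COPIES, rpo=timedelta(hours=24),
           test_max_age=timedelta(days=90), now=NOW) -> dict:
    """All three checks in one place, as a plan review would run them."""
    return {
        "rule_321": check_321(copies),
        "rpo": rpo_violations(copies, rpo, now),
        "untested": untested_copies(copies, test_max_age, now),
    }


if __name__ == "__main__":
    for section, findings in report().items():
        print(section, findings or "OK")
```

Run as-is, the sample passes 3-2-1 but fails the RPO check: the only copies that survive a ransomware event are 26 hours and 7 days old, so a 24-hour RPO is not met even though the on-premises snapshot is one hour old. The gap between "newest backup" and "newest backup the attacker cannot touch" is the number to track, and the untested list is the reminder that a backup you have never restored from is a hope, not a plan.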
As mentioned in the previous blog, training employees is one of the most effective ways to reduce the risk of a ransomware attack, because 95% of them are caused by human error. Cyber security training should be standard for every employee and part of the onboarding process of every new hire.
There are some very immersive training programs offered in multiple languages for multilingual companies. As a company operating out of Montreal, we offer our training in English and in French, ensuring everyone learns in the language they are most comfortable in.
Securing a website always seems like the developers' "problem" when in reality we must take responsibility for ensuring our websites are protected. If you outsource the website, consider the following:
- Ensure TLS certificates are valid and renewed before they expire, with an alert well ahead of the expiry date
- Use strong, unique passwords for the hosting account, the CMS and any admin panels
- Serve the whole website over HTTPS and redirect plain HTTP to it
- Limit the number of people who hold the website credentials
- Rotate the credentials once an outsourced project is complete, so the contractor's access ends with the contract
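The certificate and HTTPS items can be checked rather than assumed. The following is an added example written for this post (not code from the original article), using only Python's standard library: `evaluate_cert()` works offline on the dictionary that `SSLSocket.getpeercert()` returns, while `fetch_peercert()` and `check_site()` perform a live handshake and need network access. The sample certificate, its dates and the hostnames are constructed:

```python
"""Check a website's TLS certificate for expiry and hostname coverage.

Added example for this post, not code from the original article. It uses only the
Python standard library; fetch_peercert() needs network access, while evaluate_cert()
works offline on the dict returned by SSLSocket.getpeercert(). The sample certificate
dict, its dates and the hostnames are constructed.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import List


def _san_covers(hostname: str, names) -> bool:
    """True if hostname matches a DNS SAN entry, allowing a single-label wildcard."""
    host = hostname.lower()
    parent = host.split(".", 1)[1:]  # ["example.com"] for "www.example.com"
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and parent == [name[2:]]:
            return True
    return False


def evaluate_cert(cert: dict, hostname: str, now: datetime, warn_days: int = 14) -> List[str]:
    """Return findings for a peer certificate dict; an empty list means nothing to fix."""
    findings = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if now < not_before:
        findings.append(f"certificate not valid until {not_before:%Y-%m-%d}")
    if now >= not_after:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"certificate expires in {(not_after - now).days} days; renew now")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not _san_covers(hostname, dns_names):
        findings.append(f"{hostname} is not covered by the certificate's names {dns_names}")
    return findings


def fetch_peercert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the live site and return its certificate as a dict (needs network)."""
    ctx = ssl.create_default_context()   # verifies the chain, so an expired cert fails here
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_site(hostname: str, now=None) -> List[str]:
    """Live check: a failed verification is itself the finding, not an error to swallow."""
    try:
        cert = fetch_peercert(hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"TLS verification failed: {exc.verify_message}"]
    except OSError as exc:
        return [f"could not connect: {exc}"]
    return evaluate_cert(cert, hostname, now or datetime.now(timezone.utc))


# Constructed sample: the shape getpeercert() returns, with made-up dates.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Mar 15 23:59:59 2023 GMT",
}
SAMPLE_NOW = datetime(2023, 3, 5, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate_cert(SAMPLE_CERT, "www.example.com", SAMPLE_NOW))
```

Two things worth noting. Because `create_default_context()` verifies the chain, an already-expired certificate never reaches `evaluate_cert()`: the handshake itself fails, which is exactly what your visitors see, so `check_site()` reports that failure as the finding. And the warning window is the useful part: run this on a schedule with `warn_days` set longer than your renewal process takes, and "certificates are up-to-date" becomes an alert instead of a surprise.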
Another VERY important part of the website is how it collects data. GDPR scared everyone back in 2016. In Canada, we were so thankful we did not have to deal with it. However, privacy legislation is changing. In the province of Quebec, for example, businesses will need to comply with a long list of new obligations, yet most businesses do not even know about the changes. Therefore, stay alert for privacy laws in your area: it is coming!
This is more important for companies that allow employees to work from their phones. It is not uncommon to have Outlook or Slack on a phone. How are you protecting those devices?
How are you protecting the cellphones you give employees? To keep fraudulent or malicious apps off them, publish a list of approved applications and the trusted stores to download them from, so employees know what they may put on a company phone. How are you protecting the phone when an employee connects to Wi-Fi? Is connecting to public Wi-Fi even allowed?
Protecting cellphones requires a device deployment model, a list of approved applications and endpoint management (MDM) on the devices.
There are three reasons to limit access to files, credentials and other resources on your network.
The first reason is asset management. When an employee leaves, you know exactly what that person had access to and you can remove that access immediately. The second reason is to limit the damage of a breach. If an employee falls victim to a phishing email and clicks the link, the cyber criminals are limited to what that employee has access to, so the less each account can reach, the smaller the blast radius.
The third reason is that information can get into the wrong hands. You want to reduce the chances of an employee going rogue and trying to harm the company. This does in fact happen. It happened to the Canadian financial institution Desjardins: an employee in the marketing department copied customer data onto a USB key, the data ended up on the dark web, and over 9 million people were affected.
More and more companies are handing out laptops. Before handing one to an employee, ensure the default password has been reset, that the endpoint security software is already installed and reporting, that location services are turned off and that unnecessary features and services are turned off.
Proactively monitor for and hunt threats. Antivirus alone is not enough anymore. Consider looking into Managed Detection and Response (MDR), which extends threat detection across the network, endpoints and the cloud. An MDR service typically layers:
- Antivirus
- Endpoint detection
- Inbox detection
- Proactive threat hunting
- Threat intelligence from numerous sources
- Network detection
- Insider threat detection (employees)
- In-memory analysis (reverse engineering code to predict malicious intent)
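The "monitor, detect" half of the incident response plan and the threat hunting described here become tangible with a concrete hunt. Below is an added example written for this post (not code from the article or from any MDR product) that runs two ransomware hunts over endpoint file-event logs: a process renaming many files to a new extension within a short window, and the creation of files named like ransom notes. The log format, hostnames, user, paths, process names, ransom-note pattern and thresholds are all constructed assumptions:

```python
"""Hunt for ransomware-style file activity in endpoint file-event logs.

Added example for this post, not code from the article or from any MDR vendor.
The log format (one key=value line per file event) and every host, user, path and
process name below are constructed; the thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse lines like: <iso-timestamp> host=... pid=... image="..." op=rename src="..." dst="..."."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(rest)}
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def _ext(path: str) -> str:
    """Lower-cased extension of the last path component ('' if none); handles both separators."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def hunt_mass_rename(events, window=timedelta(seconds=60), threshold=20) -> List[dict]:
    """Flag a process that changes the extension of >= threshold files within one window.

    Encrypting documents in place and renaming them to a new extension is how most
    ransomware behaves; a user's save-as or a build script rarely does it at that rate.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e.get("op") == "rename" and _ext(e["dst"]) != _ext(e["src"]):
            by_proc[(e["host"], e["pid"], e["image"])].append(e)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "host": host, "pid": pid, "image": image, "renames_in_window": peak,
                "new_extensions": sorted({_ext(e["dst"]) for e in evs}),
                "first_seen": evs[0]["ts"].isoformat(),
            })
    return alerts


# Assumed ransom-note naming pattern; real families vary, so treat it as a starting point.
_NOTE = re.compile(r"(readme|how_to|recover|restore|decrypt)[\w-]*\.(txt|html?|hta)$", re.I)


def hunt_ransom_notes(events) -> List[dict]:
    """Flag newly created files whose names look like ransom notes."""
    hits = []
    for e in events:
        path = e.get("path") or e.get("dst", "")
        if e.get("op") == "create" and _NOTE.search(re.split(r"[\\/]", path)[-1]):
            hits.append({"host": e["host"], "pid": e["pid"], "image": e["image"], "path": path})
    return hits


def constructed_sample_log() -> str:
    """Constructed log: one benign save-as by Word, then one process encrypting 30 files."""
    t0 = datetime(2023, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    word = r'C:\Program Files\Microsoft Office\WINWORD.EXE'
    dropper = r'C:\Users\jdoe\AppData\Local\Temp\upd.exe'
    docs = r'C:\Users\jdoe\Documents'
    lines = [f'{t0.isoformat()} host=WS-17 user=jdoe pid=1180 image="{word}" op=rename '
             f'src="{docs}\\~WRD0001.tmp" dst="{docs}\\report.docx"']
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f'{ts} host=WS-17 user=jdoe pid=4412 image="{dropper}" op=rename '
                     f'src="{docs}\\file{i:02d}.xlsx" dst="{docs}\\file{i:02d}.xlsx.locked"')
    lines.append(f'{(t0 + timedelta(seconds=31)).isoformat()} host=WS-17 user=jdoe pid=4412 '
                 f'image="{dropper}" op=create path="{docs}\\HOW_TO_RECOVER_FILES.txt"')
    return "\n".join(lines)


EVENTS = parse_events(constructed_sample_log())

if __name__ == "__main__":
    for alert in hunt_mass_rename(EVENTS) + hunt_ransom_notes(EVENTS):
        print(alert)
```

On the sample, Word's single temp-file rename stays under the threshold while the process in the user's Temp folder trips both hunts. An alert here is a lead for the responder, not proof: the next step in the incident response plan is to isolate the host, confirm what the process is, and find out how it got there. In production the same logic would run over file events from your EDR or audit agent, and the window and threshold need tuning against what your own fleet looks like on a normal day.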
Every few years companies refresh their fleet of devices. Make sure to sanitize devices before getting rid of them. Make sure your organization encrypts data at rest and keeps it on media you can control and track; a loose USB key is not ideal, and losing a USB key full of valuable data is not something anyone wants to tell their IT department.
This is a tough one, and only recently have people started to talk about it, because when we outsource to a provider, we assume they are taking the right measures to stay protected. Unfortunately, that is not always the case. Toyota had to shut down operations because one of its suppliers got hacked. Ouch! Therefore, get to know where your providers have their data centers, learn about the privacy laws in their area, and ask what security controls they have in place and how quickly they will notify you of an incident.
Here is a 25 minute deeper dive into the most important parts of the 13 security measures listed above.