If you’ve never reviewed your computer security, you may be surprised at what you find. Some of it may be easy to fix, some may take a while. So how do I triage security exposures?
In this video, we’re not talking about how to respond to a security incident. That’s an important topic for another time. If you have an incident and you don’t have an incident response plan, you’ll probably want to pull in a service provider to bootstrap one fast.
We’re also not talking about how to create a security plan. You’ll want to do this, and several good frameworks exist.
Instead, we’re talking about the stopgap measures – the obvious exposures you need to plug while you’re building your full security plan.
Several things are obvious. Enforce strong passwords. Install antivirus, firewalls, and an email filter. Is it easy for someone to take over an account or break into email? Use two-factor authentication so stealing a password isn’t enough to get in. Hire someone to provide security awareness training so your staff is less likely to get tricked or do something careless.
Don’t forget about business continuity. An obvious but often overlooked piece of this is data backups. This is a huge risk. Put something in place. I’ve been known to copy vital data to another drive as one of the first steps in protecting the client.
Beyond that, the Center for Internet Security has a “Top 20” list of ways to protect your systems. The FCC publishes a CyberPlanner with similar goals. These let you cover a lot of ground fast while in the background you’re working on your full cybersecurity plan. As you discover gaps, you’ll want to pick which ones should be addressed first.
Communication is important. If you have gaps, make sure stakeholders know that you’re putting basic measures in place as you’re beginning your full security assessment. If you have serious gaps, you can get a leg up by hiring a service provider who has a strong security stack. This can improve your security posture in a hurry while you figure the rest out.
Again, none of this substitutes for a full cybersecurity plan. As you address the urgent gaps, you’ll also be working through your risk management, data classification, and policies, all measured against a framework such as the NIST Cybersecurity Framework.
Tomorrow, we talk about things that get in the way of serving customers.
I’m Carter Edmonds with 20Creek. We solve IT challenges.
Episode #32 – 1/23/2019