I culled this list from the article below, which is useful but I thought it a shame the author didn’t think to write a condensed intro with a top ten list, so I decided to do it myself. Just be aware that with input from 45 people it is quite long:
Here is my list based on the answers and my own thoughts (not in priority order, as the priorities will vary with your business):
- Be aware of outsider attacks — the British Airways breach from a few years ago is a perfect example. JavaScript on the payment page was modified to skim card details as customers typed them (mine was one).
- Focus on the core function of your business and let a vetted third-party provider take care of the rest — plenty of companies will train your staff and manage your security for you. It is a specialism and you don't need to do it alone.
- Your staff are the weakest link in any organization — you can never do enough repeated training and education. Creating a Slack channel for everyone and using it to post details of current malware campaigns, phishing lures and other tips can be useful.
- Take regular backups — the most mentioned item after, I think, the next one. What no-one mentioned is something just as important: regularly testing your backups. At least monthly, test a restore and make sure it brings back the data you want and that you know how to do it. Remember that you might have to perform this for real under great stress. Keep at least one copy offline or otherwise immutable, because a backup that is reachable from the compromised network will be encrypted by ransomware along with everything else.
- MFA — always implement multi-factor authentication if it's available, ideally using a dedicated app or hardware key rather than SMS, which can be intercepted or SIM-swapped.
- Cyber insurance — think about how much the loss of data might cost you, not just from an operational perspective but also in terms of liability and time spent investigating and mitigating any attack.
- Implement a 360-degree cybersecurity plan — this includes firewalls, antivirus software, a backup policy, network security and solutions to protect all connected devices.
- Use a VPN for external network access — far more people work from home these days. If they connect into your internal network it must be over a VPN, and the VPN itself must require MFA and be kept patched, since by definition it is exposed to the internet.
- Mobile device management — just about everyone uses a smartphone and many of us use one for business. If it is stolen and has access to company systems and data you need to be able to remotely remove those applications and/or wipe the data, which is what MDM gives you.
- Limit exposure generally — this is the principle of least privilege. Give users the bare minimum of permissions they need to do their job, and review those permissions when people change role or leave.
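The restore test from the backups item above, as an added example that is not from the original article or any of its contributors. It backs up a directory to a tar archive, restores the archive into a scratch directory and compares a SHA-256 listing of every file against the live tree, so a corrupt archive, a missing file or changed content all count as a failed restore. It assumes GNU tar, coreutils and findutils (sha256sum, sort -z, xargs -0) and the sample data in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): a scripted restore test for a tar backup.
# Assumptions: GNU tar, coreutils and findutils are installed (sha256sum, sort -z, xargs -0).
set -u

# make_backup SRC_DIR ARCHIVE : write a gzipped tar of SRC_DIR to ARCHIVE.
make_backup() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# checksum_tree DIR : print "sha256  ./relative/path" for every file, sorted,
# so two trees with identical content produce byte-identical listings.
checksum_tree() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

# verify_restore ARCHIVE SRC_DIR : restore ARCHIVE into a scratch directory and
# compare every file's hash against the live tree. Exit 0 only when the restore
# reproduces the source exactly; an extraction error, a missing file or a
# content difference is a failure.
verify_restore() {
    archive=$1
    src=$2
    scratch=$(mktemp -d) || return 2
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"
        return 1          # archive is corrupt or truncated
    fi
    expected=$(checksum_tree "$src")
    actual=$(checksum_tree "$scratch/$(basename "$src")" 2>/dev/null || true)
    rm -rf "$scratch"
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# demo : constructed sample data (assumption: not real business data) run through
# one healthy backup and one that was truncated, as a damaged copy would be.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/docs"
    printf 'invoice 1\n' > "$work/data/docs/inv1.txt"
    printf 'ledger\n' > "$work/data/ledger.csv"
    make_backup "$work/data" "$work/good.tgz"
    verify_restore "$work/good.tgz" "$work/data" && good=ok || good=FAIL
    head -c 64 "$work/good.tgz" > "$work/bad.tgz"    # simulate a damaged backup
    verify_restore "$work/bad.tgz" "$work/data" && bad=ok || bad=FAIL
    rm -rf "$work"
    echo "good backup: $good, truncated backup: $bad"
}

demo
```

Run it from cron against a real archive and a real source tree and alert on a non-zero exit; the comparison also fails when the source has changed since the backup was taken, which is the signal that the backup schedule is not keeping up with the data you would actually need back.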
One last point: there were a couple of mentions of enforced regular password changes. Interestingly, this is no longer accepted good practice (NIST SP 800-63B, for example, now advises against periodic forced changes and recommends changing a password only when there is evidence it has been compromised). Without going into all the reasons why, the best thing is a strong password of at least 14 characters plus MFA. If you are interested in the reasons behind this change of recommended practice there is a great article here.