‘Tis the season to do some cybersecurity cleanup for your business’s computer system. What, you aren’t thrilled about getting started, so you are ho-humming instead of ho-ho-hoing? Well, you may feel a bit more cheerful once you clear the tinsel webs out of the way by starting your own cybersecurity holiday cleanup checklist.
Besides, knowing that you are shoring up your system to get through the holidays without any data breaches that could damage your customers and your reputation is probably a good enough reason.
Grinches, also known as cybercriminals, will be out in full force to revel in the holiday season in their own nefarious ways, looking for vulnerabilities to sneak into everyone’s system, including yours. Before we get into the good security measures that you should check off your list, let’s talk about who’s on the naughty list this year.
Top 5 Computer System Vulnerabilities
Take a look at the five most common vulnerabilities in your organization’s computing system.
- SQL Injections (SQLi) – Even though this vulnerability was identified more than 20 years ago, it remains in the #1 spot on OWASP’s Top 10 List for web vulnerabilities.
- Poor Password Hygiene – This is another problem that has been on our naughty list for a long time, but is still a big one according to Tech Radar. Your organization could be exposed to major risk if employees are reusing the same password across several platforms.
- Out-of-Date Software Patches – When you and your staff do not install new patch releases as soon as you are notified of them, it leaves an easy entry point for cyber criminals.
- Broken Authentication – Websites with broken authentication vulnerabilities are also very common these days. Logic flaws in an application’s authentication mechanism, such as username enumeration or improper session management, let a malicious actor who uses brute-force approaches to guess or validate genuine user accounts gain control over an account or the entire system.
- In-House Designed and Developed Software – There is a great deal of risk involved with self-developed software. It doesn’t offer the same assurance of rigorous third-party testing, user feedback and the many safeguards that popular and well-known app developers provide.
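To illustrate the first and fourth items above (SQL injection and broken authentication), here is an added example that is not from the original article: the same login check written two ways in Python with sqlite3. The user table, the account “alice” and its password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user store for the demonstration (not real data).
# The weak table keeps plaintext passwords; the hardened one keeps salted PBKDF2 hashes.
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_weak (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users_weak VALUES ('alice', 'correct horse')")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, _pbkdf2("correct horse", salt)))
    db.commit()
    return db

def login_vulnerable(db, username, password):
    # Untrusted input is spliced straight into the SQL text, so the caller
    # controls the WHERE clause: a username such as  ' OR 1=1 --  turns the
    # rest of the condition into a comment and matches every row.
    sql = f"SELECT 1 FROM users_weak WHERE username = '{username}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    # Parameter binding keeps the SQL structure fixed whatever the input contains.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    # Do the same hashing work and return one generic message whether or not the
    # username exists, so neither timing nor wording helps username enumeration.
    salt, stored = row if row else (b"\x00" * 16, b"\x00" * 32)
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored) and row is not None
    return ok, ("Welcome" if ok else "Invalid username or password")
```

The hardened version does not stop password guessing on its own; rate limiting and account lockout, mentioned in the checklist items that follow, are still needed.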
Cybersecurity Checklist for a Joyous and Incident-Free Season
You don’t have to fall prey to hackers’ plans, plots and schemes this year, as long as you have a plan in place.
Our own team of IT security elves, which includes a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM), has put together a handy and highly proactive cybersecurity holiday cleanup checklist.
We believe yule love this list, and it may be just the inspiration you need to help you kick off the season with confidence.
1. Inventory data access and protections before New Year’s.
Answering a few basic questions about your company’s data can help you properly develop the rest of your office IT security checklist. We recommend the following three questions, based on ideas set forth by the Federal Communications Commission (FCC):
- What Kind of Data Does Your Business Handle? Most data have value to someone, but some sensitive data has a significant monetary value to hackers. Your basic operations files are likely not the primary objective for cybercriminals who are more interested in your customers’ sensitive data like social security numbers, home addresses, birth dates, driver’s license numbers and banking information.
- How Do You Handle and Protect Your Data? Basically, what are you doing right now to protect all data under your care, whether at rest or while on-the-move? Data that is on-the-move and active is any data that is in use for transactions, analysis and marketing purposes. Each time your data is accessed, it becomes exposed to unique risks.
- Who Has Access to Your Data and Why? Not everyone has, nor should they have, access to all company data. Restricting access to data makes it easier for you to monitor any usage of that information to keep it safe and prevent any unnecessary movement that exposes it to dangers. Assign access to employees upon hiring, depending on their department and any other factors you determine, so you can manage and track their usage from the onset of their employment.
2. Update and upgrade everything with the latest jingle bells and whistles.
Cybercriminals work overtime during the holiday season, scouring your system’s gateways, looking for the smallest vulnerability to sneak their way in. Unfortunately, older versions of hardware, software, and anything else are classic infiltration zones.
From your operating system to your software programs to your hardware, updates are critical to keeping your system healthy, according to the American Institute of Certified Public Accountants (AICPA). Following are some of the key updates and upgrades that we recommend.
Operating System Updates.
Whether you use Microsoft Windows or Apple OS, it is important that you set your system up for automatic updates.
Outdated hardware is a huge vulnerability for today’s businesses. Take your payment terminals as one example: any time a credit card is swiped for payment, the customer’s data becomes vulnerable, particularly if the merchant is still using outdated payment hardware and gateways. If you have outdated payment hardware, or any other outdated hardware, now is the time to upgrade.
Following are additional hardware pieces to inspect:
- Mobile devices
- Point-of-Sale terminals
- Wi-Fi routers
With any necessary upgrades and updates in place, you can greatly reduce security flaws, thwarting holiday hackers and shutting them down at the gateway to your workshop.
If you are using older software versions that no longer receive updates, known as “end-of-life” software (Windows XP, for example), it is time to upgrade. No matter how great those programs were a decade ago, they are simply not safe for your operating environment now.
In addition to your desktop and laptop computers, remember your employees’ mobile device apps while attending to the software portion of your holiday checklist. If your staff members regularly use smartphones or tablets for work tasks, make sure to update—or ask them to update—their devices for the latest system upgrades and minor updates to help prevent any type of infiltration.
Anti-malware software is crucial to keeping your system safe, of course. Make sure your anti-malware programs are set up to frequently check for updates and scan the device, or devices, on a set schedule. In larger firms, you may update your antivirus through a centralized server. Even better, when you work with a cloud service provider, they continually monitor and manage antivirus updates.
Old and outdated browsers often contain security holes. New browser versions are easy to find, download and install, and they are much faster and more secure.
Wireless Router & Network Devices
Go over all wireless networks and access points to make sure there are no rogue devices camped out. Put password policies in place, or simply tighten up existing policies to ensure everything is being strictly followed during the busy season.
3. Put a bow on password concerns with a thorough audit.
Password management is one of the toughest areas for IT to wrap up with a nice neat bow for the holidays. In the meantime, one promising strategy includes using a “password manager” tool that your employees can load onto their desktop. A few password management options include LastPass and Dashlane. These tools remind employees to periodically update passwords. They also require them to create a strong password, according to your company’s standards.
4. Let your heart be light and your system run faster.
It’s the most wonderful time of the year to purge any unused software and applications. Send out a reminder to staff to identify any programs that they are no longer using and uninstall them. This will help their hardware run more efficiently and eliminate any unnecessary security vulnerabilities that are associated with these outdated programs.
5. Update IT policies for peace on Earth, or at least in the office.
To help protect data in an ever-changing threat environment, compliance regulations are updated often and standards become more stringent. That’s why now is a good time to review regulations and get informed about upcoming compliance changes. Then, you can remind employees of their ongoing responsibility to help keep the computing network safe. Give employees new copies of the policy manuals when updated, and provide any necessary training to help reinforce policies.
6. Offer a workshop for your own elves to prepare for seasonal cybersecurity threats.
No matter how experienced your employees are, it never hurts to add in a holiday training workshop to raise awareness in time for the busy, high-risk season. If you don’t already have one, develop a security incident response plan that details the measures for understanding when, where, and how data has been compromised, as well as what subsequent steps should be taken. Distribute this incident response plan to personnel so they know how to document the events leading up to a breach, whom to notify, and how internal and external communications will be handled.
7. Check the chimney with care, as well as the rest of your physical office space.
Technology theft is still a real threat; when hardware is stolen, it can lead to a massive breach of sensitive data. All industries, including retail, manufacturing, and finance, can fall prey to real-life Scrooges. Stay vigilant and implement security controls, such as installing security cameras at building exits and limiting access to key areas.
8. Call in IT security experts to help tick off items on your holiday security checklist.
Call in reinforcements to perform a full-scale threat assessment on your system to identify any lumps of coal that haven’t been addressed yet. Hiring outside security techs brings in a fresh set of eyes to check firewalls and encryption settings, and run a full anti-virus scan to make sure all security software is up-to-date.
9. Perform a pen test to ensure all is calm, and all is bright.
The main objective of penetration testing is to spot any security weaknesses. A pen test can also be used to test an organization’s security policy compliance, employee security awareness, and an organization’s ability to identify and respond to security incidents. Pen testing can be a great step at the end of the year. This way, you will be ready to clearly lay out the plan for addressing specific vulnerabilities in the new year.
Prepare for the Holidays & a Bright New Year with I.S. Partners
Our team understands the extra stress, as well as joy and potential profits, that accompany the holiday season. We are here to help you dash through the holidays with our checklist, or we can come in and run through the list ourselves to give you an objective perspective on all of your cybersecurity concerns.
Our auditing professionals at I.S. Partners, LLC, are here, ready and able to help you develop an ironclad office IT security checklist to ease your workload at every time of year.