Best Practices in Cybersecurity: Securing Your Digital Walls By: Lew Tucker, Gary Nichols
If you use your company's website, email or mobile phones, you are your company's first line of defense against state-funded cyber armies, criminals and common hackers. Cybersecurity teams across all industries are actively engaged in a global cyber war against these bad actors, who aim to compromise your data and your company's data and information. Fortunately, there are three basic cybersecurity best practices to help you defend your company's virtual walls like a veteran.

1. Account for the human factor: Avoid scams and practice good password hygiene

“As the world goes digital, humans have moved ahead of machines as the top target for cyber criminals,” wrote Steve Morgan of CSOonline.com. Your cybersecurity teams are hyper-focused on building your company’s virtual wall against current and emerging cyber risks, vulnerabilities and threats. Criminals know this and look to exploit a softer target in your “wall” – you. Their tactics generally take the form of password theft and phishing scams.

Practice Password Hygiene

According to the 2017 Verizon Data Breach Investigations Report, “81% of hacking-related breaches* leveraged either stolen and/or weak passwords.” Password hygiene, that is keeping your passwords strong, unique and up to date, is your contribution to strengthening your company’s virtual wall. A simple three-step exercise can help you build a powerful password.

  1. Think of something unique to you. “I like sailing and spreadsheets.”

  2. Build a creative phrase you can remember. “One fine sailor loves numbers.”

  3. Strengthen your phrase with numbers, capitals and symbols. “1fine$ailorL0ves#s”

Length does more for you than substitutions: a long phrase you can actually remember is harder to guess than a short one dressed up with symbols, and a phrase built from common words is still weaker than a random string of the same length.

If you are one of the “39% [of online adults who] say that they use the same (or very similar) passwords for many of their online accounts,” according to a 2016 Pew Research Center report, use a “password vault.” Many companies invest in password vault services, where employees can safely store their collection of usernames and passwords in a single application. Password vaults are convenient, can generate a different random password for every account, and discourage forgotten or written-down passwords.
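As an added example (not part of the original article), the following Python script estimates how hard each of the passwords above would be to brute-force, checks them against a small constructed common-password list, and generates the kind of random per-account password a vault produces. The policy thresholds (12 characters, 60 bits) and the common-password list are assumptions for the demo; a real check would use a much larger breached-password corpus.

```python
import math
import secrets
import string

# Constructed stand-in for a breached/common-password list (assumption: a real
# check would use a far larger corpus, e.g. a downloaded Have I Been Pwned set).
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "12345678",
    "qwerty", "letmein", "welcome1", "iloveyou",
}


def charset_size(password: str) -> int:
    """Size of the pool an attacker must search per position, from the
    character classes actually present in the password."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    return pool


def estimate_bits(password: str) -> float:
    """Brute-force entropy estimate, log2(pool ** length). This is an upper
    bound: attackers try dictionary words and known phrases first, so a
    phrase made of common words is weaker than this number suggests."""
    pool = charset_size(password)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def assess(password: str, min_length: int = 12, min_bits: float = 60.0) -> dict:
    """Apply a simple policy: not a known-common password, at least
    min_length characters, and at least min_bits of estimated entropy.
    The thresholds are assumptions for this demo, not a published standard."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = estimate_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.1f} bits, below {min_bits:.0f}")
    return {"bits": round(bits, 1), "ok": not reasons, "reasons": reasons}


def generate_password(length: int = 20) -> str:
    """What a password vault does for you: a random, unique password per
    account, drawn with a cryptographically secure generator."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in [
        "password123",                       # common and short
        "1fine$ailorL0ves#s",                # the article's three-step result
        "One fine sailor loves numbers",     # the plain phrase from step 2
        generate_password(),                 # vault-style random password
    ]:
        result = assess(candidate)
        print(f"{candidate!r}: {result['bits']} bits, ok={result['ok']} {result['reasons']}")
```

Note that the unmodified step-2 phrase scores higher than the step-3 result simply because it is longer; length buys more than symbol substitution. The vault-generated string is the strongest in practice because it is not built from dictionary words, a weakness this crude character-pool estimate cannot see.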
 
Avoid Phishing links and attachments

Phishing is a fraudulent email, masquerading as legitimate, intended to trick you into clicking on a hyperlink or opening an attachment. If you open one of these links or attachments, you may inadvertently welcome malware or ransomware into your company. Ransomware, as the name suggests, locks down your data or device until your company pays the criminal. To avoid phishing scams, scrutinize your emails, especially those with links or attachments: check the sender's actual address rather than just the display name, hover over a link to see where it really leads before clicking, and be suspicious of any message that pressures you to act immediately.
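As an added example, not from the original article, this Python script performs the kind of link scrutiny described above on a constructed HTML email body: it extracts each link, compares the domain the reader sees with the domain the href really points at, and flags raw IP hosts, punycode hosts and domains that merely contain a trusted brand name. The sample email, the trusted domain example.com and the naive two-label domain comparison are assumptions for the demo.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s) that phishers would imitate.
TRUSTED_DOMAINS = {"example.com"}

# Link text that looks like a URL or bare domain, so we can compare what the
# reader sees with where the href really goes.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)

# Constructed sample email body; not a real message.
SAMPLE_EMAIL = """\
<p>Your account has been locked. Please verify your details within 24 hours.</p>
<p><a href="http://example.com.login-verify.net/reset">www.example.com/reset</a></p>
<p><a href="http://203.0.113.5/update">Update your details</a></p>
<p><a href="http://xn--exmple-cua.com/login">example.com</a></p>
<p><a href="https://www.example.com/help">Help center</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain; '' for mailto:/tel: links."""
    if url.lower().startswith(("mailto:", "tel:", "javascript:")):
        return ""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Naive 'registered domain' (last two labels). Assumption: good enough for
    the demo; production code should consult a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def suspicious(href: str, text: str) -> list:
    """Reasons a link deserves a second look before clicking."""
    reasons = []
    host = host_of(href)
    if not host:
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("links to a raw IP address instead of a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (internationalised) host, possible lookalike characters")
    if URL_LIKE.match(text):
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"displays {shown} but points at {host}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and registrable(host) != trusted:
            reasons.append(f"uses '{brand}' in the name but is really {registrable(host)}")
    return reasons


def scan_email(html_body: str) -> list:
    """Return one record per link: href, displayed text and the reasons found."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [{"href": h, "text": t, "reasons": suspicious(h, t)} for h, t in parser.links]


if __name__ == "__main__":
    for link in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if link["reasons"] else "ok"
        print(f"{verdict:10} {link['text']!r} -> {link['href']}")
        for reason in link["reasons"]:
            print(f"             - {reason}")
```

Run it and three of the four links are flagged; only the link whose href really resolves to www.example.com passes. The same checks are what a mail gateway or a careful reader applies by hand: the text of a link proves nothing, the href does.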

2. Ask your Third Party

Your cybersecurity strategy may be sound, but if you use third-party vendors as part of your business strategy, make sure they meet your standards for protecting themselves, the services they provide and the data they store. Here is a list of questions to consider:
  • Authentication – Authentication is verifying that you are who you say you are. Ask your third party:
    • how they authenticate users to their services,
    • whether they have a password policy, and
    • whether they implement other verification measures, such as multi-factor authentication (security questions are a weak control and should not be their substitute for it).
  • Monitoring & Response – Monitoring is all about visibility. Ask your third party:
    • how they monitor access to and activity within their systems, and
    • how they respond to unauthorized access or unusual behavior.
  • Access – Access is managing who (or what) may enter and use a system. Ask your third party:
    • how they limit access to sensitive information, with layered privileges that give their employees only the documents and systems they need to perform their daily duties.
  • Data Protection – Data is the currency of digital business. Ask your third party:
    • to identify where your data is physically located,
    • who has access to it, and
    • what steps they take to protect your data within their systems.
  • Privacy & Trust – Trust, but verify. Ask your third party:
    • how they intend to use your employees’ and clients’ data and information, and
    • to agree to and comply with the terms and conditions established in your non-disclosure agreements.

3. Lastly, Create a Culture of Awareness

Cybersecurity best practices should be a part of your workplace culture. Specifically, you and your employees should understand your role in protecting your company’s digital assets and clients. Reinforce the importance of maintaining information security, and crowdsource potential security issues and solutions, through periodic security awareness and training, including computer-based training, emails, posters, workshops and meetings.

Cybersecurity is not a one-time event but a continuous process. Routinely review your own risks and those of your third-party partners. If you continuously improve your employees’ cyber-awareness, they will be better prepared to proactively avoid potential threats and vulnerabilities to your business.

Sources: 
  • https://www.verizonenterprise.com/resources/reports/2017_dbir_en_xg.pdf
  • http://www.pewresearch.org/fact-tank/2017/01/26/many-password-challenged-internet-users-dont-take-steps-that-could-protect-their-data/ 
  • https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html 

*Breach - An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. (¹)
DDoS – Distributed Denial of Service. A cyber-attack method intended to overwhelm a system, disabling or disrupting its services, by flooding it with traffic or requests from many sources at once.
Phishing – A digital fraud attempt to trick individuals into providing information or granting access to a system.
Malware – Malicious software that performs unauthorized operations on systems or information.
Hackers – Individuals who use technology to access and/or disrupt an application or system.
The information contained herein is for informational purposes only and not intended to be specific to your situation, nor be absolute protection against cyber-criminal activity. Please consult with an expert for how this applies to your specific situation.

0718-84J3
Lew Tucker

Lew Tucker is a Communications Strategist for Charles Schwab’s Cybersecurity Services organization. He oversees organization communications and cyber-awareness campaigns in support of Schwab’s vision. He has led IT communications for Ferguson Enterprises and Department of Defense’s Joint Chief of Staff...

Gary Nichols

Gary Nichols is the Managing Director of Security Design & Engineering for Charles Schwab. He oversees information security standards, researching and recommending security technologies, managing cloud security strategy, and establishing security designs and prescriptive architectures for the Firm. ...
