
10 Cybersecurity Best Practices in 2020

December 18, 2019 | Posted in: IT Security | Posted by Matt McGrath

In light of the uptick in breaches at small and medium-sized businesses (SMB), I wanted to briefly review the cyberthreat landscape and offer some cybersecurity best practices organizations can implement to better position their businesses against the bad guys.

For years it’s been predicted that cybercriminals would eventually turn their attention to higher volume, smaller targets, namely SMBs. Compared to Q1 of 2018, the number of reported breaches among SMBs is up 57%, and the number of exposed records is up 29%. These numbers stress that the threat is very real. With cybercriminals actively targeting millions of businesses, it’s wise to assume one of those businesses is yours.

We see SMBs targeted every day and can attest that clients who follow recommended security best practices are materially better positioned to prevent and/or respond to today's threats. User behavior remains the most important link in the cybersecurity chain, so we will continue our “creating a culture of security” drumbeat as the foundation of any good security strategy. At the same time, users demand and require the ability to work seamlessly on multiple devices (many of them not company-issued) while traversing public and private clouds. The good news is that you already know how to drive this change, because, as with any change in business, creating a culture of security is ultimately a change management exercise, requiring vision and leadership. Since you’ve already got the leadership part nailed, here is some practical guidance on the vision in the form of 10 best practices to follow.

10 Cybersecurity Best Practices

1. Enable Multi-Factor Authentication (MFA)
2. Implement Security Awareness Training
3. Conduct a Cybersecurity Risk Assessment
4. Employ a Device Management Solution
5. Know the Realities of Your Backups
6. Test Your Business Continuity Plan
7. Create Effective Security Policies
8. Build a Vendor Management Program
9. Obtain Cyber Insurance
10. Develop an Incident Response Plan


1. Enable Multi-Factor Authentication (MFA).
Level of Difficulty: LOW | Cost: LOW

The most recent Verizon Data Breach Investigations Report stated that 81% of hacking-related breaches are due to compromised, reused, or weak passwords:

“As companies continue to transition to more cost-efficient cloud-based solutions, their email and other valuable data migrate along with them. Criminals simply shift their focus and adapt their tactics to locate and steal the data they find to be of most value. Consequently, there has been a corresponding increase in hacking cloud-based email servers via the use of stolen credentials.” 

Multi-Factor Authentication, or MFA, has become a vital cybersecurity tool for preventing data breaches that stem from compromised credentials. MFA supplements your password requirements by adding further layers of identity verification. A typical example is requiring something you have, such as a smartphone or hardware token that receives a one-time code, in addition to something you know, such as your login credentials.

IF YOU DO NOTHING ELSE ON THIS LIST, ENABLE MFA.

2. Implement Security Awareness Training.
Level of Difficulty: LOW | Cost: LOW

Can you spot a phishing email when you see it? What do you do when you get an unexpected .pdf attachment from someone you don't know? Have you thought about how Mike in Accounting or Judy in Sales should handle these emails? The Verizon Data Breach Investigations Report found that 1 out of every 14 users fell for a phishing attempt. Given the sophistication of business email compromise (BEC) these days, it's no wonder untrained users are often tricked into doing something they otherwise would not do. With Security Awareness Training, you and your staff stay on top of the latest cybercriminal tactics, so you can keep attackers from accessing your network, fraudulently transferring funds, or causing a data breach.

3. Conduct a Cybersecurity Risk Assessment.
Level of Difficulty: LOW | Cost: MEDIUM

“IS MY BUSINESS SECURE? HOW SECURE ARE WE?” are two questions we hear again and again. To know whether your business is secure, you must know your risks. A cybersecurity risk assessment of your defenses will tell you whether the processes and policies you currently have in place are effective. A professional assessment will also provide recommendations to protect your business moving forward. Although I have identified this best practice as a medium expense, the knowledge and information you gain from a security assessment is PRICELESS.

4. Employ a Device Management Solution.
Level of Difficulty: MEDIUM | Cost: LOW

Device Management is how you extend the security policies you have defined to devices that spend most of their time outside your office and off your secure network. This can range from something as simple as the ability to wipe corporate data off a device, to applying multiple layers of checks before a device is allowed to connect to your network. There is a good chance you have been accessing corporate email from your smartphone for years, but you should not assume this is as secure as it would be under a device management solution.

5. Know the Realities of your Backups.
Level of Difficulty: DEPENDS | Cost: DEPENDS

Backup is no longer just about recovering a file that was accidentally deleted or restoring data if your building burns down. Backup is now the best and fastest way to recover from ransomware and other cyber incidents. How much do you know about your backup and, more importantly, your recovery? Is it protected from ransomware? How fast do you need to recover? How far back in time are you willing to go when you restore? Your answers to these questions will determine which form of data protection is right for your business, the cost to implement and maintain it, and what to expect should an incident occur.

6. Test Your Business Continuity Plan.
Level of Difficulty: DEPENDS | Cost: DEPENDS

From the coronavirus (COVID-19) to the wildfires in California, to a data breach, to losing your internet connection, business disruption comes in all shapes and sizes. When disruption happens, your Business Continuity Plan (BCP) will help you access the business processes, data, and apps that are critical to keeping operations going. Your plan shouldn’t be a document you dust off only in a time of need. Take time each year to think through your worst-case scenario and see whether your BCP can sustain operations during a disaster. Testing can range from acting out a table-top disaster scenario to a full-scale site-to-site failover exercise.

7. Create Effective Security Policies.
Level of Difficulty: LOW | Cost: LOW

Security policies inform your staff on how to protect information and set the stage for defining which security solutions you need to have in place. Without policies specifying expected behavior and security controls, we’re relying on our users to ‘make the right choice’, which is a risky proposition. These documents also become critical in the event of a security audit or even an RFP response to win new business. If you don’t have someone on staff to build the proper set of policies, it’s worth finding an expert who can help you.

8. Build a Vendor Management Program.
Level of Difficulty: MEDIUM | Cost: LOW

In the Internet age, we have all become far more dependent on our business partners and vendors. A documented vendor management program becomes critical in the event of a cybersecurity event, or any other business continuity event for that matter. If you don’t have someone on staff to build one, I recommend you find someone who can help develop a customized program for your business. In addition to having the program, you need to test it annually with a table-top exercise.

9. Obtain Cyber Insurance.
Level of Difficulty: LOW | Cost: MEDIUM

Cyber Insurance is a way to transfer your financial risk should a breach or significant security incident occur, and it’s very important that you understand what’s covered and what’s not. First-party coverage applies to losses that happen directly to you, while third-party coverage pays expenses related to a breach that happened to your client. Beyond that, what level of legal counsel, public relations, forensics, and restoration services are included? Will the policy pay a ransomware demand? Here is where we see the biggest gap in Cyber Insurance: while it may pay for much of the work to recover and get back to business, who is doing that work? You will typically need a partner with deep technical skills to do this in a secure and proficient manner.

10. Develop an Incident Response Plan.
Level of Difficulty: LOW | Cost: LOW

An Incident Response Plan (IRP) is a document or series of documents intended to guide you in the event of an emergency. These documents become critical in the event of a cybersecurity event, or any other business continuity event for that matter. If you don’t have someone on staff to build one, it’s worth finding a cybersecurity expert who can help you. In addition to having the plan, you need to test it annually with a table-top exercise.


Keeping your business secure is critical to its success. Employing these cybersecurity best practices will go a long way toward securing your organization and its critical data.

Matt McGrath | President
Systems Engineering