MFA is the use of two or more factors to grant a user access to a resource. For example, in addition to requiring a password, a system may send a one-time numerical passcode to a user’s smartphone that they then have to type into a challenge screen. Or a system may require an additional biometric identifier such as a fingerprint or facial recognition.

Strong password policies include requirements on the length of passwords (at least eight characters), characters (at least one number and one other mark), rotation (e.g., quarterly), prohibition of reuse. Strong password controls are the mechanisms you use to make sure that users’ passwords do in fact meet your criteria for strength, rotation, and non-reuse.

The security community is constantly discovering vulnerabilities in popular software products, which are then publicly announced as a Common Vulnerability and Exposure (CVE). So software companies are constantly issuing security “patches” to address those CVEs. The longer it takes your IT team to install those patches, the longer you remain vulnerable to attackers who constantly search for and exploit CVEs wherever they find them.

Your current employees have lots of access to your data and systems. So when you terminate an employee, it’s important to revoke all of those access privileges. This is especially true in the case of a disgruntled employee who may want to do harm to your company as an act of revenge—or one who goes to work for one of your competitors.

Cybercriminals commonly penetrate an organization’s cyberdefenses by tricking users with fake emails and/or deceptive phone calls (“phishing”). One of the most important ways organizations protect themselves against these social-engineering tactics is to train their users in best practices for safe computing. The safest organizations also perform simulated phishing attempts on themselves to see if the training has been effective.

Getting hacked or phished doesn’t have to spell disaster for your company IF you can detect and interdict malicious activity inside your network before the invader can reach your most valuable data and systems. But to do that, you must have a reliable way of detecting indicators of suspicious activity in your environment. And you must be able to respond to the detection of such threats quickly and decisively.

Score

The administrators of your IT systems (sysadmins) have the most far-reaching privileges in your organization. And they need those privileges to perform their everyday technical tasks. But if a hacker gets hold of those sysadmin credentials—which they invariably try to do—they can do virtually unlimited damage. That’s why it’s essential to limit the damage hackers can do by making sure no single administrative credential can grant them access to everything.

Your firewall is a key component of your cyberdefense—ideally capable of blocking any unauthorized network traffic while not blocking any traffic that your people need to be productive. But it’s not easy to achieve that balance. Any hackers will take advantage of any gaps in your firewall protection.
So smart companies regularly test their firewalls from the outside (penetration testing) to find

gaps and fix them before the bad guys do.

Cyberinsurance provides vital financial protections from the consequences of a cyberattack or other technology-related business interruption. But due to unsustainable losses, insurers are adopting increasingly stringent underwriting policies. To qualify for the right coverage at the right price, organizations must therefore be able to demonstrate that they have taken steps to minimize their prospective insurer’s exposure to risk.

Your backup files can be your last line of defense against a costly, extended business interruption. But it’s not enough to just copy your files. You must ensure that you could actually restore those files successfully to production-readiness if you needed to. You must make sure you’re backing up the files you need as often as you need to. And you must make sure that hackers can’t get to those backup files at the same time as they attack the rest of your business.

Once cyberattackers succeed in compromising one organization, they often use that beachhead to launch attacks on other adjacent organizations. So if you do business with companies that are lax when it comes to cybersecurity, they are putting you—and your customers—at risk every day. The solution, of course, is to set some minimum standards for your vendors—and to require them to provide some documentary evidence that they are in fact fulfilling those standards.

Cloud-based applications and services offer compelling value by allowing your organization to acquire new digital capabilities without the additional capital and operational expenses associated with deploying more IT infrastructure internally. But your cloud providers are not responsible for your security and compliance. You are.

Cybersecurity isn’t just about keeping criminals from hacking you over the internet. It’s also about keeping them from getting to your sensitive data and critical systems by more ordinary means, such as simply sticking a thumb drive into an open USB port. To maintain this physical security, organizations must control physical access with the same rigor as they do digital access.

Business email compromise (BEC) is a common occurrence—which is just one reason that your employees should never transmit sensitive data such as Social Security numbers and banking information as plain text in their unencrypted emails. Organizations can prevent this from happening by implementing a number of measures that include employee training, email encryption, recipient authentication, and data loss prevention (DLP) technologies.

Just about every company is subject to regulatory mandates regarding the way it manages data. For companies that handle credit cards, that mandate is PCI. For healthcare, it’s HIPAA. For financial services, it’s SEC and FTC guidelines. Compliance with these mandates requires that companies implement specific types of cybercontrols. Compliance also requires that companies be able to document their implementation of those controls to auditors.

Every bit and byte and every computer in your organization and every application you use in the cloud is data. But not all data is created equal. The flier announcing your next company picnic is not the same kind of data as the HR file where you keep all of your employees’ Social Security numbers and ACH banking instructions. An effective risk mitigation strategy treats each of these data types appropriately in terms of access controls, encryption, backup, and other cybersecurity measures.

Organizations increasingly depend on remote workers. Some of those remote workers
are salespeople, field service workers, and other road warriors who need to stay productive wherever they are. Others are the new generation of work-from-home (WFH) workers who only come into the office when they need to. Any organization seeking to attract the best talent—and to keep that talent productive even if extreme weather or a natural disaster keeps them from coming to the office—therefore needs to safely enable remote work.

Despite all your precautions, your organization may still get hit by ransomware or some other type of cyberattack. But you can still significantly reduce the short- and long-term adverse impacts of those incidents by responding quickly and decisively. And your IR plan needs to encompass more than just restoring data from backups. It has to include pre-rehearsed processes for identifying and neutralizing the attack, communicating

with employees via alternative channels, and making appropriate disclosures to customers.

Effective cyberrisk management requires more than just installing some security tools.
It requires strategic leadership to ensure that your security budget is being allocated wisely, that technology-related risks are proactively factored into executives’ business decisions, and that your organization’s security and cybercompliance posture is subject to the discipline and accountability needed for continuous improvement.

In an increasingly tech-centric world fraught with risk, effective security and cybercompliance are as central to an organization’s performance as its human capital, its intellectual property, its go-to-market strategy, or its financial management. That’s because security and compliance failures can permanently alienate customers, destroy brand reputation, and significantly diminish a company’s valuation in the eyes of investors.