Of course, every month is cybersecurity month here at JM Addington Technology Solutions, but for most businesses the core focus is on something else: your core competency. You still need to set aside enough time to see how well your business is protected from ransomware and cybercriminals. The list of security controls to implement seems never-ending, and they are all important, but prioritizing is the art and science of putting things in order of importance.
With that in mind, here are the top things your business can do to stay secure*:
- Use strong passwords. By strong I mean passwords like HVtbiq1lyuMDcIFUfhrptKj. Stolen credentials are now the number one way criminals get into your data.
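The post's sample password is 23 random letters and digits. As an added example (not code from the original post), the block below generates passwords of that kind from the operating system's cryptographic random source and works out how much entropy they carry, so you can see why 23 random alphanumeric characters is a very different thing from a 23-character sentence. The 80-bit minimum and the function names are assumptions of this example, not a standard.

```python
import math
import secrets
import string

# Alphabet matching the kind of password shown above: upper, lower, digits (62 symbols).
ALPHANUMERIC = string.ascii_letters + string.digits


def generate_password(length: int = 23, alphabet: str = ALPHANUMERIC) -> str:
    """Return a password drawn uniformly at random from `alphabet`.

    `secrets` uses the OS CSPRNG; never use `random` for this.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def is_strong(password: str, alphabet: str = ALPHANUMERIC, minimum_bits: float = 80.0) -> bool:
    """Strength check for a *randomly generated* password.

    Assumption of this example: 80 bits is the bar. The estimate only holds when the
    password really was generated at random; a human-chosen word or phrase scores far
    lower in practice even if it is long, because attackers guess words, not characters.
    """
    if any(ch not in alphabet for ch in password):
        return False
    return entropy_bits(len(password), len(set(alphabet))) >= minimum_bits


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHANUMERIC)):.1f} bits", is_strong(pw))
```

A 23-character alphanumeric password works out to about 137 bits; an 8-character one of the same alphabet is under 48 bits, which is why length matters more than clever substitutions. The practical version of this advice is a password manager that generates and stores these for you.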
- Multifactor Authentication (MFA) on everything. This is more easily bypassed today than it used to be, especially for M365. But it still is one of the best things you can do. Go to https://2fa.directory/us/ to see if your logins are supported.
- Go beyond antivirus (AV). Antivirus (including NextGen) is a dated concept. Today there are applications that STOP bad programs from executing – ever. AV is fine as a security layer, but you can’t count on it like in years past.
- Phishing simulations – even after years of education, 20% of employees will click on a phishing link. I assume that someday I will click on a link. But dropping 20% down to 10% is still a MASSIVE mitigation of risk.
- Have a Security Operations Center (SOC) that focuses on your cloud applications. Workstations and endpoints are important, but your critical data is in the cloud. You need someone who watches it 24/7 and doesn't take Christmas off.
- Store your data in secure cloud locations. This is a step beyond OneDrive and Dropbox. I'll be honest: it isn't always easy, and sometimes you can't move all of it into less accessible locations, but do what you can.
- Move from "blacklisting" to Zero Trust (ZTA). Blacklisting is stopping known bad things; ZTA is assuming that everything is bad (apps, network connections, websites) and only letting things known to be good access your data. We've implemented ZTA for years now and no managed client has ever had a ransomware incident.
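The difference between the two models comes down to what happens with something nobody has seen before. This added example (not the post's or any product's code) runs the same three execution requests through a hash-based blocklist and a hash-based allowlist; the file contents, hashes and program names are constructed stand-ins. Real application-control products usually trust by publisher signature or path rule rather than raw hashes, so treat the hash sets as a simplification.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ExecRequest:
    """A program trying to run. `content` stands in for the on-disk binary (constructed)."""
    path: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: what the business has approved, and what AV vendors have already seen.
KNOWN_GOOD = {sha256_hex(b"acme-erp-client v4.2"), sha256_hex(b"office-suite v16")}
KNOWN_BAD = {sha256_hex(b"ransomware-sample-A")}


def blocklist_decision(req: ExecRequest) -> str:
    """Default allow: only things already known to be bad are stopped."""
    return "deny" if sha256_hex(req.content) in KNOWN_BAD else "allow"


def allowlist_decision(req: ExecRequest) -> str:
    """Default deny (Zero Trust style): only things known to be good may run."""
    return "allow" if sha256_hex(req.content) in KNOWN_GOOD else "deny"


def compare(requests: List[ExecRequest]) -> List[Tuple[str, str, str]]:
    """Return (path, blocklist verdict, allowlist verdict) for each request."""
    return [(r.path, blocklist_decision(r), allowlist_decision(r)) for r in requests]


# Constructed sample events: an approved app, a known sample, and a never-before-seen
# variant (the known sample with one byte changed, which defeats a hash blocklist).
SAMPLE_REQUESTS = [
    ExecRequest(r"C:\Program Files\Acme\erp.exe", b"acme-erp-client v4.2"),
    ExecRequest(r"C:\Users\pat\Downloads\invoice.exe", b"ransomware-sample-A"),
    ExecRequest(r"C:\Users\pat\Downloads\invoice(1).exe", b"ransomware-sample-A\x00"),
]


if __name__ == "__main__":
    for path, block, allow in compare(SAMPLE_REQUESTS):
        print(f"{path:45s} blocklist={block:5s} allowlist={allow}")
```

The third request is the one that matters: a trivially modified file sails past the blocklist because no one has catalogued it yet, while the allowlist denies it simply because it was never approved. The cost of the model is the approval workflow every new legitimate program needs, which is why it takes sustained management rather than a one-time switch.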
- Employee education – don't overestimate what your employees know about cybersecurity. Even the sharpest and most tech-savvy people have blind spots. Education at company meetings, video clips or in-person training is always a good idea.
- Don't use free wifi. Just don't do it. If you MUST, use a SASE application (think VPN on steroids) like Todyl, ControlOne or Perimeter 81.
- Separate your personal and work devices to the maximum extent possible. As a business owner, I understand that it's not 100% possible, but you sure can make progress. For example, my social media is synonymous with my company's: I will use LinkedIn on my computer, but you won't catch me playing games on my machine.
*I didn't say compliant! Insurance, PCI, ISO, HIPAA, FTC, SEC regulations and more will all require more, but we all have to start somewhere.