You probably know of an organization that has been the victim of a cyber attack: according to the 2020 Verizon Data Breach Report, 28% of all data breaches involved small businesses.
These cyber attacks don't make the news for a few reasons.
- Companies tend to be tight-lipped when something like this happens, so unless it affects thousands or millions of people, the news won't get wind of it.
- Even if they did get reports of every incident, there are far too many of them! It would be like the evening news reporting all of the speeding tickets that were written on any given day.
Cyber attacks are happening with increasing frequency and it’s clear that the minimum requirements for security don't cut it anymore.
As business technology has evolved, cyber criminals have improved their technology too. Unless your IT team has advanced cyber security tools and expertise, your business probably isn't able to keep up with managing all the cyber risks that threaten it every day.
But how do you know if your IT team has cyber security covered for your business?
Here are some questions you can use as discussion starters with your IT team to get a handle on what protections your company currently has, and where you may have some security holes.
If you find these conversations out of your comfort zone and want to know for sure if your IT team is doing everything they need to in order to manage cyber risks, the best thing to do is to get a third-party cyber security assessment.
8 Questions to Ask Your IT Team About Cyber Security
1. Are We Using Advanced Email Spam Filtering?
Spam emails and phishing scams continue to be a preferred way for cyber criminals to infect email inboxes with viruses and other malware, and to get people to do things that they wouldn’t ordinarily do.
Using the right email filter, however, you can catch and block out the majority of emails that are malicious in nature. These systems scan emails before allowing them into your inbox. This lessens the chance that you or your employees will accidentally click on malicious attachments or links that download harmful malware.
Setting up filters that flag external emails is also a good safety measure to lessen the possibility that emails sent from a look-alike domain will successfully impersonate your CEO in a scheme to transfer money or get access to bank accounts.
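As an added illustration (not code from the original post), here is the kind of check a mail filter applies to flag external senders and catch a look-alike domain impersonating an executive; the company domain, the executive directory and the sample messages are constructed assumptions:

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr
# Constructed assumptions: the company's real domain and a small executive directory.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Single-character look-alikes attackers swap into a domain (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted variants of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_domain(domain: str) -> str:
    """Fold Unicode compatibility forms, digit/letter swaps and rn/vv tricks."""
    d = unicodedata.normalize("NFKC", domain.lower())
    return d.replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)

def classify_sender(raw_message: str):
    """Return (verdict, reasons) for one RFC 822 message: internal, flag or block."""
    name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return "internal", []
    reasons = ["external sender"]  # every outside message gets at least a tag
    if edit_distance(normalize_domain(domain), COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and expected != addr.lower():
        reasons.append(f"display name impersonates {name}")
    # Plain external mail is only flagged; a look-alike domain or impersonation is blocked.
    return ("block" if len(reasons) > 1 else "flag"), reasons

# Constructed sample messages (not real mail) to exercise the three outcomes.
SAMPLES = [
    "From: Jane Doe <jane.doe@example-corp.com>\nSubject: agenda\n\nSee attached.\n",
    "From: Jane Doe <jane.doe@examp1e-corp.com>\nSubject: quick request\n\nCall me.\n",
    "From: Bob <bob@vendor.example>\nSubject: invoice\n\nAttached.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw))
```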
These systems aren't fool-proof though. Just as you are setting up blocks, hackers are actively working to get around them.
Keep your email as safe as possible with these best practices:
- Don’t open emails if you don’t know the sender.
- Only click on emails or attachments when you trust the sender.
- If anything seems odd about an email you receive - even if it’s from someone you trust - don’t interact with it. It could be a hacker impersonating someone you know.
- Alert your IT professional, outsourced or otherwise, immediately if you notice high volumes of “spam” looking emails.
- When in doubt, delete.
2. Are We Filtering Internet Content?
Safeguarding your business from malware and data leaks on the web is important. The same tricks used in emails are used on the web. One employee clicks this and downloads that, and BAM, a virus has infected your whole system.
To encourage productivity and limit risky website use, companies are turning to internet filters as a layer of protection. Modern internet filters don’t just recognize known malicious websites, they monitor the web pages that your employees routinely visit, and if a web page pops up that isn’t familiar or known to be legit, it can be blocked immediately.
When you’re setting up filters, consider your company size, budget, culture, and needs. Feel free to customize it too. If you've okayed social media platforms, you can always disable playing games on those sites. This limits what your people can do but still allows them to browse Instagram on their lunch.
3. Is Our Network Segmented?
The way you manage your network can add to or detract from your overall security. Segmenting your network is like adding locked doors between the digital spaces that hold your data. Even if a hacker gets into one section, they can be stopped before they infect your whole IT ecosystem.
For example, one segment of your WiFi should just be for guests. Guests should NOT be able to access the internet connection that runs your business. If they do, they'll have direct access to valuable data on your network. The best thing you can do is set up a separate wireless connection for your customers and guests. This should still have its own password, which should be changed periodically. This gives you the best protection and still allows you to accommodate your guests at the same time.
4. What Are We Using for Mobile Device Management?
With the influx of remote workers because of COVID-19, more workers are using cell phones, tablets, and their own personal devices. This setup might have been your only choice when you needed your people to become operational fast, but BYOD (Bring Your Own Device) adds risk.
Employee smartphones should be managed while they’re on your network to keep them from creating an entry point for cyber criminals. Different management techniques will control encryption and the access that your employees have.
Best practice is to provide your people with a company-owned and managed phone so that you can deploy robust mobile device management without creating conflicts with employees’ personal space and needs.
5. Are All of Our Operating Systems & Software Up-to-Date?
When was the last time you updated your operating system or software? Are you up-to-date with the latest patches and security? If your answer is "I don't know," it’s time to figure it out.
If your company has skipped by without any harm, consider yourself lucky. Updates are there to fix security holes that have been discovered. Sure, it might take some time to download and restart your computer, but if you don’t update your operating system and software when new patches are released, your whole system is left vulnerable to malware and other security threats.
In many businesses, your IT team will centrally manage and push out these updates to devices after they've been tested.
If you don't already have one, come up with a plan to stay on top of all updates to better safeguard your sensitive information. This should be a top priority and should be evaluated regularly.
6. Are We Using Advanced Firewalls?
Firewalls are a critical piece of network security, protecting you from online threats and unauthorized access to your network. Modern firewalls have advanced tools like Endpoint Detection and Response (EDR) that use Artificial Intelligence to monitor network traffic and alert you when something happens that is outside of normal patterns.
Consider firewalls the superheroes that combat hackers that lurk in the figurative night. In addition to EDR, they work with your other IT security devices, providing things like virtual private network (VPN), antivirus, anti-spam, anti-spyware, and content filtering.
New viruses, worms, and malicious attacks are created and released into the wild DAILY. That’s why keeping your firewall and other IT security devices current should be a priority to you and your IT team.
Better safe than sorry.
7. Are Our Backups Solid (And Are They Capturing Everything That's Important)?
Because cyber criminals now resort to extortion if you don’t pay a ransom to get your data back, you can’t look at your backups as insurance against a ransomware attack anymore. However, they’re still important for disaster recovery, because you need to know that you can continue operating if something catastrophic deletes or corrupts your data.
Your backups aren’t going to be complete if they don’t include all of the data that your employees work with.
Make sure that employees are saving files in the right place (not to their PCs and laptops) and that they’re using data storage that is visible and managed by your IT department. While these practices might not have been an issue when everyone was working in the office, make sure these bad habits didn’t get started when your people began to work from home.
Chat with your IT professional about the different kinds of backups and which one is best for your business. You should also cover how to keep your backups safe from hackers and malware.
8. Are Our Employees Getting Cyber Security Awareness Training?
Educating your employees and yourself on how to recognize and respond to potential threats can make your people a strong layer of defense in your fight against cyber crime.
EVERYONE should participate in ongoing cyber security training – from the CEO on down – because we've all fallen for social engineering tricks, clicks, downloads, and fake offers.
Cyber security awareness training should be ongoing. A once-a-year workshop isn’t going to be enough to keep employees up to date with current dangers and warning signs. Training is delivered through online platforms and practice exercises that include test spam messages, to see who might need more training.
Don’t forget about physical security, like making sure that computers are locked when not in use, and that your office (or your employees’ home offices) is keeping company equipment safe and out of the wrong hands.
Cyber Security Confidence Through Expertise
Your company is a target for cyber threats 24/7 and it’s a full-time job to protect your people, data, and network. Your IT management personnel should be up to date and engaged with all the latest in cyber security warfare, but it’s probably unrealistic to expect them to have the depth of knowledge and the investment in tools that are needed to be confident in your security.
Uncover Security Gaps with a Risk and Security Assessment
Get a Risk and Security Assessment to find out FOR SURE if your IT team is doing everything they should be doing to prevent your business from becoming a victim of cyber attack.