20 for 2020

Develop a top-level cyber-security policy that is issued by the board, CEO or executive committee, which stresses the company’s commitment to cyber security and the expectation that all employees and contractors will abide by its cyber-security policies and procedures and report any system weaknesses or violations.

Assign an employee with responsibility for cyber security, being mindful of segregation of duties between privacy, IT and cyber security.

Conduct civil and criminal background checks on employees in proportion to their access to sensitive information and other business requirements.

Develop cyber-security policies and procedures on key cyber-security issues (for example, access controls, data classification, handling of information, use of IT systems, encryption), require compliance, and establish a disciplinary process for non-compliance.

Develop and maintain digital inventories of applications, data and hardware—an organization has to know what assets it has in order to secure them.

Assign business unit leads ownership of the data and applications they use. Cyber security is a shared responsibility, and business executives should be responsible for the risks their data and systems bring to the organization.

Classify your data: top secret, secret, confidential, public or whatever scheme you desire. All data are not equal; define your data, require labeling and handling, and put these requirements in a policy.

Establish strong access controls for systems and data based on need to know (least privilege). This is a big one.
a. Use two-factor authentication for remote access.
b. Do not allow shared user accounts.
c. Require strong passwords or biometric authentication.
d. Change all default passwords, even on printers, copiers, scanners and digital cameras.
e. Limit access to only the data and systems needed for job performance.
f. Privileged access for system administrator functions should be controlled and monitored. Only system administrators should be allowed to install software or add hardware, and this access should be restricted and closely monitored.
g. Establish procedures to establish and revoke user access at time of departure.

Remove local administrator rights from workstations. This helps secure your network and reduces the risk of malware. It also prevents the user from installing or removing software, adding devices, and changing computer settings. Removing local admin rights helps guard against insider actions and malware maneuvers that manipulate local admin rights.

Segment your network to protect certain operations—for example, credit card processing (this is required by the Payment Card Industry Data Security Standard), proprietary or confidential processing, and high-risk operations. Protect the segmented portion using access controls and firewalls.

Restrict the use of personal devices (smart phones, tablets, laptops) and use mobile device management software to ensure consistent configuration, device usage, and monitoring and tracking of devices. Restrict the use of these devices to the employee only; no sharing with family members or others.

Establish rules for working from home and remote sites. Require devices to be secured at all times, never left in vehicles unless in a locked trunk (last resort), and never checked in luggage unless required and, in that case, powered down.

Train, train, train. Really important. Train all employees and contractors on cyber-security policies and procedures, security awareness, and current cyber threats.

Restrict the use of removable media, such as thumb drives, CDs and external hard drives. These devices are commonly used for removal of data from company premises.

Establish a process for the return of IT assets from employees and for their sanitization and/or disposal to prevent data leakage or disclosure.

Install anti-malware software, automatically update it, and run scans frequently. This is an important defense against malware.

Replace equipment and software that is not within vendor support (check Microsoft products by referring to this site). The destructive WannaCry and NotPetya attacks exploited out-of-support equipment and software. This may require replacing old legacy applications that require out-of-support software or operating systems.

Use full-disk encryption for laptops and encrypt sensitive data at rest.

Develop an incident response plan capable of managing all types of incidents and test it, involving all stakeholders. Breaches of personal identifiable data continue, but more complex—and even multi-pronged—attacks are on the rise. An incident response plan must be able to guide an organization through all types of attacks.

Regularly back up systems and data, store backups offsite, and develop and test recovery plans. Current forms of malware target backups and, if accessible, erase or corrupt them, making recoveries very difficult, if not impossible. Tested backup plans are essential to business continuity.