Cyber-security
Randy Brunson, AIF, CKA
CEO at Centurion Advisory Group | Board Member | Mentor | Financial Advisor | Author | Connector | Investor | Husband | Father | Pops
Recently, our friends at Integricom hosted a security workshop that I attended. During the workshop, Nathan Martin shared guidelines for securing your technology infrastructure. His comments were intriguing, as he spent more than 20 years as a commercial lines insurance underwriter, and his perspective was driven by business best practices designed to ease cyber-liability underwriters' minds.
I was completely impressed with his comments and the supporting documentation and checklists he sent. With his permission, I'm sharing some of that information with you. Password change/protection protocols and multi-factor authentication are assumed.
Suggested minimum guidelines for newer or smaller companies:
1. Employees must receive continuous cybersecurity training, including phishing tests that measure whether the training is working, and must be briefed on the security policy.
2. All PCs must be equipped with antivirus and EDR (endpoint detection and response) software, and both must be kept up to date.
3. Businesses must use central patch management to ensure critical updates are applied on time.
4. The company network must be protected using a next generation firewall.
5. Business data must be regularly backed up to external media or a secure cloud service, following the 3-2-1 backup strategy (three copies, on two different media, one of them offsite).
6. Vulnerabilities must be identified through vulnerability scanning or penetration tests.
7. User accounts and permissions must be actively managed and routinely audited, following the principle of least privilege.
8. Multi-factor authentication must be implemented for securing all accounts where technically feasible.
Suggested minimum guidelines for larger or mature companies:
1. Continuous Cybersecurity Training: Employees must receive ongoing cybersecurity training, including phishing simulations, to reinforce the security policy and reveal where awareness is lacking.
2. EDR Software: All PCs must be equipped with endpoint detection and response (EDR) software, kept up to date to protect against malware and other threats.
3. Central Patch Management: Businesses must use central patch management to ensure timely application of critical updates to software and systems.
4. Next-Generation Firewall: The company network must be protected using a next-generation firewall to defend against advanced threats.
5. Regular Data Backups: Business data must be regularly backed up using external media or a secure cloud service, following the 3-2-1 backup strategy (three copies, two different media, one offsite).
6. Vulnerability Management: Vulnerabilities must be identified and mitigated through regular vulnerability scanning and penetration testing.
7. Account and Permission Management: User accounts and permissions must be actively managed and routinely audited, adhering to the principle of least privilege.
8. Multi-Factor Authentication: Multi-factor authentication must be implemented for securing all accounts where technically feasible.
9. Incident Response Plan: An incident response plan must be developed, maintained, and tested regularly to ensure preparedness for potential security breaches.
10. Data Encryption: Sensitive data must be encrypted both at rest and in transit to prevent unauthorized access.
11. Physical Security: Physical access to critical systems and data centers must be controlled and monitored to prevent unauthorized access.
12. Logging and Monitoring: All networks and systems must be monitored and logged for suspicious activity, with alerts configured for the indicators of a security incident.
13. Access Control Policies: Implement robust access control policies, including role-based access control (RBAC) and periodic review of user access rights.
14. Endpoint Security: Secure all endpoints, including mobile devices and laptops, with appropriate security measures such as mobile device management (MDM).
15. Data Loss Prevention (DLP): Implement DLP solutions to prevent the unauthorized transfer of sensitive data outside the organization.
16. Compliance and Auditing: Regularly review and ensure compliance with relevant regulations, standards, and internal policies through audits and assessments.
17. Secure Development Practices: Integrate security into the software development lifecycle (SDLC) by following secure coding practices and conducting code reviews and security testing.
18. Third-Party Risk Management: Assess and manage the security risks associated with third-party vendors and partners, ensuring they adhere to security standards.
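Items 7 and 8 of both lists (least privilege, routine account audits, MFA everywhere feasible) and item 13 of the second list (periodic review of access rights) describe a check that is easy to automate once the account inventory is exported from the directory. The script below is an added example, not part of the checklists above and not code from Integricom or Nathan Martin. It assumes a hypothetical role-to-group policy (ALLOWED_GROUPS), a set of groups considered privileged, and a constructed account inventory; in practice the inventory would be exported from Active Directory or the identity provider and the policy table would come from the organization's own access model.

```python
"""Audit an account inventory for excess privilege, privileged users without MFA,
and dormant accounts. Added example with constructed data, not the post's own code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Hypothetical policy: the groups each role is allowed to hold (assumption, not
# from the post). Anything outside this set is a least-privilege violation.
ALLOWED_GROUPS = {
    "finance": {"staff", "finance-app"},
    "it-admin": {"staff", "domain-admins", "helpdesk"},
    "sales": {"staff", "crm"},
}
PRIVILEGED_GROUPS = {"domain-admins", "helpdesk"}   # groups that must have MFA
AUDIT_DATE = date(2024, 6, 1)                        # "today" for the dormancy check


@dataclass
class Account:
    username: str
    role: str
    groups: Set[str]
    last_login: Optional[date]   # None means the account has never signed in
    mfa_enabled: bool
    enabled: bool = True


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", {"staff", "finance-app"}, date(2024, 5, 28), True),
    Account("bob", "sales", {"staff", "crm", "domain-admins"}, date(2024, 5, 30), True),
    Account("carol", "it-admin", {"staff", "domain-admins"}, date(2024, 5, 29), False),
    Account("dave", "sales", {"staff", "crm"}, date(2023, 11, 2), True),
    Account("svc-backup", "it-admin", {"staff", "helpdesk"}, None, False),
    Account("erin", "it-admin", {"staff", "domain-admins"}, date(2024, 1, 10), False,
            enabled=False),
]


def excess_privilege(accounts):
    """Map username -> sorted list of groups the account's role does not permit."""
    findings = {}
    for a in accounts:
        extra = a.groups - ALLOWED_GROUPS.get(a.role, set())
        if extra:
            findings[a.username] = sorted(extra)
    return findings


def privileged_without_mfa(accounts):
    """Enabled accounts in a privileged group that have no MFA enrolled."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.groups & PRIVILEGED_GROUPS and not a.mfa_enabled)


def dormant(accounts, today, max_idle_days=90):
    """Enabled accounts with no sign-in within max_idle_days.
    An account that has never signed in (last_login is None) is also reported:
    never-used service accounts are a common audit miss."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


def audit(accounts, today=AUDIT_DATE):
    """Run all three checks and return the findings by check name."""
    return {
        "excess_privilege": excess_privilege(accounts),
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "dormant": dormant(accounts, today),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_ACCOUNTS).items():
        print(f"{check}: {result}")
```

Disabled accounts are deliberately excluded from the MFA and dormancy checks so the report stays actionable, but they still appear in the excess-privilege check if they hold groups their role does not allow: a disabled account is only one re-enable away from being a live privileged account, so its group memberships should be stripped rather than left in place.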
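Item 12 of the second list calls for logging and monitoring "with alerts set for security incidents" without saying what an alert rule looks like. The following is an added example, not code from the post or from Integricom, showing one such rule over constructed sshd-style log lines: it parses each line, keeps a sliding window of failed logins per source address, raises an alert when the window fills up (distinguishing a single-account brute force from a password spray across many accounts), and raises a second alert if a login from an already-flagged address later succeeds. The log lines, thresholds and window length are assumptions for the example; production rules would run inside the SIEM or EDR console rather than a stand-alone script.

```python
"""Sliding-window detection of brute-force and password-spray logins in auth logs.
Added example over constructed log lines, not the post's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd/syslog-like format (not a real capture).
# 203.0.113.7 sprays five accounts in eight seconds and then gets in as root;
# 198.51.100.4 is a user mistyping once; 192.0.2.9 is a slow attack, one try
# every twenty minutes, which a short window will miss.
SAMPLE_LOG = """\
Jun  1 10:00:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Jun  1 10:00:03 gw sshd[811]: Failed password for root from 203.0.113.7 port 4002 ssh2
Jun  1 10:00:05 gw sshd[811]: Failed password for invalid user test from 203.0.113.7 port 4003 ssh2
Jun  1 10:00:07 gw sshd[811]: Failed password for invalid user oracle from 203.0.113.7 port 4004 ssh2
Jun  1 10:00:09 gw sshd[811]: Failed password for invalid user guest from 203.0.113.7 port 4005 ssh2
Jun  1 10:00:12 gw sshd[811]: Accepted password for root from 203.0.113.7 port 4006 ssh2
Jun  1 10:05:00 gw sshd[812]: Failed password for alice from 198.51.100.4 port 5001 ssh2
Jun  1 10:05:30 gw sshd[812]: Accepted publickey for alice from 198.51.100.4 port 5002 ssh2
Jun  1 11:00:00 gw sshd[813]: Failed password for bob from 192.0.2.9 port 6001 ssh2
Jun  1 11:20:00 gw sshd[813]: Failed password for bob from 192.0.2.9 port 6002 ssh2
Jun  1 11:40:00 gw sshd[813]: Failed password for bob from 192.0.2.9 port 6003 ssh2
Jun  1 12:00:00 gw sshd[813]: Failed password for bob from 192.0.2.9 port 6004 ssh2
Jun  1 12:20:00 gw sshd[813]: Failed password for bob from 192.0.2.9 port 6005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year,
    so one is supplied. Lines that do not match are skipped, not counted."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, fail_threshold=5, window_minutes=10, spray_users=3):
    """Return alerts as (kind, ip, detail).

    brute_force / password_spray: at least fail_threshold failures from one IP
    inside the window; it is a spray when they target spray_users or more accounts.
    success_after_failures: an accepted login from an IP that already tripped the rule.
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) for failures
    flagged = set()
    for ts, result, user, ip in sorted(events):
        q = recent[ip]
        if result == "Failed":
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                users = {u for _, u in q}
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                alerts.append((kind, ip, f"{len(q)} failures against {len(users)} "
                                         f"account(s) within {window_minutes} min"))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success_after_failures", ip, f"login as {user} succeeded"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
    print("--- with a 120-minute window ---")
    for alert in detect(parse(SAMPLE_LOG), window_minutes=120):
        print(alert)
```

With the default ten-minute window the slow attacker at 192.0.2.9 never accumulates five failures, because each attempt ages out before the next arrives; widening the window to two hours catches it. That is the trade-off behind every threshold rule: a short window keeps false positives low for ordinary users, a long window catches low-and-slow guessing, and a mature monitoring setup runs both.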
We know this is a lot of information. However, all of us are aware (or should be) of cybersecurity threats and the negative impact they can have on our business lives. If you have an interest in visiting with Nathan or connecting with one of our strategic partners in the IT services space, please let us know.