Posted on 15 November 2019 at 3:43 PM by Ger van Hees
1. Inventory your critical systems and data, and classify them

Make sure you know which systems and data you have and which of them are business critical. Determine a classification and a risk level for each system. Ask yourself: if I lost this system or the data on it, how much damage would that cause? The higher the damage, the more important the system or data, and the higher the classification it gets.

2. Segment your network into data-classification zones and use least-privilege access control

Create different "zones" in your network and use them to separate the classes of systems and data you found in the previous step, so that an infection in one zone cannot spread freely into the others. Use firewalls, VLANs, micro-segmentation, and so on. Three zones are probably enough: "Public" for information that may be shared publicly, "Confidential" for company-internal information, and "Restricted" for more sensitive information such as financials and strategic documents. Give access to higher-classified systems only to the small set of people who really need it.

3. Actively manage the vulnerabilities found in your systems

Check all your systems and network components for vulnerabilities with an up-to-date vulnerability scanner. This is MOST important, because attackers will exploit those vulnerabilities if they get the chance. Fix the vulnerabilities you find by installing software updates and patches, starting with internet-facing systems and flaws that are known to be exploited, and rescan to confirm the fix actually took effect.

4. Use a mail filter on your incoming email

Use a mail scanner or a secure mail gateway that checks all your incoming email for malware, phishing and spam. Ensure that its scanning database is updated daily and monitor the logs it produces. Use a well-known product with a good reputation. Don't go for hype; go for quality and a solid system.

5. Train your team to recognise phishing, business email compromise and other malicious emails

Some phishing emails and emails carrying malware will slip through your technical security systems, so give all your staff good security awareness training. They should be taught how to recognise ransomware, phishing, spam, social engineering and so on. Make them into Human Firewalls. Help your team understand why cybersecurity is important and how they can protect themselves and their families. That will automatically make them more secure in your business as well. Ask me for advice if you are not sure how to implement a security awareness program or if you want any help.

6. Make backups of all important data and test them by doing a test restore

Use good backup software to back up all your important data. Think about a backup schedule: how often do you need to make a backup? How many versions do you need to keep? Where are you going to keep your backups? Designing a good backup is specialist work. Ask an expert to help you, and don't forget to test your backups by restoring something regularly. Your backup is only as good as the last successful restore!

7. Keep your backups offline

Do not keep your backup files on a connected network share or on a portable disk that remains plugged in. If you are hit by ransomware, all your backups will be encrypted too and therefore useless, unless you pay the ransom and the criminals actually deliver a working decryption key. Taking the backups offline protects them against attackers who get into your network, because they cannot encrypt or delete what they cannot reach. Storing them offsite as well makes you even more resilient.

8. Have an information security expert assess your situation and/or have an information security audit

Running a complete and ongoing information security program is not an easy task. Invest in hiring the right person(s) and have the expertise in-house. This gives you the continuity you really need. If you don't have enough funding, you can hire a consultant, but be aware that this may not give you the continuity, and perhaps not the level of dedication, that you would get from a motivated internal resource. That said, there are excellent "virtual" security officers or virtual CISOs out there. Let me know if you want to know more about that option.

9. Practice your business continuity and incident response plans

You should practice and exercise your Business Continuity Plan and Incident Response Plan. Of course, that means you should have those plans! You can do a tabletop reading exercise, a walk-through exercise, or go all the way and run an actual disaster simulation test. The more effort you put in, the more resilient you will be.

10. Have good cyber-insurance

Getting cyber-insurance is a good idea. Although having insurance will not help you protect against ransomware, it will help reduce the financial damage afterwards. Read all the terms and conditions carefully and understand what they mean; perhaps ask your legal counsel to review and explain them. For example, many policies require you to have an ongoing security awareness program that has provided ALL your employees with information security awareness training, and you will have to prove this in the event of a claim. Make sure that you understand all the requirements and meet them. There is nothing worse than insurance that does not pay out when you claim, even though you always loyally paid the premium.

Bonus tip: Use our "Security Awareness Program As A Service"

Use our Security Awareness Program As A Service and make your people into human firewalls. This is the BEST way to protect against ransomware. Contact me now!
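Tips 6 and 7 boil down to a loop of back up, keep several versions, and prove that a restore works. The script below is an added example written for this page; it is not the author's tooling or any backup product's code. It assumes a local source directory and a backup root (which in practice should be removable or offline media, as tip 7 says), and the directory names and sample files are constructed for illustration. Every backup gets a manifest with a SHA-256 hash of the archive and of every file in it; the test restore extracts the archive into a scratch directory and compares it against that manifest, so a backup that was encrypted, truncated or otherwise tampered with is reported as a failed restore rather than discovered on the day you need it.

```python
"""Versioned backup with a SHA-256 manifest and an automated test restore.

Added example, not code from the original post. Assumes a local source
directory and a backup root; in production the backup root is offline media.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (backups may be larger than memory)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hashes(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, backup_root: Path, keep: int = 3) -> Path:
    """Write a timestamped tar.gz plus its manifest, then prune to `keep` versions."""
    backup_root.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    archive = backup_root / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest = {"archive_sha256": sha256_of(archive), "files": file_hashes(source)}
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    # Retention: names sort chronologically because the timestamp is zero-padded.
    archives = sorted(backup_root.glob("backup-*.tar.gz"))
    for old in archives[:-max(keep, 1)]:
        old.unlink()
        old.with_name(old.name + ".manifest.json").unlink(missing_ok=True)
    return archive


def verify_restore(archive: Path) -> tuple:
    """Test-restore `archive` into a scratch directory and check it against its manifest.

    Returns (ok, problems). Any exception while reading or extracting counts as a
    failed restore: an unreadable backup is exactly what a test restore must catch.
    """
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    try:
        manifest = json.loads(manifest_path.read_text())
        if sha256_of(archive) != manifest["archive_sha256"]:
            return False, ["archive hash mismatch (corrupted, tampered or encrypted in place)"]
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses path-traversal members
                except TypeError:  # older Python without the filter argument
                    tar.extractall(scratch)
            restored = file_hashes(Path(scratch))
    except Exception as exc:  # deliberately broad: any failure means "restore failed"
        return False, [f"restore failed: {exc!r}"]
    expected = manifest["files"]
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected file: {rel}")
    return not problems, problems


def run_demo() -> dict:
    """Constructed end-to-end run: back up, test-restore, tamper, re-test, check retention."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "data"                      # constructed sample data
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "q3.csv").write_text("revenue,123\n")
        (source / "notes.txt").write_text("strategy draft\n")
        backups = Path(tmp) / "backups"                  # stand-in for offline media

        first = create_backup(source, backups, keep=3)
        first_ok, _ = verify_restore(first)

        # Simulate ransomware or bit rot touching the archive: flip one byte.
        data = bytearray(first.read_bytes())
        data[len(data) // 2] ^= 0xFF
        first.write_bytes(bytes(data))
        tampered_ok, tampered_problems = verify_restore(first)

        for _ in range(4):                               # exercise retention
            latest = create_backup(source, backups, keep=3)
        latest_ok, _ = verify_restore(latest)
        return {"first_ok": first_ok, "tampered_ok": tampered_ok,
                "tampered_problem": tampered_problems[0], "latest_ok": latest_ok,
                "kept": len(list(backups.glob("backup-*.tar.gz")))}


if __name__ == "__main__":
    print(run_demo())
```

Run it as a scheduled job, alert when verify_restore returns False, and write the manifest to a second location as well: if the only copy of the hashes sits next to the archive, an attacker who encrypts the backup share can encrypt the manifest with it. The same check is what you should run against the copy that lives offline, after bringing it back temporarily on an isolated machine.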