Corporate Security Checklist – a CEO’s Guide to Cyber Security
22 essential questions to evaluate your company’s defenses
Have you ever wondered if you, as a manager, CEO or investor are prepared to deal with a cyber security failure in your organization? Are there all the necessary systems in place? Do you have enough resources and is there enough careful planning to keep any attack from interrupting your company’s activity and causing it financial or reputation damage?
You may not know the figures yet, but data breaches are currently among the most common and most costly security problems for organizations of all sizes. The 2014 Cyber Security Intelligence Index by IBM shows that companies are attacked around 16,856 times a year, and data breaches are one of the preeminent causes for these attacks.
How do data breaches occur? The main cause, according to an IBM study, is misconfigured systems or applications, followed by user error. Both technical and human errors could end up costing your company much more than an investment in strengthening your defenses would have cost.
If you’d like to read more about potential threats to your company’s confidential data or IT infrastructure, we recommend you go over these 10 critical corporate cyber security risks.
Cyber security is not a concern that belongs only to the IT department. The security layer of the company ensures:
- that your organization is working well
- that your reputation remains undamaged
- that your future plans are not endangered and
- that your finances and confidential data are protected.
So cyber security has a direct impact on business practices, on PR efforts, on internal communication and even on company culture. Moreover, imagine the huge volume of information coming from thousands of devices and from public web-based applications and services into your company’s system.
Does this complicate the process of protecting your company in terms of cyber security? It sure does.
Do you need to cover your basics and even go the extra mile? That would be more than wise.
This is why we put together a corporate security checklist, so you can use it to evaluate your cyber security plan and make the necessary changes to ensure enhanced protection of your digital assets.
1. When was the last time you met with IT management to determine possible areas of concern?
There are many priorities in a company’s daily activities, and sometimes cyber security doesn’t rank in the top 5 or even among the top 10. But don’t be surprised if you should find yourself in the situation described in this PwC study:
Most organizations’ cybersecurity programs do not rival the persistence, tactical skills, and technological prowess of today’s cyber adversaries.
It is a threat that is nothing short of formidable. In fact, the US Director of National Intelligence has ranked cybercrime as the top national security threat, higher than that of terrorism, espionage, and weapons of mass destruction. Underscoring the threat, the FBI last year notified 3,000 US companies—ranging from small banks, major defense contractors, and leading retailers—that they had been victims of cyber intrusions.
Make sure you’re up to date with your company’s challenges in terms of cyber security and address them with all seriousness.
2. When did you last do an inventory of your company’s critical assets?
Content is created all the time in your organization. Data flows through numerous channels, but do you have tight defenses around your most valuable assets? It’s essential for all key people in the company to know what these assets are and how they are protected. Don’t skimp on resources in this respect, because having critical data compromised could have lasting negative effects on how the company operates.
3. When did you last review your IT department’s organization chart?
Technology and people are equally important when it comes to cyber security. Do you know the people in your IT department? Are they fully committed? Are they skilled enough to handle the challenges ahead?
Make sure you know who is in charge, who has access to what and who should be in charge in case a data breach or a virus infection occurs.
4. When did you last perform thorough research on all your company’s operating systems, software applications and data center equipment?
It often happens that software or hardware becomes outdated. Every week we get new updates and, as individual users, we don’t really care about them, but their importance is not to be taken lightly. The software on your computer or in your corporate environment is a huge risk if left outdated: in approximately 70% of web-based attacks the direct target is a vulnerability on the user’s computer.
When software such as Oracle Java, Adobe Reader or Adobe Flash, present on 99% of computers, is not updated, exploits are made available to cyber criminals, who use them to penetrate your system and launch attacks. Without automatic patching (which updates your software silently), 99% of computers are vulnerable to cyber-attacks.
The specialists’ recommendation is that you update your software as often as possible, and an automatic tool that works silently in the background is a great way to do that.
5. When was the last review of the company’s IT policies and procedures?
Do you have a cyber security policy in place? If not, you should definitely create and implement one to give your team a set of guidelines to follow when it comes to information security. A compliance policy won’t do. You need one dedicated to protecting your company’s confidential information and intellectual property.
A cyber security policy or an information security policy ensures that all the hard work you put into building your company is shielded from cyber criminals. This will be your written plan to handle any and all issues related to cyber security, from encrypting and backing up data to handling a crisis situation in the event of a data breach. You can use one of these templates to get started and personalize it according to your needs.
Here are some of the chapters to include in your company’s information security policy:
- Acceptable Use Policy – an Acceptable Use Policy (AUP), acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager of your company’s network that restrict the ways in which the network or system may be used.
- Internet Access Policy – this policy applies to all Internet users (individuals working for the company, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors) who access the Internet through the computing or networking resources.
- Email and Communications Policy – this policy regulates the way email and other communication channels specific to the company are used.
- Network Security Policy – a network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company’s security environment.
- Remote Access Policy – the remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network. It is essential in large organizations where networks are geographically dispersed and extend into insecure network locations such as public networks or unmanaged home networks.
- BYOD Policy – a BYOD policy, or bring-your-own-device policy, is a set of rules governing a corporate IT department’s level of support for employee-owned PCs, smartphones and tablets.
- Encryption Policy – the purpose of an encryption policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
Remember that every employee in your company is important, and so is every employee of the companies you work with. External contractors are often targeted by cyber criminals and their data is used to infiltrate the target’s system. This was the case with Target, J. P. Morgan, AutoNation, Lowes, AT&T and many other companies that were not aware of threats coming from third parties.
6. When did you last discuss the company’s IT budget and systems planning documentation?
The landscape of online threats is evolving at an astounding pace, so make sure you’re keeping up and understand the transformations. Talk to your IT department on a regular basis and make sure to do everything possible to offer them the resources they need.
The most frequent types of incidents comprise a greatest hits list of cybercrime: malware, phishing, network interruption, spyware, and denial of service attacks.
This is according to the US cybercrime: Rising risks, reduced readiness study, so remember that cyber security means getting protected against all these threats.
7. Do you have a cyber security incident response plan in place? Is there a set of predefined communication guidelines that can be used in the event of a security failure?
There are 6 common categories of costs when it comes to cyber security threats, according to the Understanding the economics of IT risk and reputation study by IBM:
- Reputation and brand damage
- Lost productivity due to downtime or system performance
- Lost revenue due to system availability problems
- Forensics to determine root causes
- Technical support to restore systems
- Compliance and regulatory failure costs.
A response plan in case of a cyber security incident is an essential part of your information security policy, so take all necessary precautions. This guide to help your company survive a data breach can also become a useful starting point for creating your own, custom version.
8. Does your company have appropriate backup procedures in place to minimize downtime and prevent loss of important data?
The general rule is that if it’s worth building, it’s worth backing up. No important data in your company should ever get onto a server before a backup copy has been created.
Moreover, remember that no backup should be trusted until you confirm it can be restored. Have a regular backup procedure in place that automatically and frequently creates backup copies, so that none of your company’s work is lost.
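The rule that no backup should be trusted until a restore has been confirmed, as an added example that is not part of the original article: a standard-library Python script that archives a directory, restores the archive into a scratch directory and compares SHA-256 digests, so a stale or unreadable backup is caught before it is needed (the backed-up files are constructed sample data).

```python
# Added example (not from the original article): archive a directory, then
# prove the archive restores byte-for-byte before trusting it. Standard
# library only; the files backed up are constructed sample data.
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of source and return the manifest taken at backup time."""
    manifest = fingerprint_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> bool:
    """Restore into a scratch directory and compare it with the manifest.
    False: archive unreadable, or a file missing, extra or altered on restore."""
    # The 'data' filter (Python 3.12+, backported to older patch releases)
    # rejects absolute paths and '..' traversal inside the archive.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError):
            return False
        return fingerprint_tree(Path(scratch)) == manifest


def demo() -> tuple:
    """Back up constructed sample files and exercise three outcomes."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")       # constructed
        (src / "sub" / "notes.txt").write_text("quarterly plan\n")  # constructed
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        fresh_ok = verify_restore(archive, manifest)
        # Source changed after the backup, so a manifest taken now no longer matches.
        (src / "new.txt").write_text("added after backup\n")
        stale_ok = verify_restore(archive, fingerprint_tree(src))
        # Archive overwritten with junk: it cannot even be opened.
        archive.write_bytes(b"not a real archive")
        junk_ok = verify_restore(archive, manifest)
        return fresh_ok, stale_ok, junk_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

In practice the manifest is stored alongside the archive and the restore check is scheduled, so a backup that has silently stopped working is noticed long before an incident.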
9. Does your company’s data center have adequate controls to prevent physical damage?
When we think about information security, we almost always think about protecting intangible assets. But your data center is quite material and can be affected by break-ins and other security risks.
Make sure physical security elements are present to prevent unauthorized access. Data center personnel should also be verified periodically, as well as the equipment itself. Don’t leave your data’s protection in your contractor’s hands. Unauthorized access or use of data, systems and networks is one of the most common causes for cyber security incidents across US companies, so leave nothing to chance.
Also consider setting up environmental controls to ensure that your equipment is protected from fire and flooding.
10. Is there a cyber security training program in place for current and new employees?
Having a training program dedicated to ensuring that cyber security policies are understood and applied by all employees (especially new ones) is a fundamental part of your company’s protection against cyber threats (both external and internal).
Consider offering your employees a resource hub with information about cyber security that they can turn to. This can help foster a company culture that is risk-aware, which could lead to early detection in the case of a data breach or other type of cyber attack.
11. Do you have a list of the servers you use, and is there a specific person responsible for ensuring that those servers are up to date? Can that person investigate any anomalies that may occur?
Cyber crime is increasingly difficult to detect, because hackers use extremely sophisticated methods to penetrate your security system. Malware also morphs into versions that antivirus often doesn’t detect, and, combined with other factors, this means it takes longer to detect and mitigate the effects of a cyber attack.
Simply put, cyber crimes require more time to resolve, according to this study by the Ponemon Institute:
The average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days. The longest average time segmented by type of attack was 259 days, and involved incidents concerning malicious insiders. The average time to resolve a cyber attack once detected was 45 days, while the average cost incurred during this period was $1,593,627 – representing a 33% increase over last year’s (2013) estimated average cost of $1,035,769 for a 32-day period.
So make sure you know how your servers are managed, by whom, and whether that person is capable of detecting a cyber attack in its early stages, which is an absolute must for any organization.
12. Do you have a patch management application for both your servers and every computer/workstation used in your company?
When we asked more than 50 security experts to give us 3 tips to follow in terms of cyber security, there is one piece of advice that kept popping up: patching software as soon as new updates are available.
Of course, doing this manually for your entire company makes no sense in terms of resources allocated, so what you need is a solution that identifies and automatically updates third-party software on any computer it is installed upon, so that cyber criminals won’t be able to take advantage of any vulnerability. It should also use as few system resources as possible and work without interrupting the user.
13. Do you have antivirus installed on your servers and on every computer/workstation used in your company?
Antivirus is no longer a luxury for any user who surfs the web. It’s a vital element of your company’s security system and of your own information security layer. This reactive solution deals with threats that have already penetrated the system, which need to be contained and eliminated before they do serious damage.
If you allow your employees to bring their personal devices into the workplace, you need a BYOD (bring your own device) policy, which should also include antivirus. Don’t make information security their personal responsibility, because you won’t like the outcome.
But keep in mind that antivirus is not enough, because you also need a proactive solution to protect your company’s system from malware, especially from viruses that target financial information.
14. Does your company’s server infrastructure have a host intrusion prevention solution or a firewall installed?
A firewall is another indispensable piece in your company’s cyber security plan, and there are a lot of options that your CIO or CTO can offer in this respect. You do have to know what the best practices in terms of firewall security are and also how this particular security layer is evolving. Building an “Active Firewall System” should be a priority for your business and appropriate resources should be dedicated to these efforts.
15. Do you periodically perform vulnerability scans on your servers and all the computers/workstations used in your company?
Discovering vulnerabilities and solving them on time can be a tremendous asset to your company. The 2014 US State of Cybercrime Survey study by PwC revealed that:
Organizations that have detected attacks are considerably more likely to employ security capabilities such as vulnerability management, cyber threat intelligence analysis, intrusion detection tools, and Security Information and Event Management (SIEM) technologies. They are also more likely to include cyber risks in the enterprise risk-management program and to prioritize security spending based on the level of risk a threat presents to the overall business strategy.
So learn from those that have been hit or almost got hit: managing your vulnerabilities in time can be essential for your company’s security.
16. Do you use local encryption solutions for every computer/workstation used in your company?
There is no justification for letting any workstation or portable drive go online without being encrypted. Encryption is the process that converts accessible data or information into an unintelligible code that cannot be read or understood by normal means. That means that hackers wouldn’t be able to access your information even if they managed to get their hands on your confidential data.
It is, therefore, essential to make it mandatory that all drives in your company are encrypted. We can even suggest 9 free encryption software tools for the workstations your employees and colleagues use on a daily basis.
17. Do you employ a password management system for every user in the company?
No password should ever be stored in a browser or in plain text. Although this is common knowledge, passwords are compromised each year by the millions. Let’s take the example of last year’s attack, when 10 million passwords for Gmail, Yandex and Mail.ru accounts were leaked. Old and weak passwords ranked first in this incident, and that’s no surprise.
Here are 4 simple rules to follow for managing passwords within your organization:
- Use a password management system, so that passwords are safely stored and shared
- Keep records of who has access to which passwords
- Change passwords often
- Use complicated passwords, generated automatically and make them as long as possible.
18. Do you use wireless networks within your company? Are they secured?
Of course you do. Who likes to trip on cables around the office? But remember that Wi-Fi is very susceptible to cyber attacks. And it’s not just your company’s Wi-Fi networks that can be easily compromised.
Imagine that one of your employees travels for work and brings his work laptop with him. He then proceeds to connect to a public Wi-Fi network, which is, most likely, unsecured. Without a proper security system in place, any cyber criminal could access confidential company data in a matter of minutes. More than 89% of public Wi-Fi hotspots are unsecured!
Secure the networks within your company and make sure to train your employees to protect themselves when they’re outside the protected environment of your organization. Also, you can use these 11 security steps to stay safe on public Wi-Fi networks to get started.
19. Do you have email filtering and Internet traffic filtering software that protects users from the full range of email threats, including malware, phishing and spam?
Although spam volume dropped to 66% of all email traffic, according to the 2014 Internet Security Threat Report by Symantec, web-based attacks are up 23%, the same report reveals. Other reasons for concern over email and Internet traffic include:
- A 91% increase in targeted attack campaigns in 2013
- A 62% increase in the number of breaches in 2013
- Over 552M identities exposed via breaches in 2013 (source).
Given that 1 in 392 emails contains a phishing attack, an email filtering solution is a must for your company’s security.
We also recommend employing a tool that constantly checks Internet traffic in your company, both outgoing and incoming, in order to block websites with malicious content or block access to servers which are controlled and operated by cyber criminals.
By using such a solution, your corporate network is protected from opening backdoors, uploading data into the hands of hackers or having data exfiltrated from company computers/workstations.
20. Do you have a solution that constantly scans for malware, working proactively to protect computers/workstations in your company?
And by this we don’t mean antivirus. Remember that antivirus works reactively, so you need an additional layer of security that can identify potential threats and keep malware on the user’s system from leaking data, by blocking the communication between the system and hacker-controlled servers.
21. Do you have a clear protocol for file sharing? Do you have a process in place to protect documents and data stored in the cloud?
File sharing has become an important security risk with the advent and widespread use of cloud services and apps. Make sure you add a chapter about file sharing in your cyber security policy and monitor how information flows with respect to this particular working method.
Insiders who committed cyber crime “often displayed behaviors such as violation of IT policies, disruptive behavior, and poor performance reviews,” shows the 2014 US State of Cybercrime Survey study by PwC. This is worth mentioning because your lack of a file sharing protocol can become a serious vulnerability when confronted with such behavior.
Make sure you take the necessary precautions when it comes to protecting the company data you have stored in the cloud and always keep up to date with modifications in this area.
22. Is there a well-defined process for remote access and is this type of access properly secured?
Remote access is one of the weakest links in the cyber security chain. There are many ways in which cyber criminals can compromise your security and leak valuable information to the servers they control, and many companies disregard this risk. Take this example from 2013, when a US government website was infected with the Zeus Trojan and $200,000 was rerouted into a foreign bank account.
This is just one of the many examples out there. Do include a process for protecting remote access to your servers (like a VPN) or any kind of data and don’t become an easy target for cyber criminals.
23. Does your company have a long-term plan concerning its cyber security strategy?
In the long run, cyber security can become an asset to your company. By making timely investments in your defenses, you can anticipate threats, detect vulnerabilities early on and prevent cyber attacks from happening and having dire consequences on your company’s finances, reputation and evolution.
Ensuring your company’s cyber security is a complex job and you need a trustworthy CTO or CIO to keep things up to date and working well. As a manager or CEO, you couldn’t possibly have the time to dedicate to understanding or coordinating all of this by yourself.
What we’re trying to help you understand is why cyber security is a necessity and a fundamental factor that influences your company’s stability and success.
On this blog, we strive to transform the complexity of the cyber security world into actionable advice that you can use right away, so let us know if there’s a subject that you need more information on and we’ll be happy to investigate and provide useful insights for you.