While staying up to date with cybersecurity tactics is an important part of your security strategy, you shouldn’t focus solely on adding new tools and processes. You also need to think of behaviors and practices that you need to stop doing.
Sometimes you need to stop a behavior because doing things the way you have always done them no longer serves your organization. And the behavior alone may not be the whole problem: there is very likely an attitude at its root that needs to be addressed as well.
Faulty Practices and Behaviors to Stop to Improve Security
As you read through the things you need to stop doing to improve security, you may not immediately know whether each one applies to your organization. We have included an action item with each so you have a concrete next step for finding out.
1. Stop Overestimating Employees’ Level of Security Knowledge
The only way people develop secure habits is by being taught what is expected of them and then given the opportunity to practice it. That is why cybersecurity awareness training needs to be ongoing, and everyone in your organization needs to be included, from the newest technician to the most senior executive.
ACTION ITEM: Find out how often employees receive cybersecurity awareness training. If it’s a once or twice a year workshop, then it’s not enough for employees to internalize the behaviors that will keep your data and IT systems protected from cyber-attack.
2. Stop Ignoring Your Security Policies
Training employees on your security policies is not the same as cybersecurity awareness training. Awareness training teaches people to recognize threats; security policies set out the rules for how people may access and use your network, systems and data. Policies cover everything from password management and permissions for data access to admin rights and acceptable use of devices and the internet.
ACTION ITEM: Ask your IT team if your security policies are up to date. Ask HR about security policy training for employees. The answers that you get will give you a good idea as to whether your policies are being ignored or utilized. If new hire onboarding is the only time when employees are exposed to your policies, it’s time to set up an ongoing schedule for training and revisit policies to keep them up to date.
3. Stop Being Lazy About Data Access
If your policies are up to date and your people are trained to follow them, you are less likely to have problems with inappropriate access to data. But the issue here is enforcement more than understanding. For example, does your IT team grant more permissions than a task needs in order to make a problem go away quickly, and then never take them back? Is access for each job role limited to the minimum needed to do the job (the principle of least privilege)? Excess permissions that accumulate this way are exactly what an attacker uses to move from one compromised account to the data they actually want.
ACTION ITEM: Ask managers whether they know which permissions each person in their department actually needs. Revisit the access requirements for each role, then audit what is really granted and compare it against that baseline. Review your onboarding and offboarding procedures to confirm that access is granted against the role's baseline, adjusted when someone changes roles, and removed promptly when someone leaves.
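The audit described in the action item above can be scripted once you have two exports: the per-role baseline (from HR and the business owners) and each user's effective permissions (from your directory and applications). The following is an added example, not code from the original article or from XPERTECHS; the role names, permission strings and user records are constructed sample data, and the baseline-versus-grants comparison is the only logic, so adapt the data loading to your own exports.

```python
"""Role-based access review: compare each user's effective permissions
against the minimum baseline for their job role and report anything
extra, plus accounts that still have access after offboarding.

Added example (not from the original article). The baselines, users
and permission grants below are constructed sample data."""

from dataclasses import dataclass, field

# Constructed: the minimum access each role needs to do its job.
# In practice this list comes from HR and the data owners, not from IT.
ROLE_BASELINE = {
    "accounting": {"finance-share:read", "finance-share:write", "erp:user"},
    "sales": {"crm:user", "sales-share:read"},
    "helpdesk": {"helpdesk-tool:user", "ad:password-reset"},
}

# Constructed: permissions that should never appear outside a named admin role.
PRIVILEGED = {"ad:domain-admin", "erp:admin"}


@dataclass
class User:
    name: str
    role: str
    active: bool                                  # False once HR has offboarded the person
    grants: set = field(default_factory=set)      # effective permissions exported from your systems


# Constructed sample export of users and their effective permissions.
USERS = [
    User("alice", "accounting", True, {"finance-share:read", "finance-share:write", "erp:user"}),
    User("bob", "sales", True, {"crm:user", "sales-share:read", "finance-share:read"}),        # permission creep
    User("carol", "helpdesk", True, {"helpdesk-tool:user", "ad:password-reset", "ad:domain-admin"}),  # "quick fix" admin
    User("dave", "sales", False, {"crm:user"}),                                                # offboarded, still has access
]


def review_access(users, baselines, privileged=PRIVILEGED):
    """Return a list of (user, finding, details) tuples, one per problem found.

    Findings:
      offboarded-with-access  inactive account that still holds permissions
      unknown-role            role has no baseline, so it cannot be audited
      privileged-grant        holds a permission from the PRIVILEGED set
      excess-permissions      holds permissions beyond the role baseline
    """
    findings = []
    for u in sorted(users, key=lambda x: x.name):
        if not u.active:
            if u.grants:
                findings.append((u.name, "offboarded-with-access", sorted(u.grants)))
            continue
        baseline = baselines.get(u.role)
        if baseline is None:
            findings.append((u.name, "unknown-role", [u.role]))
            continue
        priv = u.grants & privileged
        if priv:
            findings.append((u.name, "privileged-grant", sorted(priv)))
        excess = (u.grants - baseline) - privileged
        if excess:
            findings.append((u.name, "excess-permissions", sorted(excess)))
    return findings


if __name__ == "__main__":
    for name, finding, details in review_access(USERS, ROLE_BASELINE):
        print(f"{name:8} {finding:24} {', '.join(details)}")
```

Run against the sample data it reports bob's extra finance-share access, carol's domain-admin grant and dave's lingering CRM account, and stays silent for alice. Running this on a schedule (and after every offboarding) turns the "are the same parameters set up for each role" question into a report rather than a guess.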
4. Stop Being Halfhearted About MFA
Multi-factor authentication (MFA) is an essential layer of protection for online accounts, but it only works if the person holding the second factor treats every prompt as a decision. When an approval request pops up on a user's phone, approving it should not be automatic. The person should ask whether they are actually trying to sign in right now. If they approve a prompt they did not initiate, they have just let in whoever already has their password. Attackers exploit this deliberately: they send prompt after prompt, often late at night, until the tired or annoyed user approves one to make them stop. This is commonly called MFA fatigue or push bombing.
ACTION ITEM: First, find out whether your IT team has rolled MFA out to all users for all accounts, not just a few. Then train people that it is their responsibility to judge whether an authentication request is legitimate, and that the right response to a prompt they did not trigger is to deny it and report it, because it means someone else has their password. Where your MFA product supports it, turn on number matching, so an approval requires entering the number shown on the login screen rather than a single tap. For administrators and other high-value accounts, prefer phishing-resistant methods such as FIDO2 security keys, which have no push prompt to mis-approve.
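Training reduces the chance that someone approves a prompt they did not trigger, but you should also be able to see a push-bombing attempt in your sign-in logs while it is happening. The following is an added example, not code from the original article or from XPERTECHS: it runs a simple detection over a constructed MFA prompt log. The log format (timestamp, user, source IP, prompt outcome) and the outcome names are assumptions; your identity provider's export will differ, so only parse_line() should need changing.

```python
"""Detect MFA push fatigue ("push bombing") in MFA prompt logs.

Added example, not from the original article. The log lines below are
constructed, and the field layout (timestamp, user, source IP, outcome)
is an assumption; adapt parse_line() to your identity provider's export."""

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one MFA push prompt per line.
# Outcomes: approved = user tapped Approve, denied = user tapped Deny,
# timeout = user ignored the prompt until it expired.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z alice 198.51.100.7 approved
2024-03-04T09:30:00Z bob 198.51.100.9 denied
2024-03-04T09:31:00Z bob 198.51.100.9 approved
2024-03-04T22:14:03Z alice 203.0.113.45 denied
2024-03-04T22:14:41Z alice 203.0.113.45 timeout
2024-03-04T22:15:20Z alice 203.0.113.45 denied
2024-03-04T22:16:05Z alice 203.0.113.45 timeout
2024-03-04T22:19:30Z alice 203.0.113.45 approved
"""


@dataclass
class Prompt:
    ts: datetime
    user: str
    ip: str
    outcome: str


@dataclass
class Alert:
    user: str
    kind: str           # "push-bombing" or "approval-after-fatigue"
    at: datetime
    prompts: int        # unapproved prompts inside the window
    ips: list           # source IPs that generated those prompts


def parse_line(line: str) -> Prompt:
    """Parse one constructed log line; replace for your provider's format."""
    ts, user, ip, outcome = line.split()
    return Prompt(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, outcome)


def detect_mfa_fatigue(log: str, threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag a user who receives `threshold` or more unapproved pushes inside
    `window` (a burst in progress), and flag an approval that follows such
    a burst: the "approve it to make it stop" case the article warns about."""
    prompts = sorted((parse_line(l) for l in log.splitlines() if l.strip()), key=lambda p: p.ts)
    recent = defaultdict(deque)       # user -> unapproved prompts still inside the window
    alerts = []
    for p in prompts:
        q = recent[p.user]
        while q and p.ts - q[0].ts > window:   # drop prompts that have aged out of the window
            q.popleft()
        if p.outcome in ("denied", "timeout"):
            q.append(p)
            if len(q) == threshold:           # alert once, when the burst reaches the threshold
                alerts.append(Alert(p.user, "push-bombing", p.ts, len(q), sorted({x.ip for x in q})))
        elif p.outcome == "approved":
            if len(q) >= threshold:           # the user gave in after a burst
                alerts.append(Alert(p.user, "approval-after-fatigue", p.ts, len(q), sorted({x.ip for x in q})))
            q.clear()                         # an approval ends the current burst either way
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.user}: {a.kind} after {a.prompts} unapproved prompts from {', '.join(a.ips)}")
```

On the sample data bob's single denied prompt followed by a legitimate approval produces nothing, while alice's four late-night unapproved prompts raise a push-bombing alert as the burst builds and an approval-after-fatigue alert when she finally taps Approve. The second alert is the one to treat as a probable account compromise: the password is already known to the attacker, so reset it and revoke active sessions rather than just re-training the user.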
5. Stop Relying on One or Two Security Tools to Do Everything
It used to be that if you had a firewall and antivirus you were doing pretty well at protecting your network. That is no longer the case. First, your network is not what it used to be now that you have remote workers and connected IoT (Internet of Things) devices, so the perimeter the firewall guards no longer contains everything you care about. Second, signature-based antivirus only catches threats it already knows. You still need a firewall and antivirus, but you also need next-generation tools like Endpoint Detection and Response (EDR), which watch for suspicious behavior on each device rather than waiting for a known signature, to keep up with modern cyber-criminal tactics.
ACTION ITEM: Ask your IT team whether you have the capability to stop both known and unknown threats, and whether anyone actually watches the alerts those tools generate. Does your IT team have a security wish list? There may be tools they would like in order to round out their security capabilities but lack the budget to buy or the expertise to manage.
6. Stop Thinking Your Internal Team Can Handle Everything Related to Security
Cybersecurity is a specialty that requires in-depth training and experience. And just as there are many roles within an IT department, there are distinct roles within a security team: someone monitoring alerts, someone responding to incidents, someone assessing and hardening systems. It is unrealistic to expect a small IT team, or even a small IT company, to have all the capabilities you need to cover every one of those bases.
ACTION ITEM: Find out whether anyone on your IT team is 100% dedicated to cybersecurity. Are the team members working in security certified? Get an independent cybersecurity assessment for an objective view of the gaps that exist because your team cannot get to everything.
7. Stop Thinking That You Won’t Be a Victim of Cyber-Crime
Small businesses are prime targets for cyber-criminals, and companies that do not invest in sufficient cyber defense are easy pickings. Try this if you do not think you are at risk: apply for cyber insurance and see what happens. Chances are good that if you are not standing up a strong cyber defense, you will not even qualify, because insurers consider your organization exposed to too much risk.
ACTION ITEM: Get a wake-up call from cyber-crime statistics. Here are a few resources to get you started:
- 2021 SMB Data Breach Statistics | Verizon
- 2022 Data Breach Investigations | Verizon
- Small Businesses Aren’t Ready for a Cyber-Attack
Get Help to Carry the Burden of Cybersecurity
As a business leader, you have a lot more on your plate besides cybersecurity. Yet, you’re the one who is responsible for managing risk. That’s why more and more business owners and executives are turning to companies like XPERTECHS to set up and manage a strong cyber defense.
We work with clients to create and implement a security strategy that covers all the bases and gives business leaders confidence that they’re doing what they need to do to manage cyber risk.
Wonder what it would be like to work with XPERTECHS? Schedule a meeting and we’ll help you envision what a real IT and cybersecurity partnership looks like.