10 Steps to Implement Now for IT Risk Mitigation
Did you know that 60% of small businesses that experience cyber-attacks go out of business? With the rate of cyber-attacks increasing (and cyber-attackers sharpening their tactics), it’s never been more important to practice IT risk mitigation.
There’s a lot to consider when it comes to your organization’s risk mitigation, but it doesn’t have to be overwhelming. To simplify this process, we made a 10-step IT risk mitigation checklist for you.
1. Deploy Device Management and Patch Management
Device Management enables organizations to protect and secure their resources and data from different devices.
Many employees now work remotely. This often means accessing company files and apps from personal laptops or mobile devices, so you’ll want to secure access to proprietary information.
If your organization is on Microsoft 365, your IT team or administrator can use Microsoft Intune to ensure only the computers and phones you approve are allowed to access your data.
And if the phone is approved, you want to be sure it is protected. Software publishers often release updates to the software to defend against ongoing new threats. You will want to ensure your IT team keeps track of updates and when they are released.
Luckily, many cloud-based programs update on their own these days. For example, you can configure Microsoft 365 to update automatically when new security patches are released. But not all do, and automated updates sometimes fail. Check to be sure all devices have the necessary updates regularly. You may want a Remote Monitoring and Management (RMM) tool to schedule third-party patch updates and monitor for failed implementations.
2. Configure and Require MFA
Multi-factor authentication (MFA) adds a layer of protection to the sign-in process. How does it work? When accessing accounts or apps, users supply more identity verification, such as scanning a fingerprint or entering a code received by phone.
If you’re using Microsoft 365, you can use the Windows Authenticator app to simplify the process.
Concerned about slowing down work in the office with repeated MFA requests? Consider conditional MFA and single sign-on.
3. Password Security: Deploy Single Sign-On or a Password Vault
Single Sign-On (SSO) can improve employee productivity by reducing time spent re-entering user credentials. SSO allows users to sign into multiple independent software systems with a single user ID.
SSO can also reduce the risk of breaches. Users with multiple passwords are more likely to record them somewhere accessible. That sticky note of passwords at their office desk is a breach waiting to happen.
SSO is not always the best solution for password management. A password vault can save time and increase security when there are too many passwords and user IDs to remember.
With a password vault, a single “super” user ID and password (known only by the user) allow access to all the other passwords for various sites and applications.
Password vaults can be helpful when an employee leaves. You can restrict access to the vault by changing the super password and—by extension—the other sites and applications. Taking control of the vault when an employee leaves also ensures continued access to the sites and applications they managed.
4. Keep Security Configurations Up to Date
It’s essential to secure your cloud environment with a baseline hardening. You’ll want to re-harden every month to ensure all the doors and windows in your environment are (metaphorically) locked.
Security hardening differs for each customer and depends on risk tolerance and regulatory requirements. We recommend taking several baseline actions, which include enabling MFA, setting standard mail filtering and quarantine settings, updating built-in alerts, implementing retention policies, and archiving.
TechHouse offers ongoing hardening as part of our SafetyPlus product line to help ensure cybersecurity best-practice adherence across your organization.
5. Defend Against Phishing Attacks
Anti-phishing software helps prevent phishing emails from reaching your employees. If your organization uses Microsoft 365, anti-phishing policies can be configured in Microsoft Defender (if you have a subscription).
We also offer TechHouse PhishingNet, a training tool that will send fake phishing emails to your employees and provide them with awareness lessons if they click on suspicious links.
6. Install Barriers: Firewalls, Anti-Virus, CloudVPN, and Endpoint Detection & Response (EDR)
In the past, barriers like firewalls, antivirus software, and anti-malware software created an effective buffer between IT systems and external networks.
These barriers are still necessary, but nowhere near enough on their own. Virus threats still exist, and more diverse threats have arrived on the scene.
For employees working from anywhere, a Cloud VPN can help secure the connection between the user’s laptop and cloud services like Microsoft 365, DropBox, and SalesForce.
An EDR product monitors devices for unsuspected behavior. It helps reduce IT risk by detecting these behaviors, isolating the device, and notifying administrators. This often all occurs before you would otherwise identify the threat.
7. Secure Business Critical Financial Data with QuickBooks
Most organizations work in the cloud because it’s the modern way of work. With emails and files remotely accessible, remote work has never been easier.
Working in the cloud isn’t just more convenient; it’s often more secure. Cloud backups and security measures are more agile than bulky on-prem servers and risky hard-paper records.
Moving to the cloud is a no-brainer, yet many organizations have neglected to move their finances to the cloud.
When you move to the cloud with TechHouse and QuickBooks Online, you’re taking command of that most important aspect of business: your finances. TechHouse and QuickBooks online bring you an affordable, best-in-class financial and business management platform that connects your business processes directly to your financial health.
8. Train Your Employees (And Keep Training Them!)
Your employees are your business’s backbone and use technology daily to do their jobs. It’s essential to train your employees to recognize and report cyber threats.
9. Create a Business Continuity Plan
Even if you have done everything listed above, something could still go wrong. A business continuity plan outlines your organization’s steps to continue operations in case of significant disruption.
Consider each of the 5 Stages of the NIST Security Framework: Identify Risk, Protect Assets, Detect Attack, respond to the Attack and Recover from the Attack.
Make the document easily accessible and test the procedures regularly to ensure your organization has recovery strategies for various threats.
10. As Always, Work with a Partner
This checklist should provide a good starting point for creating your organization’s risk mitigation plan. Contact us today if you would like further help securing your organization and creating a personalized risk mitigation plan.