Cybersecurity has quickly become a critical investment for businesses, with its rapid growth fueled by the surge in cybercrime and growing technological advances. So, you’ve got an antivirus installed on your corporate computers — does this mean your business is covered?

The short answer is no.

Cybersecurity has become an exponentially growing challenge and is immensely broad. There are countless creative ways a system can be compromised by cybercrimes and these ways continue to change on a daily basis. That being said, a wide range of protection needs to be considered and constantly re-evaluated for any company. While an antivirus software is a great first step, malicious attackers are finding new ways to compromise your system beyond what a simple antivirus program can defend against.

This blog outlines the basic elements to arming your company against cybercrime, according to best practices recommended by the National Institute of Standards and Technology (NIST).

Protecting Your Business From Cybercrime

1. Define Your Company’s Framework
To protect any organization, you must be aware of all aspects of the organization that could be at stake. It is important to clearly understand the company’s structure, which includes defining roles and relationships among all the technology used, the processes in place, and the people involved with the company and data.

A public example of a framework for the United States critical infrastructure can be found here, where it is broken down into smaller frameworks for each sector.

2. Identify What Needs Protection
Once you understand a company’s framework, the next step is to assess the scope of the data that needs to be protected. Key elements include identifying who has access to what data, how changes to this data are tracked, and what procedures are in place regarding this. It is important to be comprehensive and extensive so that all aspects of the company’s data are protected. An organization’s security is only as strong as its weakest link.

3. Assess Risks
Next, the vulnerabilities within a company need to be assessed and the possible impacts for each resulting Risk modeled. The company needs to determine which risks are worth accepting (low risk or impact) and which need to be mitigated (high risk or impact). Useful tools to determine this are vulnerability scanners (passive) and penetration testers (active), which can be used in-house or contracted out.

4. Protect Accordingly
Once the risk assessment is complete, it’s time to ensure appropriate protections are put into place. There are countless best practice procedures to follow for protection, such as:

• Employees: Provide employees minimum access to data and only as needed. Train employees in basic cybersecurity practices to minimize internal accidental risks. Set up web and email filters to further prevent users from running into harmful malware.
• Physical security: Protect your physical equipment via an uninterrupted power supply (UPS) system or surge protectors, store it at the recommended temperature, and keep it in a locked environment. Install physical security systems and take regular back-ups to help protect and minimize damage from physical security incidents.
• Software: Maintain updated operating systems, and apply patches regularly to ensure third-party software risks are minimized. Use firewalls on all business networks and encrypt all sensitive data to further protect your company’s data.

5. Plan for Incidents
Regardless of how many resources are used to protect your company, there is still a chance for a security Incident. An incident response plan should be established. This plan should include ways to detect a breach (antimalware programs and baselines) and a set process on how to respond accordingly. An adequate plan protects your company by minimizing the time it takes to detect an incident and build a plan to stop the incident’s damage.

The National Institute of Standards and Technology (NIST) has published a comprehensive Computer Security Incident Handling Guide, available here.

Glossary of Cybersecurity Terms

Cybersecurity — The act of working to prevent unlawful events in cyberspace by detecting and responding to cyber incidents. Read more: https://www.ready.gov/cybersecurity

Framework — Through a collaboration of private industries and governments, the Cybersecurity Framework includes voluntary standards and guidelines, as well as recommended best practices for businesses to follow in an effort to prevent cybercrimes. Read more: https://www.nist.gov/cyberframework/new-framework

Malware — Also called malicious software, malware is a type of computer virus capable of stealing information from the computer including personal information. There are different forms of malware, such as spyware which can actually record keystrokes and monitor what’s happening on your computer. Read more: https://www.ftc.gov/news-events/media-resources/identity-theft-and-data-security/spyware-and-malware

Ransomware — Another type of malware but unique to others, ransomware takes information from a computer and demands some sort of ransom from the user, usually a financial sum, before they return the information. This type of a cyber attack can be especially harmful to businesses as it can stop them from operating altogether. Read more: https://www.fbi.gov/investigate/cyber

Social Engineering — Social engineering is a type of cybercrime that uses people’s personal information to gain access into a system. One of the most common form is phishing. This is when an email or website tries to get a user to give over some piece of information that can be used to get into a company’s network. Read more: https://www.us-cert.gov/ncas/tips/ST04-014

Stay In the Lead

There is a constant race between cybersecurity and cybercrime. While there are countless commercial solutions available that can better arm your system, your organization should have a dedicated cybersecurity team. This team should constantly evaluate, implement, and enforce the company’s policies involving the framework, its data scope, the risk and associated measures of protection, and the incident response plan. With diligent action and proper planning, your company can stay ahead in the ongoing race against cybercrime.