From the most basic perspective, using the Internet has become incredibly risky because the bad guys, criminals, hackers, malicious, and, in some cases, just curious users, have recognized the Internet as a source of almost limitless information. In today’s digital economy, information = money. All data, no matter how innocuous or almost irrelevant it may seem to you, has value to someone. And because even today with everything we know about the risks and about protecting ourselves, the vast majority of both large and small companies online aren’t taking adequate steps to protect themselves. Combine a wealth of information (remember, information=money) along with a bunch of unprotected systems hosting that information, and you create a breeding ground for criminals to make a very comfortable living online stealing information and holding systems hostage (the cost of cybercrime is estimated at $6 TRILLION in 2021 by Cybersecurity Ventures). If you aren’t taking reasonable effort to protect yourself and your business online, you’re simply helping to perpetuate the problem. It’s time to break the cycle!

You may have heard of the Internet of Things (IOT). IOT refers to the billions of devices in comparison to people that are connected to the Internet. Rather than laptops and desktops being used by people, IOT devices are typically purpose-built devices that are performing a specific function. Think of the myriad of new smart home devices like the Google Nest and Amazon’s Alexa. Even your Smart TV is connected to the Internet so you can run Netflix or Disney+ right from the TV without any set top boxes. Every one of those devices (TVs, refrigerators and other smart appliances, smart home devices like light switches, garage door openers, front door cameras, the list goes on) has an Internet address and is able to talk to the Internet, just like you do when you’re on your laptop or home PC surfing. Each one of those devices represents a potential security risk if it hasn’t been properly secured. If the average household now has 10 or more connected devices, that’s 10 places where poor or non-existent security controls could provide a hacker into your home network. With so many people now working from home, someone on your or your employee’s home network is one step away from accessing the sensitive company information on your corporate network.

Simply put, cybersecurity protects everything companies (large and small) and individuals require to prevent hackers from gaining access to the information and possibly disrupting their business operations. Cybersecurity includes people (you, your users, and your suppliers), processes (things you need to do, things you and your users shouldn’t do), and technology (tools to protect your users and systems, tools to identify potential or actual security issues, and to alert, track, and record what’s happening and help you respond if a security incident does occur). Good cybersecurity hygiene helps ensure your company is proactively ready to deal with an incident, rather than reactively responding to an incident without any type of game plan or response capabilities already in place. It’s the door that you always lock, the alarm you always turn on at the end of the day, the camera system that’s always watching. Proactive activities help prevent an incident from happening in the first case and provide you with accurate and instant information if it does.

First you need to know what a risk management program is before you decide if you need one. Simply put, it’s a program that helps you identify the risks your business faces and provides guidance for addressing those risks. It’s not something you do once, instead it’s something you revisit at least annually and sometimes more often depending on your business and regulatory/compliance requirements you may face. The goal of the program is to help you be prepared to deal with common risks you face, have your tools and processes in place to respond if need be to an incident, and ensure that what you’ve put in place is effective, not just at the time you implement it but also in the future. Networks, systems, and people all change with surprising regularity in most companies. The periodic “health checks” ensure that your people, processes, and technology are all up to the task which you’ve assigned them.

In most companies, having an acceptable use policy allows you to set a baseline set of expectations for your employees and any users of your corporate network and resources. Think of it as a list of do’s and don’ts: Users shall use strong passwords, users won’t share their account information with anyone else, users won’t go to inappropriate websites while using a company PC or laptop, or while connected to the corporate network. Most statements should be common sense, but not everyone will understand them. Another challenge of the acceptable use policy is that it usually talks about what users should and shouldn’t do, but it doesn’t talk to them about why they should or shouldn’t do those things. Aligning your acceptable use policies with employee awareness training ensures that your users understand why they are being asked to do or not do certain things, making it far more likely they’ll follow your policies.

Policies are the lifeblood of risk management for any organization. Without policies, people don’t know what they should or shouldn’t do, how they should behave, etc. This leaves your company and its information open to unnecessary exposures. With a good set of policies in place, you ensure your users will take reasonable efforts to help protect the company. You can also demonstrate to your customers what you’re doing to manage risk inside your company (and more and more these days, they’re starting to ask about the protection of these risks). Policies are implemented using 3 key components: The policy itself which outlines the requirement/s, some process or technology to help enforce the policy, and a way of validating the effectiveness of the policy-in other words, is it doing what it’s supposed to be doing? Without all 3 pillars, you’re actually exposing the company in many cases to greater risk. If you just have a policy but do nothing to enforce it, people may think you’re protected when you’re not. If you create a policy and put something in place to enforce it but then don’t validate it periodically, it may stop working or a change may make the policy ineffective, without periodic health checks you may be exposed and never know it until it’s too late.

Viruses and malware and ransomware, oh my! These are just a few of the risks that users face every time they connect to the Internet. Phishing emails are sent to unsuspecting users with links that, when clicked, try to install software on your laptop, pc, and even your mobile phone. This allows them to do things you wouldn’t want them doing. In some cases they can take over the machine and steal information from the machine. With ransomware, they can even encrypt your machine entirely, after which they’ll happily sell you a key to unlock your files but for a healthy price of course. Losing access to your computing device, having your data stolen and sold to the highest bidder, and having your bank account emptied out-all of these are very real risks that people suffer every day while using the Internet. You can go a long way towards managing these risks by taking a proactive approach to risk management for you, your company, and your employees.

We are well into the days of BYOD: Bring Your Own Device. As an employer, it’s great because you don’t have to buy your employees a device to work on and the employee gets to use whatever form factor they’re comfortable with (smartphone, tablet, laptop, etc.). The drawback to BYOD can be that those devices don’t have the same level of protection that you’ve applied to corporate PCs and mobile devices. There are a couple of ways to address this–either hire employees to install corporate protection software prior to allowing them to connect to the company network, or create a guest network that bypasses the corporate network and goes directly to the internet. Make sure to only allow employee personal devices to connect to the guest network. Both of these approaches are effective in significantly reducing the risk associated with letting your employees use their own devices at work.

Employees are your greatest strength. They can also be your biggest weakness when they aren’t trained adequately or equipped with the right tools. By teaching your employees about cybersecurity and the risks they face using the Internet, you’re making them part of the solution. Training your employees helps them contribute to the safety and security of your business and its data.

Shared accounts seem to make sense and many small organizations use them. You can save a few dollars on licensing. It’s easy for two or more people to share a role within your company and overall it may just be more convenient. But convenience also means less control. You can’t implement things like 2 factor authentication, for example, because the second factor would have to be shared across a group of people which isn’t practical (for example, a smartphone to receive texts). One of the biggest downsides is lack of accountability. If something goes wrong, the shared account is used to do something that negatively impacts the business, how do you know who actually did it? You want non-repudiation where possible (the ability to prove that a single person is responsible for an action). Having each user with their own account gives you a lot more visibility and control into your network, resulting in more secure systems and reducing risk to your network and data.