TECH INSIGHTS: A 2021 Cybersecurity Checklist: How Do You Rate Your Organization?
The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
You know cybersecurity is important. You hear about ransomware, viruses, and cyberattacks nearly every day. And you sense that your current cybersecurity defenses may not defend you in case the worst happens.
Yet, it can be so easy to put off improving cybersecurity. Why? Often, it’s difficult to know where you should begin.
As a way to start building a plan, use this cybersecurity checklist to rate your organization. It will take you through foundational items, advanced items, and long-term cybersecurity strategies—and explain why each is important.
Rank each item:
- Yes (I am confident my organization has addressed this item.)
- No (My organization needs to address this item.)
- Don’t Know (I am not sure if my organization has addressed this item.)
Obviously, you want more items in the “yes” category than in the “no” or “don’t know” categories! The important thing is that you identify cybersecurity gaps so that you have a list of items to remedy by level of importance.
- Data backup and disaster recovery
To ensure you can recover data after a successful cyberattack, your data backup and disaster recovery need an onsite component (for quick recovery in case of a server failure or similar incident), an offsite component (in case of a severe cyberattack such as ransomware), and a testing component (to ensure that you can actually recover your data after an incident).
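The testing component above is the one most organizations skip. The following added example (not from the article or VC3) shows what a minimal restore drill looks like: back up a directory, restore it elsewhere, and verify every file byte-for-byte, reporting anything missing, corrupted, or unexpected. All file names and contents are constructed sample data.

```python
"""Added example: a minimal backup-and-restore drill with integrity checking.
Standard library only; the sample files below are constructed for the demo."""
import hashlib
import tempfile
import zipfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path) -> dict:
    """Archive src and return its manifest; keep the manifest with the offsite copy."""
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                zf.write(p, p.relative_to(src).as_posix())
    return manifest(src)


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive; zipfile strips absolute and '..' paths on extraction."""
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest)


def verify_restore(expected: dict, restored: Path) -> list:
    """Return a list of findings; an empty list means the restore is trustworthy."""
    actual = manifest(restored)
    findings = [f"missing: {p}" for p in expected if p not in actual]
    findings += [f"corrupt: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    findings += [f"unexpected: {p}" for p in actual if p not in expected]
    return findings


def run_restore_test(files: dict, tamper: bool = False) -> list:
    """End-to-end drill on constructed files. tamper=True truncates one restored
    file to show that the verification step catches a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, archive = Path(tmp, "live"), Path(tmp, "restored"), Path(tmp, "backup.zip")
        for name, data in files.items():
            (src / name).parent.mkdir(parents=True, exist_ok=True)
            (src / name).write_bytes(data)
        expected = backup(src, archive)
        dest.mkdir()
        restore(archive, dest)
        if tamper:
            (dest / next(iter(files))).write_bytes(b"")
        return verify_restore(expected, dest)
```

A scheduled job that runs this drill against the real offsite copy, and alerts when the findings list is non-empty, turns "we have backups" into "we have verified we can recover".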
- Antivirus software
Antivirus software is one of the most basic tools of a cybersecurity defense. It’s likely you have some sort of antivirus software, but it’s important you use an enterprise-grade rather than a consumer-grade version.
- Antispam / email filtering
Basic antispam and email filtering tools make sure that most junk email—including many potential phishing email messages that could trick employees into downloading a virus or giving away sensitive and confidential information—never reaches your employees’ inboxes.
- Software patching
Many devastating cyberattacks have been successful simply because organizations do not patch software vulnerabilities. Operating system and application vendors regularly provide software patches that shore up security vulnerabilities. Applying these patches is an essential part of a cybersecurity strategy.
- Firewall
Appropriately configured firewalls block most malicious website traffic.
- Monitoring and alerting
It’s important that experienced IT professionals monitor your systems and provide you security notifications when something seems wrong. This way, you start to proactively get ahead of security issues.
- Password policy
Organizations need to create a policy that enforces the use of strong passwords or passphrases and the use of Two-Factor Authentication (2FA), as many cyberattacks succeed when criminals hack weak passwords.
- Encryption
Encryption of backup data, emails, files, and other important information ensures that unauthorized users cannot read this data if they steal or hack into it.
- Secure connection for remote employees
If someone remotely accesses your organization’s data, you need a VPN or secure browser to make sure the connection does not expose you to cyberattacks. This is especially important when employees use a poorly secured wi-fi connection (such as public wi-fi) or a home network that’s not secured properly.
- Secured wi-fi access points
Many cyberattackers take advantage of an organization’s unsecured wi-fi access points to enter your network. Wireless routers need proper setup and configuration to ensure they are secure.
- Secured website
Websites are an easy target, whether cybercriminals deface them or hack into them as a way into your network. It’s important to use a trusted hosting provider and secure services (such as online payments).
- Physical security
Often overlooked in a cybersecurity strategy, physical security is important—including everything from properly escorting guests to locking rooms containing servers and computers.
- Employee training
Despite the best cybersecurity defenses, an employee tricked by a phishing email or malicious website can allow a virus into your network. Periodic employee training helps teach them how to detect and avoid common cyber threats.
- IT asset inventory
An IT asset inventory is important to cybersecurity. If you don’t know how many servers and computers you have, and where they are, then how do you know they are secure and out of unauthorized hands?
Once your security foundation is established, the following items begin to enhance your strategy.
- Intrusion detection and prevention
As a more advanced form of basic monitoring and alerting, intrusion detection and prevention tools work with your firewall to detect and prevent attacks related to specific vulnerabilities—often automatically stopping such attacks.
- Security scanning
Regular security scans of your systems help identify vulnerabilities and holes that you can then fix.
- Enterprise-grade email
Enterprise-grade email offers much better security than consumer-grade email, which is not recommended for organizations. IT professionals can also better manage and secure your enterprise-grade email.
- Malware and content filtering
Special tools can detect and filter out malware while also placing restrictions on what internet content employees can access. This helps prevent them from downloading malicious files and software.
- Dark Web monitoring
The Dark Web allows for anonymous browsing with specialized software. Many use the Dark Web for illicit and illegal activity. IT professionals can monitor the Dark Web in case account credentials (such as administrative passwords) or stolen customer information appears on the black market.
Setting information security policies will help you enforce cybersecurity across your organization. Policies include:
- General controls: Your organization needs policies for contract / vendor management, network security, wireless network security, physical access security, logical access security (which includes user authentication), and disaster recovery / business continuity.
- Application controls: These policies help you with data processing along with security, configuration, and contingency planning related to applications.
- Decommissioning and disposing of data and equipment: Deleting data sometimes doesn’t mean it’s really deleted, and equipment thrown away may still have data on it. You need policies that detail how you decommission and dispose of your equipment and the data on it.
- Employee screening and background checks: This policy may seem unrelated to cybersecurity, but strong employee screening and background checks lessen the chance of hiring a criminal or disgruntled employee who will attack your organization from the inside.
- Social media: A social media account is another set of administrative credentials for cyberattackers to target, and a compromised account can embarrass your organization, similar to a defaced website. Creating a social media policy around access and use will help lessen this type of cyberattack.
Once your foundation and advanced strategy are in place, there are several steps you can take to make sure that your cybersecurity remains strong into the future.
- Modernized and upgraded software
Newer software is more secure than aging software, which vendors sometimes no longer support. It’s important to keep your operating systems and applications modern and upgraded.
- Modernized and upgraded hardware
The same reasoning applies to hardware—keep it modern and upgraded. Old, aging hardware contains more security vulnerabilities than newer hardware.
- Incident response planning
Developing a plan detailing how you respond to a cyberattack will help you react to an incident with “muscle memory”—rather like a fire drill. Your team will know exactly what to do.
- Network segmentation
You may decide to segment and separate certain parts of your network from other parts. This way, for example, if ransomware were to infect one department’s servers, the virus would not be able to infect another department.
- Mobile strategy
Many employees may access your organization’s data through their smartphones, tablets, and laptops. If so, you need a mobile security strategy—whether it’s issuing work-only devices to employees or providing secure access to sensitive and confidential data if they use a personal device.
- Compliance strategy
Depending on the laws and regulations you must follow, security and compliance often go hand in hand. Developing a compliance strategy will require you to stay on top of security measures related to data breach notification, data privacy, and other important areas.
- Cyber liability insurance
Improving your security foundation will help you lower cyber liability insurance premiums. If you don’t have cyber liability insurance, it’s a good idea to acquire some—as it will help offset the expensive costs of a cyberattack’s aftermath.
- Periodic security assessments
Security and technology change rapidly. Assessing your organization’s security periodically (such as annually) will uncover new gaps and vulnerabilities, allowing you to stay ahead of a cyberattack.
About Joe Howland
Joe has been in the IT industry for over 20 years and has extensive IT management experience that spans multiple industries. A UCLA grad with a degree in Mathematics Computation with a Computer Specialization, he worked with Computer Sciences Corporation for 10 years supporting defense and financial sector contracts. Joe joined VC3 in 2009 and during his time with VC3, Joe has performed in the role of Virtual CIO for some of VC3’s largest government customers. Joe is currently VC3’s Chief Information Security Officer and is responsible for VC3’s IT security as well as advising on security for VC3’s customers.
VC3 is a leading managed services provider focused on municipal government. Founded in 1994 with offices across the east coast, VC3 forms partnerships with municipalities to achieve their technology goals and harness their data. In addition to providing comprehensive managed IT solutions, VC3 offers cybersecurity, website design, custom application development, and business intelligence services. Visit www.vc3.com to learn more.