1 Develop an incident response plan
A plan will enable you to react quickly in the event of an incident, restore essential data and systems, and minimize service interruptions and data loss. It should include strategies for backing up your data.
2 Use strong authentication
Establish user authentication policies that meet both usability and security needs. Make sure devices authenticate users before giving them access to systems. Whenever possible, use two-factor authentication or multi-factor authentication.
3 Activate security software
Enable firewalls and install anti-virus and anti-malware on your devices that block malicious attacks and protect against malware. Be sure to download the software in question from a reputable vendor. Install a Domain Name System (DNS) filter on your mobile devices to block malicious websites and filter out dangerous content.
4 Apply patches to applications and operating systems
As soon as a problem or vulnerability is detected in software, the manufacturer releases a patch that fixes bugs, patches known vulnerabilities, and improves usability and performance. If possible, enable automatic patching and updates for all software and hardware to prevent threat actors from exploiting weaknesses or vulnerabilities.
5 Back up and encrypt data
Copy your essential information and applications to at least one other secure location, such as the cloud or an external hard drive. In the event of a computer security incident or natural disaster, these copies will help you continue your business and prevent data loss. Your data can be backed up online or offline in three ways: full backup, differential backup and incremental backup. Test your backups.
6 Train employees
Adapt your training programs to your cybersecurity protocols, policies and procedures. A well-trained workforce can reduce the risk of a computer security incident.
7 Securing cloud services
Familiarize yourself with a supplier before engaging their services. Make sure they have taken steps to meet your security requirements and needs. Find out where the provider’s data centers are located. Privacy Acts and data protection requirements vary from country to country.
8 Securing Mobile Devices
Adopt a mobile device deployment model. Will your company provide work devices to employees or allow employees to use their personal devices for work?
9 Establish a basic perimeter defense
Protect your networks from cyber threats. For example, install a firewall to protect your networks from intrusions by monitoring incoming and outgoing traffic and filtering out malicious sources. Use a virtual private network (VPN) when employees work remotely to secure the connection and protect sensitive information.
10 Secure removable media
Portable media, such as USB drives, are a convenient and inexpensive way to store and transfer data, but it is possible to lose them or have them stolen. Keep a record of all your assets. Use encrypted portable media, if possible, and clean them regularly.
11 Securing websites
Protect your website and the sensitive information it collects. Encrypt sensitive data, ensure certificates are up-to-date, use strong passwords or passphrases in the background, and use HTTPS.
12 Implement access controls
Apply the principle of least privilege to prevent unauthorized access and data compromise. Ensure employees have access to only the information they need to perform their jobs. Each user must have their own credentials, and administrators must have two separate accounts.
13 Configure Devices
Review the default settings and make any necessary changes. At the very least, we recommend changing default passwords (especially administrative passwords) and disabling geolocation and unnecessary features.
This content is taken from The Best Steps to Strengthen Cybersecurity for Small and Medium-Sized Businesses published by the Canadian Center for Cyber Security.