Blog | MetroStar

11 Cybersecurity Best Practices You Should Apply in 2021

Written by MetroStar Systems | 02/21/2020

This blog was updated on Oct. 4, 2021

When we think of the start of the new year, we usually think of goals, but instead of focusing on just personal goals, we can also shift our focus to workplace goals. Having a list of goals written down makes you 10 times more likely to accomplish said goals. So, we’ve put together a list of goals you should have for maintaining cybersecurity best practices. These steps will help keep your organization safe from cyberattacks.

1. Access Controls and Account Management

How strong are your passwords really? Rigid password policies help to ensure your work and your data are safe from the bad guys. Passwords that hold up usually consist of twelve to sixteen characters mixing symbols, letters, and numbers. Lock up your sh*t, folks! You’ll thank us later. Promise.

Multi-Factor Authentication: MFA supplements your password requirements, offering multiple layers of identity verification. An example of MFA is requiring a device you hold, such as a smartphone or hardware token, to receive a one-time code in addition to something you know such as your login credentials.

Enforce “least privilege” and “separation of duties” concepts to prevent collusion, and limit authorized access to what is necessary to get the job done.

Privileged accounts should be reviewed on an ongoing basis. This will ensure only active and authorized users have access to systems that require that level of access. That’s right, with great power comes great responsibility.
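As an added example (not MetroStar’s code), here is a small Python review of privileged accounts that flags anyone not on the system owner’s approved list and anyone whose privileged account has gone idle; the sample account export, group names, and 60-day idle window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample export of privileged accounts (not real data).
# Fields: user, privileged group, last login (ISO date), owner sign-off.
ACCOUNTS = [
    {"user": "alice", "group": "domain-admins", "last_login": "2021-09-28", "approved": True},
    {"user": "bob", "group": "domain-admins", "last_login": "2021-05-01", "approved": True},
    {"user": "svc-backup", "group": "backup-operators", "last_login": "2021-10-01", "approved": True},
    {"user": "contractor7", "group": "domain-admins", "last_login": "2021-09-30", "approved": False},
]

# Hypothetical owner-approved access list: who is allowed in each privileged group.
AUTHORISED = {
    "domain-admins": {"alice", "bob"},
    "backup-operators": {"svc-backup"},
}


def review_privileged_accounts(accounts, authorised, today, max_idle_days=60):
    """Return (user, group, finding) tuples for accounts that fail the review.

    unauthorised - user is not on the approved list for the group, or lacks sign-off
    inactive     - no login within max_idle_days, so the privilege is stale
    """
    findings = []
    for acct in accounts:
        allowed = authorised.get(acct["group"], set())
        if acct["user"] not in allowed or not acct["approved"]:
            findings.append((acct["user"], acct["group"], "unauthorised"))
        last_login = date.fromisoformat(acct["last_login"])
        if today - last_login > timedelta(days=max_idle_days):
            findings.append((acct["user"], acct["group"], "inactive"))
    return findings


if __name__ == "__main__":
    # Review as of the date this post was updated; each finding is a ticket to revoke or re-certify.
    for user, group, kind in review_privileged_accounts(ACCOUNTS, AUTHORISED, date(2021, 10, 4)):
        print(f"{kind:12} {user:12} {group}")
```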

2. Encryption 

Is your organization protected? When we refer to encryption, we’re talking about the security method where information is encoded and can only be accessed or decrypted with the correct encryption key. You should ensure encryption is part of your corporate policy. Ensuring company-owned laptops have pre-boot encryption installed will help you sleep easier if laptops are lost or stolen.

  • Buy hard drives and USB drives with encryption built-in.
  • Use strong encryption on your wireless network (consider WPA2 or WPA3 with AES encryption).
  • Protect your data from eavesdroppers by encrypting wireless communication using a VPN (Virtual Private Network).
  • Ensure web applications are utilizing the latest version of TLS to protect data in transit.
  • Confirm data is encrypted while at rest for critical or sensitive information stored in a database, backups, and storage systems.

3. Disaster Preparedness 

Are you ready for a disaster? Sounds ominous, we know, but these are real things to consider. Your organization should have a recovery plan and testing in place. If your application goes down, what do you do? With certain procedures in place, it’s easier to swarm a problem in order to find a resolution. Performing tabletop exercises, simulations, and live fail-over tests is key to ensuring your organization is ready to tackle a disaster when it happens.

4. Education and Training 

It can't be denied that humans are the weakest link, particularly in matters of information security. Training and workshops should be a regular feature, especially on subjects like detecting phishing emails, creating and maintaining strong passwords, avoiding potentially dangerous applications, insider threats, and ensuring that valuable data doesn't leave the company. Educating employees and users about cybersecurity best practices is extremely important. It heightens awareness within the organization, which enables strong, reliable cybersecurity. This also includes annual security awareness training that everyone must take. So, don’t ignore it, and take it with pride.

5. Incident Response Management 

How do you handle a breach of security? In order to know what to do in a time of crisis, a plan should be in place so that your team isn’t grasping at straws. Plan for the worst but hope for the best. An Incident Response Plan (IRP) is a document intended to guide you in the event of an emergency. Make one—like today!

6. Manage IoT Security

The IoT (Internet of Things) is a big world of devices, but how do you enforce policies on mobile devices, such as laptops, phones, cameras, etc.? Start with creating a Bring-Your-Own-Device policy. Many companies have avoided the topic, but it’s a trend that continues to push forward. Don’t avoid the elephant in the room! It all comes back to educating the user.

  • Consider allowing only guest access (internet only) for employee-owned devices.
  • Enforce password locks on user-owned devices.
  • Access sensitive information only through encrypted VPN.
  • Don’t allow storage of sensitive information on personal devices (such as customer contacts or credit card information).
  • Have a plan if an employee loses their device.

7. Security Compliance 

It’s important...get the NIST? We mean JIST, get the jist? To achieve a strong security posture, one must follow industry standards to ensure best practices, frameworks, and repeatable processes are established. And since achieving compliance is not a one-and-done deal, this should be incorporated into your continuous monitoring efforts to maintain compliance. Examples of these compliance standards may consist of NIST, FedRAMP, ISO 27001, CMMC, PCI, and HIPAA. When these standards are met, #cyberbliss is achievable.

8. Patches and Updates

With hackers constantly coming up with innovative techniques, searching for new weaknesses and vulnerabilities, it would be a wise decision to keep your systems and software up to date. In order to keep the network secured, make sure that your hardware and software are in good health with the latest security updates and protection features. Having a strong vulnerability management program will aid in addressing the most critical vulnerabilities first and ensure software patches and updates are applied continuously.

9. Risk-Based Approach

Ready to take a risk? Try threat modeling to identify potential threats to your organization. Prioritizing these assets and what is most important to the business is of critical importance. When planned and implemented properly, threat modeling will ensure that each nook and cranny of your infrastructure and your applications remains protected now and as new threats emerge. Trust us, you don’t want to risk it for the biscuit.

10. Security Policies 

Create effective security policies to ensure all of your assets are well protected. Without these policies specifying behavior and security controls, we’re relying on our users to ‘make the right choice’; this can be a risky proposition. These documents become critical in the event of a security audit or even a Request for Proposal (RFP) response to win new business in government. It’s worth finding an expert who can help you if you don’t have someone on staff to build the proper set of policies.

11. Endpoint Security

Saving the best for last, anti-virus and malware protection is a pivotal piece of the puzzle that keeps data safe and secure. Make sure your mobile devices, as well as your systems, are up to date on their protection or they may get sick.

Work with us to adopt the best cybersecurity practices