How to Engage with Cybersecurity Practices

Nov. 23, 2022

With the number of national cyberattacks on the rise this year, many systems have been left vulnerable. The average cost of a data breach worldwide is now $4.35 million, meaning that ramping up cybersecurity across the board is not optional to keep systems and data in check. Small companies like residential water dealers are not exempt from this threat. Companies of all sizes and industries can get their employees and systems on the right track to protect assets, including customer data, by implementing simple yet effective cybersecurity practices

Cybersecurity Tools 

Unsurprisingly, the threat of cyberattacks is high for smaller companies; there are 85% as many attacks on small businesses compared to large ones. Many think that if they have few resources to allocate to information security that they should not even bother. However, companies do not necessarily need expensive or time-consuming efforts to protect the business. Focusing on cybersecurity fundamentals will help put the company on the right track to defend its systems. 

  • Passwords: Strong passwords are not optional anymore. A combination of upper and lowercase letters, numbers, and special symbols must be required throughout the organization. Additionally, different passwords for each login need to be required in case one login is cracked by a hacker, so they will not be able to access all the user’s accounts quickly.  
  • Multi-Factor Authentication (MFA): MFA is a second layer of defense for company systems. When combined with strong passwords, the system’s security will increase significantly. 
  • Public Networks: Connecting to public Wi-Fi may seem harmless. However, connecting to an open network is risky if a company has data it needs to protect. Anyone connected to the network can easily hack into systems also connected and view their data. Instead, employees should opt for using a private and secure hotspot from their phone’s data plan if they are in public and need internet access. 
  • Patching Assets: Unpatched systems are a popular way for hackers to get into databases and wreak havoc on a company’s information. These types of systems can be poorly built firewalls, unsecured Wi-Fi connections, no data encryption, etc. Security teams need to make sure that all vulnerabilities are patched or “fixed” so that they do not create an easy entry for malicious attackers.  
  • Legacy Infrastructure: Outdated software puts companies at a higher risk for data breaches because the software cannot keep up with the updates required to install the latest cybersecurity protection. While updating old systems can be costly upfront, it is the cheaper option when compared to a ransom deal made by a hacker that has breached the system. 

Employees’ Role in Data Protection 

A common tool that many companies overlook is the power of their people. Employees are one of the first and most important lines of defense organizations have regarding cybersecurity. Do not ignore them. Be sure to continually train them on current cybersecurity practices and remind them of their importance in keeping the company’s data safe. Employee training will help increase their essential buy-in for data protection. Businesses can also implement cybersecurity practice runs like test phishing emails. Using the Phish Report add-in on Outlook can help organizations understand their employee’s ability to spot data threats during a test like this. Cybersecurity training is a group effort to help workers understand the risk of cyber threats like phishing and malware and how their simple cooperation goes a long way. 

In addition to keeping data secure virtually, be sure to also train employees in physical security as well. Hackers may try to get into a company’s system through “tailgating” or gaining physical access to an office by following an employee with a badge into the building. Furthermore, employees at all levels need to lock their computers when they step away from their desks, even if it is just for a quick bathroom break. Traditional security practices like not writing down passwords on paper will help add an additional layer of physical protection. As you can see, educating employees on best practices for security can help ramp up security in numerous ways. 

Cybersecurity Certification 

While there are many initial cybersecurity practices businesses, particularly small ones, can implement on their own, some may feel they want further support in their data protection. Third-party certifiers like NSF-ISR have experienced lead auditors that work with companies of all sizes to help ramp up their security. These auditors are cybersecurity experts and can help companies identify threatening business risks, conduct probability and impact assessments, build awareness of information security programs, provide a comprehensive international set of controls, and align information security with overall business objectives. NSF also has a basic information security assessment that companies can use to get started.  

Companies can also go a step further by earning certification to ISO/IEC 27001. ISO/IEC 27001 certification verifies that a company meets international, world-class standards for data security. It also exemplifies that a company is dedicated to continuous information security best practices through establishing, implementing, and maintaining its information security management system. This helps keep its data safe and exemplifies to its customers that proper controls are in place to help keep its data safe. In an environment where cyber-attacks are at an all-time high, this helps give customers peace of mind that their data is not easily accessible and that protection is a high priority. 

When in doubt, get started. It is vital that companies get moving, considering hackers are not resting. The tools listed above are great places to start for companies looking to ramp up their data security.  

About the Author

Tony Giles | Director of Information Security

Tony Giles is director of information security at NSF-ISR. Giles can be reached at [email protected].

About the Author

Rick Andrew

Rick Andrew is director of Global Business Development for Water Systems at NSF. Andrew can be reached at [email protected] or 734.913.5757.