Early in 2020, more than half of organizations reported that they were planning to increase their cybersecurity spending over the coming year. Driven by increasing privacy regulations, mounting threats—including ransomware attacks, which continue to attract a great deal of media attention—and growing dependence on technology, companies placed improving their security posture among their top strategic priorities.
Then the pandemic hit.
Today, nearly every business in every industry is struggling to accomplish more with fewer resources—and the consequences of a breach are just as devastating as they’ve ever been. Regulatory compliance standards haven’t been meaningfully relaxed for the long term, either. Nor are cybercriminals any less plentiful or motivated.
All of this means that having a solid strategy is essential when you’re evaluating your cybersecurity budget. Making wise investments can help, but it’s even more important to make sure you’re taking advantage of the best free or low-cost resources that are available to you.
Here are our top five tips for cybersecurity best practices when you’re on a budget:
#1: Patch and harden your systems.
Whether you’re a Microsoft shop or you’re relying on a suite of solutions from a wide variety of vendors, you’ve probably noticed that new software updates are released at least once a month, if not far more often. These contain feature upgrades and enhancements, of course, but they also include patches that prevent cybercriminals from exploiting recently discovered vulnerabilities.
Installing software patches as soon as they’re made available is one of the most important steps you can take to protect your systems. It sounds simple and boring (compared to a shiny new solution), yet many organizations struggle to keep up with patches. Patching costs nothing, and the process can be automated using tools available at no cost from Microsoft (for Microsoft solutions) or other software vendors. It requires little time and expertise, and yet will deter attackers who are simply looking for the softest targets.
#2: Educate your users and test them on how well they retain information from their training.
Numerous webinars and videos are available online to teach employees better password habits and cybersecurity best practices. Government agencies (like the Federal Trade Commission, with Cybersecurity for Small Business) and highly reputable organizations (such as the SANS Institute) offer an abundance of high-quality content to the public for free. Even vendor-provided programs of professional quality are relatively inexpensive.
Though no security awareness training program can completely eliminate human error, even the simplest of user education tools can reduce your organization’s overall risks significantly.
#3: Deploy or enable multi-factor authentication (MFA).
MFA takes user identification beyond the simple username/password method of ensuring that people are who they say they are. It’s a security enhancement in which users are asked to present a second (or even third) piece of evidence that verifies their identity before they’re given access to their account. This evidence typically consists of something they have (such as access to a mobile device), something they know (like a PIN) or something they are (a fingerprint unlocking a mobile banking app, for instance). MFA is fairly simple and inexpensive to implement, but it’s a huge step forward when it comes to reducing the number of attacks that begin with stolen passwords.
#4: Map your data and assets.
Do you know where your most sensitive data resides, and how it flows through your organization? If a single backup storage device were compromised, how serious would the implications be for the business and its customers?
If you can’t answer these questions readily—and many IT leaders in small and mid-sized organizations can’t—it’s a good idea to perform a tabletop exercise in which you account for all your information systems and digital assets, and perform a cybersecurity risk assessment.
In many firms, employees gravitate towards using personal Software-as-a-Service (SaaS) apps because they’re quick and easy to install and meet their needs better than company-provided tools. If this is the case in yours, it’s important to consider strategies for tracking cloud application usage—or providing your people with sanctioned applications that work as well or better to help them get their jobs done.
#5: Use what you’ve got.
Now isn’t the time to purchase new software, unless you’re certain that it has essential capabilities that the tools you already have on hand don’t. This is rare.
In the majority of cases, organizations already have all the software they need, but lack a full understanding of what their already-paid-for software can do—or the time and talent to make full use of it. Every additional vendor in your software portfolio adds complexity to your environment, and every new tool has the potential to introduce vulnerabilities. Saving money by removing applications that aren’t being used from your solution stack can actually enhance your security.
In tough economic times, only the cybersecurity services that truly make a major difference in your degree of risk exposure are worth considering. Implementing expert security monitoring from a Managed Detection and Response (MDR) provider who maintains a security operations center (SOC) fits the bill. To learn more about our Rapid Advanced Detection and Response (RADAR) service, contact us today.