IT Risk Survival Guide
Taken from MyITrisk.com
Your primary risk protections should include the following:
Multi-factor Authentication (Cost: included with most platforms)
- Works by text message, a phone call to a mobile device, or an authenticator app that generates a code your applications require before granting access
- Provides an additional layer of security to protect you from hackers
Benefits: Can prevent access to your accounts even if the password is compromised
Email Safety and Protection
- Artificial intelligence for spear-phishing email detection
- Connects with Office 365, blocks phishing attempts, and reports them to a dashboard that MyITRisk monitors on your behalf
Benefits: Reduces the risk of a breach via email, which is still the most common way systems are breached
Endpoint Management Software
- Antivirus that reports problems to a central dashboard viewable by IT
- Patch management – keeps software up to date on security patches
- Asset tracking – hardware and software management
- Secure IT access
Benefits: Closes known vulnerabilities and protects against known threats
Data Protection
- All user files stored in the cloud (e.g. Dropbox, G Suite or Office 365)
- Off-site disk-level server backup, point-in-time recovery, ransomware protection
- Regular password changes, strong passwords, secure password management
Benefits: Recover from device failure, disaster and data breaches
Web Filtering
- Firewall content blocking
- Device-based comprehensive filtering and reporting system
Benefits: Block known bad sites, enforce acceptable internet use
User Education (Cost: see below)
- Training ($30 per user per year)
Benefits: Increase employee resistance to phishing email attacks
Once these fundamental risk protections are in place, you are ready for customized risk management:
Planning
- Inventory all your devices and computers
- Review your IT landscape
- Recommend needed risk projects
- Identify your industry security profile
- Review compromised employee accounts
IT Risk Project Road Map
- Conduct an in-depth audit
- Identify acceptable risk
- Develop your IT Risk Plan
- Decide how much to do on your own
- Finance: insurance, upgrades, budget, vendor negotiation
- Acceptable Practices: acceptable device use, data retention, financial controls
- Access Management: passwords, privileges, two-factor authentication
- User Behavior Education: phishing training, phishing testing, user risk assessment
- Network and System Vulnerabilities: vulnerability risk assessment, third-party providers
- Disaster Recovery: backup restore process, ransomware (cryptolocker) recovery, breach response
- IT Management: service requests, documentation, access controls, remote access
- Vendor Management: roles and responsibilities defined, contacts, access, SLA, risks
- Security Partner Recommendations: intrusion detection solutions, limiting the impact of attacks, partners, detection, penetration tests, introduction meeting. We can recommend a conversation with one of our cybersecurity partners, who can provide this highest level of protection.