Tips on How to Reduce Risk in Your A&E Firm:

1. SEGMENT YOUR NETWORK

There are many different ways that your organization uses your network, whether it be servers, business systems or laptops. One way to keep the network safe is to break up those uses into separate sections within your business so any threats can be isolated and contained. This limits the ability for malicious actors and viruses to move freely throughout your core business systems. You do not want a single, infected laptop to threaten or disrupt your whole network.

2. IMPLEMENT MULTIFACTOR AUTHENTICATION 

Multi-factor Authentication (MFA) requires more than one credential to access your data. For instance, implementing MFA would require a user to provide both a password and a “token” such as a one-time passcode (OTP) that would be delivered to a trusted mobile device. Implement multifactor authentication wherever you can. Make sure it’s not just at one place, but required for every system that you log into, every time, in every network and area to make sure that if there is a lost password, it doesn’t end up completely compromising the system. If you follow this practice, you can make sure that if there’s a breach with a third-party system, it doesn’t negatively impact your organization.

3. REDUCE RISK WITH USER TRAINING

It’s often said that employees are an organization’s weakest link, because they are the greatest source of risk when it comes to cyber attacks. Employees spend a lot of time communicating via emails, so there’s a strong probability they might make mistakes such as clicking on a malicious link. Mistakes include visiting malicious websites or downloading a dangerous file attachment. It’s a constant battle, especially as the bad actors are getting better and more effective every day. As a best practice, continued training of your end users, your employees and vendors is really important. There needs to be constant reminders to question every communication and report suspected phishing emails, and to constantly think about security in the office, at home, and when they travel.

4. ENSURE LAYERS OF BACKUPS & REDUNDANCY

Ransomware is a type of malware that threatens to publish the victim’s data or permanently block access to it unless a ransom (monetary fee) is paid. It is very disruptive because your organization’s data is unavailable and you have to pay to get it back. Sometimes, even when you pay, you still don’t get the data back. Having regular backups can help you recover data lost from a ransomware attack, however some malicious actors know this and wait long enough to activate their attack to ensure that the malware becomes part of previous data backups. It is highly recommended to have those (clean) backups offsite, to limit the impact in any network breach or loss of service.

5. DOCUMENT PROCESSES & PROCEDURES

When creating documentation to detail best practices or to comply with government contracting requirements around your processes and procedures, it’s critical to illustrate how systems are supported and run as well as who is responsible for each procedure. If a key resource is no longer available, or even if you just want to improve a process, it becomes much harder to replicate that knowledge and capability when there is none or limited documentation. For cybersecurity compliance, business continuity and disaster recovery documentation is essential.

6. LOG & MONITOR

Practice proactive monitoring to ensure there are no anomalies within your system. With an effective logging and monitoring solution you will have the data you need to identify any active attacks but also the ability to determine how a cyber breach occurred, which is a critical part of the assessment process of an audit. A security information and event management (SIEM) solution provides breadcrumbs so that you can track the exact steps if your system is ever breached. The information provided helps to debug and aid in recovering from the attack.

7. UNDERSTAND YOUR DATA & WHERE IT IS STORED

Chris recommends that organizations understand what data they have and where it is in the organization, especially since some may have different protection requirements. Understanding how to protect data based on requirements is key. It allows the ability build up a control set, either based off of industry standards or a firm’s own best practices to make sure that there are a set of ground rules about standard behavior and best practices for certain types of data.

8. UNDERSTAND REGULATORY PROTECTION REQUIREMENTS

Organizations need to assess their business on a regular basis to ensure cybersecurity requirements or compliance requirements are met. Chris says, “There is a large shift to cloud across industries, as they lean on service providers that are already set up to meet security requirements. This allows companies to reduce their footprint so the company can focus on the core business and not worry about securing ERP system hardware, scaling servers and applying patches.”

9. ASSESS & UNDERSTAND YOUR CAPABILITIES

Keeping up with changing requirements, fast-moving threats and best practices requires the right resources and technology. Consider if your firm has the time and ability to continue to meet these challenges.

Chris says, “One of the things I see that organizations fall flat on most often is really being honest with themselves about their capabilities. Assessing your capabilities is key with cybersecurity because, it’s not a one and done. It’s a lifestyle.”

Most organizations need to invest in these capabilities continuously and sometimes find they need help, regardless of size or complexity. Often, they want other organizations to come in and take a look and provide their third-party opinion, or to help them solve a particular problem. There are managed service providers (MSPs) that can help and provide guidance to help them achieve their goals.

10. ENGAGE PROVIDERS THAT CAN HELP YOU MEET REQUIREMENTS

When hosting your business systems on-premises, the company is responsible for the network and hardware, and for upgrades to keep current. In addition, installing the operating systems and the applications with it, as well as patching and routine maintenance. It is a major challenge for organizations to effectively keep up with the necessary steps to proactively protect their business.