As National Cyber Security Awareness Month (NCSAM) moves into week two, Johnson Controls, through the Cyber Protection Program for security products, turns from last week’s post on staying safe online to this week’s theme, focusing on cybersecurity in the workplace.
Wherever you are in the hierarchy, and no matter the size of your organization, you have an important role to play in keeping your business cyber-safe.
How can you protect yourself and your workplace, and strengthen your cyber resilience? It’s a matter of simple vigilance, and good cyber hygiene. Start with these four principles:
- Keep your software and operating systems up-to-date. System and software version updates are there for a reason. Beyond giving you access to additional functionality, keeping your operating system and software applications up-to-date is an effective way to fix known vulnerabilities so hackers can’t take advantage of them. If you can’t always keep the software up-to-date because of dependencies, consider putting in other controls to mitigate the vulnerabilities that were discovered and fixed in the updated versions.
- Backup everything, and do a test restore. Yes, you’ve heard this a hundred times. But it is that important! There are so many ways data can be lost, including malware, viruses, theft, computer malfunctions and accidental deletion. That’s why you should always make electronic and physical copies of all your important work and system data, and make sure there is a copy stored in a safe place. For critical business data, backups should be stored at a separate location. If you store your backup data online, make sure it is not normally accessible from your current network, so that ransomware or other malware can’t get to it.
- Disable any protocols for remote connectivity, unless constantly required for day-to-day operations. This includes protocols such as Telnet, SSH, FTP, SFTP, RDP/XRDP, ONVIF, UPnP, and VNC. Even if the protocols are used for occasional remote support or troubleshooting, it’s better to keep them disabled and only activate them when needed.
- Periodically review accounts and privileges, and update them accordingly. Each system user’s privileges or roles should be defined as what they need to get their job done, no more. It’s not uncommon for there to be “privilege creep” for accounts, where additional privileges are granted for a specific one-time task and then never removed. Similarly, accounts for users who no longer need access should be dealt with according to your company’s policy.
In a nutshell: Cybersecurity at work is a shared responsibility to help reduce susceptibility to threats and attacks.
In next week’s post we will move on to smart use of smart devices. Until then, make sure to visit the Cyber Protection Program for security products website for product advisories and resources on matters related to your cybersecurity.