Six things you can do right now to improve your organization’s security
By Carlota Sage, guest columnist
As CIOs, you’re tasked with securing your organization long before you’re given a budget for security tooling and personnel. Following are some things you can do for an incremental or small spend that can have a big impact on securing your organization. Notice I didn’t say free? Even when I recommend something that doesn’t have a license fee, I recognize it takes time and effort to get these things done.
Upgrade your Google Workspace or MS O365 subscription
Estimated Cost: $20-$40/license
While this is likely the most expensive thing I’ll recommend, higher tiers of these subscriptions offer more security options. I suggest small organizations spend the money for the highest tier in either system – it’s a small amount of money compared to the cost of an incident. Leverage Google or Microsoft’s documented best practices to make the most of these.
Bonus recommendation: Even if you go to the highest tier of MS O365, I still recommend the additional layer of protection offered by a service such as Greathorn or Mimecast.
Enable MFA everywhere that it’s available
Estimated Cost: Time and Effort
Multi-factor authentication adds an extra layer of protection to your systems. Last year, 80% of ransomware attacks could have been prevented by good password management and MFA use.
Before you do this, make sure you communicate this change well ahead of making it, adding in a lot of context on WHY this is important. Don’t just turn it on; you’ll create a lot of unnecessary friction with your users.
Turn off legacy authentication systems (IMAP, POP) for email
Estimated Cost: Time and Effort
Legacy authentication systems bypass MFA – but as above, be careful before flipping the switch, as it could be disruptive to some key users. I have found that the C-suite and sales are the ones who most use IMAP and POP for retrieving their email. You’ll need to weigh the cost of turning these off against the benefit of leaving them on for those two groups. Fortunately, in Google Workspace at least, you can leave it on for specific people/groups if you find it very beneficial.
Implement Security Awareness Training
Estimated Cost: ~$2/user/month
Your users – your people – are your cybersecurity front line. You want to train them well! Vendors like Wizer, Curricula, and Ninjio create compelling videos and take the administrative burden off your organization’s team for a few dollars per month per user – even better, you can try some of these for free before you commit. If you buy Mimecast to protect your email system, you get similar training as a part of the package. Either way you go, educating your users is money well spent!
Implement good password practices and a password manager
Estimated Cost: ~$4-10/user/month
We in security know a few truths:
- Longer passwords are stronger.
- Unique passwords reduce the risk of account takeover.
- Saving passwords in your browser is a bad idea.
A good password manager, such as Keeper Security, 1Password or LastPass, will help your users store and use stronger, unique passwords outside of their browser.
From a systems/platform management perspective, we recommend a minimum of 16 characters. You should only force a password reset once a year or as needed in response to a potential security incident. The security industry has figured out that forcing users to change their passwords every 90 days actually encourages the bad habit of password reuse.
Purge and Patch
Estimated Cost: Time and Effort
Turn off systems that aren’t being used, delete old content/data, keep the things you’re using up to date. Simple enough, right? But so few companies do it well until they absolutely have to. This is like brushing your teeth – it should be a daily habit, no matter the size or age of your company.
Bonus for keeping content cleaned up: The less your employees have to sort through to find the right information, the faster they can make decisions and be productive.
If you’re already doing all these things – congratulations! You’ve already reduced your cybersecurity risk significantly. If you haven’t, get started. It’s never a bad time to start implementing the basics and taking advantage of free resources.