Cyber Security: An IT Strategy Guide

  • June 23, 2022
  • Elisa Silverglade
  • 7 min read

Cyber security is a hot subject for organizations to discuss. Challenges regarding cyber security are growing, not fading. That means that you need an IT strategy that will go the distance to keep you in business.

The National Cybersecurity Institute reports that half of SMBs are victims of cyberattacks. Of those businesses that are attacked, 60% go out of business.

Unfortunately, breaches are tremendously harmful not only to your company’s data but to your bottom line too. The global economy incurs damages of $445 billion each year because of cybercrime, with over $160 billion because of theft of intellectual property.

If cybercriminals keep you up at night, worrying that they will compromise your company, what you need is a proactive IT strategy to protect your business and its data. Here is a guide to help.

Cyber Security Programs

First, you need a superior cyber security program for your IT strategy. This will document your company’s information security policies, guidelines, procedures, and standards. It is a roadmap to ensure you have effective cybersecurity management practices and controls.

At Techromatic, we created CyberShield to help you achieve your goals with a turn-key cyber security program.  Other services, such as vulnerability scans and penetration tests may be required for data compliance, depending on the regulatory requirements of your industry.

In fact, PCI-DSS, or the Payment Card Industry Data Security Standard, requires vulnerability scanning and penetration testing.

What is a Vulnerability Scan?

This will look for vulnerabilities that are known in your system. It will report potential exposure. A vulnerability scan is usually automated.

A vulnerability scan will identify chinks in your armor.  For example, many companies don’t change the default credentials of computing devices inside (and sometimes outside!) their network.  This could lead to a hacker who gets inside your network easily gaining access to critical devices and information.

Another common worst-practice is when companies don’t regularly patch and update their machines, including servers and workstations.  (It’s one of the reasons we like to outsource to cloud providers, since that is hopefully taken care of for us!).   Unpatched systems can lead to the same kinds of data breaches.   And if you’ve ever heard of zero-day attacks, then you know it can happen as soon as a vulnerability is detected, almost before you blink.

A vulnerabilty scan is a test we run against your infrastructure to identify these kinds (and other kinds) of vulnterabilities in an environment, so that they can be corrected.   

What is a Penetration Test?

A penetration test is a simulated attack on your network infrastructure.   Typically white-hat hackers and cybersecurity engineers will expliot vulnerabilities and use specialized tools to try and get past a system’s defenses.   

Some of these tools use finesse and great technical knowlege to wield, and others are easier to use.   Good engineers will use a variety of tools to find a way into the network.

Usually, this is a manual test that is performed by a cyber security professional.

All penetrations tests should be closely coordinated with the customer and are often done outside of business hours so as to minimize disruption to the firm.

Data Compliance

Data compliance is not only important to your business but also to your customers. The most challenging part for the business is keeping personal data safe as waves of cybercriminals continue to attack and steal data.

That is why you find so many laws and regulations now to ensure that companies are handling data responsibly. The most notable laws and regulations include PCI-DSS (as we have already mentioned), HIPAA, and GDPR.

What is HIPAA?

HIPAA is the acronym for the “Health Insurance Portability and Accountability Act of 1996.” This is a federal law.

It requires the creation of national standards aimed at protecting a patient’s sensitive health information. You cannot disclose a patient’s information unless the patient gives consent.

Further, there is the HIPAA Security Rule. This covers organizations requiring protection of ePHI, or electronically protected health information. It ensures that the company has the protection that can defend against an administrative, physical, or technical breach.

What is GDPR?

In April 2016, the European Parliament adopted GDPR. GDPR is a regulation protecting citizens of the European Union.

To adhere to GDPR, businesses must protect individuals’ privacy and personal data. Also, it demands exported data to be monitored when outside of the European Union. Violators of GDPR will receive a fine accordingly.

Cyber Security Training for Staff

The way to minimize risk is a good line of defense. This means educating your staff about external threats and arming them with cybersecurity awareness basics. Here is how to get started.

First, you want to make an explicit statement to your employees about the importance of cybersecurity. Say it in a way that they can relate to so that they can better understand how important it is.

Next, instruct your staff to take care of their company’s devices. According to a survey by Forrester, 15% of company breaches happen because of lost devices.

You also want to teach employees the basics about how to recognize suspicious activity. Instruct them on signs like a device that slows down, strange pop-ups when they start up, new apps suddenly appearing, not being able to control a mouse or keyboard, etc. If your employees find suspicious signs or activities on their devices, they must report them immediately to your IT department.

Then, teach employees the importance of unique passwords. Tell them to change their passwords periodically. Plus, let them know universal passwords are dangerous.

Finally, cybersecurity basics are a great start, but you want ongoing training and awareness. Cybersecurity training for your entire staff should always, always be a part of your priority list. All it takes is one person’s lack of understanding to cause a major data breach.

Encrypted Email

Last, for your IT strategy, you want to investigate the use of encrypted email and how it can benefit your business. Email encryption leverages an authentication process. It prevents a message from being read by an individual that they did not intend it for or a person who is unauthorized to read it.

An encrypted email will scramble the original message that is sent. It converts it to a format that is undecipherable and illegible. This is critical when you are sharing information that is sensitive via email (PII or ePHI).

Existing email data can include so much confidential data like:

  • Contract information
  • Latest sales reports
  • Private financial statements
  • Sensitive negotiations
  • Credit card numbers
  • Bank accounts
  • Intellectual property

Email encryption is mandatory for some industries and governance frameworks. Regardless of if it is required, it is an excellent piece to include in cyber security programs. Without it, a stranger, even a competitor, can access details that are contained in your email.

You can nullify message replays with email encryption. Someone could change a message and re-send it later. When this happens, the genuine message comes first, and then a fake message is sent that appears to be official.

A recipient cannot tell if a message differs from the original. Not with email encryption, though. Encryption services will use timestamps, expiration times, ransom session keys, and passwords for one-time use.

Build Your IT Strategy with Techromatic

With Techromatic, we have a better way to do IT. We help you drive productivity and revenue with your business, all while protecting you from threats. We work with (or AS) your IT department so that your staff will absolutely love their IT.  And you’ll love it because they’ll get more done.

Let’s create an IT strategy together to keep your business secure and operating smoothly. Reach out to us today!