NCSS Insights to Improved Cybersecurity
The National Cybersecurity Society (NCSS) is a 501(c)(3) non-profit organization committed to improving the online safety and security of the small business community through education, awareness and advocacy. Our goal is to enable and empower small businesses to obtain cybersecurity services, assist them in understanding their cyber risk and educate them on the type of protection they need.
The NCSS Insights Report is a tailored product we offer to our members who have recently completed the NCSS CARES assessment. This tool is intended to be used in concert with our other products and services in order to develop a roadmap for improved cybersecurity for your company.
See our website for a checklist on the type of protections needed for your company. Use this checklist before you sit down with your broker and select a policy that will protect your company.
SSL encryption. Ensure your website is hosted by a hosting service that provides SSL encryption. Your website address, and the addresses of the sites you visit, should start with https://
Conduct a data inventory to determine where your sensitive data is stored, move it to a secure storage location, and ensure your provider encrypts the data at rest. See our toolkit for recommended providers.
Employee Training and Accountability
Your employees are often your first line of defense, both in detecting whether you have been hacked and in protecting your company from phishing scams. See our website for training aids, attend a webinar we host, or use the security training aids found in our toolkit. Use our policy documents to establish policies for your company, educate your employees on the policy and have them sign the document.
Virus and Spam Protections
See our toolkit for specific vendor recommendations. Update your virus and spam protection software on all your endpoints and apply operating system updates as required. Most protections against viruses and spam are delivered through system updates – so keep your software up to date!
Our recovery plan is in place and routinely tested – See our website for a template on developing an IT disaster recovery plan. Build the plan, keep it up to date, and routinely test your workforce so they know what to do.
Critical and Sensitive Data
Identified and measures in place to protect – Conduct a data inventory to determine where your sensitive data is stored and move it to a secure storage location. Educate your employees on what PII (personally identifiable information) is. Develop a records schedule that lists all the data you hold, how long you retain it and when to schedule it for deletion.
DMARC and DNS Security
A secure DNS is critical to delivering valid content about your business on the Internet. DNS Security is an extension – an added feature you should enable through your website hosting service to ensure your website visitors are provided valid and secure content about your business.
DMARC – or email authentication. Email authentication is a technical solution to prevent your emails from being forged or spoofed. It provides a way to verify that an email actually comes from the entity it claims to be from. It is used to block harmful or fraudulent uses of email – such as phishing and spam. Use G Suite or Office 365 implementations that have DMARC embedded.
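As an added illustration (not part of the NCSS report), the following Python script reads a domain's DMARC TXT record and reports whether the published policy actually blocks spoofed mail or only monitors it. The domain names and records below are constructed samples; a real check would fetch the `_dmarc.<domain>` TXT record from DNS instead.

```python
"""Added example (not NCSS material): parse a DMARC TXT record and report
whether it enforces the policy the report describes (blocking spoofed mail).
The sample records below are constructed, not any real domain's records."""

# Constructed sample TXT records, as a DNS lookup of _dmarc.<domain> would return them.
SAMPLE_RECORDS = {
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "missing.example": None,  # no record published at all
}

def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs; return {} if it is not DMARC."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (status, reason). Only 'enforcing' means spoofed mail is blocked."""
    tags = parse_dmarc(record)
    if not tags:
        return ("missing", "no DMARC record published")
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # pct defaults to 100
    if policy == "none":
        return ("monitor-only", "p=none only reports; spoofed mail is still delivered")
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return ("partial", f"p={policy} applies to only {pct}% of messages")
        if "rua" not in tags:
            return ("enforcing", f"p={policy} but no rua= address, so you receive no reports")
        return ("enforcing", f"p={policy} with aggregate reporting enabled")
    return ("invalid", f"unknown policy value p={policy!r}")

def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its DMARC status for a quick posture overview."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(rec))
```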
Incident Plan (knowing what to do when an incident occurs).
Develop an incident plan and a crisis communication plan. We have policy templates for both. Communicate with your team on how to handle an incident. See our resources on data breach notifications, as well.
Most credit card processors require their merchants to be PCI-DSS compliant. See our NCSS toolkit for providers who can conduct an assessment for your company.
Pen Testing and Vulnerability Testing
Probably one of the most important steps to take is to have a professional assess your company's IT infrastructure and identify its weaknesses. See our toolkit for providers. Once complete, the provider will give you a list of critical and high-severity vulnerabilities. Work with your IT team to develop a prioritized list of corrective actions from the vulnerability list provided.
Data Protection Officer/Privacy Officer
If you are a HIPAA regulated entity you will need to identify a Privacy Officer. If you sell products or services to EU citizens, you will need to identify a Data Protection Officer. The duties are similar but not identical. See our policy templates for position descriptions of both.
Given that a high percentage of breaches occur because of poor password management, provide a password manager to all of your employees. Additionally, you should enable two factor authentication (2FA) on all your business applications – such as payroll, HR and finance.
Cybersecurity Policies and Leadership Commitment
Write a cybersecurity policy for your company and obtain leadership commitment to making your company cyber safe. Have your CEO sign the document and share it with your employees. See our policy templates for draft policies you can edit.