McLane Middleton’s Cameron Shilling gives 15 tips to safeguard businesses
When New Hampshire companies look for ways to bring their budgets in line, one area they cannot afford to cut is cybersecurity. If anything, they often have to increase their ability to safeguard their most important digital infrastructure and to protect their clients’ data. New Hampshire Business Review reached out to McLane Middleton in Manchester to draw on the firm’s expertise in this area.
Cameron G. Shilling, Director, Litigation Department & Chair of Cybersecurity and Privacy Group, McLane Middleton P.A., mclane.com
• Q: What are the best practices a company can adopt to keep its remote and hybrid workers secure and connected to the company?
A: One primary risk presented by employees working remotely is the devices they use to do so. With respect to laptops and desktops, the following are critical safeguards: encrypt the hard drives; do not permit workers to have administrator privileges; deploy advanced threat detection and prevention, not just ordinary anti-virus; enable local firewalls; and ensure that the devices automatically link to a virtual private network (VPN) as soon as they receive an internet connection. With respect to mobile devices, deploying a mobile device management (MDM) application is critical to ensure that the device can be accessed only using a passcode or biometric; that the device and the data in the MDM are encrypted; and that the device can be located and decredentialed if lost or stolen.
Another primary risk of employees working remotely is the points of access they have to company information.
Strong and unique passwords coupled with multi-factor authentication (MFA) for access to all computers, networks and clouds are a necessity. Additionally, limiting access to those systems to company-owned devices only is another critical safeguard.
• Q: What are the most important aspects a company should focus on with regard to maintaining its cybersecurity?
A: Truly effective cybersecurity requires a comprehensive approach — there are no magic bullets. The first and most important step is to conduct a full risk assessment to identify vulnerabilities and areas of non-compliance, and then create a strategy to mitigate or eliminate them through solutions that fit the budget, culture, and IT and physical infrastructures of the business. Through this comprehensive risk assessment process, an organization can design a cybersecurity program that both best mitigates risk and fits its needs.
While each organization’s technological safeguards can differ, the following is a list of the 15 controls that every business should implement to mitigate risk:
1. MFA and unique complex passwords to access all computers, networks and clouds.
2. Advanced threat detection and prevention on all networks and computers.
3. An automatic VPN.
4. MDM for all mobile devices with access to company email or other data.
5. A sandbox for launching links and attachments in incoming email, and scanning of outgoing email for certain types of information.
6. Users not permitted to have administrator privileges.
7. Data encrypted at rest on all laptops and mobile devices, and certain sensitive data encrypted on servers and in clouds.
8. Properly configured network firewalls, and local firewalls deployed on all laptops.
9. Automatic mandatory pushing of patches and updates.
10. Appropriate employee access limitations managed through IT and human resources processes.
11. Real-time monitoring of and response to security alerts through a security operations center (SOC) and/or security information and event management (SIEM) application.
12. Offline backups and cloud-based failover redundancy.
13. Access and activity logging configured robustly.
14. Vendor management through appropriate due diligence and contracts.
15. Cyber liability insurance in an appropriate amount and with full coverage.
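Several of the safeguards above (disk encryption, no administrator rights, threat protection beyond plain anti-virus, a local firewall, an always-on VPN, and prompt patching, which are controls 2, 3, 6, 7, 8 and 9 in the list) can be verified directly on a Windows laptop. The script below is an added example written for this page, not code from McLane Middleton or from the article. It assumes a Windows 10 or 11 Pro/Enterprise machine with Microsoft Defender as the endpoint protection (if a third-party EDR replaces Defender, substitute that vendor’s status check), and the VPN profile name CorpVPN and the allowed administrator account names are placeholders to be replaced with your own. MFA, SOC monitoring, backups, vendor management and insurance cannot be checked on the endpoint and are not covered.

```powershell
# Added example: audit one Windows laptop against the device-level controls
# in the article. Run from an elevated PowerShell 5.1 or later session.
# Assumptions: BitLocker, Defender and NetSecurity modules present (Windows
# 10/11 Pro or Enterprise); names marked "placeholder" must be adjusted.

$ExpectedVpn   = 'CorpVPN'                       # placeholder: always-on VPN profile
$AllowedAdmins = @('Administrator', 'LAPSAdmin') # placeholder: IT-managed admin accounts
$Findings      = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Control, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    $Findings.Add(('{0,-4} {1,-45} {2}' -f $status, $Control, $Detail))
}

# Control 7: the OS volume must be fully encrypted with BitLocker protection on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Finding 'Disk encryption (BitLocker on OS drive)' `
    ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On') `
    "VolumeStatus=$($os.VolumeStatus) ProtectionStatus=$($os.ProtectionStatus)"

# Control 6: no standing admin rights. Strip the COMPUTER\ or DOMAIN\ prefix
# from each member name and flag anyone outside the allowed list.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { ($_.Name -split '\\')[-1] }
$unexpected = $admins | Where-Object { $_ -notin $AllowedAdmins }
Add-Finding 'Users are not local administrators' (-not $unexpected) `
    ('Members: ' + ($admins -join ', '))

# Control 8: local firewall enabled on every profile (Domain, Private, Public).
$fw    = Get-NetFirewallProfile
$fwOff = $fw | Where-Object { -not $_.Enabled }
Add-Finding 'Local firewall on all profiles' (-not $fwOff) `
    (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

# Control 2: protection beyond signature-only anti-virus. Real-time protection
# and behaviour monitoring must be on, and signatures less than 3 days old.
$mp     = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
Add-Finding 'Real-time protection and behaviour monitoring' `
    ($mp.RealTimeProtectionEnabled -and $mp.BehaviorMonitorEnabled -and $sigAge.TotalDays -lt 3) `
    "RTP=$($mp.RealTimeProtectionEnabled) BM=$($mp.BehaviorMonitorEnabled) SigAgeDays=$([int]$sigAge.TotalDays)"

# Control 9: patches are being applied. The newest installed hotfix must be
# less than 35 days old (one monthly Patch Tuesday cycle plus slack).
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
Add-Finding 'Patches applied recently' `
    ($lastPatch -and ((Get-Date) - $lastPatch).TotalDays -lt 35) `
    "LastHotFix=$lastPatch"

# Control 3: the corporate VPN profile must exist for the signed-in user.
# Auto-connect rules, when configured, are visible with Get-VpnConnectionTrigger.
$vpn = Get-VpnConnection -Name $ExpectedVpn -ErrorAction SilentlyContinue
$vpnState = if ($vpn) { $vpn.ConnectionStatus } else { 'missing' }
Add-Finding "VPN profile '$ExpectedVpn' present" ($null -ne $vpn) "ConnectionStatus=$vpnState"

$Findings | ForEach-Object { Write-Output $_ }

# Non-zero exit so an MDM or RMM compliance policy can mark the device non-compliant.
if ($Findings | Where-Object { $_ -like 'FAIL*' }) { exit 1 }
```

The script reports one PASS/FAIL line per control and exits non-zero on any failure, so it can be pushed through an MDM or remote-management tool as a compliance check rather than run by hand on each laptop. A FAIL on the administrators check is the finding most worth reading closely: the member list printed beside it shows exactly which accounts hold standing admin rights.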