Last fall, the Department of Defense rolled out the requirements for Cybersecurity Maturity Model Certification (CMMC). Soon, all DoD contractors will need to follow the cybersecurity practices of this standard.
But cybersecurity isn’t just for DoD contractors. To stay competitive in today’s environment, every small business needs to think about basic cyber hygiene.
CMMC exists to protect government information, but it lays out security practices that can help any business stay safe. If you are a DoD contractor, this is a great place to start implementing the necessary practices for CMMC. But these principles can help any business get a handle on cybersecurity. Here are four basic principles of cyber hygiene according to CMMC. Watch a full Core CMMC webinar on YouTube.
Four Basic Principals of Cyber Hygiene According to NIST / CMMC:
1. Network Protection
We all use networks. Today, even micro-businesses can’t compete without internet capabilities. But even though most business have a network, few businesses properly protect it. For basic cyber hygiene, your network, itself, must be secured.
Network protection begins with your firewall.
A good firewall keeps the bad things out. It helps you guard your network from anyone or anything that shouldn’t have access. But your firewall can also keep things in, blocking internal users from unauthorized and potentially harmful locations.
Tip #1: A firewall is only as good as its latest update. Many businesses install a basic firewall but forget to manage it, leaving themselves vulnerable to the ever-evolving landscape of cyber threats. If you want to stay secure, keep your firewall updated.
Another essential piece of network protection is user authentication. You can accomplish this with a directory of people or devices. Maybe you don’t want certain devices on your network, even if you trust the people using them.
Lastly, you can protect your network through monitoring.
Do you know what’s happening on your network? Your routers, firewalls, servers, and switches do. Each of these devices keeps a log, and with the right system, you can listen to what they’re saying. Most importantly, these logs can show you indicators of compromise (IOC). With the ability to spot those indicators, you can catch threats and intrusions before they become a major problem.
2. People Protection
Cybersecurity isn’t just an IT issue. It’s an everybody issue. People play a major part in keeping your systems secure.
Most likely, your people won’t compromise security on purpose. But a simple lack of cybersecurity knowledge can lead to unintended breaches. Accidents happen. One click on a malicious email can bring down a network.
That’s why awareness and training are essential first steps toward people protection.
Without properly-trained users, even a well-protected network becomes vulnerable. Make sure your people know how to identify phishing emails and other security threats. Inform them of your security policies. Tell them how to properly report incidents.
But people protection covers more than just your own employees. You also need to think about visitors. When outside vendors or contractors arrive, do you let them navigate your facility on their own, or do you escort them? Every company policy will look different, but to stay secure, you should have a plan for handling visitors.
Finally, people protection also covers the public posting of information. We’re all on social media. But what info is okay to share? Does your company have a clear policy about work-related information in public forums? Without such a policy, social media becomes a security risk.
Tip #2: The potential threats of social media aren’t always obvious. Imagine that an employee takes a selfie at work. This probably doesn’t seem like a security risk. But what’s in the background of that selfie? Can you see essential company equipment? Can you make out legible information on a computer screen or whiteboard? That employee doesn’t think they’re sharing anything important, but now company info has leaked. Be aware of the backgrounds of photos and videos.
3. Endpoint Protection
You’ve protected your network. But what about the individual devices that use that network, or that simply handle company information?
Those devices—laptops, tablets, phones—are your endpoints. For basic cyber hygiene, they too must be protected.
The first step: authenticate and identify devices. It’s impossible to protect your endpoints if you don’t know what endpoints you have. What devices can access company information? What devices can access your network?
Your endpoints need their own up-to-date antivirus software. Just like your network firewall, this software must be updated frequently to stay effective. Network protection can only do so much when individual devices remain vulnerable.
Tip #3: Your antivirus isn’t the only software to keep updated. To stay secure, stay on top of upgrades and patches for your operating system and for third party products like Java and Adobe. Out-of-date software can leave openings for viruses, ransomware, and other cyber-attacks.
Lastly, what happens when your endpoints reach their end point? How do you sanitize or destroy media before disposing of it? If you’re passing an old device to another user, how do you wipe it of information before the transition?
If not properly sanitized or destroyed, old devices become a major security risk. Have a clear plan of action for the disposal of unused endpoints.
4. Facility Protection
Finally, basic cyber hygiene means protecting your physical workspace. Threats don’t always come from distant hackers across the internet; some threats come from inside your own facility.
Control physical access to your facility. Who is supposed to be there, and when? You should know who’s accessing your workspace, just like you know who’s accessing your network.
Again, consider your visitor policy. When visitors arrive, can they go wherever they please? Or do you restrict them to certain areas?
Think about access points like computer terminals and network jacks. Could a visitor breach your security by accessing an open workstation or plugging into an unused network jack? Such unguarded access points quickly lead to security compromises. Consider implementing a closed computer policy and disabling unused network jacks.
Tip #4: Since the COVID-19 pandemic, many jobs have gone remote. Facility protection becomes much more challenging when it involves the home office. What are your security policies for people who work from home?
Cyber hygiene is a multifaceted pursuit. Each of these realms pose unique threats and require unique protections. That’s why CMMC Level 1 contains such a variety of practices, with higher levels containing even more.
If you’re a small business, cybersecurity might seem like a daunting task. You might not have your own IT personnel, and if you do, they likely don’t specialize in security.
At Core Business Solutions, we specialize in helping American small businesses achieve cybersecurity. We’re real people with a story like yours, and we have a team of InfoSec consultants ready to help. Whether you’re seeking CMMC, or you’re just a small business trying to stay secure, we can help you implement industry standards for cybersecurity.