5 Cybersecurity Best Practices for Businesses of All Sizes


In today’s technological world, businesses cannot function without technology, which exposes them to the risk of cyberattacks every day. While organizations are steadily increasing their cybersecurity budgets, the number of incidents has only grown in frequency and severity over the years.

Today’s hackers evolve as quickly as technologies do, which forces businesses to be proactive in the way they manage their cybersecurity.

Here are five cybersecurity best practices for companies of all sizes:

1. Create backup copies

This point, while incredibly important, is often overlooked by organizations of every size. It is essential that they create backup copies of everything they consider important to their usual operations, whether virtual machines, databases, internal servers, etc.

Not only should they create backup copies, but they should host their backups with external services to avoid catastrophic events like the one that hit VFEmail, whose entire company was wiped out in a matter of hours by a destructive attack. All of its critical data, cloud infrastructure and backups were formatted before anyone could react.

Companies should also insist on using “unlimited copies” services, which create a backup copy every time a file is modified rather than on a set schedule. Should an organization be hit by a ransomware attack, it can then revert to the exact state it was in at the moment of the attack.

2. Establish and enforce password policies

Of these five cybersecurity best practices, password policies are one of the easiest ways to secure your company.

Not only should employees have strong passwords used exclusively at work, but a password should never be reused across the organization. For example, your network administrators should never use the same password across all the technologies they manage. When a hacker compromises one password, whether it was poorly encrypted within the system or found elsewhere, they will try it everywhere they can authenticate, sometimes gaining access to very critical components of your company.

When a database is breached, as in the LinkedIn breach, its passwords are sold on the dark web, and such leaked passwords are usually the first thing a hacker looks for when trying to break into a company. If an employee uses the same password at work as in their personal life, it is very likely that this password has already been leaked online and will be used by hackers to attempt to sign into the various technologies the company uses.

Hackers also use advanced tools that combine dictionaries, common-password lists and common password patterns (for instance: word + numbers + symbol) into a password-cracking routine that tries millions of combinations within minutes. A strong password policy discourages attackers from using these tools. A good way to enforce strong passwords is to require randomly generated passwords created with a password manager such as LastPass, as these passwords are nearly impossible to crack even with advanced tools.
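As an added example (not from the article or Vumetric's own tooling), this Python policy check rejects passwords that follow the word + numbers + symbol pattern described above, flags reuse against a constructed set of previously used password hashes, and generates the kind of random password a manager would produce; the word list, the hash store and the minimum length are assumptions.

```python
import hashlib
import re
import secrets
import string

# Constructed sample of previously used passwords, stored as SHA-256 digests.
# This is an assumption for the example; a real store would keep slow, salted hashes.
PREVIOUSLY_USED = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Summer2019!", "Welcome1#", "Password123$")
}

# Constructed mini dictionary of common base words; real cracking lists are far larger.
COMMON_WORDS = {"summer", "welcome", "password", "company", "admin"}

# The "word + numbers + symbol" shape the article describes attackers enumerating
# (the trailing symbol is optional so plain "word + numbers" is caught too).
WORD_NUMBER_SYMBOL = re.compile(r"^([A-Za-z]+)(\d+)([^A-Za-z0-9]*)$")


def check_password(candidate, min_length=14):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    m = WORD_NUMBER_SYMBOL.match(candidate)
    if m:
        problems.append("matches the word+numbers+symbol pattern")
        if m.group(1).lower() in COMMON_WORDS:
            problems.append("base word is in the common-word list")
    # Reuse check: compare against the hashes of passwords already used in the organization.
    if hashlib.sha256(candidate.encode()).hexdigest() in PREVIOUSLY_USED:
        problems.append("reused: already in the set of previously used passwords")
    return problems


def generate_password(length=20):
    """Random password of the kind a password manager produces (CSPRNG-backed)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```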

This password policy should also require multi-factor authentication (MFA) wherever possible. Examples of MFA factors include:

  • Magnetic stripe cards
  • Security card codes
  • Passcodes (such as a PIN) sent to the user’s mobile device
  • Biometrics (such as fingerprints or facial recognition)
  • Challenge/response (the user answers a question, usually involving personal information only they would know)

MFA provides an extra layer of protection in the event that a password is leaked or found within your system. If these password best practices are respected and all passwords are changed on a regular basis, you will mitigate a large portion of the cybersecurity risks within your organization.

3. Train employees on cybersecurity best practices

Employees who regularly process emails should be thoroughly trained on cybersecurity best practices. Human error was the cause of 90% of cyberattacks last year, most of which started with phishing (sending a coercive email to infect a system and sometimes even gain access to it).

Phishing attacks have led to some of the biggest cybersecurity incidents in history, such as the NHS ransomware attack, which interrupted patient care for a week across various medical centers in the UK. These attacks require the least effort for hackers to perform and can have dramatic consequences.

We regularly perform phishing tests with our clients to determine the level of awareness of their employees towards the risks of phishing, and we have noticed alarming trends that reveal most companies fail to provide proper training for cybersecurity risks associated with phishing.

Employers should show their employees examples of phishing attacks and explain how likely it is that they will be targeted as well. When uncertain of their employees’ awareness, they should consider phishing simulations to give employees evidence of the risk that phishing represents for the company.

4. Update your software as soon as updates are available

Most people are annoyed by the prospect of updating their OS and software, but they should never take it lightly. The majority of patches are released for security reasons, which is why they should never be neglected.

For instance, Microsoft recently released an emergency update for Internet Explorer to patch a vulnerability that could have allowed hackers to gain full administrative access to the user’s computer.

Hackers are always on the lookout for these vulnerabilities; they become part of a toolkit that hackers will attempt to leverage every time the opportunity arises.

5. Beware of user privileges

Recent data breaches (such as the Desjardins data breach) prove that no chances should be taken when it comes to user privileges.

A malicious employee with more privileges than they should have could easily access sensitive data, copy it and sell it to malicious actors on the dark web. Such a leak could result in hefty fines for privacy law breaches, significant reputational damage that is hard to recover from, and the exposure of trade secrets, including technical information, that could later be used by hackers to gain access to your critical systems or be sold to your competitors.

Companies should regularly audit their internal systems to ensure that user privileges are actually enforced by their infrastructure. Even where privileges are well defined and users are given the least privilege possible within their ecosystem, it can often be very easy for those users to escalate their privileges or exploit their way out of their limited rights.

In conclusion

These five cybersecurity best practices, while easy to apply, are often overlooked and set aside, which leaves organizations open to various kinds of cybersecurity incidents that can be hard to recover from.

Need to test the awareness of your employees, audit your user privileges, or verify that these best practices are being respected within your company? Contact our experts to find out the strength of your cybersecurity in the face of modern hackers.

A penetration test is a simulated hacking attempt that identifies opportunities for real hackers to break through your defences and perform various malicious acts. It generally leverages tools used by hackers and various professional methodologies to replicate the steps that modern hackers would take to intrude into your IT systems.

A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. It provides a list of vulnerabilities with their respective severity levels, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.

These services allow your organization to answer the following questions, among several others:

  • Can a hacker gain access to any sensitive information?
  • Can a hacker hijack my technologies for any malicious acts?
  • Could a malware infection spread through the network?
  • Can an attacker escalate access to an administrative user?


There are many contexts in which a penetration test should be performed.

Here are some common use cases for a pentest:

  • As part of the development cycle of an application (to test the security of a new feature or app)
  • To comply with security requirements (third parties, PCI, ISO 27001, etc.)
  • To secure sensitive data from exfiltration
  • To prevent infections by malware (ransomware, spyware, etc.)
  • To prevent disruptive cyberattacks (such as denial of service)
  • As part of a cybersecurity risk management strategy.

All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that quarterly tests are performed.

Various steps are taken over the course of the project to limit the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.

For this reason, a communication plan is put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization is identified to act as the main point of contact, ensuring rapid communication in the event of a situation directly impacting your daily operations, or if critical vulnerabilities are identified for which corrective measures need to be implemented quickly.

While we use a simple 4-level risk rating (Critical, High, Moderate, Low), our risk assessment is based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when assessing the risk level of each vulnerability:

  • Potential impact: the potential impact of an attack based on the vulnerability, combined with its potential effect on the availability of the system and on the confidentiality and integrity of the data.
  • Exploitability: the potential exploitability of the vulnerability; a vulnerability that is easier to exploit increases the number of potential attackers and thus the likelihood of an attack. Different factors are considered when evaluating the exploitability potential of a vulnerability (e.g. access vector, authentication, operational complexity, etc.).
