Your company’s information flows are less secure than they appear.
You know this. The question is: what are you going to do about it in 2020 and beyond?
Keeping sensitive corporate and employee data out of the wrong hands is an ongoing project. It’s not something to be done on a whim — no one wakes up in the morning and says, “I’m going to harden my company’s security posture today and never think about digital security again.”
That’s not how any of this works. Effective information security requires long-term commitment, and ideally in-house resources devoted to anticipating and countering digital threats. If you don’t yet have an internal cybersecurity team (or formal IT department at all), then perhaps your first order of business is to create one. That means hiring a chief information security officer and tasking him or her with standing up a team big and bold enough to keep everyone else safe.
The process also demands incremental steps. Some of what follows will be the responsibility of your IT security team, if you choose to create one. Other aspects shouldn’t wait until all the pieces are in place. They’re within the capabilities of non-experts — which means you and your team.
1. Invest in a Leading Cloud Backup Solution
Begin with a step for which you certainly need no prior IT security experience: selecting a leading cloud backup to reduce the risk of data loss and corruption due to malware attack, insider theft, or natural disasters.
Your cloud backup solution must be as resolute and flexible as your own organization. It should also be scalable, able to grow along with your business. This is no time for half-measures.
2. Optimize Your Cloud Backup Solution for Your Corporate Needs
Once you’ve selected a cloud backup solution, optimize it for your company’s needs — keeping in mind that what your company needs today won’t always be what it needs tomorrow.
Effective optimization is easier when you choose a solution with a variety of packages to fit your digital environment. For example, you might find it useful to equip individual employees with personal cloud backup solutions for any “BYODs” — personal devices used for work purposes. At the same time, you’ll certainly need a corporate backup solution for business-only elements that live permanently within your corporate security perimeter.
3. Develop a Strategy to Defeat Ransomware & Limit Its Impact
Ransomware is an emergent digital threat that’s as easy to understand as it is difficult to defend against. The most effective ransomware defense, unfortunately, is mitigation: a solution to ensure that mission-critical data isn’t irretrievably lost or corrupted in an attack.
Your cloud backup solution is an essential piece of that mitigation effort. So is a comprehensive, secure external storage program.
Preventing ransomware is a more difficult proposition. For more, let’s turn to the next thing you should do to strengthen your company’s IT security posture today.
4. Use an Industry-Leading Anti-Malware Package
Choose an anti-malware package designed for the most discerning corporate users. Hint: It won’t be a cheap, off-the-shelf consumer product. That’s an open invitation to attackers. Make sure your anti-malware solution is installed on all company devices and on any BYODs with access to your corporate perimeter.
5. Defend Your Corporate Perimeter With a Virtual Private Network
Any device with access to your corporate perimeter should have a trusted virtual private network (VPN) client installed. A VPN encrypts sensitive data and masks its origin as it travels over the Internet, preventing man-in-the-middle attackers and other eavesdroppers from intercepting and reading it. VPNs also help users evade geofencing, which is important for corporate users in international markets.
6. Assign Work Devices for Mission-Critical Data
Company-owned devices aren’t inherently more secure than personal devices, but they do facilitate greater employer control over data use and abuse. And devices that can be remotely wiped or locked by authorized IT security personnel are more secure than personal devices without that capability — if the device is lost or suspected to have fallen into the wrong hands, any sensitive data stored on it can be rendered unusable in a matter of moments.
Assigning company-owned devices to employees does present some logistical challenges and may complicate your HR picture. Ensure employees are bound by fair but strict policies around company device use — this sample “acceptable use policy” is a good example of a policy you’ll definitely want to have.
7. Ensure Work Devices Are Useless in the Wrong Hands
Let’s say it again for those in the back. If you do choose to distribute company-owned devices, you must be absolutely sure that they are useless in the wrong hands. That is easy enough for desktop devices that live within your corporate perimeter, but less so for laptops and mobile devices that travel with your employees. Remote wiping capabilities are essential (as is employee consent for the same).
8. Institute Clear Personal Device Policies
No matter how hard you try, it is unlikely that you can entirely restrict personal devices within your corporate perimeter. Overlap between personal and corporate technology will always exist. Reducing the risk of such overlap is paramount.
An important step in reducing this risk is to develop clear, strict personal device policies. “Acceptable use” is just the start; your object is to hold employees to strict standards of conduct and data protection on both sides of the corporate perimeter.
9. Educate Your Team on the Importance of Physical Device Security
Another step in this risk-reduction strategy is education, specifically around physical device security. When it comes to keeping devices out of the wrong hands and safe from corruption or damage, it’s vital that everyone be on the same page. Draw up an easy, jargon-free list of device “do’s” and “don’ts,” distribute it to all hands, and enforce it.
10. Harden Your Onsite Servers and Data Storage
Physical security is not important only for digital devices used by employees. It is also crucial for the IT infrastructure upon which your company relies every day. If your organization operates servers within its corporate perimeter, whether for intranet purposes or public Internet access, treat them with the utmost care. Restrict direct access to a small number of authorized users and institute multi-step access procedures involving biometrics.
11. Use Encrypted Email for Sensitive Communications
Email security is not absolute. Reduce the risk of sensitive information falling into the wrong hands by using an encrypted email product for very sensitive communications around corporate policies, strategy, trade secrets, and other topics you wouldn’t want competitors or criminals to know about. Unencrypted email is suitable for everyday, non-sensitive communications, provided appropriate security measures are in place.
12. Never Transmit Credentials or Account Information Over Email
This includes encrypted email, since there’s always the risk that an unauthorized user could gain access to an employee account. Transmit extremely sensitive data verbally (in person or by phone) or on paper (using interoffice mail or direct delivery).
13. Have the Most Important Conversations in Person, With Encrypted or Secure Memorialization
This is the logical endpoint of the preceding tips. While the risk is real that a malicious insider could record private conversations or otherwise surveil seemingly secure corporate environments, conducting frank or sensitive conversations in person is far preferable to any electronic means. If the conversation is to be memorialized, use an encrypted program to do so, and ensure that any means of storage follows the same exacting standards as the rest of your corporate IT environment.
14. Strengthen Your Employee NDAs
“Loose lips sink ships,” as the old saying goes. Enforce the discretion and confidentiality that you expect from your team with legally binding non-disclosure agreements. If that means tearing up your current company NDA and starting fresh, with compliance a condition of continued employment, so be it.
15. Learn to Recognize the Hallmarks of a Phishing Scam
Could you recognize a phishing attack if one were staring you in the face? While some are plain as day, others are cleverly disguised. AI-assisted spearphishing is especially difficult to detect.
Fortunately, help is out there. Start by requiring your employees to review this FTC guide on how to recognize and avoid phishing scams. Write phishing detection and mitigation into your corporate email policies, as well, by requiring employees to report suspicious emails to your IT security team.
16. Require Two-Factor Authentication for All Employee Accounts
If you bank online, you already use two-factor authentication in your personal life. Your company’s finance team already uses it in their day-to-day work as well. Instituting it across the board is neither difficult nor particularly time-consuming. Do it and watch the number of successful unauthorized access attempts plummet.
17. Deploy Pervasive Monitoring Throughout Your Organization (And Be Transparent About It)
If you set employees’ expectations properly, they’ll have no problem with your IT security team constantly monitoring their activities. This is a necessary trade-off for organizational and personal security. However, it’s vital that your monitoring program be non-discriminatory — that is, the people in charge of it can’t get a pass, as they represent the greatest potential insider threat.
18. Require Unique Passwords for All Accounts
Forbid employees from reusing passwords and require them to change their credentials frequently, as often as once per month. This change might draw some grumbles, but it’s one of the most important steps you can take to improve your organization’s IT security. When you announce your “unique password” policy, soften the blow by including tips on creating (and remembering) strong passwords.
19. Prohibit Unauthorized USBs and External Storage Devices
External storage devices, such as thumb drives, are common threat vectors. You have no way of knowing where such devices have been and no way of controlling their movements outside your corporate perimeter. The best defense, unfortunately, is to forbid personal USBs and external hard drives within your protected environment outright. Because it’s impractical to forbid external storage devices entirely, you must also ensure that any authorized devices remain within your corporate perimeter at all times.
20. Restrict Third-Party Application Access and Permissions on Corporate Devices and BYODs
Like external storage media, third-party apps are common threat vectors as well. Keep their access to corporate devices and BYODs to a minimum, enabling permissions only as necessary to perform critical corporate functions. Apps with permission to change or read information stored on devices could devastate your organization in the wrong hands.
What’s Keeping Your Team Awake at Night?
Once you begin to see digital threats to your company’s data perimeter, you see them everywhere. And there’s no way to un-see them.
The sheer volume of threats is overwhelming. So is the extent of their potential consequences. When the threat landscape is bad enough to keep hardened security professionals up at night, what hope exists for non-expert decision-makers who barely understand what they’re up against?
Non-experts can begin to make sense of the threat landscape, and to take real measures to harden their companies’ security postures, by characterizing threats according to type. One popular way to do this involves a four-type framework that far predates the digital age:
- Known knowns
- Unknown knowns
- Known unknowns
- Unknown unknowns
“Known knowns” are known, extant threats that you might already have plans to anticipate, deter, and mitigate.
“Unknown knowns” are threats that you might recognize from personal experience, but lack context or evidence to effectively predict and deter. Unknown knowns demand close study, preferably using historical data (rather than on the fly, in a live situation).
“Known unknowns” are possible threats that you know, or have reason to believe, might come into play. You know little to nothing about their genesis and can’t accurately predict their progression, but you at least have reason to expect they’ll occur (and, it follows, the ability to plan accordingly).
“Unknown unknowns” are the most dangerous type of threat. You might suspect they exist, but this is purely a hunch — they’re largely unforeseeable, and until you experience them directly, you can’t do very much to deter them.
If this all sounds daunting, it should be. This isn’t child’s play; it’s your company’s future. On the bright side, you should realize by now that you’re not helpless. We’ve gone over 20 things you can do this year to improve your company’s security posture and barely scratched the surface. You have more control in this battle than you realize, if only you’re willing to claim it.