Is my business secure? | 6 cybersecurity practices to know

A photo looking over the shoulder of a woman with brown hair. she is looking at a laptop with a VPN loading screen.

We hear about more cyberattacks every day. What was once a rare novelty is now a daily concern. It’s been estimated that if cybercrime revenue were measured as a country, it would be the world’s third-largest economy. Those are some severe losses for businesses.

So, what can you do to ensure your business and client data is secure? How do you know if your cybersecurity practices are working?

WEBIT Services has helped clients reach their IT goals for over 25 years. WEBIT has helped hundreds of clients develop positive cybersecurity practices in that time.

By the end of this article, you will know six cybersecurity practices that will help you evaluate the effectiveness and improve your security program to keep your data safe from exploitation.

6 cybersecurity practices that secure businesses

Below are six practices that help secure businesses. Of course, cybersecurity is a complicated topic. A good start is asking yourself, “Am I following these practices?”

If so, your business has a solid cybersecurity foundation.

If not, it’s time to talk to your IT Provider.

Here are our six practices for a successful cybersecurity system.

1. Follow an IT security framework

Your IT Provider and cybersecurity practices should follow an official IT cybersecurity framework like CIS or NIST for maximum security impact. A collection of IT experts creates these frameworks, and they set the standard for cybersecurity.

All official frameworks follow the steps:

  1. Identify technology in use
  2. Protect the systems through various tools, services, and practices
  3. Detect threats
  4. Respond to detected threats
  5. Recover system functionality and data loss, if possible

Steps 1 and 2 takes a proactive approach to establishing and fortifying protection. Step 3 detects threats, while steps 4 and 5 are reactions that help to minimize the damage from those threats. These five steps encompass the goals and strategies of cybersecurity.

If your IT provider or internal IT department is not following a framework, they are likely missing a key piece of their cybersecurity strategy.

  1. Missing the Identify step means that missed hardware or software does not receive protection, potentially exposing the entire system
  2. Missing the Protect step means that the systems could be exposed and vulnerable to cyberattacks
  3. Missing the Detect step means viruses and malicious activity goes unnoticed.
  4. Missing the Respond step means that viruses and malicious activity are not addressed or removed.
  5. Missing the Recover step means that data and functionality are lost.

While there is flexibility regarding which tools, programs, and strategies can be used within the framework, an official framework must be followed for maximum effectiveness.

If your company is not following an official cybersecurity framework, you are missing critical security elements and are exposed to preventable risks.

2. Use cybersecurity tools

It’s important to find the right cybersecurity tools for your organization. Using poorly matched tools or programs incorrectly can lead to frustration or additional risk.

Both CIS and NIST frameworks recommend tool functions but do not recommend specific tools by name. That decision is left to the user or organization.

Below, we have a chart outlining the different tools and practices recommended by each step within the NIST framework.

A chart from NIST Cybersecurity Framework. In the chart, each of the five steps are labeled, Identify, Protect, Detect, Respond, and Recover. Underneath each step is a list of tools, programs, and strategies that can be used to achieve that framework goal.

As you can see in the chart, cybersecurity tools have also grown beyond just “antivirus” programs. It now includes various tools, ranging from company IT policies to A.I. systems used to locate suspicious activity.

Of course, the tools you can utilize will depend on your budget and needs. For instance, a larger workforce may require a more robust program to cover their numerous devices, while a smaller business might be able to use a less vigorous program or, at least, has fewer devices to protect.

Speak with your IT provider or internal IT department to see what programs they recommend based on your current company setup and future goals.

Once you have selected tools that meet your budget and your cybersecurity goals, the programs will need to be activated and all employees trained in how to use them.

The tools can be properly installed, but they don't do any good if they aren’t turned on and configured properly. Verify with your IT provider or internal IT department that the tools are turned on and being monitored for effectiveness.

If a tool requires employee participation, train employees in how to use that tool or program. For instance, email firewall programs will include a “report phishing” button in your email options. Do your employees know where that button is? Do they know what it does?

For example, perhaps your organization has recently introduced multi-factor or two-factor authentication (2FA) for logins. Do your employees know what 2FA system to use? Do they know what systems are using 2FA?

If a cybersecurity tool is installed but not activated and there’s no training in its use, the door is open to preventable risk.

3. Give appropriate employee access

As employees are added to your company’s IT system, decide which files they should and should not be able to access. Limiting employee access to department files acts as an additional safeguard against cyberattacks.

If all employees have access to every file in the system, and a single employee clicks malicious software, the entire system is now exposed.

If an employee only has access to their department’s files, then cyberattacks through that employee are limited to their files.

If one occurs, an attack should be limited to one area rather than the entire system. If employees have limited access, a cybercriminal must access every department’s drive or file collection to compromise the whole system.

Limiting access also means that the attacked files are the only files that need to be recovered. Recovering files is not instantaneous. It takes time. The larger or more numerous the files, the longer recovery takes. Recovering a single drive will take less time than recovering every company file.

A photo of a mobile device on a wooden table. The device screen shows the word "Security" with an icon and an on/off slider.

Source: BiljaST,

4. Employee cybersecurity training

Unfortunately, cybersecurity training can’t be a one-time thing due to the constantly evolving nature of cybercrime. Employees and leadership should receive regular cybersecurity training to better arm your organization.

Of course, training sessions can occur as frequently as your feel your organization needs. If you’re unsure where to begin, quarterly training sessions are a good starting point.

This way, training can be in direct response to quarterly risk assessments. If the assessment uncovers weaknesses in your cybersecurity practices, address them in the next training session.

Trainings do not have to be day-long endeavors. They can be something as simple as a five-minute video explaining a policy or strategy that will help protect company data. Training can also include tests like artificial phishing emails.

5. Quarterly risk assessments

As previously mentioned, quarterly risk assessments can help uncover cybersecurity strengths and weaknesses.

Again, risk assessments can be performed as regularly as your business needs, but quarterly is a good foundation. Quarterly assessments give you time to see improvements while also factoring in new risks and cyber threats.

Risk assessments will also show you where your cybersecurity system is succeeding.

For instance, one assessment shows that employees are clicking phishing emails. In response, your IT provider gives training on identifying phishing emails and then sends out fake phishing attempts to test employees.

The following risk assessment should show improvement with fewer harmful links clicked in the new quarter.

Risk assessments will also tell you:

  • What hardware and software need updates or are at risk due to age.
  • If employees are following company cybersecurity policy.
  • How many cybersecurity issues are resolved in a timely fashion.
  • The effectiveness of your practices. Good practices mean cybersecurity risks should decrease, while poor practices show increased risk.

However, it’s important to note that risk will never be zero, even with excellent cybersecurity practices. Cybercriminals are constantly developing new programs and threats, which are always considered.

A successful risk assessment shows that your risk remains within your targeted risk level. If your risk assessments are consistently outside your targeted levels, it may be time to examine your tools, policies, and practices.

6. Have a plan

While no one likes to think about system failure, it is necessary to have a worst-case scenario plan.

Ask yourself, leadership, and your IT provider or internal IT department questions like:

  • If a cyberattack compromises our system, what do we do to contain the damage and get systems back up?
  • If a server malfunctions or goes down, what do we need to do to get systems running again? Do we have a backup server? How long will it take to activate?
  • What do we do in the face of a natural disaster? Do we have files on the cloud, or are they physically on hard drives and servers? How do we protect physical systems?
  • What practices or hardware do we have to keep downtime to a minimum?
  • Do we have a plan for a ransomware response?

Your IT provider or internal team will have recommendations to address these questions and others to prepare your organization. Ignoring these questions can lead to prolonged downtime and permanent data loss.

You might not be able to anticipate every possibility, but having a reliable, foundational plan gives you a head start.

Next steps to establish cybersecurity

Cybersecurity is not set in stone. It continues to evolve to address new risks and concerns.

This article outlined six essential practices that help you evaluate and improve your organization’s security practices. They are:

  1. Follow an IT security framework.
  2. Use cybersecurity tools.
  3. Give appropriate employee access.
  4. Have regular cybersecurity training.
  5. Have risk assessments.
  6. Have a plan in case of system failure or compromise.

If you have implemented each of these steps to fit your business, then your security system is working to reduce risk and protect data.

Talk to your IT provider or internal IT department if you are missing steps or feel they could be improved. It’s never too soon to discuss cybersecurity concerns or improvements. The sooner you address risks and security weaknesses, the sooner you can secure company data.

WEBIT Services has helped clients build security practices for over 25 years. In that time, WEBIT has grown passionate about education and cybersecurity.

If you are looking for a new IT Provider or have additional questions, schedule a free 30-minute consultation with WEBIT to see how it can help.

Because cybersecurity is not static, it helps to continually learn about new tools and practices to help businesses reach their security goals. Here are recommended articles on bolstering security: