1. Assign roles and responsibilities for cyber security, both within the executive ranks and at the operational level.
  2. Maintain up-to-date inventories of applications, data and hardware—an organization has to know what assets it has in order to secure them.
  3. Demand strong access controls; require two-factor authentication for remote access (e.g., a password combined with a biometric or a hardware-token code, so that two distinct factors are needed).
    1. Do not allow shared user accounts.
    2. Require strong passwords or biometric authentication.
    3. Change all default passwords, even on printers, copiers, scanners and digital cameras.
    4. Limit access to only the data and systems needed for job performance.
    5. Control and monitor privileged access for system-administrator functions; only system administrators should be able to install software or add hardware.
  4. Install anti-malware software, automatically update it and run scans frequently. Use next-generation firewalls.
  5. Use only equipment and software that is within vendor support (check Microsoft products by referring to this site: bit.ly/2aS8mHe).
  6. Get rid of legacy applications that require out-of-support software or operating systems (no matter how much the business users love them).
  7. Update all software and apply patches within one month of notification—sooner if serious vulnerabilities have been identified.
  8. Allow local admin rights on workstations or laptops only where absolutely necessary.
  9. Use full-disk encryption for laptops and encrypt sensitive data at rest.
  10. Use network segmentation to restrict users and applications to defined areas of the network.
  11. Develop an incident response plan capable of managing all types of incidents, and test it with all stakeholders taking part.
  12. Regularly back up systems and data, store backups offsite, and develop and test recovery plans.
  13. Restrict the use of removable media (thumb drives, CDs, external hard drives).
  14. Develop and implement cyber-security policies and procedures in alignment with best practices and standards.
  15. Perform regular risk assessments of the cyber-security program, including reviews of cyber insurance.
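Several of the items above (7, 10, 13, 14 and 18) can be verified on a Windows workstation rather than taken on trust. The script below is an added example, not part of the original list, that reports deviations from those items on the host it runs on. It assumes Windows 10/11 or a recent Windows Server with PowerShell 5.1 or later, an elevated prompt (Get-BitLockerVolume requires one), and that the 30-day patch window and the local-administrator allowlist are set to match the organization's own policy; both values are assumptions here.

```powershell
# Added example: read-only audit of a workstation against items 7, 10, 13, 14 and 18.
# Thresholds and the allowlist below are assumptions; adjust them to local policy.
$PatchWindowDays    = 30                                   # item 7: patch within one month
$AllowedLocalAdmins = @('Administrator', 'Domain Admins')  # item 13: who may hold local admin

$findings = @()

# Item 13: local admin rights only where absolutely necessary.
# Get-LocalGroupMember returns names as MACHINE\user or DOMAIN\group; keep the last part.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { ($_.Name -split '\\')[-1] }
$extra = $admins | Where-Object { $_ -notin $AllowedLocalAdmins }
if ($extra) {
    $findings += "Unexpected members of local Administrators: $($extra -join ', ')"
}

# Item 14: full-disk encryption on the OS volume (BitLocker protection must be On).
$osDrive = $env:SystemDrive
$bl = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not On for $osDrive"
}

# Item 7: the most recent installed update must fall inside the patch window.
# Some hotfix records carry no InstalledOn date, so those are filtered out first.
$lastPatch = Get-HotFix |
             Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending |
             Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$PatchWindowDays)) {
    $findings += "No update installed in the last $PatchWindowDays days (last: $($lastPatch.InstalledOn))"
}

# Item 18: removable media blocked by policy. The Group Policy setting
# "All Removable Storage classes: Deny all access" writes Deny_All = 1 under this key.
$rsKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$denyAll = (Get-ItemProperty -Path $rsKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
if ($denyAll -ne 1) {
    $findings += 'Removable storage is not denied by policy (Deny_All is not 1)'
}

# Item 10: equipment within vendor support. Support end dates are not available
# locally, so report the OS version for comparison against the vendor lifecycle page.
$os = Get-CimInstance Win32_OperatingSystem
Write-Host "OS: $($os.Caption) build $($os.BuildNumber) - compare with the vendor lifecycle page"

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'All checked controls pass on this host'
}
```

Each check is deliberately independent, so a missing BitLocker module or an absent policy key produces a finding rather than aborting the run; the script only reads state and changes nothing, which keeps it safe to schedule across a fleet as a first pass before the fuller risk assessment in item 15.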