Cybersecurity for Business
Oct 27, 2021
As an Employee or a Business Owner, You Need to Be Cyber Aware and Resilient
As our world becomes increasingly connected, it’s more important than ever to be cyber aware. There’s no question, cyber attacks are evolving in sophistication and attackers are broadening the entities they’re willing to target.
In the first half of 2021, according to Risk Based Security’s mid-year data breach report, data breaches exposed 18.8 billion records. Cyber security attacks are a risk to everyone, and it’s everyone’s responsibility to defend against them. Implementing security and resiliency best practices will help you stay safe and secure, and – should it be necessary – recover more quickly, whether at work or at home, as a business owner or an employee.
So what’s the difference between cyber security and resiliency? Cyber security focuses on protection from a cyber attack, while resiliency focuses on the ability to continue delivering services regardless of whether the cause of a disruption is a cyber attack or some other issue. Resiliency is the broader concept: it aims at services that never go down and are always available.
October marks Cybersecurity Awareness Month, an international effort to make our digital world safer for everyone. But cyber awareness should be a focus throughout the year. Whether you are managing a business or protecting your personal information, these practical tips from cyber professionals can help you be more secure and resilient.
Best practices at work
Build upon established security best practices and leading industry standards to create a robust program
Implement a reputable cyber security framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, for consistent assessment and review of cyber security best practices.
Follow advances in automation and encourage innovation in technology and thought
Encourage a forward thinking cyber mindset in your organization, focusing on staying ahead vs. chasing the threat of the day. Collaboration is key when it comes to fostering an innovative environment. Bring together individuals who have diversity of thought and experience to encourage out of the box thinking. Different perspectives invite creative solutions and help solve real world cyber problems.
Implement multi-layered controls that help you stay proactive vs. reactive while protecting your clients, customers and data
Stay a step ahead of an attack by establishing multilayered controls with employees serving as the first line of defense, strategic processes to proactively prevent and respond to potential threats, and security technology that is automated and integrated.
Leverage sector organizations for cyber best practices and information sharing
Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) facilitate proactive collaboration between organizations, which can enhance overall cyber preparedness. Partnering only with open sources and third parties can limit your information and perspective. Adding a layer of collaboration with other cyber professionals improves collective awareness of possible vulnerabilities and issues, allowing for a proactive response to a potential threat. It’s through this level of partnership that the value proposition for both the individual organization and the broader community can be clearly defined and better understood.
Talk to your suppliers about their cyber security best practices
Suppliers are key partners for managing business operations, but they can unintentionally introduce cyber threats. Understand which suppliers have access to your most critical data and systems, and confirm that data is destroyed when it is no longer needed. Regularly review your suppliers’ cyber security practices by assessing their program and security controls to make sure they align with your company standards. These security measures can become contractual requirements by adding them to your master services agreement.
Implement an information security policy that protects and educates employees
Security policy and awareness education instills company best practices and reduces risky behavior. Employees need to understand how they contribute to protecting the company and the responsibility they have to identify and report suspicious emails or activity. Teams that are trained and educated regularly to reinforce security requirements are more effective and hold a higher level of personal responsibility.
Prepare for an effective cyber response
Create a playbook that outlines cyber incident scenarios and the responsibilities of key stakeholders to your organization. Implement alternative communication protocols and alert systems in case normal communication channels are compromised. Make sure your response plan includes contact information for the supplier services who can help reinstate your operations.
Best practices at home
Take ownership of how you connect online and use the highest security settings all the time
Don’t rely on default settings – make sure you’re using the highest security and privacy settings. Remember, this advice applies to all the ways you connect online – your phone, your social media accounts and your home network.
Update all operating systems, apps and security software
Hackers love security flaws. When updates are recommended for any device (mobile, tablet, computer), complete them as quickly as possible to maintain the highest level of protection.
Use strong passwords and multifactor authentication
Information security relies on effective password management practices and authentication controls. A user name and password, and – increasingly – a secondary authentication method, keep your devices and accounts secure. Strong passwords are long, include a mix of characters, are not easily guessed and are not repeated across different sites. Reduce the need to remember a lot of complicated passwords with a password manager – a software program that stores your passwords in a single, secure location accessible via a master password.
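The criteria above (length, mix of character classes, not easily guessed, not reused across sites) can be checked mechanically. The following Python script is an added example written for this page, not code from the author or from Bank of America; the thresholds (14 characters, 3 character classes), the tiny common-password list and the sample vault are constructed assumptions, and the `{site: password}` dictionary stands in for a password manager’s entries.

```python
import math
import string

# Constructed sample of easily guessed passwords; a real check would use a
# far larger breach-derived list (assumption for this example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def character_classes(password: str) -> int:
    """Count how many of the lower, upper, digit and symbol classes appear."""
    checks = (
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: c in string.punctuation,
    )
    return sum(1 for check in checks if any(check(c) for c in password))


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate_password(password: str, min_length: int = 14, min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def find_reused_passwords(vault: dict) -> dict:
    """Given {site: password}, return {password: [sites]} for every password
    that is shared by more than one site (the 'not repeated across sites' rule)."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed example vault (illustrative values only).
SAMPLE_VAULT = {
    "mail.example": "Welcome1",
    "shop.example": "Welcome1",
    "bank.example": "correct-Horse-battery-Staple-42!",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_VAULT.items():
        verdict = evaluate_password(pw) or "ok"
        print(f"{site}: {verdict} (~{estimate_entropy_bits(pw):.0f} bits)")
    print("reused across sites:", find_reused_passwords(SAMPLE_VAULT))
```

Run it as a script to see the two weak, reused entries flagged and the long passphrase pass. The entropy figure is a coarse upper bound that assumes random selection; a dictionary phrase scores higher than it deserves, which is why the common-password check exists alongside it.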
Remember not to reply to emails or texts from unknown senders, or answer phone calls from unknown phone numbers
Avoid opening attachments or links via email (phishing) or text (smishing) – always delete them. It doesn’t take a sophisticated criminal organization to create these messages. Don’t answer calls from unknown numbers, which can be vishing attempts. Even a lone scammer with malicious intent can use simple, innocuous messages to trick you into providing non-public, personal information.
Avoid websites that aren’t secure
Web browsing on secure pages means that you have an encrypted connection. Look at the URL of the website and if it begins with https or has a lock, that indicates it’s using a secure certificate.
Teach your family and friends what you know, provide trusted sources for them to learn more
When someone like you shares their knowledge with others, it can have a strong and positive effect. Examples of trusted resources include but are not limited to:
www.BetterMoneyHabits.com and www.bofaml.com/en-us/content/cyber-security-solutions.html Learn more about keeping your information safe and enhance your financial know-how.
www.StaySafeOnline.org Expand your knowledge and get tips for talking with your family and friends about their cyber security behaviors.
www.AnnualCreditReport.com Monitor your credit ratings and investigate unusual or incorrect information.
www.OnGuardOnline.gov Protect yourself from fraud and be an informed consumer on issues related to spyware, scams and more.
www.DoNotCall.gov Register your phone number to stop solicitation calls except from political and charitable organizations.
https://haveibeenpwned.com Check if your email or phone has appeared in a data breach.
About the Author, Craig Froelich
Craig Froelich is chief information security officer for Bank of America, responsible for the bank’s information security strategy. He leads a team of experts across 16 countries dedicated to protecting the company’s information systems, safeguarding client and employee data, and ensuring overall cyber resilience.
Bank of America’s information security team defends against current and future threats to the company, partnering closely with industry and government associations to ensure security of the sector as a whole. Froelich is an advocate for diversity in tech, including narrowing the hiring gap for women and neurodivergent individuals.
Before joining the bank in 2001, Froelich held executive management roles at consulting firms and security service organizations. He has 10+ years’ experience in product management and application development for software and hardware companies and technology service providers.
Froelich has received industry awards for leadership, including appearing on the Top 100 Global CISO list. He serves as chair of the Analysis and Risk Committee for Systemic Risk. He is a former chair and current board member of the Financial Services Information Sharing and Analysis Center, and former chair and current member of the Executive Committee of Financial Services Sector Coordinating Council. Froelich serves on the board of Sheltered Harbor and the executive committee of BITS, the technology policy division of the Bank Policy Institute. He served as a U.S. representative to the G7 Cyber Experts Group, is a member of the World Economic Forum Center for Cybersecurity and FinCyber Advisor for the Carnegie Endowment for International Peace.