
Cybersecurity Best Practices 

October 6, 2025
Cybersecurity best practices help keep you and your organization safe.
By Maria Negron Kneib

Every 39 seconds there is a new cybersecurity attack somewhere on the web. Given that prevalence, the odds are not in your favor. Microsoft customers reported 600 million attacks daily in the company’s 2024 Digital Defense Report. Over a billion data breach notices were sent to individuals in 2024. Following cybersecurity best practices doesn’t mean you have to be bulletproof, but you can take the following precautions to protect your organization.

Fostering awareness is one of the fundamental cybersecurity best practices:

  • Cyber threats are ubiquitous, so talk about the problems your organization faces.
  • Share statistics, stories, and personal examples to improve awareness and lessen the stigma, especially as scams get increasingly complex and realistic.
  • Encourage discussion so people share their own experiences and stay alert on all platforms (work, home, social) as threats evolve.
  • Leaders need to lead. Have the executive team talk and present findings to underscore its importance.
  • You’re only as safe as your weakest link. Understand your vendor policies. Make sure your vendor is also enforcing its policies and has a similar mindset.

Shore up expectations:

  • Develop organizational (not IT) policies to protect the organization, staff, customers, vendors, clients, and members. These act as guardrails and level-set expectations (e.g. lock your device when you step away, change passwords every 30 days). Outline everyone’s part and responsibility to keep cyber threats at bay.
  • Ensure staff know and understand policies (e.g. require yearly sign-off so they refresh their understanding).
  • Define a process to control the release of sensitive information and funds. One tip: Include 2-factor authentication for more than just passwords (e.g., check requests, gift card authorizations, any time funds are moving).
  • Regularly highlight a policy in staff meetings.
  • Re-examine policies to make sure they are keeping pace with change (e.g. are staff working remotely? Traveling more?).
  • Create an incident response plan, cheat sheet, or checklist (see below) to make those who give you their data more comfortable. Bonus: it lessens confusion and delay about next steps so you can act immediately.
  • Secure the workplace (wherever that may be). You wouldn’t leave your credit card out on your desk at the office, but are you as vigilant everywhere you work (home, coffee shop, airport, hotel lobby, etc.)? Verify everyone knows the rules and ways to protect information wherever they work.

Determine your baseline: 

  • Understand the different types of cyber threats and how they interplay: smishing, vishing, phishing, ransomware, malware.
  • Test to get a baseline, measure where people are, and show improvement over time. Consider phone testing, phishing testing, and even testing the physical office. Better to fail tests than the real thing!

Cybersecurity best practices help establish and improve instincts:

  • Establish and improve instincts through continuous training so staff’s understanding evolves alongside the threat landscape (e.g. customized URLs that mask a bad actor).
  • Regularly remind staff that bad actors are always looking for information everywhere they can find it (e.g. scrape your website or LinkedIn for old emails/contacts so they can find any target).  
  • Safeguard infrastructure and verify that IT or managed services push out up-to-date patches/versions to your equipment regularly.  
  • Offer dedicated organizational equipment rather than allow personal devices. 
  • Manage your assets. Account for who has what piece of equipment. Record serial numbers. Share tips to manage assets (e.g. lock your computer, don’t leave it in the car). 
  • Never share passwords (especially over email). Explore password management tools for your organization as a secure mechanism to share passwords and maintain strong passwords. 
  • Back up work product to the cloud (e.g. SharePoint, Dropbox, Citrix Files, etc.). Don’t leave finished final work product saved only to your computer—once it’s gone, it’s gone. 
  • Don’t connect to public/free Wi-Fi. Connect to a secure Wi-Fi connection (e.g. turn your phone into a hotspot). 
  • Maintain a close relationship with your vendors so you can ask how they are protecting your organizational data.  

Cement a plan: 

  • Define the severity of the incident based on number of people affected.  
  • Determine the stakeholders that need to be notified of the incident based on severity. 
  • Outline the communication plan based on the severity of the incident.  
  • Share the incident response plan with your board, so they understand why they are being notified in the event of an incident. 
  • For easy reference, have vendor names, your account numbers, and support phone numbers handy and printed for the IT department at home, because you may not be able to access information on computers/laptops.

Make sure cybersecurity best practices are not out of sight, out of mind, or only a once-a-year thing. You’ll never be done protecting your organization because threats continuously evolve, but you can prepare staff, vendors, and clients to work with you to maintain the highest levels of security.
