- Enable Multi-Factor Authentication (MFA) on all business accounts, including email, cloud, banking, and remote access/VPN.
- Keep software and systems updated with automatic patching whenever possible. Regularly patch applications and update firewalls and routers
- Train employees to recognize phishing emails and other cyber threats. Verify payment requests via phone, use strong passwords, and report suspicious activity to management.
- Use strong passwords and a password manager.
- Regularly back up critical data using the 3-2-1 principle and test recovery procedures.
- Limit access to sensitive systems and data based on job responsibilities. Limit access to only what is necessary for the employee to do their job, and separate administrator accounts from daily-use accounts.
- Deploy endpoint protection (antivirus, firewalls, and device encryption).
- Develop an incident response plan for responding to cyberattacks and data breaches. Know who to contact when there is a cyber incident, steps for isolating systems, and the recovery process.
- Purchase a cyber insurance policy to help mitigate the financial impact of cyber incidents. The FTC recommends considering cyber insurance as part of a broader cybersecurity program.
Priority: MFA → Updates → Backups → Employee Training → Endpoint Protection → Incident Response Plan → Cyber Insurance.