- Make sure that backup solutions for the company's information systems exist and are operational. Backup copies that are kept separate from the network are of great help both if data gets erased and if you become the target of a ransomware attack.
- Make sure that the company has a working crisis plan in case a cyber incident takes place. Consider what happens if an e-service (e.g. e-mail, inventory management software) is not working for a while, the home page is down, etc., and how to mitigate that effect.
- Ensure that data protection teams have sufficient resources to quickly patch known security weaknesses as well as new ones that crop up. The software and solutions used at the company have to be updated to the latest official version.
- Remind your employees of the necessity of good cyber hygiene practices:
  - strong passwords
  - multi-factor authentication (i.e. in addition to the user name and password, a third or a fourth way of authenticating is used when logging in on a new device, e.g. an SMS with a PIN code is sent to the phone)
  - recognizing phishing e-mails
  - not opening suspicious links, etc.
  - an obligation to report any suspicions to the information security team.
- Create an overview of the level of cyber security of the company's external IT service providers and agree (if it has not already been set out contractually) on how they notify their customers of cyber incidents.
- Get acquainted with previous cyber incidents at the company: has the company been compromised in the past, and have the risks been sufficiently mitigated since then?
More technical recommendations from the Information System Authority for chief information security officers can be found at www.ria.ee.
Last updated: 18.02.2022 11:49