
Building a Foundation for Cybersecurity Risk Management

Cybersecurity used to be primarily a concern for IT departments at large companies to tackle through technology — but that’s no longer true. Today, even small and midsized companies need to worry about the ramifications and repercussions of cybercrime.

Cybercriminals are increasingly sophisticated, relentless, highly skilled, and well-funded. Their exploits are often targeted, automated, and even sponsored by nation-states with specific goals. And as banks increasingly offload liability for fraudulent bank transfers to their customers and privacy and cybersecurity legislation becomes more stringent, smaller businesses can easily find themselves burdened twice: once by cybercriminals, and again by the need to compensate their customers for the loss or exposure of sensitive data.

Xantrion recommends that its clients take seriously their increased responsibility for protecting themselves against cybersecurity-related risk. We recommend the following technical controls as a baseline for cybersecurity risk management:

1. Deploy antivirus software on all endpoints.
2. Deploy inline web filtering to block users from visiting sites that are known sources of malware (and any other sites you choose to blacklist).
3. Set a password policy that enforces a minimum length and screens new passwords against lists of known breached passwords. Current NIST guidance (SP 800-63B) no longer recommends forcing users to change passwords on a fixed schedule; require a change when there is evidence of compromise.
4. Regularly apply updates and patches.
5. Install an e-mail spam filter and monitor its performance.
6. Change logins and passwords from the manufacturer's defaults.
7. Set up complete, reliable data backups, with at least one copy kept offline or otherwise out of reach of an attacker who has compromised the network, to protect business continuity in case of system failure, ransomware, or a social engineering attack.
8. Configure mobile devices to require a PIN and encryption.
9. Set laptops and desktops to lock after a set period of user inactivity.
10. Implement full disk encryption on all laptops.
11. Allow your wireless network access only to the internet; do not allow it to reach your secure wired internal network.
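The password item is where older "complexity plus regular rotation" rules and current NIST SP 800-63B guidance diverge most. The following Python check is an added example, not code from the original article or from Xantrion: it implements the 800-63B model (minimum length, a breached-password blocklist, no context-specific words, no scheduled rotation) and keeps the legacy complexity-class rule alongside it for contrast. The 12-character minimum, the 128-character cap and the five-entry sample blocklist are assumptions for illustration; a real deployment would load the full breached-password corpus.

```python
"""Added example: password-policy check in the spirit of NIST SP 800-63B,
with the legacy 'three of four character classes' rule shown for contrast.
Thresholds and the sample blocklist are assumptions for illustration."""
import hashlib
import unicodedata

MIN_LENGTH = 12    # assumption: 800-63B requires at least 8; 12 is a stricter baseline
MAX_LENGTH = 128   # allow long passphrases; cap only to bound processing

# Constructed sample blocklist, stored as upper-case SHA-1 hex (the layout the
# Have I Been Pwned corpus uses). A real deployment loads the full set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "P@ssw0rd", "Welcome123", "letmein", "Qwerty123!")
}


def legacy_policy_accepts(password: str) -> bool:
    """Older rule: at least 8 characters drawn from three of four character
    classes. Shown only as a contrast: it accepts widely breached strings such
    as 'P@ssw0rd' and rejects long all-lowercase passphrases."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 8 and sum(classes) >= 3


def evaluate_password(password: str, username: str = "", org_words=()) -> list:
    """Return the list of policy failures; an empty list means acceptable.

    Checks, in order: NFKC normalisation (so visually identical input hashes
    identically), length bounds, the breached-password blocklist, the username
    or organisation-specific words embedded in the password, and trivially
    repetitive strings. There is deliberately no rotation rule: 800-63B says
    to change passwords on evidence of compromise, not on a calendar.
    """
    pw = unicodedata.normalize("NFKC", password)
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        failures.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1:
        failures.append("appears in breached-password list")
    lower = pw.lower()
    if username and username.lower() in lower:
        failures.append("contains the username")
    for word in org_words:
        if word.lower() in lower:
            failures.append(f"contains context-specific word '{word}'")
    if len(set(lower)) <= 2:
        failures.append("too repetitive")
    return failures


if __name__ == "__main__":
    # Constructed candidates: a breached 'complex' password and a long passphrase.
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate,
              "| legacy accepts:", legacy_policy_accepts(candidate),
              "| current failures:", evaluate_password(candidate) or "none")
```

Run stand-alone, the script shows the legacy rule accepting "P@ssw0rd" (it has all four character classes) while the current check rejects it as both too short and present in the breach list, and the reverse for the passphrase. The blocklist is compared by hash so the check can be run against a large downloaded corpus without keeping plaintext passwords on disk.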

While these steps go a long way toward minimizing computer network vulnerabilities, technology alone is not enough to protect against data breaches. These additional procedural steps will further harden your cybersecurity posture against classic scams and sophisticated social engineering:

1. Follow your financial institution's advice about preventing fund-transfer fraud, including requirements for "dual controls" and "out-of-band" verification of significant transfers.
2. Review vendor agreements for insurance requirements and indemnity clauses to spot and mitigate areas of potential cybersecurity risk exposure.
3. Conduct a thorough cybersecurity risk assessment, both to reassure yourself and to provide written evidence to your business partners and/or external auditors that you follow best practices.
4. Use this IT risk assessment to benchmark your organization against the NIST Cybersecurity Framework.
5. Consider investing in a specific cyber insurance policy.
6. Work with cybersecurity professionals and your attorney to create a data breach response plan, and rehearse it so your employees know what to do if and when a breach occurs.