Barely a day goes by without hearing of a cyber attack, which might cause some organisations to despair. If major companies such as Merck and Pizza Hut can’t prevent cyber attacks, what chance does everyone else have?
This is, of course, the wrong attitude. Although larger organisations have more resources to prevent attacks, many breaches are the result of simple cyber security failings that are inexpensive to resolve. We’ve compiled seven simple things that all organisations should do to mitigate the risk of cyber attacks.
1. Create strong passwords
Many breaches are instigated by brute-force attacks that guess an employee’s password. Strong passwords will almost certainly stop these methods from being successful.
The received wisdom about passwords is that they should have at least eight characters and mix letters, numbers and special characters. But this tends to lead to ridiculously complicated passwords that are hard to remember and, ironically, comparatively easy for computers to crack.
But there’s another problem: even though complex passwords are theoretically hard to crack, you’d do well to not have to write them down somewhere, which immediately compromises their integrity.
A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character and punctuation from each word of a sentence.
2. Don’t reuse or share your passwords
No matter how secure your password is, if you write it down or share it, you invite ways for people to gain access to your account.
Using the same password for multiple accounts compounds that risk. Once hackers have your login credentials for one site, they’ll inevitably try it on other accounts – so a data breach at your email provider could soon turn into a breach of your online bank account or your company’s systems. Password managers such as LastPass and 1Password help you generate and keep track of unique passwords.
3. Back up important files
Backing up data isn’t just a cyber security issue; it’s common sense. Data can go missing in a number of ways, and it’s important to have a plan in place if that happens.
WannaCry, NotPetya and other ransomware have shown just how crucial it is to have backups. Data should be routinely transferred to an external hard drive that isn’t connected to the Internet.
4. Watch out for phishing attacks
Broadly speaking, phishing is any attempt to pose as a trustworthy source in order to get people to hand over personal information.
These attacks are usually delivered by email and are characterised by poor grammar and claims that you need to address something that’s gone wrong. For example, such messages might claim that your account has been hacked, you need to confirm a card payment or your bank account has been frozen.
If you fall for one of these schemes, you’ll inadvertently expose your entire organisation to a potentially massive cyber attack or data breach. Technology can help filter out phishing emails, but Mimecast’s third quarterly Email Security Risk Assessment claims that 24% of all malicious emails pass through spam filters. So, as well as technological defences, organisations need to invest in staff awareness training.
5. Apply patches
Companies create patches for a reason: to fix bugs and vulnerabilities in their software that would otherwise allow criminals to conduct an attack. Once a patch has been announced, the vulnerability is made public. Every day that passes without applying that patch is a day that you leave yourself open to an attack.
Patches are common, with security company Bromium reporting that organisations have to issue an emergency patch five times a month on average. In order to make sure no application is overlooked, organisations should have a patch management policy in place.
6. Protect your physical assets
Many organisations overlook the importance of keeping their physical assets secure. Just as you want to stop malicious actors from breaking into your online systems, you should stop them from breaking into your offices.
This includes stopping unauthorised personnel from entering parts of your premises that house sensitive information and stopping your own employees from leaving the office with documents, USB sticks or laptops that they shouldn’t have.
7. Conduct regular staff training courses
All the issues listed above should be covered in an organisation’s staff awareness training programme, but employees can’t be expected to hear the advice once and then remember it forever. Training should be provided to all staff during their induction, and it should then be repeated at least annually or when there is a security incident.
Regular staff training will help employees remember the lessons you’re trying to teach.
More information on staying secure
You can find more advice on staying secure by reading Insider Threat – A guide to understanding, detecting, and defending against the enemy from within.
Written by Dr Julie E. Mehan, this book goes beyond perimeter protection tools and details how you can build a defence programme using security controls from ISO 27001, the international standard that describes best practice for an information security management system (ISMS).
An ISMS is a system of processes, documents, technology and people that helps you manage, monitor, audit and improve your organisation’s information security. It helps you manage all your security practices in one place, consistently and cost-effectively.
