Most organisations will suffer a data breach in the next year, whether it’s caused by a malicious actor or a careless employee.
There are no defences you can put in place to eradicate breaches, but there are steps you can take to mitigate the risk of an attack and the damage that one can cause. Software company ObserveIT sets out the best practices for organisations, and we’ve highlighted the most important.
1. Implement a formal information security governance approach
A framework that makes sure information security strategies are aligned with and support the business is more important than “every shiny tool in your security stack”, according to ObserveIT. “When selecting one of these methods, ensure your program provides the ability to employ a risk-based approach and enables your teams to detect incidents, investigate effectively, and respond quickly.”
2. Reduce data loss
Employees are often organisations’ biggest security vulnerability. Insiders can be tempted to steal or compromise data for a number of reasons, including financial gain or revenge, but even those who don’t intend to breach information are susceptible. Anyone can accidentally lose or disclose data.
ObserveIT says that it’s more important than ever to control access and monitor employees, vendors and contractors for suspicious or negligent behaviour.
3. Update software and systems
Cyber criminals are constantly finding new ways to exploit organisations, so even if your software and systems appear to be secure, they won’t remain so for long. Software companies frequently patch vulnerabilities, and once the update is released, the vulnerability is made public. Every day that passes without applying that patch is a day you leave yourself open to an attack.
Security company Bromium reports that organisations have to issue an emergency patch five times a month on average. In order to make sure no application is overlooked, organisations should have a patch management policy in place.
4. Conduct regular staff awareness training
Staff awareness training can help employees understand a wide variety of security responsibilities. Organisations should regularly enrol their employees on courses covering information security, phishing and security standards that the organisation has implemented or laws it is subject to.
ObserveIT writes: “In these sessions, it may feel like you are putting […] people to sleep or it might be going in one ear and out the other, but training [them] on proper cyber security hygiene is critically important. Finding creative ways to make the training stick will go a long way.”
If you’re interested in enrolling your employees on a staff awareness course, IT Governance has you covered. We offer e-learning courses on:
- Phishing and ransomware;
- Information security;
- ISO 27001;
- The Payment Card Industry Data Security Standard;
- Phishing; and
- The EU General Data Protection Regulation.
Each course provides an introduction to the topic and covers essentials. The courses also include interactive elements to engage your staff and a multiple-choice test to assess how much of the information they have retained.