There seems to be a common thread to business approaches to cyber security. After hearing of the latest exploit in the media, executives panic and demand impossible improvements in cyber security, then return to a state of “It can’t happen to us” when IT put forward a new cyber security budget.
The bad news is that the FBI have reported a significant increase in the frequency and virulence of cyber-crime over the last two years, ransomware in particular. They say that the only safe site is one that hasn’t been hacked yet.
The increase in cyber-crime has been partially enabled by an increase in remote access to systems, both through working from home and through new e-commerce sites. In some cases, limited access to corporate sites has been granted to suppliers and customers. Where these access routes haven’t been properly secured, they significantly increase the attack surface for hackers and expose systems to hacking and malware exploits.
What Can be Done to Improve Cyber Security?
Before looking at five approaches to improving cyber security and keeping ahead of the hackers, it is important to understand that cyber security is not just an IT issue. It is a company matter, since not all threats are purely IT-related. The FBI has stated that the majority of successful exploits are initiated by users, either intentionally or by mistake, or as they put it, “between the keyboard and chairback”.
Here are five high-level steps you can take to improve cyber security:
Take Cyber Threats Seriously
Stopping cyber threats before they happen, or mitigating their effects if they do, is the best way to prevent damage to your business. Don’t assume that your business is too small or doesn’t have anything to interest hackers. There have been reports that some home networks have been attacked.
Take cybersecurity seriously. Failing to do so could seriously, and perhaps terminally, affect your business. Just imagine the effects on your business if your IT systems are out of action for a week while you recover from a ransomware attack.
General Executive and Staff Education
Users need to be able to recognise a cyber threat when they see one, especially phishing attacks, which are the commonest attacks on users. They need to understand what to do, what not to do, and who to report to if they suspect an attack.
The education process starts at induction and is regularly reinforced by email, newsletters or update workshops.
The user process also needs to include the removal of all IT privileges from staff when they resign, and particularly when they are dismissed. A disgruntled ex-employee can cause havoc in IT systems or steal sensitive corporate information.
IT Staff Education
The final arm of education is that IT staff from the Head of IT downwards must keep up to date with the new cyber threats and how to counter them. For example, remote working has given rise to a whole new type of threat, and counter-measures are still being developed.
BYOD allows users to attach their own devices to the network. This puts them out of direct IT control, and as a consequence IT are unaware of their security and anti-malware status. Home computers and smart devices generally have lower security and anti-malware protection and can therefore act as a portal for unlawful entry to corporate systems, or deliver malware.
Some organisations have a quarantine process where devices can only fully connect to the network after they have been inspected by IT and declared free of any threats.
A second area is using portable devices like flash drives. If they can be connected directly to your network, they can assist with the theft of Intellectual Property or sensitive corporate data, or simply introduce malware.
One final area is Cloud-based data stores. If users can upload information freely to things like DropBox or OneDrive, they can download it elsewhere at their leisure. Consider blocking their use from the desktop, though this might be problematic for remote BYOD devices.
Don’t be complacent: you will need to restore systems and data at some point. Having access to complete and up-to-date backup copies is essential. It is also essential to check that they are usable. There have been occasions where backups, particularly tape backups, have proved to be incomplete or unusable.
Institute a programme, perhaps automated, of regular backups. In some cases, particularly in the retail e-commerce and financial environments, this could be a hot-standby site.
One consideration is to have more than one backup, held on different devices and perhaps in different locations. Cloud backup sites are becoming popular. This mitigates the risk of total loss if one site is unusable for any reason.
Finally, include these backup plans as part of an overall business continuity plan.
Don’t shy away from investing in cyber security hardware, software and training. This includes, but isn’t limited to, hardware and software for your anti-malware, anti-virus and firewall applications. Keep staff up to date with current threats and counter-measures.
It’s like insurance, a grudge purchase, but one that you are thankful you invested in when you need to use it.