How safe is your data?
Make it harder for hackers to attack
No matter how well protected you think your business is, you should never become complacent about cyber security.
Just last month British Airways were forced to issue an apology after hackers breached the firm’s security systems, compromising the personal and financial details of customers making or changing bookings on its website.
With the National Cyber Security Centre’s (NCSC) annual review claiming that it’s currently defeating around 10 cyber-attacks every week, it’s more important than ever to be cyber aware and know what actions could lead to serious financial and reputational consequences for your business.
The ‘H Factor’ – the human element – can often be the weakest link, making cyber-attacks and data breaches possible, sometimes even more so than hackers exploiting system vulnerabilities or employing new malware.
Small businesses can be particularly vulnerable to cyber-attacks as many simply don’t have the resources to ensure that all their information is secure.
Spending time with your employees to talk about cyber security and how to improve it is vital, so they have a better understanding of the security measures that your business takes and why those measures need to be taken.
‘Accidents’ can include inadvertently sending sensitive information to the wrong email recipient or clicking on a malicious link and unintentionally downloading malware into the organisation.
Most employees who fall prey to social engineering and click on a malicious link do so out of ignorance or because they were victims of phishing (the fraudulent practice of sending emails purporting to be from reputable companies).
As an increasing amount of sensitive data is now stored and communicated online, employees should be reminded to change their passwords on a regular basis and have limited access to important and sensitive business information where possible. When sending sensitive information via email, the use of encryption is essential. Known as ‘cipher text’, encrypted data can only be decrypted with a ‘key’ or password. Although it can’t protect against all cyber-attacks, encryption does make data theft harder for hackers. Even if they do ‘get’ the data, if it’s encrypted, its content will be meaningless to them.
All businesses, regardless of size, should take regular back-ups of their important data, and make sure that these back-ups are recent and can be restored. By doing this, your business will still be able to function following the impact of flood, fire, physical damage, theft and most cyber-attacks. If you have back-ups of your data which you can quickly recover, you can’t easily be blackmailed by a ransomware attack.
Here are the NCSC’s top tips on what every business should have implemented:
- Start with boundary firewalls and internet gateways - establish network perimeter defences, particularly web proxy, web filtering, content checking and firewall policies to detect and block executable downloads
- Block access to known malicious domains and prevent users’ computers from communicating directly with the Internet
- Malware protection - establish and maintain malware defences to detect and respond to known attack code
- Patch management - patch known vulnerabilities with the latest version of the software, to prevent attacks which exploit software bugs
- Whitelisting and execution control - prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives
- Secure configuration - restrict the functionality of every device, operating system and application to the minimum needed for the business to function
- Password policy - ensure that an appropriate password policy is in place and followed
- User access control - limit normal users’ execution permissions and enforce the principle of least privilege.
Additional security controls to identify any unexpected or suspicious activity include:
- User training, education and awareness - staff should understand their role in keeping your organisation secure and report any unusual activity
- Security incident management - put plans in place to deal with an attack, as an effective response will reduce the impact on your business.
Remember: Doing nothing is no longer an option. Protect your organisation and your reputation by establishing and maintaining cyber defences.
Find out how Amethyst can help your company (whatever its size) and staff by contacting us today: firstname.lastname@example.org