All businesses with an online presence are today very concerned about cyber security. They see lurid media reports about the latest data theft or hacking exploit and immediately call the head of IT to ask about IT Security.
However, Cyber Security is more than just using software and appliances to protect the major systems and data and implementing an anti-virus package on every desktop.
Here are two simple, and cheap, IT Security tips about how to protect your business from cyber threats.
Most data losses aren’t as a result of malicious attacks or data theft. They are caused by user error. Some are accidental, some malicious. One industry guru put it succinctly that the biggest cyber security threat lies between the keyboard and the back of the chair. The first step is to alert users to potential threats and to give them guidance as to what to do if they suspect something is up.
Induction and Reinforcement
Make cyber security awareness a part of the induction process to the company. Make users aware of how threats are presented, what not to do and what to do if they suspect that they have a problem. Reinforce the message with regular updates and refreshers.
Force users to change their passwords regularly. Most applications and systems have the option to do this, and to ensure that the user chooses a strong password made up of at least 8 characters, a mix of upper and lower case, special characters and numbers.
Make a visual check that they haven`t written them on a Post-It note stuck to their computer monitor.
Make sure that all desktops have an active anti-malware installation and current software and signature files. If possible, make it a forced regular update from a central site, and one the user cannot prevent.
Many bits of malware find their way onto company networks by users bringing them in on media from home, usually flash disks but sometimes DVDs or portable hard drives.
If possible disable desktop USB ports, or at the very least make sure that something attached to a USB port is scanned for malware before being allowed to connect to the network.
If your company has secure or confidential data, then disabling USB ports is essential to prevent sensitive information leaving the company on flash drives.
Disable employee access to systems and data as soon as they hand in their resignation. This is especially important if they are being dismissed. Without wishing to suggest that an employee who is leaving voluntarily has malicious intent, accidents do happen.
Data Loss Prevention and Recovery
The only secure company is one that hasn’t been hacked yet. At some point an organisation is going to have an incident, the severity of which will depend on the preventative measures taken. At worst it could be a total loss of systems and data. A prudent IT head will plan for such an eventuality.
This requires comprehensive and effective data loss prevention and recovery procedures. It is usually comprised of three components:
This is the cyber security software, appliances and user education programme designed to, as far as is possible, stop malware invading your systems;
This is the regular backup procedures for systems and data. Check your backups to make sure that are usable. The objective is to have as complete and up to date copies of systems software and data as possible. Critical transaction data may need special treatment.
This is the set of data backups and procedures for recovering the complete or partial systems and data needed to bring the IT environment back to normal.
The digital copies of software and data are supplemented by policies and procedures to ensure that resources are available to carry out any data backup and recovery procedures.
No matter how hard you try, and how secure you think your defences are, there will come the day that you have a cyber incident. Whether you are a hero or a goat depends on how well you have prepared for it. Data Loss Prevention and Recovery planning is key.