Digitalization has increased both opportunity and risk for all businesses. Small, medium and large companies can all compete in today's market. But their interconnectedness increases cyber risk. To combat cybercrime and hackers, they must build a strong defense by implementing best practices in cybersecurity.
Cybercrime has risen in tandem with the spread of the pandemic. Remote work is becoming more common, and so are cyber threats. According to the FBI's Internet Crime Report, 800 thousand companies reported over $4.2 billion of loss in 2020 due to “fraudulent investments, romance scams, and email compromises.”
Organizations can save millions of dollars by implementing strong cybersecurity policies and procedures. According to the Cyber Security Survey by Campus Technology, “the public sector’s level of concern over ransomware (66%), malware (65%), and phishing (63%) has increased the most over the last year”. The ability to detect and remediate threats has increased, leaving public-sector organizations vulnerable.
If someone attacks your company, good security hygiene can save you. However, the severity and scale of cyberattacks are increasing daily, and the threat is approaching. As a result, protecting against such threats is critical.
What is cyber security? Definition
According to a survey conducted by the U.S. Small Business Administration (SBA), "88% of small business owners believe their company is vulnerable to a cyber-attack". It is believed that smaller businesses may be more appealing targets for digital attacks because they lack the cybersecurity infrastructure, especially when compared to enterprises with more comprehensive cybersecurity policies. Many businesses, however, are unable to afford professional IT solutions, have limited time to devote to cybersecurity, or are unsure where to begin.
On the other hand, massive amounts of data are collected and stored on devices by government agencies and corporations. The majority of records contain sensitive information, such as intellectual property, financial, or personal information. To protect them adequately, businesses must employ the set of processes, technologies, and practices designed to protect data, devices, programs, and networks from damage or unauthorized access – which is referred to as cybersecurity.
Putting it another way, cyber security is the discipline dedicated to protecting sensitive data and the systems that process or store it. According to top intelligence officials, cyber-attacks and digital spying are the most severe threat to national security, surpassing terrorism.
11 cyber security best practices
In terms of cyber security threats, the ever-changing nature is the most difficult to deal with. Luckily, management can defend against emerging cyber threats by following a set of best practices in cybersecurity.
IMPROVE YOUR COMPANY'S ARCHITECTURE & PROTOCOLS:
1) Create a hierarchical cybersecurity policy
A written and well-communicated cybersecurity policy is non-negotiable for cyber-savvy firms. The NCSA recommends starting with assessing the most valuable data to protect, identifying threats and risks related to that data, and estimating the damage your organization would suffer if it were lost or improperly exposed.
However, the level of cybersecurity risk and management varies by department and unit. You can create a general organizational policy with a hierarchical approach and then tailor it to specific departments or roles. Reviewing existing applications and network access levels is strongly advised. Keep in mind that the CEO / company owner is often one of the hackers' main targets. Therefore, giving the CEO administrator privileges to crucial software such as CRMs and ERPs may be fatal.
2) Manage your organization's inventory
Because devices and employees/users come and go, they must be managed efficiently. Regular inventory assessments (end-user, network, non-computing/IoT, and server devices) should be the foundation of any organization's cyber security program.
In other words, all assets should be easily searchable and accessible via real-time dashboards. It is recommended to include automatic and continuous compliance supervisors as well, which will detect rogue assets and unauthorized use.
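One way to implement the "detect rogue assets" part of this practice, as an added example that is not from the original article: reconcile an approved asset inventory against what is actually seen on the network. The inventory, the dnsmasq-style DHCP lease lines and the MAC addresses are all constructed for the example; a real deployment would feed in live lease or switch data.

```python
import re

# Constructed inventory of approved assets: MAC address -> asset name.
INVENTORY = {
    "aa:bb:cc:00:00:01": "finance-laptop-01",
    "aa:bb:cc:00:00:02": "hr-desktop-07",
    "aa:bb:cc:00:00:03": "printer-2f",
}

# Constructed DHCP lease log (dnsmasq layout: expiry, MAC, IP, hostname).
LEASE_LOG = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.11 finance-laptop-01
1700000060 aa:bb:cc:00:00:02 10.0.1.12 hr-desktop-07
1700000120 de:ad:be:ef:00:01 10.0.1.50 android-4f3a
1700000180 aa:bb:cc:00:00:01 10.0.1.11 finance-laptop-01
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S*)")


def parse_leases(log_text):
    """Return {mac: (ip, hostname)} using the most recent lease per MAC."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip().lower())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _, mac, ip, host = m.groups()
        seen[mac] = (ip, host)  # later lines overwrite earlier ones
    return seen


def reconcile(inventory, leases):
    """Split observed devices into known (in inventory and on the network),
    rogue (on the network but not in inventory) and silent (in inventory
    but not seen on the network, e.g. lost, retired or never returned)."""
    rogue = {mac: leases[mac] for mac in leases if mac not in inventory}
    silent = [mac for mac in inventory if mac not in leases]
    known = [mac for mac in leases if mac in inventory]
    return {"known": known, "rogue": rogue, "silent": silent}


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_leases(LEASE_LOG))
    for mac, (ip, host) in report["rogue"].items():
        print(f"ROGUE  {mac} {ip} {host}")
    for mac in report["silent"]:
        print(f"SILENT {mac} {INVENTORY[mac]}")
```

MAC addresses are trivially changed by a device owner, so treat this as a first-pass signal and confirm rogue hits against 802.1X or switch-port data where available.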
3) Update your software / focus on patching
Plan regular software updates and hardware security maintenance. Patching helps protect your environment's assets from attackers: when a bug is discovered after a piece of software has been released, a patch can be used to fix it. Patches are commonly required for operating systems, applications, and embedded systems (e.g., network equipment).
Unfortunately, many organizations have developed a bad habit of putting patching last. If you're among them, learn more about the 2017 Equifax data breach (which affected ca. 145 million people) and the 2012 Nationwide Mutual Insurance data breach (which resulted in a $5.5 million fine), both of which originated from unpatched apps. To avoid instances of human error, patching should be automated whenever possible.
4) Secure the network
Virtual private networks (VPNs) are a favorite entry point for threat actors into a network. A VPN uses encryption to connect devices, so an attacker outside the VPN cannot monitor its traffic. Credentials can nevertheless be stolen quickly, as many employees have the habit of accessing corporate networks via unsecured public Wi-Fi while traveling on business trips. And if an employee on such a network connects to the company VPN to access a company database stored on a server, a threat actor positioned on that network can monitor all data that passes through.
That's why employees must be provided with a virtual private network (VPN) to access the company network securely from remote locations. Never connect to an unknown Wi-Fi network, especially one that requires no password to connect. Hackers often set up fake access points (naming them in a friendly way such as “city free hotspot”) as a man-in-the-middle device that filters all of the traffic coming through – your passwords, your photos, your messages.
5) Back up data
Regular data backups are critical to preventing ransomware and ensuring business continuity. According to IBM, the average cost of a data breach increased from USD 3.86 million (in 2019) to USD 4.24 million, the highest average total cost in the report's 17-year history.
A successful backup and data recovery process requires a clear backup strategy with defined data protection goals. Backups should be performed automatically to a hard drive that is not accessible online (or to the cloud). This policy should specify what data and systems will be backed up and restored in case of a data breach. It's also critical to test your backups regularly to ensure they're working correctly. Consider different retention intervals for different backups, as some ransomware only activates after it has already been copied to a backup device, so a single recent backup may itself be infected.
6) Control physical access (and over-privileged users)
Keep in mind that the more rights an individual has, the greater the risk of a compromised privileged account. Optimally, you should grant people only the access they need to do their jobs. Businesses should review permissions regularly, implement a temporary or rotating credentials system, or create a system for auditing privileged accesses. Internal employees and third-party contractors must be trained to follow your cybersecurity policies.
Moreover, a top priority should be to prevent unauthorized use of stolen or misplaced desktops, laptops, and mobile devices. Verify that such devices are set to lock when left unattended and that such hardware has only limited administrative capabilities. Bear in mind that the CEO does not need access to the server room (and should not have such).
7) Allow for (ethical) hacking
Phishing attacks are among the most common types of cyber threats experienced by businesses worldwide as of 2021. And, as the APWG study warns, their number has doubled since early 2020. Raising cybersecurity awareness, such as through simulated phishing attacks or simulated break-ins to premises, helps employees understand the far-reaching consequences of such incidents. The simulation provides a safe environment for employees to learn new skills and test their knowledge.
8) Put employee privacy first
Concerns about data privacy and digital data sensitivity are at an all-time high, with GDPR legislation being introduced to regulate it better. Prioritizing employee privacy requires anonymizing their data and implementing preventative measures to safeguard them against threats. Educate employees on the various cybersecurity policies and local laws, emphasizing the impact on their privacy.
TRAIN YOUR EMPLOYEES:
9) Use strong password protection and authentication
Repetitive or weak passwords are still widespread among multinational corporation employees today. At the most fundamental level, it is critical to require all users to set long (at least 16 characters), difficult-to-guess passwords for their accounts, store them safely and change them frequently.
Consider using multi-factor authentication (MFA), which requires a second factor, such as a one-time code, to gain access to computers, ensuring security even if a password is stolen or leaked. Make yourself familiar with SSO authentication. If necessary, use a password manager – LastPass and Password Safe are both excellent options. And never use the same password twice, especially when combined with your company credentials; the same mistake cost Colonial Pipeline $4.4 million in ransom.
Never reuse passwords from other websites: it is usually a matter of minutes for a hacker to find the connection, and having hacked one of your accounts, they will have easy access to the others.
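The password rules above (at least 16 characters, difficult to guess, never reused) turned into a check that an account-provisioning script could run, as an added example that is not from the original article. The minimum length is the page's; the three-character-class test, the history depth of five and the PBKDF2 parameters are assumptions. Only salted hashes of previous passwords are kept, so the reuse check never needs the old passwords themselves.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 16        # the article's minimum
HISTORY_DEPTH = 5      # assumed: how many previous passwords may not be reused
PBKDF2_ROUNDS = 200_000  # assumed work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(password, history, username=""):
    """Return a list of policy violations; an empty list means accepted.
    `history` is a list of (salt, digest) tuples, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # "difficult to guess" approximated (assumption) as >= 3 character classes
    classes = sum((
        any(c.islower() for c in password), any(c.isupper() for c in password),
        any(c.isdigit() for c in password), any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if any(matches(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("reused from recent history")
    return problems


if __name__ == "__main__":
    past = [hash_password("Correct-Horse-Battery-1")]   # constructed history
    print(check_new_password("Correct-Horse-Battery-1", past))  # reuse rejected
    print(check_new_password("Another-Long-Passphrase-9", past))  # []
```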
10) Think before you click
Viruses, Trojan horses, spyware, and ransomware attack computers via dangerous pop-ups containing links, spoofed emails (pretending to be an actual internal email), and downloads from unknown sources as well as more sophisticated ways such as photos with malicious code embedded into them that executes once the photo is opened.
In 2021, 74% of organizations reported malware activity that spread from employee to employee – which is the highest value noted since the SOES survey began in 2016.
Maintaining virus and spam detection software is important, but users should also be aware of the risks of clicking on pop-ups or suspicious links and of downloading attachments from emails. Turn on firewall protection both at work and at home: if the network firewall is bypassed, host-based firewalls installed on wireless devices add an extra layer of security.
11) Any unknown device should raise suspicion
Many of the devices at hackers' disposal are built to resemble everyday objects such as charging cables, cable connectors, and switches. Those potent tools allow hackers to remotely access any devices connected to them. Hackers who gain physical access to the office space often leave them in plain sight – even marking them with post-its saying "do not remove"! If you spot any device you have not seen before, it should trigger some questions to your IT department.
Cyber security – summary
When it comes to preventing cybercrime, the first line of defense is always people. In fact, a UK Information Commissioner’s Office (ICO) study has found that human error is to blame for over 90% of all security breaches. Employees should be trained on how to avoid dangerous applications, identify phishing emails, and create and maintain strong passwords, to ensure that valuable information does not leave the company in the event of an external attack.
No matter how many security measures a company implements to combat rising cybercrime, businesses should have a security incident response plan in place in case they are attacked. This planning will enable management to limit the impact of a security breach and effectively remediate the situation. And it's best to test its efficiency via a series of pen tests, conducted by qualified IT professionals.
While cybersecurity risks continue to grow, so do the solutions available to organizations to reduce their impact or prevent them from occurring. A comprehensive cybersecurity program will protect businesses from long-term financial consequences as well as reputational harm. It is critical to plan ahead of time to avoid incidents and attacks, and it is the key to the survival of modern-day businesses.