7 Steps to Secure your Business
For business practitioners outside the industry, the words “cyber security” tend to invoke feelings of anxiety and images of an otherworldly figure in a dark room wearing a hoodie, “hacking” their way into our lives uninvited and stealing our most critical data, even possibly our identity. The realm of cyber security can be daunting. It is also a published fact that during times of distress, cyber-attacks increase in proportion to the nature of the event or catastrophe, as threat actors take advantage of our weaknesses and insecurities. If it seems that more attacks have occurred and been reported since the start of the pandemic, well, you are correct.
In the business world, we have many factors to navigate in our respective professions. I completely understand the frustration and empathise. Prior to my entry into cyber, I was a business owner in a completely different industry and was hacked by an employee. It was a horrible experience which changed the course of my life. I now hold an MSc in Information Security with expertise in human factors and internal threat management. Interesting how life unfolds…
A few years ago, Inc. Magazine reported that 60% of small businesses will go out of business after an internal hack. Unfortunately, I became one of those statistics. Sometimes, ignorance can be bliss, but not when it comes to securing your business and personal information assets.
So, what do we do about this? How do we continue running our businesses, manage our families and learn how to protect ourselves in cyber without losing our minds?
In my experience, we always need to start at home and personalise cyber security to create ownership, understanding and accountability. Then we apply the same approach to our business environment, helping staff recognise their own impact on the organisation’s cyber security.
For the purposes of this post, let’s start with a basic checklist for your business.
- Password Management and Strong Passwords
This one can be tricky. One estimate states that each individual can need as many as 150 passwords to conduct everyday life at present. That is a lot of passwords, and passwords stress people out. This can lead to workarounds and poor password management such as reusing the same password across applications, writing passwords on a post-it note or using easy-to-guess combinations. My recommendation is to use a password manager and to use passphrases that include a capital letter, a number and a symbol (e.g. * & ^ ?). Never, ever use words that a hacker or social engineer can easily find, i.e., your anniversary, birthday, dog’s name, year of graduation, etc.
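The two habits this step warns against, easy-to-guess passphrases and reuse across applications, are both things a business can check for rather than just ask about. The script below is an added example, not part of the original post: it applies the passphrase rules described above (capital letter, number, symbol, no personal details) and then finds applications that share a passphrase. The minimum length, the list of personal details and the credential set are constructed assumptions chosen to illustrate the point; in practice the input would come from your password manager’s own audit or export.

```python
"""Passphrase policy check and cross-application reuse detection.

Added example for the password step; the policy values and sample data
are assumptions, not anything the original post or a vendor specifies.
"""
from __future__ import annotations

import hashlib
import re

MIN_LENGTH = 14  # assumption: we want passphrases, not short passwords


def check_passphrase(passphrase: str, personal_details: list[str]) -> list[str]:
    """Return the policy problems found; an empty list means the passphrase passes."""
    problems: list[str] = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", passphrase):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", passphrase):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("no symbol")
    # Personal details (pet name, graduation year, surname) are easy for a
    # social engineer to find, so reject any passphrase that embeds one.
    lowered = passphrase.lower()
    for detail in personal_details:
        token = detail.lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains easy-to-find personal detail: {detail}")
    return problems


def find_reused(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Group application names that share the same passphrase.

    The grouping key is a SHA-256 digest of the passphrase, so the same
    check can be run over stored digests instead of plaintext. This is a
    duplicate-detection aid only, not a way to store passwords.
    """
    by_digest: dict[str, list[str]] = {}
    for app, secret in credentials.items():
        digest = hashlib.sha256(secret.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append(app)
    return {digest: apps for digest, apps in by_digest.items() if len(apps) > 1}


# Constructed sample data: details an attacker could find on social media,
# plus a small vault where two applications share a passphrase.
SAMPLE_PERSONAL_DETAILS = ["Bella", "1998", "Smith"]
SAMPLE_VAULT = {
    "email": "Purple-Kettle-Sings-42",
    "bank": "Purple-Kettle-Sings-42",
    "crm": "Orange-Harbour-Dances-7",
}

if __name__ == "__main__":
    for candidate in ("bella1998!", "Purple-Kettle-Sings-42"):
        issues = check_passphrase(candidate, SAMPLE_PERSONAL_DETAILS)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
    for apps in find_reused(SAMPLE_VAULT).values():
        print("same passphrase used for:", ", ".join(apps))
```

Run it and the weak candidate is rejected on four counts while the long passphrase passes; the vault check reports that the email and bank accounts share a passphrase, which is exactly the reuse pattern that turns one leaked credential into several compromised accounts.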
- Multi-factor Authentication (MFA)
Also called two-factor authentication, this adds a further layer of security on top of the password when you identify yourself online. During a technology seminar with Microsoft, their team told us that implementing MFA on all devices within an organisation can increase protection by 99%. So, on every device that your company uses to access the internet, turn on this feature whenever possible. This includes any mobile device.
- Keep your Software updated
One of the most important cyber security measures for mitigating ransomware is patching outdated software, both the operating system and applications. This removes critical vulnerabilities that hackers use to access your devices. Here are a few quick tips to get you started:
- Turn on automatic system updates for your device
- Make sure your desktop web browser uses automatic security updates
- Keep your web browser plugins like Java, etc. updated
- Deploy Anti-Virus Protection and Firewall
Anti-virus (AV) software has long been the most prevalent defence against malicious attacks. AV software blocks malware and viruses from entering your device and compromising your data. Use anti-virus software from trusted vendors and run only one AV tool on each device.
Using a firewall is also important when defending your data against malicious attacks. A firewall helps screen out hackers, viruses and other malicious activity coming over the Internet by determining what traffic is allowed to reach your device. Windows and Mac OS X come with their respective firewalls, aptly named Windows Firewall and Mac Firewall. Your router should also have a firewall built in to prevent attacks on your network.
- Cyber Security Training
Cyber security training doesn’t have to be boring or expensive. As a matter of fact, there are companies such as The Cybermaniacs and Wizer Training that use humour, gamification and micro-learning to keep the viewer engaged for a better learning experience.
It is critical to stay up-to-date on cyber attack methods such as phishing scams and other mechanisms ‘the bad guys’ can use to access your organisation so you can be proactive in prevention.
- Create Information Security Policies
For information security we need to lay down the expectations for both the organisation as a whole and the users who make up the organisation. Your policies, once defined, should almost seem like common sense. But it’s the act of writing them down and adopting them that makes them official (and oh so important). The more simply and clearly you communicate your policies, the easier it will be for your reader to understand. Here is an example policy around Clean Desk:
- Computer workstations must be locked when workspace is unoccupied.
- Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the workday.
- Know Who has Access and Administration Rights
DO NOT take this lightly. An administrator account for your business should be owned by one person, preferably senior management. That person should only log into the account for critical software downloads, etc. This account should never be used for day-to-day activity, for email access or web access as this could introduce malware throughout the organisation which could lead to loss of data, financial losses, reputational damage, ransomware, etc. An individual should only have the minimum access privileges necessary to perform a specific job. This is called “The Principle of Least Privilege”.
The National Cyber Security Centre (NCSC) has a helpful infographic on its 10 Steps to Cyber Security, which makes an excellent checklist. For a modest fee, you can also go through its Cyber Essentials certification to verify your organisation’s technical security.
Hopefully, this information is helpful in your quest to better understand cyber security and initial steps necessary to increase the security level within your business and personal life.
ABOUT THE AUTHOR:
Robin Bylenga is an Information Security professional in the United Kingdom with expertise in Human Factors and Internal Threat Management. With dual master’s degrees in Human Resource Development and Information Security, Robin works to “demystify” cyber security and act as a liaison between the C-suite and the Information Technology departments. Her research adapting the Human Factors Analysis and Classification System to Cyber Security was ground-breaking and provides a proactive element to a cyber risk assessment through problem management as well as a tool to investigate an internal cyber breach.