Cyberattacks have been on the rise in recent years, with the latest Verizon report stating that since 2015, web application breaches are now 13 times more likely to occur.
Couple that with some of the staggering fines arising from the new GDPR regulations and it’s safe to say that cyber security has become more important than ever.
Trying to figure out what you need to be doing and where to start can be a daunting task. That’s why we’ve put together 5 of our top tips to help you get your IT security plan in place and help prevent breaches.
Review your current situation
Firstly, you need to figure out where you currently stand with regard to IT security. You might surprise yourself with how much you are already doing (whether in a good or a bad way), but unless you take stock, it’s hard to know where to begin and what needs doing.
Questions you can ask might include:
- What processes do you currently have in place?
- Who is in charge of IT policies?
- Exactly what are you trying to protect?
- Are you protecting sensitive data?
- Who has access to systems and devices?
- Are devices taken off-site?
- Do you store any customer data?
Understand where attacks may come from. Even if you are a smaller business, you can still be a target.
Hackers may target your business directly (ask yourself what assets you have that would make you a target), or you may be hit indiscriminately by automated attacks sweeping the web for a known vulnerability, or by a vulnerability in a well-known website or product you rely on. You may even fall victim to a cyberattack through your own staff, whether a disgruntled employee or plain old human error.
Once you have your list it’s time to set some policies.
Set some IT Security Policies
So now you have established what is at risk, you can put measures in place to protect these assets.
Below are some examples of rules you can put in place, but these will vary business to business:
- Nominate a data security officer who can enforce the below and answer any questions,
- Password security – using different passwords for different accounts and making sure these are strong and changed regularly,
- Password protect sensitive data and limit access if necessary,
- Be mindful about off-site devices using public Wi-Fi,
- Can devices be wiped clean if necessary? (not with a cloth…),
- Keep personal activity to personal devices,
- Only visit and download from trusted websites,
- Create a separate guest Wi-Fi for visitors,
- Turn off your devices when you leave the office,
- Make sure to back-up your data frequently,
- Be wary of any suspicious emails.
If you want to be really secure you can also look at remote workers using a VPN (Virtual Private Network) and using 2-step verification for employees. Don’t be afraid to block certain websites or put measures in place like requiring an admin password for downloads – as long as you are explaining why you are doing this and the possible consequences, I’m sure your staff will understand.
Now your policies are set you need to make sure everyone is aware of these changes.
Making sure your staff are educated is paramount to staying safe. It can only take one wrong click to expose your company data to hackers.
Consider hosting a Data Security workshop for all staff and come up with these policies together. This way, staff will feel included and on-board from the start, and once you compile your list of existing policies with any new ones created during the workshop you should have a fairly robust policy.
Email this new policy out and ask staff to confirm they have read it, making sure to keep a log.
If you have good graphic skills, consider making posters to host around the building (and if you don’t, some simple notices reminding staff to turn off computers or make sure they are locked when they are away from their workstations should suffice).
Don’t just make staff aware; share these policies with any third parties you may be working with too. Make sure they are aware of your data policy and enforce these rules where possible.
Keep up to date (patch)
If a company becomes aware of a potential vulnerability within its software or service, it will often put out a ‘patch’ to fix this vulnerability and label it as a software update. It is not always stated that the update fixes a vulnerability, so it’s worth installing even if it looks like a minor update. If your systems or software are out of date, you could be leaving yourself vulnerable to attack.
While nobody likes it when their computer asks to be restarted and production updates need to be planned, it’s better than the alternative. The best way to ensure you are up-to-date can be to turn on automatic updates.
Also, make sure to uninstall software you are no longer using, as it’s easy to lose track of keeping it up-to-date, and every unused package is one more thing that needs patching.
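The two points above (take stock of what you have, then patch what is out of date and remove what is unused) come together in a simple inventory audit. The script below is an added example, not Cantarus’ or AppCheck’s code; the inventory, the ‘latest known version’ list and the dates are constructed sample data, and in practice they would come from your own asset register and your vendors’ release notes.

```python
"""Audit a software inventory for out-of-date and unused packages.

Added example (not Cantarus' or AppCheck's code). The inventory and the
'latest known version' list below are constructed sample data standing in
for an asset register and vendor release information.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample inventory: package name -> (installed version, last used).
INVENTORY: Dict[str, Tuple[str, date]] = {
    "web-framework": ("2.4.9", date(2020, 3, 1)),
    "pdf-tool": ("1.10.0", date(2019, 9, 14)),
    "office-suite": ("16.0.1", date(2020, 3, 2)),
    "legacy-ftp-client": ("3.2.1", date(2019, 6, 30)),
}

# Constructed sample of the newest vendor release for each package.
LATEST: Dict[str, str] = {
    "web-framework": "2.4.10",  # numerically newer than the installed 2.4.9
    "pdf-tool": "1.10.0",
    "office-suite": "16.0.1",
    "legacy-ftp-client": "3.2.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.10' (or '1.2.3-beta') into a tuple of ints.

    Comparing version strings lexically is a common mistake: '2.4.9' sorts
    above '2.4.10' because '9' > '1'. Tuples of integers compare correctly.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is older than the latest known one."""
    return parse_version(installed) < parse_version(latest)


def audit_inventory(inventory: Dict[str, Tuple[str, date]],
                    latest: Dict[str, str],
                    today: date,
                    unused_days: int = 90) -> Tuple[List[str], List[str]]:
    """Return (needs_patching, candidates_for_removal), both sorted by name.

    needs_patching: packages whose installed version is older than latest.
    candidates_for_removal: packages not used for `unused_days` or more;
    uninstalling them shrinks the set of software you have to keep patched.
    """
    needs_patching: List[str] = []
    removal: List[str] = []
    for name, (installed, last_used) in sorted(inventory.items()):
        if name in latest and is_outdated(installed, latest[name]):
            needs_patching.append(name)
        if (today - last_used).days >= unused_days:
            removal.append(name)
    return needs_patching, removal


def run_sample_audit() -> Tuple[List[str], List[str]]:
    """Run the audit over the constructed sample data as of 2 March 2020."""
    return audit_inventory(INVENTORY, LATEST, today=date(2020, 3, 2))


if __name__ == "__main__":
    patch, remove = run_sample_audit()
    print("Needs patching:", patch)
    print("Unused for 90+ days, consider uninstalling:", remove)
```

Run it as a scheduled job over your real inventory and the output becomes the to-do list for your patch round; the 90-day threshold is an assumption and should match whatever your policy defines as ‘no longer using’.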
With the Verizon 2019 Data Breach report stating that 56% of breaches take months or longer to discover, it’s certainly worth conducting regular checks of your weak spots.
Ensure regular testing of your websites, applications and infrastructure – whether this is through a manual penetration test or through an automated tool, or ideally both. Be aware of how hackers could exploit your business and stay one step ahead by fixing the issue before it can be exploited.
Cantarus are proudly partnered with AppCheck, a leading vulnerability scanner, to offer a FREE vulnerability scan to check how secure you are – this would be a great start to your IT security journey.
AppCheck scans for hundreds of vulnerabilities, including the OWASP Top 10, and can run in the background on a set schedule, whether that be once a week or constantly scanning for vulnerabilities.
If you’d like a free demo of what AppCheck can do, please get in touch.
So, what happens if my business is hacked?
Once the hack has occurred, make sure to notify the relevant bodies. There have been many recent examples of large fines for companies that did not deal with the fallout of an attack correctly.
If necessary, warn your customers if you think they might be at risk. Change all passwords if you believe this is how the breach occurred. If you are using an automated scanning tool, run a security scan to look for similar vulnerabilities and make sure to fix these as soon as possible.
Most importantly, try to establish how this occurred so you can close that route and prevent an immediate repeat attack.
The main thing to do is to learn from your mistakes and try to ensure this doesn’t happen again. After all, we’re only human.
If you would like any more information on anything we’ve discussed above, please get in contact.
Chris Gray is Infrastructure Services Manager at Cantarus