If there’s one thing that makes IT leaders shudder, it is the thought of a cyber-attack breaching the defences. Breaches are costly, with an average cost of US$ 3.86 million. They can damage a reputation, break the trust of trading partners, and cause chaos for staff. And for many organisations, it is already happening without their knowledge: the average time to detection is a staggering 196 days. Keeping your organisation safer from cyber-crime isn’t easy, so we asked our security experts how businesses can stay safer and reduce IT risk.
1. Invest in a very good firewall
Gone are the days that a single piece of hardware can keep everyone safe, but it is still a highly important element of your defence. With today’s fast internet, hackers can send more attacks at once, writing scripts to try to get into your environment before you can respond. Because the nature of threats has changed in this way, only the new generation of firewalls stand a chance of performing adequately. It may be time to retire older equipment.
2. Employ a strong password policy
We won’t apologise for repeating this often, because it is one of the common ways the welcome mat is laid out for digital intruders. Education is key here; ensure staff know to avoid easily guessed passwords, because those will be detected the fastest. Using a pass-phrase is better than a single word. And we still see employees in many workplaces sharing passwords, using Post-It notes as a reminder. Every business should run frequent cyber-safety awareness campaigns and include it as a topic in induction training.
3. Use Two-Factor Authentication (2FA)
As recently as two years ago, most organisations would have baulked at the cost of implementing 2FA on email and other key applications, but today this extra security measure is included free in Office 365. When a user logs in, they can either receive a security code by SMS or approve a request via Microsoft Authenticator app. The two factors – something the user knows (a password) and something they have (the nominated smartphone) is far harder for the hacker to overcome.
4. Restrict access
Staff come and go, situations change, and users require short-term access to an app or piece of hardware for perfectly valid reasons – but then that access is not terminated or adjusted. As a rule of thumb, nobody should have access to anything that is not necessary to perform their job. Processes must be created to ensure that access is restricted on a needs basis.
5. Share intelligence about phishing
Scams are getting better and more convincing. Until recently, unsafe emails were relatively easy to spot – poorly punctuated, with spelling mistakes and low-res logos, and laughable suggestions of millions sitting in overseas bank accounts. Cyber-criminals are now far more professional – they are, in fact, multi-billion dollar criminal organisations and well-resourced foreign government initiatives. Phishing emails look like they really come from the ATO, the bank, or Netflix, and they typically demand urgent action. Once one account is compromised, they have access to documents and emails, maybe even social media, making it easier to lure in other employees by posing as a known contact.
6. Create a supportive security culture
Mistakes are made – we have even met IT specialists who were taken in by a well-designed phishing email. The worst thing a user can do is bury their head in the sand, afraid to admit that they may have clicked the wrong link or shared a password. Making it easy to immediately contact the IT department or IT partner means that damage can be minimised. If users know who to call, and a planned response is already defined, huge amounts of time, money and effort can be saved.
7. Perform a security audit
As IT changes fast, and cloud applications proliferate, gaps can easily emerge – and growing complexity makes visibility a problem. As a part of performing independent security audits, we do a phishing attack test, and often have a success rate of 30%, with 10% of those putting in their user name and password. Security audits also try other attack methods and search for points of entry via many means, with a report produced that identifies vulnerabilities and makes recommendations to address them. An audit is a wise investment after major changes, when significant personnel change, or where there are specific concerns.
8. Use expertise as needed
IT security is far more complex than it used to be, and security specialists are in short supply. There is plenty of help available, ranging from managed services to occasional consulting, and businesses can define their own service needs. Some measures can be easily managed in-house, but there is no need to struggle alone when dealing with the more specialised elements of IT security. With plenty of choice available, you’re sure to find an IT partner that fits well with your organisation’s culture.
9. Know your obligations
Australia recently introduced mandatory data breach notification laws that require businesses to handle data breaches in certain ways. Similar laws have been implemented in key trading partners, notably the European Union’s GDPR laws that affect anyone doing business or storing data relating to the EU’s citizens. Our IT security team finds that discussions around these laws can be a solid starting point for planning a board-level response to data breaches, and can help focus on the impact to customers. If you’re not sure how the laws affect you, it is vital to check – our team is always happy to point you in the right direction.
IT security is something of a game of cat and mouse between legitimate organisations and their illicit counterparts. While there are no guarantees, presenting a layered defence supported by educated staff makes you a tougher target. No matter what your industry or how large or small your organisation, it is vital that you minimise risk and protect your people and customers.