In recent years, I’ve seen companies fall victim to a severe cyber-attack or put themselves at risk of one with poor cyber-security practices.
And despite the increasing awareness of the consequences, it’s becoming more and more of an issue. One out of every five Australian businesses has been hit by a cyber-attack.
In my previous blog I talked about the current state of cyber-attacks in Australia and what it means for businesses. It’s important to protect your business, but many people say they can’t spend a lot of time thinking about it when they’ve got a company to run and employees to manage.
Time and time again I see companies with little to no form of robust cyber-security, and this attitude needs to change. Here are five steps to take to reduce your risk of a cyber-attack:
1. Create cyber security awareness amongst your staff
IT security systems can only go so far. You also need to be able to rely on your employees practising safe internet and network usage to achieve greater protection from hackers. Over 90% of cyber-attacks use information stolen from employees who unwittingly give it away.
This is where company-wide cyber-security education needs to be implemented and, as a starting point, it needs to cover six key elements:
- Guidelines around acceptable use of supplied technology, both in and out of the office
- Protocol to ensure personal and business data/information is always secure
- Procedures on how disaster recovery will roll out in the event of a security breach
- Password security practices
- Information on how employees are to use the network and what level of access they are provided with
- How to recognise ‘suspect’ emails or posts (including on social media)
2. Invest in security and backup
I can’t stress enough that every business needs to invest in multi-layered security, robust backup, and recovery systems to mitigate risk from cyber-attacks.
This is about being proactive and reducing the consequences of an attack – which, of course, is better than finding out your systems are deficient and having to suffer excessive downtime, or paying a ‘ransom’ for critical data to be decrypted or returned.
3. Stay up-to-date with all your security systems
There’s no point having a security system in place and then not keeping it up-to-date, but this is something we see all the time. The capability of attackers is increasing regularly and scams continue to evolve, which means you always need the latest release of threat-signature definitions and security software to stay protected.
This goes for all your company-owned mobile devices too, not just the technology in the office. While your employees have responsibility for using their equipment in a safe manner (e.g., deleting suspicious emails), it is still important to do your due diligence and ensure devices are regularly updated. If the mobile devices are staff owned, then BYOD guidelines for accessing the company network need to recognise security risks and implications.
4. Don’t settle for easy-to-remember passwords
Most people see passwords as an annoying part of using technology, but they are there for a reason. However, in day-to-day business operations, they are often misused.
A lot of companies make the mistake of issuing all staff default (and easily guessed) passwords and not encouraging or forcing people to regularly change them. Just google ‘top 10 passwords 2016’ and you’ll see how easy it might be to break into a network without robust password controls. A study of 10 million users in 2017 showed 17% used ‘123456’ as their password!
Place more emphasis on creating strong, unique passwords for all business-related software, hardware and devices. Ensure they are changed on a regular basis too (this can be automated). Strong passwords should be more than 10 characters long and contain a mix of upper and lower case letters, as well as numbers and other symbols.
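As an added example (not from the original post), the following Python snippet enforces the password rules stated above (more than 10 characters, upper and lower case, digits and symbols) and, going one step further than the text, also rejects passwords that are a known-common password with digits or symbols bolted on, which is the typical way people satisfy such rules. The common-password set is a small constructed sample; a real deployment would load a full breached-password list.

```python
import re

# Constructed sample of commonly used passwords (the post mentions '123456').
# Assumption: a production system would load a full breached-password list here.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "111111",
    "letmein", "welcome", "admin", "monkey", "dragon",
}

POLICY_MIN_LENGTH = 11  # "more than 10 characters long", as stated in the post


def _core(candidate: str) -> str:
    """Lower-case the password and strip leading/trailing digits and symbols,
    so 'Welcome123!' is compared against the list as 'welcome'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < POLICY_MIN_LENGTH:
        problems.append(f"shorter than {POLICY_MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbol")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    elif _core(candidate) in COMMON_PASSWORDS:
        # Passes the composition rules but is just a common word with padding added.
        problems.append("common password with digits/symbols added")
    return problems


def is_acceptable(candidate: str) -> bool:
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ("123456", "Welcome123!", "Tr0ub4dor&Koala#2017"):
        print(pw, "->", check_password(pw) or "OK")
```

The composition checks implement the post's rule as written; the `_core` check is the part a practitioner would add, because a rule-compliant password such as `Welcome123!` is still among the first guesses an attacker's wordlist will try.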
5. Test your backups and security systems regularly
There would be nothing worse than thinking you have all the right backups and systems in place, only to discover after a cyber-attack that something wasn’t working as it should. Regular testing should be built into your IT policy to ensure that you are never left vulnerable to an attack. An untested DR or recovery plan is not a plan.
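To make "test your backups" concrete, here is an added Python example (not from the original post or any product it mentions) that takes a backup of a constructed sample directory, restores it into a scratch directory and compares SHA-256 digests of every file against the live source. The `demo()` function then edits the source after the backup was taken, which is the stale-backup case a real test should catch. The tar-and-gzip format and the directory layout are assumptions for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path) -> None:
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")


def _extract_all(tar: tarfile.TarFile, dest: str) -> None:
    # Use the hardened 'data' extraction filter where the interpreter supports it
    # (Python 3.12+, backported to recent 3.8-3.11 releases); it refuses absolute
    # paths and '..' traversal inside the archive.
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def verify_backup(source_dir, archive_path):
    """Restore the archive into a temporary directory and compare it file-by-file
    with the source. Returns (ok, list_of_problems)."""
    expected = fingerprint_tree(source_dir)
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            _extract_all(tar, restore_dir)
        restored = fingerprint_tree(restore_dir)
    problems = []
    for rel in sorted(set(expected) | set(restored)):
        if rel not in restored:
            problems.append(f"missing from backup: {rel}")
        elif rel not in expected:
            problems.append(f"unexpected in backup: {rel}")
        elif expected[rel] != restored[rel]:
            problems.append(f"content differs: {rel}")
    return (not problems, problems)


def demo():
    """Constructed scenario: fresh backup verifies; backup taken before an edit does not."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"          # constructed sample source tree
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("customer records\n")
        (src / "sub" / "b.txt").write_text("invoices\n")
        archive = Path(work) / "backup.tar.gz"

        make_backup(src, archive)
        ok_fresh, diff_fresh = verify_backup(src, archive)

        # The source changes after the backup was taken; the old backup is now stale.
        (src / "a.txt").write_text("customer records, updated\n")
        ok_stale, diff_stale = verify_backup(src, archive)
        return ok_fresh, diff_fresh, ok_stale, diff_stale


if __name__ == "__main__":
    ok1, d1, ok2, d2 = demo()
    print("fresh backup verified:", ok1, d1)
    print("stale backup verified:", ok2, d2)
```

The important design point is that verification restores the archive rather than merely checking that the file exists or that the backup job reported success: a backup you have never restored is, as the post says, not a plan. In practice this check would run on a schedule against the production backup target, with the mismatch list raising an alert.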
How prepared are you for a cyber-attack? Are you more like Bear Grylls with the right knowledge and tools for any scenario? Or do you only react when you need to? Check out our infographic.