To make sure you get the most out of these tips, we have created a downloadable infographic that you can share with your employees or print to hang up in your offices for additional security awareness.
Please note that these tips are not going to make your organisation impervious to cyber-attack (nothing will, really), but they should provide a useful guide for evaluating your current processes and defences and for raising awareness of cyber threats among your employees.
1. Expect to be attacked
Don’t ever think you’re “not important enough” to be attacked. It doesn’t matter how small or big your organisation is, or how much important information you as an individual think you might have: if you’ve got money or data (passwords, client data, emails, etc.), you are an attractive target. Along with this, recent ransomware outbreaks have shown that you don’t need to be a specific target to become a victim. Know your threats and your assets, perform some threat modelling exercises, and take practical precautions to protect what you can.
2. Go big on password security and 2FA
Use strong passwords and make sure your employees do the same. Make them as long and as random as possible, including upper and lower case letters and special characters. Consider using a password manager and make your employees aware of the dangers linked to reusing or sharing passwords.
Leverage Two-Factor Authentication (2FA) where possible, particularly on internet-facing systems, in order to mitigate the risks of poor password selection and password re-use.
3. Back up your data frequently
Implement a rigorous backup regime to make sure you don’t lose your data in case of an attack; this is particularly pertinent with the rise in ransomware. Back up your data frequently and store it in multiple (offline) locations where infected systems wouldn’t be able to access it. Regularly test that the backups remain inaccessible to those systems and, most importantly, regularly test that the backups are being taken correctly and that the data restoration procedures actually work.
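A backup that has never been restored is only a hope. The script below is an added example (not part of the original article) of the restoration drill the tip calls for: it takes a backup of a constructed sample directory, restores it somewhere else, and then compares every restored file against the SHA-256 digests recorded at backup time, so a silently corrupted or incomplete restore is reported rather than discovered during an incident. The sample files, paths and function names are all assumptions made for the illustration.

```python
"""Backup-and-restore drill: back up a directory, restore it, prove the restore is intact.

Added example, not from the original article. Standard library only; all sample
data is constructed inside a temporary directory.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of `source` and return the manifest taken at backup time."""
    manifest = file_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            tar.add(path, arcname=path.relative_to(source).as_posix(), recursive=False)
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Unpack the archive into `target`, using the 'data' extraction filter where available."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # refuses paths that escape `target`
        except TypeError:  # Python versions without the `filter` argument
            tar.extractall(target)


def verify_restore(restored: Path, expected: dict) -> list:
    """Return discrepancies between the restore and the backup-time manifest; [] means pass."""
    actual = file_manifest(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def run_drill(tamper: bool = False) -> list:
    """Full backup -> restore -> verify cycle on constructed data; returns the problem list.

    With tamper=True one restored file is altered to show the check catching it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "sub").mkdir(parents=True)
        (source / "clients.csv").write_text("id,name\n1,Example Ltd\n")   # constructed sample
        (source / "sub" / "notes.txt").write_text("quarterly figures\n")  # constructed sample
        archive = tmp / "backup.tar.gz"
        expected = create_backup(source, archive)

        restored = tmp / "restored"
        restored.mkdir()
        restore_backup(archive, restored)
        if tamper:
            (restored / "clients.csv").write_text("id,name\n1,Corrupted\n")
        return verify_restore(restored, expected)


if __name__ == "__main__":
    print("clean drill:", run_drill() or "OK")
    print("tampered drill:", run_drill(tamper=True))
```

In practice the manifest would be stored alongside (but not inside) the backup and the drill scheduled to run against a real restore target; the same comparison then tells you both that the backup job ran and that what it wrote can actually be brought back.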
4. Employ defensive technologies against malware
Have relevant policies in place and establish defences across your organisation that will make it harder to get infected and will block malware from spreading around your networks. Firewalls and email security products can block known malicious senders and strip known malicious attachment file types; ad-blockers and script-blockers in browsers can help too; and newer isolation (“sandboxing”) technologies can prevent the download and execution of ransomware from phishing links, malvertising, web drive-bys and watering hole attacks.
5. Be careful with removable media
Malware can easily be spread through infected flash drives, external hard drives and even smartphones. Have policies in place to control all access to these removable media devices and make sure to scan any device for malware before plugging it into a computer. On particularly sensitive systems consider disabling removable media altogether.
6. Monitor user accounts and limit privileges
Your employees should only be allowed access to the information they need in order to do their job. Limit the number of privileged user accounts and monitor user activity. Have a list of all accounts an employee has access to and remove their permissions when they leave the company.
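The review described above is routine to automate once you hold two lists: the HR roster and an inventory of accounts across your systems. The script below is an added example (not from the original article) that reconciles constructed versions of those lists: it produces the per-employee list of accounts to revoke at leaving time, and flags accounts whose owner has left or is unknown to HR, plus privileged accounts that have not been used for a configurable period. The roster, account inventory, field names and thresholds are all assumptions made for the illustration.

```python
"""Access review: reconcile system accounts against the HR roster.

Added example, not from the original article. The roster, the account inventory
and the 90-day staleness threshold are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: str        # HR employee id the account was issued to
    privileged: bool  # admin / root / domain-admin style rights
    last_login: date


# Constructed HR roster: employee id -> employment status
ROSTER = {"e001": "active", "e002": "active", "e003": "left"}

# Constructed inventory of accounts across several systems
ACCOUNTS = [
    Account("crm", "alice", "e001", False, date(2024, 5, 1)),
    Account("ad", "alice-adm", "e001", True, date(2024, 1, 3)),
    Account("crm", "bob", "e002", False, date(2024, 4, 28)),
    Account("vpn", "carol", "e003", False, date(2024, 3, 30)),
    Account("ad", "svc_reports", "e999", True, date(2024, 4, 30)),
]


def accounts_for(owner: str, accounts=ACCOUNTS) -> list:
    """Every account issued to one employee: the list to revoke when they leave."""
    return sorted((a.system, a.username) for a in accounts if a.owner == owner)


def review_accounts(roster: dict, accounts: list, today: date, stale_days: int = 90) -> list:
    """Return (system, username, reason) findings that a reviewer should act on."""
    findings = []
    for a in accounts:
        status = roster.get(a.owner)
        if status is None:
            findings.append((a.system, a.username, "no owner in HR roster"))
        elif status != "active":
            findings.append((a.system, a.username, f"owner {a.owner} has left"))
        idle = (today - a.last_login).days
        if a.privileged and idle > stale_days:
            findings.append((a.system, a.username, f"privileged account unused for {idle} days"))
    return findings


if __name__ == "__main__":
    print("accounts to revoke for e003:", accounts_for("e003"))
    for finding in review_accounts(ROSTER, ACCOUNTS, date(2024, 5, 2)):
        print(finding)
```

Each finding maps to an action from the tip: revoke accounts of leavers, assign or remove ownerless accounts, and disable privileged accounts nobody is using. Running the review on a schedule, rather than once, is what keeps the privileged account count from creeping up.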
7. Educate your staff and test their awareness
Make your employees aware of the cyber threats they might face, both at work and at home. Make it clear to them why they are an attractive target for cyber attackers and how they can detect suspicious activity.
Explain which types of information they should not be sharing with third parties or on social media, and explain to them the concepts of social engineering and phishing. Illustrate how malware can be spread, why password security is important and why they should steer clear of public wireless networks in hotels, trains or cafés. Perform phishing and other assessments to test your employees’ awareness and to validate that the education you are providing is effective.
If you’d like to find out more about this, read our previous blog on user awareness training.
8. Ensure that your systems are configured securely and are up to date
It is important to have robust and secure standardised builds for servers, workstations, laptops and other network infrastructure. Insecurely configured environments can allow malicious users to obtain unauthorised access, so it is important to ensure that the secure configuration of all systems is maintained. Apply security patches regularly and keep your systems and applications up to date at all times.
9. Have mobile management policies in place
If you have employees working on the move or from home, it is important to have policies in place that will protect any sensitive corporate data in case a mobile device is lost, stolen or compromised. Many corporate mobile devices, such as laptops, phones or tablets, not only contain locally saved sensitive data (client contacts, emails, photos, documents) but are also connected to the company’s internal network through VPNs and workspace browsers, providing an attacker with a direct route to the heart of an organisation. Make sure to employ a suitable and robust Enterprise Mobile Management solution and policy, applying your secure baseline and build to all devices.
If you’re interested in finding out more about this, read our previous blog on Enterprise Mobile Management.
10. Monitor and test your networks
Continuously monitor all systems and networks to detect changes or activities that could lead to vulnerabilities. Consider having a Security Operations Centre in place to monitor and analyse events occurring on computer systems and networks. Use penetration tests and/or vulnerability assessments to identify weaknesses within your organisation’s IT infrastructure that would leave it open to exploitation, and use these exercises to tune your SOC’s detection and response capabilities.
Consider using other defensive technologies such as honeypots and honeytokens to increase the likelihood of detecting intrusions or unauthorised behaviour.
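A honeytoken works because nothing legitimate ever touches it: a decoy account that no process uses, or a decoy file that no workflow reads, turns any access into a high-confidence alert with almost no false positives. The script below is an added example (not from the original article) of that detection logic run over a few constructed log lines: it parses a simple key=value log format, checks each login against a set of decoy usernames and each file access against a set of decoy paths, and emits an alert carrying the source address. The log format, the decoy names and paths, and the sample lines are all assumptions made for the illustration.

```python
"""Honeytoken detection over authentication and file-audit log lines.

Added example, not from the original article. The log format, the decoy names
and the sample log lines are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Decoy identities and files planted deliberately. Nothing legitimate ever uses
# them, so a single hit is strong evidence of unauthorised activity.
HONEYTOKEN_USERS = {"svc_backup_legacy", "admin_old"}
HONEYTOKEN_PATHS = {"/srv/finance/passwords.xlsx"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str   # address the activity came from
    token: str    # which decoy was touched
    detail: str


def parse_line(line: str) -> dict:
    """Split '<timestamp> <program> <event> k=v k=v ...' into a dict; {} for unusable lines."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return {}
    fields = dict(KV_RE.findall(parts[3]))
    fields["timestamp"], fields["program"], fields["event"] = parts[0], parts[1], parts[2]
    return fields


def detect_honeytoken_use(lines) -> list:
    """Return an Alert for every line that touches a decoy account or decoy file.

    A failed login with a decoy username still alerts: the name was never
    published, so even an attempt means someone has found it.
    """
    alerts = []
    for line in lines:
        f = parse_line(line)
        if not f:
            continue
        user, path, src = f.get("user", ""), f.get("path", ""), f.get("src", "unknown")
        if user in HONEYTOKEN_USERS:
            alerts.append(Alert(f["timestamp"], src, user,
                                f"decoy account used ({f['event']}, result={f.get('result', 'n/a')})"))
        if path in HONEYTOKEN_PATHS:
            alerts.append(Alert(f["timestamp"], src, path,
                                f"decoy file accessed by {user or 'unknown user'}"))
    return alerts


# Constructed sample log; only lines 2 and 4 touch a decoy.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z sshd login user=alice src=10.0.0.5 result=success",
    "2024-05-01T10:05:40Z sshd login user=svc_backup_legacy src=10.0.0.77 result=failure",
    "2024-05-01T10:06:02Z fileaudit read path=/srv/finance/budget.xlsx user=bob src=10.0.0.9",
    "2024-05-01T10:07:15Z fileaudit read path=/srv/finance/passwords.xlsx user=bob src=10.0.0.77",
    "malformed line that should be ignored",
]


if __name__ == "__main__":
    for alert in detect_honeytoken_use(SAMPLE_LOG):
        print(alert)
```

Both alerts in the sample come from the same source address, which is the kind of correlation a SOC would pivot on; the low noise of honeytoken alerts is what makes them worth routing straight to the response team rather than into a queue.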
11. Have an Incident Response plan in place
It is now accepted that security breaches will happen, so being adequately prepared to deal with them will go a long way towards minimising their impact. Know what you’re going to do and how you’re going to do it, and make sure that you have the necessary information, materials, skills and capabilities to do it effectively. Test your Incident Response plan on a regular basis, using a variety of different scenarios, to see where improvements can be made.
12. Build strong cyber resilience
Actively learn from your experiences and build a strong resilience towards cyber-attacks. Adapt to risks before they materialise. Invest in a programme of regular testing, exercising, red-teaming and information sharing and grow progressively stronger by reducing threats, vulnerabilities and the impact a potential attack would have. A strongly resilient organisation will suffer fewer security breaches, those breaches that do occur will cause less harm, and it will recover faster.