6 basic cybersecurity tips your business needs right now
- Posted on December 15, 2020
- Estimated reading time 4 minutes
Unless you work in the IT security industry, there’s something you may not be aware of. You might not realise just how vulnerable your computer security really is. We all need to shake off a few misconceptions to help every business stay safer.
First, we need to get rid of the analogy between cybersecurity and physical security. Images of locks, bolts, keys, and bank vault metal doors – they’re all meaningless when it comes to cybersecurity. You can lock a door and be 100% certain no one could break in. But you can’t be 100% sure with cybersecurity. It’s just not possible. All you can do is reduce the risk.
Second, we need to remind ourselves that security basics are essential. It’s not always immediately about complex security systems. Start with the basics and keep it simple. To reduce the risk of your devices, network and data being compromised, you need basic standards of cybersecurity hygiene, in much the same way we need to wash our hands and wear face masks to combat infectious diseases like COVID-19. It’s the same principle.
1. Keep your software up to date
Put rigid procedures and steps in place to ensure your software is up to date. Don’t postpone, don’t wait, don’t hesitate. Some organisations are still running Windows XP, which stopped receiving security updates in April 2014. Windows 7 is no better: it too is no longer receiving security updates. One of our jobs here at Avanade is to help companies around the world get to Windows 10 as quickly as possible and make sure that your computers, servers and applications are brought up to date – and then kept up to date.
2. Go beyond basic email security
Most attacks still come via email, and COVID-19 has only made things worse: spear-phishing attacks have increased during lockdown.
3. Make sure your users are aware of potential threats and are fully trained
Because of COVID-19 and lockdown, security professionals are more stressed and overworked than ever before. To support them, it’s vital that everyone in your organisation is fully trained in cybersecurity basics. They need the ability to distinguish between a genuine email and a phishing email.
These basics are so important, and it’s shocking to see how many organisations get them wrong or don’t do them at all. It’s a constant fight, it’s never ‘complete’ – always changing, always moving forward.
Let’s take a look at some not-so-basic tips:
4. Get a grip on your data and what is being shared
Data leaks don’t always happen on purpose – they can be accidental. It’s all too easy to share a slide containing sensitive data not intended for outside use. Understand the value of your data: who shares data? What do employees want to share, and with whom? What tools are used to share? And which tools are safe? In other words, you need data security governance.
5. Protect and monitor your data and user identities
Working from home has disrupted the traditional IT security perimeter. With endpoints dispersed across geographies and networks, your organisation’s data and the digital identities of all your employees are your most important digital assets. Make sure you put tools in place to determine what can be done with your organisation’s data, by whom, and when.
6. Embrace the security challenges of a fully remote workforce
The unique challenges of working from home and protecting your data are discussed in more detail in an article I’ve co-authored with my Avanade colleagues Bart-Jan Bosch and Rhesa Baar – ‘Secure remote working: From short-term fix to long-term value’. I think it’s well worth reading.
7. Get your threat or disaster response ready
Put runbooks in place for when the worst happens. Everyone in your organisation needs to know what they need to do, the steps they need to take, and the people you need to speak to.
Some tools are a waste of time…
You don’t need an expensive security tool to see that you have vulnerabilities. Instead, invest in tools that protect your endpoints, monitor end user behaviour, and add encryption to keep data safe. Monitor the security behaviour of your end users to detect abnormal behaviour, so that your experienced IT teams can investigate and take appropriate action.
One recent story is a lesson to us all. The organisation’s software wasn’t patched and lacked the latest updates. Sounds sloppy, right? Well, they had a good excuse: the business postponed the updates to avoid downtime. But this left a known vulnerability wide open to hackers, who soon began an email phishing campaign. It didn’t take long for an employee to take the bait and click on a malicious attachment. The hacker’s fateful payload did nothing more than make the PC run slower, but this meant a call to the IT helpdesk was needed… and IT logged on to the affected computer using credentials with full access privileges to other computers and servers. The hacker was in.
The CISO’s dilemma
The eternal dilemma for IT leaders is where to set the security control dial. Too tight a grip over data and software leads to disgruntled users who simply start using their own tools outside of the company’s control. Too little control and you’ll end up with data leaks and hacks all over the place. There is a third way: understand what your users need the most and make it happen for them in the way they want. Don’t work against them – work with them.
Hackers usually take the path of least resistance. They target the organisations that are least secure. But when they do get into your network or infiltrate a computer (after all, you’re not going to stop every attack), you need to make their life very difficult.