We have some bad news. It’s not easy to share, but it will make you and your company better in the long run.
Approximately half of your staff have no idea how to do their jobs with a mind towards effective cybersecurity. One more piece of bad news: if a security incident were to occur, a data breach for example, there’s a better than 60% chance it was performed by, or facilitated (knowingly or not) by, an employee.
Not very reassuring, is it? Luckily, we’re optimists at Continuous, so for all the doom and gloom at the beginning of this article we’re going to give you some reasons to be optimistic about cybersecurity for your business.
Who is at risk?
Certain industries are more vulnerable than others when it comes to cybercrime, but nobody is completely insulated these days. Healthcare, manufacturing and financial services can be considered the “Big Three” when it comes to industries routinely implicated in data breaches and cybercrime.
But the common denominator is always going to be the fact that we’re human and human error is a significant factor when it comes to sensitive data breaches. So what is a company to do? Some enterprise businesses have attempted to implement a “zero trust” environment.
A zero-trust environment is mostly a set of extremely restrictive policies when it comes to who has access to valuable data, when they have access, and for how long. While this may in theory work, the most prominent problem facing zero trust environments is the small issue of reality.
Employees want to be able to trust each other, and management needs to be able to trust employees. These overbearing security policies often hurt productivity and innovation – not to mention the incalculable damage they may do to company morale.
Back To Basics
With that in mind, companies large and small can always benefit from continuing education. It’s amazing what a company-sponsored lunch with some simple reminders about cyber security can do. Here we run through some of our favorite common-sense and maybe lesser-known cyber security tips.
Use Strong Passwords
This one is a slam dunk. Without naming names, it’s fair to assume at least 10%-20% of your staff are using ‘password’ as their actual password to access work computers. In fact, a derivative of ‘password’ is the third-most commonly used password, behind only 123456 and 11111.
While these credentials are easy to remember, they are also low-hanging fruit for malicious actors who might swipe a computer at a coffee shop, in a car, or on public transportation. One solution is to let the IT department assign passwords for employees. At the very least, this can help minimize situations where ‘password’ is the actual password.
- Bonus tip: While password management software can be used to create strong passwords, use it with caution. This software also stores all passwords, so if a hacker gains access to the password manager database, you’ve got a real can of worms to deal with.
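The “derivative of ‘password’” problem above is easy to catch at password-change time. The following is an added example, not code from Continuous: it reduces a candidate password to the base word a cracking wordlist would guess it from (case, leetspeak, trailing digits and punctuation) and rejects it if that base is on a denylist. The denylist here is constructed from the three passwords the article names plus two extra entries; a real policy would load a full breach-derived list.

```python
import re

# Base words the article cites as the most common passwords, plus two
# constructed entries for illustration; a real policy would load a full
# breach-derived list instead of this hard-coded set.
COMMON_BASES = {"password", "123456", "11111", "qwerty", "letmein"}

# Leetspeak substitutions that cracking wordlists already include
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
PUNCT = "!@#$%^&*()_-+=.,;:?'\""


def variants(candidate: str) -> set:
    """Every base form a cracker would reduce this password to."""
    low = candidate.lower()
    core = low.strip(PUNCT)                 # "!Password!" -> "password"
    forms = {low, core}
    stem = re.sub(r"\d+$", "", core)        # "P4ssword123" -> "p4ssword"
    if stem:                                # keep all-digit passwords intact
        forms.add(stem)
    for form in list(forms):
        forms.add(form.translate(LEET))     # "p@ssw0rd" -> "password"
    return forms


def is_common_derivative(candidate: str, denylist=COMMON_BASES) -> bool:
    """True if the password is a trivial mutation of a denylisted base word."""
    return any(form in denylist for form in variants(candidate))


def audit(passwords):
    """Return the subset of passwords a policy check should reject."""
    return [p for p in passwords if is_common_derivative(p)]


if __name__ == "__main__":
    # Constructed sample set for demonstration
    sample = ["Password", "P@ssw0rd!", "password2024", "123456",
              "Correct-Horse-Battery", "Tr0ub4dor&3"]
    for p in sample:
        print(f"{p:24} {'REJECT' if is_common_derivative(p) else 'ok'}")
```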
Strategically Use Data Backup
There’s a saying around some technology circles, and it goes like this:
“If you’ve already backed it up, back it up again. After that’s done, back it up.”
Alright, so that’s one we made up, but the mantra is more accurate than ever. Not having data backup protocols in place is irresponsible at a minimum and potentially illegal depending on the industry. To tighten up security for off-site data storage, make sure that extra-sensitive data is both encrypted and password-protected before being sent off-site for data redundancy.
Educate About Social Engineering
We tend to create an image of a “hacker” in our imagination. This technologically savvy rogue possesses some skill with computers unimaginable to the common man. In many cases, a hacker is just a smooth-talking individual with the ability to manipulate.
While as an employee you want to be able to trust an email that carries company letterhead, establishing guidelines for what information can never be shared (or asked for) over company communication channels can safeguard against social engineering.
Ensuring during onboarding that all employees understand they will never be asked to reveal company passwords, Social Security numbers, or other pieces of vital information is worthwhile.
- Bonus tip: Establish an “emergency” point of contact, such as an IT manager, for any employee who receives a suspicious request and wants to confirm its validity.
Update Software Early and Often
Software companies release updates periodically for a reason. When a vulnerability is discovered that could give an unauthorized user access, software companies patch the software and release an update.
Unfortunately, for many employees, these notifications are just tiny annoyances living in their work computer’s toolbar. The WannaCry attack earlier this year is an example of what ignoring software updates can lead to.
Next Level Security Tips
So you’ve got your team trained up on the basics of cybersecurity around the office?
Still, there is always more to learn. Technology does not stop innovating, and unfortunately, neither do hackers when it comes to developing tactics for gaining entry to sensitive data.
New Devices are Not Immune
Ever seen those “unboxing” videos for new technology like smartphones or laptops? While these are satisfying to watch, it’s important to remember that just because a device is new does not mean the device is completely safe.
A security vulnerability is just as serious regardless of the device’s age. The same rules for updating software and operating systems still apply.
Why the S in HTTPS Means Safety
Have you noticed certain websites use the HTTPS abbreviation instead of the more common HTTP? While the ‘S’ at the end does not stand for “safe,” it does mean the traffic between a website or application and its users is far less exposed to eavesdropping and tampering.
Websites that process consumer credit card information are required to deploy their websites with HTTPS – but even ones that don’t would be smart to make the switch ASAP. Peter Eckersley, from The Electronic Frontier Foundation, explains why:
Another serious misconception is website operators, such as newspapers or advertising networks, thinking “because we don’t process credit card payments, our site doesn’t need to be HTTPS, or our app doesn’t need to use HTTPS”. All sites on the Web need to be HTTPS, because without HTTPS it’s easy for hackers, eavesdroppers, or government surveillance programs to see exactly what people are reading on your site; what data your app is processing; or even to modify or alter that data in malicious ways.
- Bonus tip: HTTPS stands for Hypertext Transfer Protocol Secure.
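Making the switch Eckersley describes is mostly a matter of refusing to serve plain HTTP. The following is an added example, not code from Continuous or the EFF: a framework-agnostic request handler that redirects every HTTP request to the same URL over HTTPS and, once the client is on HTTPS, sets a Strict-Transport-Security header so browsers stop trying plain HTTP at all. It assumes standard ports and, when the app sits behind a TLS-terminating proxy, that the proxy sets X-Forwarded-Proto and strips any client-supplied copy.

```python
from urllib.parse import urlsplit, urlunsplit

# One year in seconds; HSTS preload guidance asks for at least this
HSTS_MAX_AGE = 31536000


def enforce_https(method: str, url: str, forwarded_proto: str = None):
    """Return (status, headers, body) for one request, forcing HTTPS.

    forwarded_proto is the X-Forwarded-Proto value a TLS-terminating proxy
    sets; when present it overrides the URL scheme (assumption: the proxy is
    trusted and strips any client-supplied copy of that header).
    """
    parts = urlsplit(url)
    scheme = forwarded_proto or parts.scheme
    if scheme != "https":
        # Same host, path and query over TLS. Assumes standard ports, so an
        # explicit port in the netloc is dropped rather than carried over.
        host = parts.netloc.split(":")[0]
        target = urlunsplit(("https", host, parts.path, parts.query, ""))
        # 301 for safe methods; 308 preserves method and body for POST/PUT
        status = 301 if method in ("GET", "HEAD") else 308
        return status, {"Location": target}, b""
    headers = {
        # A browser that sees this once refuses plain HTTP to this host
        # (and its subdomains) until max-age expires
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
        "Content-Type": "text/plain",
    }
    return 200, headers, b"served over TLS"


if __name__ == "__main__":
    # Constructed requests for demonstration
    for method, url in [("GET", "http://example.com/news?id=7"),
                        ("POST", "http://example.com/login"),
                        ("GET", "https://example.com/news")]:
        print(method, url, "->", enforce_https(method, url)[:2])
```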
Update Your Operating System
Don’t think that updating your software is where the need for updating stops. Many companies still have computers with outdated operating systems installed, which is like an “Open For Business” sign for hackers.
The longer an operating system has been around, the longer hackers have had to research potential vulnerabilities and to exploit them wherever that system is still in use.
Whatever your preferred operating system, don’t wait to upgrade when a new version is available.
If you’re interested in seeing how Continuous approaches network security for clients, we should talk!