3 Things You Can Do Now to Protect Against the Latest Hacker Attacks
It seems like major hacks are always in the news. Whether it is the vicious WannaCry ransomware that swept across the world or the constant stories about Russian hacks, we are being bombarded by increasingly devastating online threats. If you want to help prevent your organization from becoming the next in a long line of victims, you really need to start paying attention to your cyber security efforts.
A solid defense requires a comprehensive security policy that measures your assets against their risks and adapts as these things change. While an overall plan is important, there are several things you can do right now to bolster your security and help prevent the latest attacks:
1. Stop Being So Complacent
Many organizations get complacent and think that they will never be the victim of a serious attack. These attitudes can make a business extremely vulnerable, because a proper cyber security plan requires vigilance in order to adequately defend against threats.
Your Company Isn’t Too Small to Be a Target
Complacency can happen in a number of ways. Perhaps you run a small company and think that no one will ever bother targeting you because of its size? Wrong! Small businesses are frequently hit precisely because they lack the security measures, staff and knowledge of their enterprise counterparts. Much of what reaches them is not even aimed at them: automated scanning and commodity malware go after whatever is reachable, regardless of who owns it.
When you add in the rapid growth of ransomware, which can target anyone–multinationals, small businesses or even individuals–assuming that you are safe becomes an incredibly risky attitude.
Don’t Cut Your Security Budget
Executives can also get complacent. Let’s say a company has had a few good years security-wise, with no major breaches. An executive might think, “Why are we putting all of this money into security for no return? If we put it into marketing or expansion, we can make even more profit.”
This is another bad attitude to have, because implementing an effective security plan can actually have a high ROI. Sure, it costs money to have the staff and infrastructure in place, but these things prevent companies from losing significantly more in large-scale breaches. If you are an executive who is thinking about making cutbacks to the security budget, think twice. Those savings may end up costing the company a whole lot more.
Employees May Not Understand the Risks
Employees aren’t immune to complacency either. They may not understand the risks that they face, or why certain security policies are in place. This lack of awareness can lead them to overlook some serious issues.
Let’s say an employee is struggling to get a big project done and they are stressed out. A RAID warning starts popping up, telling them that a drive has failed. If they don’t understand what this means, they might just hit the skip button so that they can get back to their work.
If they are too focused on getting their work done, they might skip it every day . . . until a second drive fails and the array, with everything on it, is gone. A mirrored or parity array survives one failed drive, not two. If the person had taken just a few minutes to let IT know about the warning, the drive could have been replaced and the array rebuilt, averting the loss. Instead, they were complacent and now the data is gone.
These attitudes can lead to breaches as well. Employees who handle any sensitive or valuable information need at least basic computer literacy and an understanding of the risks they face.
An example of a small error that led to significant damage is the UK’s 56 Dean Street clinic breach. In 2015, an employee was sending out a newsletter to patients who used the clinic’s HIV services. Instead of entering the email addresses into the blind carbon copy (‘bcc’) field, they put them into the ‘to’ field. This meant that every recipient could see the email addresses of all of the other HIV patients who received the email. Because this was a huge breach of privacy for the patients, the UK Information Commissioner’s Office fined the trust running the clinic £180,000 (over $200,000).
It can be shocking to see how such a small error can have such huge ramifications for a business. The situation could easily have been avoided if the employee had taken a little more time to check that everything was okay, if they had been more aware of the standard operating procedure, or, better still, if the mailing tool had simply not allowed a bulk message to go out with the recipient list visible.
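To make the last point concrete, here is an added example (not code from the original article or from the clinic): a small Python routine that builds a bulk notice so that no recipient address appears in any header that other recipients can read, and a pre-send check that rejects the exact mistake described above. All addresses are constructed sample data, and `clinic.example` is a placeholder domain.

```python
"""Added example: send a group notice without exposing the recipient list,
and refuse to send one that would.  Sample addresses are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: the sending mailbox and a patient list.
SENDER = "newsletter@clinic.example"
PATIENTS = [
    "patient1@example.net",
    "patient2@example.org",
    "patient3@example.com",
]


def build_bulk_notice(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    The message carries no patient address in any header: To is the sender's
    own mailbox and there is no Cc or Bcc header at all.  The real recipient
    list is returned separately and handed to the SMTP layer as the envelope
    (RCPT TO) addresses, so nothing about the other recipients ever reaches
    a patient's inbox.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible recipient is the sender itself
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def mistaken_notice(sender, recipients, subject, body):
    """The 56 Dean Street error: every patient pasted into the To field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def exposed_recipients(msg, sender):
    """Visible addresses other than the sender's own mailbox."""
    return [a for a in visible_recipients(msg) if a.lower() != sender.lower()]


def check_before_send(msg, sender, max_visible_external=0):
    """Pre-send guard: raise if the message exposes recipients to each other.

    Returns the number of exposed addresses (0 when the message is safe).
    A sending tool should enforce this rather than rely on the operator
    picking the right field under pressure.
    """
    exposed = exposed_recipients(msg, sender)
    if len(exposed) > max_visible_external:
        raise ValueError(
            f"{len(exposed)} recipient addresses would be visible to every "
            f"recipient; send them as envelope recipients instead: {exposed}"
        )
    return len(exposed)


if __name__ == "__main__":
    good, envelope = build_bulk_notice(SENDER, PATIENTS, "Clinic newsletter", "Hello")
    print("visible:", visible_recipients(good), "envelope:", envelope)
    check_before_send(good, SENDER)
    bad = mistaken_notice(SENDER, PATIENTS, "Clinic newsletter", "Hello")
    try:
        check_before_send(bad, SENDER)
    except ValueError as err:
        print("blocked:", err)
    # Actual delivery would be: smtplib.SMTP(host).sendmail(SENDER, envelope, good.as_string())
```

The design choice worth noting is that the safe message never has a Bcc header at all. Leaving the recipient list out of the message entirely and passing it only to the SMTP envelope removes the possibility of a client or relay leaking the header, and the guard function turns a matter of training into a control the tool enforces.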
2. Train Your Employees About Cyber Threats
One of the biggest weaknesses in cyber security will always be the human element. Firewalls and patching count for little if someone can simply talk an employee into handing over their credentials.
Why Do Your Employees Need Security Education?
All it takes is a phone call from a persistent and manipulative attacker, and one of your employees might unwittingly give away high-level access to your systems and data. Other forms of social engineering, such as phishing, are also commonly used to break in to your network. Employees can easily be tricked by convincing emails if they haven’t had the proper training.
Another growing threat is spear-phishing, where emails are tailored to specific individuals rather than the generalized spam of ordinary phishing. Spear-phishing often involves the attacker researching the individual first, which makes the lure far more believable. It is often aimed at those who hold administrator privileges or who control a company’s finances, such as senior finance and accounting staff.
One well-known example is the 2014 Sony Pictures breach, which cost the company an estimated $35 million. The attackers are alleged to have searched LinkedIn for Sony employees likely to hold administrator privileges. They then targeted these employees with tailored emails that tricked some into handing over their Apple ID credentials. The attackers were betting that some of those users reused the same usernames and passwords for their work accounts, and those credentials are reported to have been their way into the network.
These are just some of the reasons why employee training is so critical for cyber security. Your employees are the weakest link, and they need to have best security practices drilled into them in order to keep your business safe.
This can be particularly challenging, because many companies employ people with a range of technical skills. What is an obvious scam to one person might seem like a very worthwhile click to another–who doesn’t want to win a holiday to the Bahamas for being the one millionth customer?
What Should Your Employee Education Cover?
Security training for employees still needs to cover the basics, such as phishing and other forms of social engineering. Employees need to know not to click links or open attachments they aren’t sure about, and to check where a link really leads (by hovering over it, or by looking at the actual address rather than the text shown) before trusting it.
Spear-phishing is a growing threat that is very effective because the personal details make it more convincing. Because of this, employees need to be taught to be more suspicious of any urgent request, especially one asking for credentials or payments, and to double-check through a separate channel, such as phoning the supposed sender on a number they already know, if they have any doubts.
Your employee training should also reiterate that no one should ever insert an unknown USB or hard drive, and to avoid using insecure networks or devices. One of the most critical aspects of the education program is to get workers to contact IT whenever they have any doubts. Sure, the IT department might be a little annoyed if they have to come and check a link from a Nigerian prince, but they will be much angrier if an employee downloads an attachment that contains malware.
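The checks an employee is taught to make by eye can also be written down as code, which makes the logic explicit and testable. The following is an added example (not from the original article): it inspects a constructed sample message for the classic phishing indicators, a display name that claims one organisation while the address belongs to another, links whose visible text names one domain but whose destination is a different one, and urgency wording. The sample email, the `.example` domains and the list of trusted domains are all constructed for illustration; `registered_domain` is deliberately crude and a real tool would use the public suffix list.

```python
"""Added example: spot the usual phishing tells in an email.
The sample message and domains below are constructed, not real."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act before thinking.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "verify now",
                   "account will be suspended")
# Link text that itself looks like a URL or domain, e.g. "https://appleid.apple.com".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample: a spear-phish posing as an Apple ID alert (compare the
# Sony case above) and a legitimate message for contrast.
SAMPLE_FROM = '"Apple Support" <no-reply@appleid-verify.example>'
SAMPLE_SUBJECT = "Urgent: verify your Apple ID within 24 hours"
SAMPLE_BODY = """<p>Your Apple ID was used to sign in from a new device.
Verify now or your account will be suspended.</p>
<p><a href="https://appleid.apple.com.verify-login.example/confirm">https://appleid.apple.com</a></p>"""
LEGIT_FROM = '"Apple" <noreply@email.apple.com>'
LEGIT_SUBJECT = "Your receipt"
LEGIT_BODY = '<p>Thanks. <a href="https://apps.apple.com/receipt">https://apps.apple.com</a></p>'


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url_or_domain):
    """Hostname of a URL, or of bare text such as "paypal.com/login"."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registered_domain(host):
    """Last two labels ("appleid.apple.com" -> "apple.com").  Crude on purpose:
    production code should use the public suffix list (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(from_header, subject, html_body, trusted_domains):
    """Return a list of indicator strings; an empty list means nothing found.

    trusted_domains are registered domains the organisation legitimately gets
    mail and links from; the brand word is each domain's first label.
    """
    findings = []
    brands = {d.split(".")[0]: d for d in trusted_domains}

    # 1. Display name claims a brand, but the address belongs to someone else.
    name, addr = parseaddr(from_header)
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, domain in brands.items():
        if brand in name.lower() and sender_domain != domain:
            findings.append(f"sender name mentions '{brand}' but address domain is {sender_domain}")

    # 2. Where links really go versus what they show.
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        dest = registered_domain(hostname_of(href))
        if URL_LIKE.match(text):
            shown = registered_domain(hostname_of(text))
            if shown != dest:
                findings.append(f"link text shows {shown} but points to {dest}")
        for brand, domain in brands.items():
            if brand in hostname_of(href) and dest != domain:
                findings.append(f"link host uses '{brand}' as bait but registered domain is {dest}")

    # 3. Pressure to act now (subject plus the body with tags stripped).
    haystack = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for f in phishing_indicators(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY, ["apple.com"]):
        print("SUSPICIOUS:", f)
    print("legit findings:", phishing_indicators(LEGIT_FROM, LEGIT_SUBJECT, LEGIT_BODY, ["apple.com"]))
```

Run against the constructed phish it reports four indicators (a spoofed display name, a link whose text and destination disagree, a lookalike host that uses the brand as bait, and four urgency phrases); the legitimate receipt produces none. The point for training is the second check: the visible text of a link proves nothing, only the destination does.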
Updating Employees on the Latest Risks
Security training isn’t something that you can do once and then leave. Online threats are constantly changing, so you need to give employees updates and further education as the threats evolve. In recent years, ransomware has grown much more prevalent, so you need to update your employees on how they can help keep the company secure, such as keeping their work where it is regularly backed up (and those backups need to be offline or versioned, because a backup that ransomware can reach will simply be encrypted along with everything else). It also wouldn’t hurt to send out alerts to your employees about the latest attacks, such as WannaCry or SambaCry.
3. Put Your Security to the Test
Think your company is secure? Have you put it to the test? While it is important to have a range of security measures in place, if you don’t take the time to evaluate them properly, they could be essentially useless.
If you want to make sure that your security is effective, you need to be conducting vulnerability assessments, penetration tests and security audits. These processes are, respectively, like looking for ways to break in to a building, actually attempting to break in, and making sure that the building is up to code.
Vulnerability assessments involve looking for any potential holes in your security. Much of the time, businesses only scan their systems and networks, but vulnerability assessments can be expanded to evaluate both your employees and your physical security measures as well.
Standard vulnerability assessments use a range of scanning tools to find known weaknesses: missing patches, outdated software, weak configurations and unnecessarily exposed services. Each finding is then assessed to see what risk it actually poses to the company or its assets, since a scanner reports what it sees, not what matters. Once the vulnerabilities have been prioritized, action can be taken to reduce the risks that the company faces.
Penetration testing is where white hat hackers get their hands dirty. They look for vulnerabilities and then try to exploit them in the same way that a criminal would, chaining weaknesses together to see how far they can actually get. Penetration testing is a great way to test the real-world effectiveness of your defenses, and it can also be an excellent way to convince upper management that action needs to be taken. Showing the CEO that you cracked their password is a very persuasive way to demonstrate that the company’s credentials are weak.
A security audit is a formal assessment, usually carried out by an independent third party. Essentially, a certified auditing firm examines whether you are actually complying with your own security policy and with the regulations that apply to you. They will review your policies and evidence, visit your workplace and talk to your employees to check that practice matches what is written down.
Each of these processes allows you to evaluate your company’s security in a different way. Together, they are important measures for figuring out whether your company’s defenses are effective or not.
Don’t Be the Next Victim
If you aren’t paying attention to your company’s information security, you may as well be inviting hackers to attack you. With such a significant proportion of business processes conducted online, you really need to have a comprehensive security plan in place to protect your business.
You should also make sure that you get rid of any complacent attitudes that leave your company open to attack. Employee education is a key part of any security plan, as is testing your defenses to make sure that there aren’t any cracks for attackers to sneak through. These three aspects are crucial for any security policy. Without them, you might find that your business gets targeted sooner rather than later.