Something that most businesses are beginning to understand is that, in today’s hyper-connected age, robust cybersecurity is no longer an option; it’s a necessity. In the UK alone, 39% of all businesses have suffered a data breach within the past 12 months, and this figure increases substantially for medium (65%) and large enterprises (64%). So, this Computer Security Day, what should organisations be doing to better protect their most valuable assets from cyber threats?
Preparing for worst-case scenarios
In the world of cybersecurity, the worst-case scenario for any IT team is a large-scale data breach. Unfortunately, these are all too common, but there is much that can be done in terms of prevention and recovery. Speaking on the rise of ransomware attacks, Andy Fernandez, Senior Manager, Product Marketing at Zerto, a Hewlett Packard Enterprise company, said, “this year the NCSC warned that ‘ransomware now presents the most immediate danger’ to UK businesses. In fact, the UK has been ranked number 10 on the list of countries worst affected by ransomware in a new report commissioned by Google. Yet, despite the increasing volume of attacks, many organisations have no incident response plans in place and rarely test their cyber defences. Today’s hyperconnected world means being targeted by cybercriminals is no longer a question of if but when – and from web experiences to employee tools, time is money and reducing unplanned downtime is critical”.
Gregg Mearing, CTO at Node4, expands on this, pointing out that, “computer security is not just about preventing ransomware attacks but being able to recover your data should it be lost. MSPs can also provide advice on a backup and recovery plan that matches the risks of each specific business and identifies the most effective backup location for each data tier. Having a complete security solution that takes a proactive approach to cybersecurity will provide the best protection of your data, but having strong data recovery solutions enables business operations to continue should the worst happen”.
Hugh Scantlebury, Founder and CEO, Aqilla adds, “if you’re using cloud-based accounting and financial software — indeed, any cloud-based solution — we’d recommend you check that your solution operates from a secure and well-managed data centre. Ask your provider if they store your data in accordance with the National Cyber Security Centre’s 14 Cloud Security Principles.
Finally, check whether disaster recovery and automated backup are taking place (and with what frequency) within your SaaS environments. That way, if the worst does happen and you’re stung with a DDoS or other malware attacks, you can quickly recover your data. This is essential as a quick recovery means you’ll get back to regular business without impacting customer service or breaching any data protection regulations”.
Encouraging good cyber hygiene
Of course, businesses should not get too caught up in the big picture of large-scale ransomware attacks and forget that the majority of cybersecurity concerns stem from poor cyber practices amongst employees. “Cyber-attacks nowadays often don’t come from ingenious hackers in dark rooms”, highlights Adam Burns, Director of Cybersecurity at Digital Guardian. “More often than not it’s a case of poor cyber hygiene, and a lack of understanding or education: employees reusing the same password, weak credentials or the aftermath from a disgruntled ex-employee, to name a few. Sooner rather than later, organisations need to start implementing good cybersecurity practices, such as regularly reviewing system settings and disabling unnecessary services that may leave them open to attack”.
Bryson Medlock, Manager of ConnectWise’s Cyber Research Unit, expands on this, stating, “Data from Microsoft estimates that a third of account compromises are due to password spraying, a practice that sees cyber criminals take a list of common passwords and try them for a large number of users until they have success. So ensuring that you have long and complicated passwords is crucial. Password reuse is another huge problem – it doesn’t matter how secure a system is if you’ve used the same password for a forum somewhere on the internet with very lax security. I recommend using a password manager to generate and keep track of your passwords – this will make it easy to have a unique password for every site. Just remember to do your research and choose a password manager that is safe and up to date”.
Enforcing good cyber hygiene has become more of a task since the introduction of remote working. Dottie Schindlinger, Executive Director at Diligent Institute explains, “open communication tools – like Slack, texting and personal email – are great for informal communication, but they don’t often provide the level of security or access privileges needed for sensitive communications between executives, the board, legal, HR, risk and compliance teams… Organisations need secure environments and workflows that allow them to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen. And, the system must be intuitive and convenient, so executives remain within its workflows and processes without straying to other systems and creating security gaps”.
Equipping people with the right skills
As employees have moved away from the watchful eye of office environments, it’s even more crucial for businesses to make sure that they are equipping their employees with suitable security training.
Neil Jones, Cybersecurity Evangelist at Egnyte emphasises, “unfortunately, many organisational stakeholders are unaware of how to properly protect their companies’ valuable data, so it’s up to the company to educate them on best practices. As an IT leader, you should consistently update your cyberattack prevention strategies and implement measures that protect you from falling victim to potential attacks”.
“Organisations need to find new and creative ways of incorporating security training into employees’ day-to-day workflows”, adds Don Mowbray, EMEA Lead, Technology & Development, Skillsoft. “Gamifying learning, for example, and allowing staff to put their skills to the test via real-life scenarios and friendly competitions can be hugely impactful, as it gives them a practical way to assess their learning in real time.
In doing so, it’s important to incorporate a variety of learning styles and content delivery methods. This will ensure training appeals to every type of learner. It’s also worth considering introducing short modules for certain subjects. Bite-sized learning on the risks of opening unknown links, for example, is a quick and effective way to ensure that your staff won’t fall victim to a phishing attack that leads to a breach”.
Scott Boyle, Head of Information Security at Totalmobile concludes: “Ensure that you have specific policies in place around the handling, storage, access, visibility, and transmission of personal data, so that staff know exactly when and how they can interact with this. Alongside this, Security Awareness training is vital. Initial GDPR training would have occurred over three and a half years ago, so regular refreshers are key to keeping teams secure and this should be incorporated into Security Awareness programmes. With measures such as these in place, organisations – even those with workers on the move – will be much better placed to prevent any of their sensitive data from falling into the wrong hands”.