1. Expect to be Attacked
and medium-sized businesses an average of $2,235,000, meaning that cyber security should be a number one priority in your organisation. Not only will your business be a primary target; criminals may also look to compromise one of your customers or suppliers. Being ready for an attack is vital.
2. Staff Awareness
Your network is only as strong as the least well-trained member of staff. To keep your organisation secure, every staff member at every level of the organisation must understand cyber security, the risks associated with their actions and what to do if there’s an incident. Users are your last line of defence, so make sure they understand how important their role is in the overall cyber security of the organisation.
3. Create an Incident Response Strategy
When the fire alarm sounds in your organisation, you know that you have to leave the building immediately – but what do you do if there’s a cyber security incident? Creating an incident response strategy can save your organisation a lot of time, money and stress. Create your incident response strategy now, in preparation for an attack – document what needs to be done and by whom. Testing your strategy is also a vital step: hold tabletop exercises to see how robust the plan is and what needs to be altered before it is too late.
4. Create Backups
Creating backups is a vital tip that every organisation should take on board as part of an overall incident response and cyber security strategy. Your organisation must ensure that regular, multiple backups of your systems are being taken. Keeping one backup on site and one off-site provides an extra level of protection. You must also test your backups to ensure that all relevant data is successfully being copied and can be restored.
5. Conduct Risk Assessments
Conducting risk assessments is a vital step to ensure your organisation is actively thinking about cyber security. Your organisation should test its networks, see what vulnerabilities exist and how much of a risk they pose. Curious Frank can help your organisation identify potential vulnerabilities in your business’s systems and networks with our range of services.
6. Control Admin Access
Controlling admin access is a vital step that your organisation must take to ensure effective cyber security. Only a select few individuals need administrative access on their accounts. Making sure that users can only access what they need to do their job properly reduces the risk of sensitive data being accessed by unauthorised viewers.
7. Secure your email
Email is often the easiest way for a cyber criminal to attack your network. They know that users will eventually fall for phishing emails. Implement DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework) to help reduce the risk of spoofed emails.
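Implementing SPF and DMARC means publishing DNS TXT records, and a record that exists but is too permissive still lets spoofed mail through. The following Python is an added example (not from the original post or from Curious Frank) that parses the two record types and reports why a given pair would not block spoofing; the record strings and domains are constructed samples.

```python
# Added example, not from the original post. The records at the bottom are
# constructed samples; for a live domain fetch the TXT records for the domain
# and for _dmarc.<domain> yourself. DKIM is left out: it needs a per-selector
# public-key lookup rather than a single policy record.

def parse_spf(txt: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    for m in parts[1:]:
        if m.lower().lstrip("+-~?") == "all":
            # A bare 'all' means '+all'; the qualifier decides how strict SPF is.
            all_qualifier = m[0] if m[0] in "+-~?" else "+"
    return {"mechanisms": parts[1:], "all": all_qualifier}

def parse_dmarc(txt: str) -> dict:
    """Parse the 'tag=value;' pairs of a DMARC record into a dict."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_txt: str, dmarc_txt: str) -> list:
    """Return findings explaining why spoofed mail would still get through."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not end in -all or ~all: any server may send for the domain")
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only reports spoofing, it does not block it")
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports will never be received")
    pct = int(dmarc.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    return findings

# Constructed sample records: a weak setup beside a corrected one.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

Running `assess(WEAK_SPF, WEAK_DMARC)` lists three findings, while the corrected pair produces none; p=none is a sensible first step while you read the reports, but only quarantine or reject actually stops spoofed mail.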
8. Update Software
To ensure an effective cyber security strategy, your organisation must actively update software. Have a robust patch policy in place to make sure things are not missed. Not only should you update computer software, but all devices connected to your organisation’s network, such as printers and CCTV, should also be updated. If the software is no longer supported and doesn’t receive updates, your organisation should consider replacing it.
9. Change Default Passwords
Not only is it vital to update software, but changing default passwords also puts your organisation a step in the right direction. Remember the printer that you installed last year? Did you check the settings and change the default passwords? For cyber criminals, finding the default passwords for devices is a simple process, and it gives them an easy route into your network.
10. Encrypt Data
Encrypting data in your organisation is essential to protect sensitive information. This includes USB sticks (if you HAVE to use them). With the General Data Protection Regulation now in full force, not encrypting data can be costly – just ask Heathrow Airport, who lost an unencrypted USB device and were fined £120,000 as a result.
11. Stop using USB Sticks
USB sticks pose a real threat to any organisation, as you never know what could be on them. Your organisation should ensure that staff don’t use USB sticks OR plug their personal devices into the USB ports of computers on the network. For example, a staff member may plug their phone into their office computer’s USB port to charge it; however, that phone may be infected.
One way in which your organisation can avoid using USB sticks is to move to cloud storage. However, to ensure that your information in the cloud is safe, two-factor authentication should be used.
12. Ensure staff are using pass-phrases and 2FA
A vital step in ensuring your organisation’s cyber security is having an effective password policy. Curious Frank recommends that your organisation try to move away from the idea of passwords and think of ‘pass-phrases’ – a sequence of words, similar to a password but generally longer for added security.
Furthermore, your organisation should introduce two-factor authentication for increased security. With 2FA, a user enters their username and password but, instead of immediately gaining access, is required to provide another piece of information. To gain access, you may need to provide something such as a personal identification number sent to your mobile device, answers to ‘secret questions’, or even more advanced measures such as a biometric: a fingerprint pattern, an iris scan or a voice print.
Chief Ethical Hacker, Gerry Grant
For more information and advice, please email firstname.lastname@example.org