It doesn’t matter who you are, how aware you are or how careful you’re being – you will at some point get hacked.
How can I make such a broad sweeping statement? Let me explain…
If you use the internet, email, or any online service that requires you to enter an email address and a password (shopping, travel, news sites), chances are you will at some point have your details compromised. If you used your business email to sign up for those services, the attackers already know where you work and already have the password you use there. They can then try that password against your business email and network.
The reality is the modern cyber world is a dangerous place. Criminal activity online is rife and continues to grow daily. A malicious program written 5 years ago by a criminal who has since been apprehended and is behind bars is probably still active, carrying out its author’s bad intentions. Recently a security researcher set up a honeypot in order to understand, log and study attack activity on the internet and found that his network was maliciously attacked up to 4 million times per day!
If you need more convincing, you can try this website to check if your details have already been compromised: https://haveibeenpwned.com/ (clicking this link will take you to an external website).
So what can you do? Good question. We need to keep fighting back, and unfortunately, one way or another, the cyber criminals are costing us money. That cost comes either as the cost of security or as the cost of a loss (lost money, lost productivity, lost time, etc.).
Just the same as your car alarm/immobiliser, your home alarm or CCTV, we’ll need to part with some money in exchange for a level of security. In the cyber world there are things you “must have” and things that would be “nice to have”. The “must have” things are comparable to a lock on your front door or car. They are the basic security features you will be expected to have as a bare minimum.
A list of these things includes:
These are the basics. At the very least you should have all of the above, and have them set up correctly.
The next category of security is what you could argue are the “nice to have” options (some people may say they are also must-haves, but that’s a debate for another day; businesses have varying setups and budgets which will dictate this). These are somewhat broader and more in-depth depending on how your business is run and what you do online. I’ll highlight a few below:
Web filter. This one you could argue is a “must have”, but I’ve put it under this category because smaller businesses can monitor employee internet usage if everyone sits within close proximity (people are less likely to abuse the internet if their boss can see their screen). A good web filter not only keeps you safe by blocking unsavoury and dangerous websites, it can also boost productivity by blocking or monitoring access to “time wasting” and social media sites.
Password managers. These are becoming more and more popular. They have been around for personal use for many years, but businesses are now picking up the trend to dissuade employees from using poor passwords for work-related logins. Using the same password for multiple sites is a BIG no-no (one leaked site hands the attacker every other site that shares the password), and who can possibly remember a different password for every service we use? Plus, employees simply don’t care as much about their work security as they do their personal security. A password manager is an affordable way to have a good, secure and different password for each site without having to remember them all. It keeps all your employees’ passwords encrypted, and all they need to remember is one master password to unlock it. It also saves time by automatically going to the website and filling in the details. Simple.
Two-factor authentication. If you have the option to enable this, then do so. It might be a little annoying to wait for a text message or confirm via an app, but that annoyance is nothing compared to the annoyance of being hacked and having to change all your logins and cancel your cards – or even worse, losing thousands of pounds. Where the service offers a choice, prefer an authenticator app (or a hardware key) over text messages: SMS codes can be intercepted by an attacker who takes over your phone number.
Security training/testing. A great way to keep your business systems secure that is commonly overlooked. We all assume that everybody else knows what we know and cares as much as we do. The reality is they don’t, on both counts. Security training makes your employees aware of the dangers and encourages them to reach out if in doubt. Following the training there will usually be a series of tests: it might be a phishing email, or attempts to log in to sites using known passwords. Employees will be more vigilant if they “know” they will be tested (it’s like driving in front of a police car: you’ll be much more aware of how you are driving), and regular tests retain that vigilance, resulting in a safer business.
Intrusion detection. This is more for businesses holding sensitive data on their systems, be it a website or an internal server. If you hold sensitive data you should have some kind of intrusion detection that detects and alerts on potential breaches. It builds up a picture of normal activity across the systems and flags anything unusual. This is not only for external threats; it can work well for internal threats too, such as a disgruntled employee bulk downloading data onto a memory stick.
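The “flags anything unusual” part is easier to picture with a concrete rule. The following is an added example, not code from the original post or from any intrusion detection product, of the kind of detection logic that would catch the bulk-download insider case above. It runs over a small audit log constructed for the example (the users, paths and sizes are made up) and raises an alert when one user pulls more than a set number of files, or more than a set number of bytes, inside a short sliding time window.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (timestamp user action path bytes); not real data.
SAMPLE_LOG = """\
2024-03-04T09:01:12 alice download /finance/q1.xlsx 210000
2024-03-04T09:05:40 alice download /finance/q2.xlsx 190000
2024-03-04T09:30:02 bob download /hr/policy.pdf 80000
2024-03-04T13:15:00 alice download /finance/budget.xlsx 250000
2024-03-05T08:45:10 bob download /hr/handbook.pdf 120000
2024-03-05T17:52:03 carol download /clients/list.csv 5000000
2024-03-05T17:52:20 carol download /clients/contracts.zip 40000000
2024-03-05T17:53:01 carol download /clients/pricing.xlsx 1500000
2024-03-05T17:53:30 carol download /clients/notes.docx 300000
2024-03-05T17:54:02 carol download /clients/archive.zip 60000000
2024-03-05T17:55:11 carol download /finance/q1.xlsx 210000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str
    size: int


@dataclass
class Alert:
    user: str
    first: datetime
    last: datetime
    files: int
    total_bytes: int


def parse_log(text: str) -> list[Event]:
    """Parse the space-separated log format used above into Event records."""
    events = []
    for line in text.splitlines():
        ts, user, action, path, size = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, path, int(size)))
    return events


def detect_bulk_downloads(events: list[Event], window_seconds: int = 600,
                          max_files: int = 5, max_bytes: int = 50_000_000) -> list[Alert]:
    """Sliding-window rule: alert once per user whose downloads inside any
    `window_seconds` span reach `max_files` files or `max_bytes` bytes.
    Thresholds are assumed values for the example; tune them to your own baseline."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "download":
            by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits within window_seconds.
            while (evs[end].ts - evs[start].ts).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            total = sum(x.size for x in window)
            if len(window) >= max_files or total >= max_bytes:
                alerts.append(Alert(user, window[0].ts, window[-1].ts, len(window), total))
                break  # one alert per user is enough; an analyst will look at the rest
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_downloads(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a.user}: {a.files} files / {a.total_bytes} bytes "
              f"between {a.first:%H:%M:%S} and {a.last:%H:%M:%S}")
```

Alice and Bob download a few files spread across hours and never trip either threshold; Carol’s six downloads in three minutes do. Real products refine the same idea by learning each user’s normal volume rather than using fixed numbers, which is what lets them catch someone whose “normal” is already high without alerting on them every day.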
These are just some of the options available to keep your business and its data safe. There is no magic button that covers everything, and security is always a game of cat and mouse between the hackers and the security developers – it never stands still, and neither should you.