By George Ralph, RFA – We all know that cyber-attacks are not only more prevalent but are increasing in ferocity, becoming ever more ambitious and overt. The latest culprits, WannaCry and Petya (the June 2017 strain usually called NotPetya), did not need phishing to spread through networks: WannaCry propagated by exploiting the Windows SMB flaw patched in MS17-010 (the EternalBlue exploit), and NotPetya arrived through a compromised software update and then moved between machines using that same exploit together with credentials it harvested from memory and legitimate administration tools. NotPetya rendered the user’s computer inoperable by overwriting the boot record and encrypting the file table, and the usernames and passwords it stole let it reach every machine those accounts could log into, so a single unpatched or poorly segmented host was enough to lose a whole network.
Here is a set of top tips to prevent your firm being an easy target for cybercriminals:
1) Get your paperwork in order
Documented policies and procedures safeguard business data, systems and networks and allow you to meet regulatory compliance mandates.
2) Plan for the inevitable
A cyber incident response plan identifies the key processes and personnel that you will need to involve after an incident, and documents how you will go about preparing for an incident, detecting an incident, containing an incident, recovering from an incident and analysing the incident in the aftermath.
3) Take systems into account
The business continuity plan outlines the critical business processes and IT systems, and the recovery procedures and timescales, including the recovery time and point objectives.
4) Mitigate against risks
Outline details of the user training you will provide, the physical security measures you will put in place, how internal audits will happen, how risks will be identified and classified and how the supply chain will be de-risked.
5) Get all the right tools in all the right places
Getting the technology right, that is the hardware, software and systems that protect every layer of data, is more complex than it seems. It is not enough to protect the network and the endpoints. A robust cybersecurity strategy should be multi-layered, covering email, mobile devices and other endpoints, web traffic and the network. It should also address data governance: data should be encrypted at rest and in transit, the physical environment should be secure, access should be granted on a least-privilege basis and reviewed regularly, and you should run regular penetration testing and vulnerability scanning across the whole technology estate, with findings tracked through to remediation.
6) Education is critical
Educating employees about cybersecurity, and providing effective training to help them identify malicious behaviour and to act accordingly to avoid or mitigate the risks is crucial. If training is regular and relevant, it stands a greater chance of actually embedding new behaviours into employee culture.
7) Test the waters
One way of embedding training in users’ habits is to test them regularly and without warning with simulated email, voice and SMS phishing attacks, using personalised landing pages, attachments and spoof domains to highlight risks and employee weaknesses. Employees who fall for a simulation can be given immediate feedback and a refresher on the red flags they missed: a sender address that does not match the display name, a look-alike domain, a Reply-To that points somewhere else, a link whose text hides a different destination, or an unexpected sense of urgency. Organisations that run such programmes and measure them typically see the proportion of users who click or enter credentials fall over successive campaigns.
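The red flags a simulation asks employees to spot can also be checked mechanically, which is useful both for building the feedback shown to a user who clicked and for sanity-checking that a simulated message actually contains the cues you intend to teach. The following Python script is an added example written for this page, not tooling from the author or from RFA; it assumes the firm's domain is example.com, treats messages as plain RFC 5322 text, and runs over two constructed sample emails embedded in the block. Scoring is a simple one-point-per-flag heuristic meant to mirror training feedback, not a replacement for mail filtering.

```python
"""Score the red flags employees are taught to spot in a simulated phish.
Added example for this page; assumes the organisation's domain is example.com."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"        # assumption: the firm's real domain
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")
LOOKALIKES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}   # common spoof substitutions


def normalize_domain(domain: str) -> str:
    """Fold a domain to a comparable ASCII form: decode punycode (xn--...),
    strip accents, then collapse the look-alike substitutions above."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_spoof_domain(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True if `domain` imitates `org` while not being it or one of its subdomains."""
    raw, org = domain.strip().lower().rstrip("."), org.lower()
    if raw == org or raw.endswith("." + org):
        return False                                   # genuinely ours
    d, o = normalize_domain(raw), normalize_domain(org)
    if d == o or d.endswith("." + o):
        return True                                    # examp1e.com, accented IDN tricks
    if o.split(".")[0] in d.replace("-", ".").split("."):
        return True                                    # example.com.portal-login.net, secure-example.net
    return edit_distance(".".join(d.split(".")[-2:]), o) <= 2   # exampel.com, example.co


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def score_email(raw: str, org: str = ORG_DOMAIN) -> dict:
    """Return the red flags found in one message and a score (one point each)."""
    msg = message_from_string(raw)
    flags = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(sender)
    # 1. Display name carries an address that is not the real sender
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != sender_domain:
        flags.append(f"display name shows @{shown.group(1)} but sender is @{sender_domain}")
    # 2. Sender domain imitates ours
    if sender_domain and is_spoof_domain(sender_domain, org):
        flags.append(f"sender domain {sender_domain} imitates {org}")
    # 3. Replies are routed somewhere other than the sender
    reply_domain = _domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"Reply-To goes to {reply_domain}, not {sender_domain}")
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    # 4. Link text and destination disagree, or the destination is a spoof of our domain
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
        if host and m and host != m.group(1) and not host.endswith("." + m.group(1)):
            flags.append(f"link text shows {m.group(1)} but points to {host}")
        if host and is_spoof_domain(host, org):
            flags.append(f"link destination {host} imitates {org}")
    # 5. Pressure language in subject or body
    hits = [k for k in URGENCY if k in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        flags.append("urgency cues: " + ", ".join(hits))
    return {"score": len(flags), "flags": flags}


# Constructed sample: a simulated phish carrying several red flags at once
PHISH = """\
From: "IT Helpdesk <helpdesk@example.com>" <helpdesk@examp1e-support.net>
Reply-To: collect@mailbox-relay.org
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Verify your account immediately or it will be suspended within 24 hours.</p>
<p><a href="https://example.com.portal-login.net/verify">https://example.com/verify</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal message that should score zero
LEGIT = """\
From: Jane Smith <jane.smith@example.com>
Subject: Minutes from today's meeting
Content-Type: text/html; charset=utf-8

<html><body><p>Notes are on the intranet:
<a href="https://intranet.example.com/minutes">intranet.example.com</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        result = score_email(sample)
        print(f"{name}: score {result['score']}")
        for flag in result["flags"]:
            print("  -", flag)
```

Run as a script it scores both samples; the simulated phish collects six flags and the internal message none. The domain check deliberately folds punycode and digit-for-letter substitutions before comparing, so examp1e.com and an accented internationalised domain both resolve to the organisation's own name, which is exactly the trick the spoof-domain simulations are meant to expose.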
With the threat of cyber-attack increasing, it’s simply not enough to leave any of this to chance.