In the current environment, a cyber-attack or compromise is not just highly likely – it’s inevitable. According to the Mandiant 2017 Threat Report, attacks have evolved from an opportunistic “smash and grab” approach to more sophisticated, persistent and resilient attacks – but defensive capabilities have been slow to evolve and respond.
The vast majority of organisations lack the fundamental security controls and capabilities needed to prevent attacks and minimise the damage they cause. Even now, email remains the primary modus operandi for attackers, and the ways they use it to breach security systems continue to change at an alarming pace. This means the primary line of defence in any organisation remains its individual employees and the devices they work on.
Cyber security needs to become a fundamental part of your company culture and adhering to security standards should be business as usual for everyone in your team to reduce your risk. But where do you even start?
1. Know what your risk is
In many businesses there is a serious disconnect between business concerns and cyber security concerns. In the digital age, these are not mutually exclusive – and cyber security is not optional. Cybercrime affects 32% of organisations globally and is the second most reported economic crime. Cyber risk deserves attention at the boardroom table with all stakeholders, not just in the IT department.
An essential exercise for any business is to conduct a cyber risk assessment where you seek to fully understand your vulnerabilities and identify weaknesses. It’s also key to identify your business-critical data and ensure you implement robust strategies to protect it – wherever it’s stored, used or shared.
2. Protect from within
The first thing your risk assessment will likely show you is that, because hackers use emails, apps and pop-ups as vehicles for malware, every employee’s workstation is a major risk. Ensuring your first line of defence is as tight as possible involves two elements. Firstly, you must have internal policies and procedures in place that are adhered to by your staff. That includes basic training and cyber security education.
Secondly, you must ensure the protective software you rely on is consistently updated in line with the latest technology and emerging threats. Something as simple as outdated malware detection software on a single device in your network could lead to a severe security breach if your network security isn’t good enough.
3. Process makes perfect
Failing to implement and monitor security systems and processes in your organisation is asking for trouble. Regularly verifying that these systems are correctly configured, through penetration tests and security assessments, is an essential part of a robust cyber security strategy and should be a standard business process.
4. Segregate and authenticate
There’s always room for human error, so you need to be prepared. Ensure your data network is segmented, with different levels of access and multifactor authentication. In the worst-case scenario, you don’t want a single account breach to result in hackers gaining access to your entire network. By keeping it segmented, you can limit the scope of a potential compromise.
The bottom line is that your employees and their everyday actions can put your business at huge risk if you don’t have protections and systems in place. Unfortunately, there is no once-off solution for this.
It requires a shift in mindset and organisational culture, together with the consistent maintenance of security software and systems. Start by interrogating your risk profile and work with all stakeholders to ensure your business-critical data is as protected as it can be, at all times.