This month we are celebrating National Cyber Security Awareness Month (or NCSAM) with the National Cyber Security Alliance. We plan to share plenty of tips for keeping a cyber-safe business and hope that together, we can raise awareness of how to create a safer and more secure internet. Here are 31 cybersecurity tips for your business, one for each day of the month. These will also be tweeted using the hashtag #CyberAware every day, so follow us to stay in touch.
The internet has gone from strength to strength, and part of its beauty is that it enables us all to communicate freely with people everywhere in the world. Now, with the growth of Wi-Fi, we have created devices which also connect to the internet and deliver or transfer data within a network. While this connectivity is amazing, the unfortunate downside is that each internet-connected individual on the planet has their own networks and their own data that can fall victim to theft by black hat hackers.
And so we believe that by raising awareness of these vulnerabilities and educating the public on how to keep themselves safe, we can take steps towards an internet that is safe from attack.
So without further ado, here are 31 cybersecurity tips for businesses to protect themselves. One for each day in October. We will also be sharing these on Twitter using the hashtag #CyberAware so please follow us at @globalsign and help us share the message.
The Basic Steps to Online Security and Safety
1. Be Careful About What You Post About Yourself and Others
How you speak about others online says a lot about who you are, but it could also get you into trouble with the law or even open you up to theft or hacking. People can monitor what you say online, so if you post that you are going on vacation for a week, it wouldn’t be hard for someone to find your address and rob you. You should also be careful not to break NDAs, employment contracts and other agreements you have signed. Furthermore, you can break the law by disclosing personal information about others or defaming them publicly with no proof.
2. Understand What Data Your Business Is Collecting and Ensure It Is Protected
In order to keep your business data safe online, you should conduct an audit of all data and classify it: which data is public information (and therefore doesn’t need to be closely guarded); which data is of medium importance and will not impact your business too much if discovered (this should have some security measures protecting it); and finally, which data is most important and personal to your business. This final category will impact your business greatly if lost or stolen and should be guarded with the highest security and the fewest access rights for members of your business.
3. Use Multiple Authentication Methods
Authentication is the act of confirming an identity (whether a user, machine, or device) by comparing provided credentials against an existing database of authorized identities before allowing access to a given system or application. For example, think of entering your username and password before gaining access to your email account. However, rather than relying on passwords alone, which have grown increasingly unreliable, we recommend using multiple factors for the authentication process. Authentication factors include something you know (e.g. username/password, answer to security question), something you have (e.g. Digital Certificate, smart card), and something you are (e.g. fingerprint, facial recognition).
4. Enable HTTPS on Your Website
HTTPS websites have an SSL/TLS Certificate installed on their servers. This certificate encrypts all data transmitted between browser and server, whether that’s personal or financial info submitted through the site or the contents of the webpage, protecting it from eavesdroppers (e.g. malicious parties, government surveillance). SSL Certificates can also tie your brand identity to your web presence, helping visitors know that your site is actually run by your company and not an imposter (i.e. a phishing site). EV SSL makes this extra clear by turning the address bar green and prominently displaying your company name.
5. Use Strong Passwords and Don't Re-Use Them. Good: '34bGUI7&89@))'. Bad: '12345 or Eddy1'
Many hackers will sell the data they steal. This will include information on thousands, if not millions, of people and their passwords. If you are using the same password for every account, it won’t be difficult for a hacker to gain access to all your systems. Otherwise a hacker may use ‘brute force’ to find your password. This is much harder if the password is longer, contains more variety and does not spell out any words. Use a password manager of some kind to ensure you don’t keep forgetting your passwords.
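To show why the tip's good and bad examples differ, here is an added example (not GlobalSign's code) that scores a password the way this tip describes: length, character variety (the size of the pool an attacker would have to brute-force) and whether it spells out a word. The word list is a constructed stand-in for a real breached-password dictionary.

```python
import math
import string

# Constructed stand-in for a breached-password / dictionary list.
COMMON_WORDS = {"12345", "password", "eddy", "qwerty", "letmein"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on brute-force work: log2(pool ** length)."""
    pool = charset_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def spells_word(pw: str) -> bool:
    """True if any dictionary word appears inside the password (case-insensitive)."""
    lowered = pw.lower()
    return any(word in lowered for word in COMMON_WORDS)


def assess(pw: str, min_bits: float = 60.0) -> dict:
    """Apply the tip's three criteria and report every issue found."""
    bits = entropy_bits(pw)
    issues = []
    if len(pw) < 12:
        issues.append("too short")
    if charset_size(pw) < 62:          # fewer than upper + lower + digits
        issues.append("too little variety")
    if spells_word(pw):
        issues.append("contains a dictionary word")
    if bits < min_bits:
        issues.append(f"only {bits:.0f} bits of brute-force work")
    return {"password": pw, "bits": round(bits, 1), "issues": issues, "strong": not issues}


if __name__ == "__main__":
    for candidate in ("34bGUI7&89@))", "12345", "Eddy1"):
        print(assess(candidate))
```

The good example scores roughly 85 bits with no issues; '12345' and 'Eddy1' each fail on length and on containing a dictionary word, and '12345' additionally on variety.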
6. Keep All Software Updated
Hackers are always looking for vulnerabilities in the software your business uses. This could be as simple as finding a way into your Windows network. The software companies themselves work hard to create patches and updates that fix these vulnerabilities so it’s important to update them as soon as an update is available.
7. Keep a Back-Up of All Your Data
Data backups ensure that if there is any data loss or theft, files can be recovered. You should always back up your data to a different location so hackers cannot access both copies, and you should back up regularly.
8. Provide Firewall Security for Your Internet Connection
Firewalls are designed to prevent unauthorized access to or from a private network. You can create a set of rules on your firewall so that it knows what to allow in and what to block. A good firewall should monitor both incoming and outgoing traffic.
Creating a Culture of Cybersecurity at Work
9. Establish a Bring Your Own Device – Mobile Workforce Policy
Some companies allow their employees to use their personal phones to conduct business. It’s great for business to increase productivity and efficiency but it leaves businesses vulnerable to an attack since phones can be hacked and used to access your corporate network. A BYOD policy will help to educate employees on the use of mobile technology and how to mitigate the risk of an attack.
10. Create an Incident Response Strategy
An incident response strategy allows your business to stay ahead of an attack. You can never be sure you are 100% secure so it is always best to have a plan in case you are a victim of a cyber-attack. This will ensure that if you do have an attack, you can respond quickly enough to keep attackers from getting hold of sensitive data and alert the press or customers should the attack be larger than expected. You should also ensure there is someone responsible for handling the response plan.
11. Password Training for Employees
All employees should be trained on the use of passwords. Examples of such training would include:
- Making sure employees do not write passwords down (where they can be stolen).
- Ensuring employees do not share passwords over any online communication, unless the communication is encrypted.
- Having employees create strong passwords and use a company password manager.
- Making sure employees do not re-use passwords across multiple company applications, or between personal and company use.
12. Make Sure Employees Look for the S in HTTPS When Searching the Web
Employees will, from time to time, use the corporate IT network to visit websites or sign up for services, either for personal use or for the company. Before submitting any information, they should always be on the lookout for the padlock and HTTPS in the address bar. If the site is unprotected, they should not enter any information.
Note: It’s important to also educate employees on phishing websites (see tip 15 below). There have been cases of phishing websites using Domain Validated (DV) SSL Certificates to make their sites look more “real” and “trustworthy”.
13. Enable Secure Email Communication and Training to Mitigate Risk of Phishing Attacks
Email continues to be a weak point in cybersecurity, with data loss/breach and phishing attacks being two of the bigger threats. You should seek an email security solution capable of encrypting messages in transit and at rest, with the ability to verify message origin so it is easy for employees to spot spoofed emails and not fall for phishing. Ease of use for the end users is another important factor to consider.
14. Encourage Senior Leadership to Spearhead Cybersecurity Culture
As with all company-wide change strategies, senior leadership should be the first to take the change on board. If leadership is seen to be following the change, then the rest of the company will follow.
15. Generate Phishing Simulation Tests to Keep Staff Alert – Gamify to Improve Engagement
Conduct phishing simulation tests in your company to test employees’ awareness. This should be done before and after training in order to measure the improvement your employees are making.
16. Form an Incident Response Team
While you should always have one head person in charge of making sure the incident response plan is being followed, you will need a team to help that person follow through quickly. For example, a PR person to release any communications and a sales person to speak to customers. Depending on the size of your organization and the possible size of the attack, you want to ensure the right people are managing the response.
17. Conduct an Insider Threat Analysis
An insider threat analysis will uncover any potential threats to your IT infrastructure that come from within your organization. This could be anything from employees and former employees to contractors, vendors, third party data suppliers or associates.
18. Create a Quick Response Guideline
Ensure that you have preparations to respond quickly and efficiently when you are faced with a cyber-attack. Communicate this plan to the rest of your organization and have someone in charge of ensuring the plan is carried out.
19. Outline a Plan for External Communication
GDPR requires that you inform the appropriate supervisory authority when you are aware of a breach. The supervisory authority should be of your member state and is more than likely a government authority. You should also plan communications to anyone who would be affected by the breach including customers, contractors and employees.
20. Communicate Incident Response to Employees
Keeping employees aware of the response plan and keeping them informed about the facts around the possible types of incident and responses will help remind them of their responsibilities to maintain confidentiality and minimize the risk of information being leaked to outside sources.
21. Learn From Past Mistakes
After any breach and incident response, once you are sure that you are no longer being attacked and can return to normal operation, you should conduct a review. The review should allow you to discuss your incident response plan and decide whether you need to adjust it based on the mistakes you made the first time around. You should also communicate any necessary changes to operations or communications to IT, in order to ensure the same vulnerabilities are not exploited again.
22. Always Assume There Is a Vulnerability – You Are Never 100% Safe
Just because you have invested time and money into a cybersecurity strategy for your organization does not ensure the safety of your systems. There is always a new vulnerability to find or a potential flaw in the network or a new staff member to exploit. You have to always assume that there is a way for hackers to get in.
The Future of Cybersecurity and Strategies for Safety and Privacy
23. Make Sure Your IT Infrastructure Is Cyber-Insured
Standard insurance policies don’t normally cover the loss of data; this is where cyber-insurance comes in. You also need to ensure you are covered in case your business experiences some downtime. Furthermore, you may be holding third-party data, or lose money on compliance and breach notification costs.
24. Give Every 'Thing' (Devices, Sensors, Systems etc.) an Identity
As companies develop faster, more efficient and more productive systems, they connect multiple devices and sensors together which share data; this is called an IoT infrastructure. Within this infrastructure, every “thing” needs an identity. With a unique, strong device identity, things can authenticate when they come online and ensure secure, encrypted communication with other devices, services and users.
25. Ensure All Systems Are Only Accessible through STRONG Authentication
In the same way that you would ensure all of your most important data is only accessible through ‘strong’ authentication (see tip 3 above), you should ensure all of your critical business infrastructure is also only accessible through ‘strong’ authentication. If you work in a bank you will require multiple access points into your safe; it works the same online. Another aspect to consider is role-based access, or limiting access to critical systems to only certain privileged users.
26. Employ a Hacker
There are plenty of hackers around the world who do not want to steal your data illegally and sell it online. They want to help the world. These are known as ‘white hat’ hackers and every organization should have one to combat the ‘black hat’ hackers. You can only fight fire with fire they say.
27. Start Managing the Flow of Data Now
As our technologies improve, our data gets increasingly complex. In order to keep all data managed well and avoid any theft, you should know what data is moving around your organization and how it is moving from the source to the final point or user.
28. Leverage the Cloud
The cloud is a useful tool, especially for small or medium enterprises that want to outsource the protection of their data to a larger company. It is important to ensure that you have all the facts when signing up with a cloud provider. Make sure you know where they keep their datacenters and all the places where they might be able to store and access your information.
Building Resilience in Critical Systems
29. Ensure Your Network Is Segmented So Access to One System Does Not Allow Access to Another
Your corporate IT network shouldn’t all be accessible from one point, even if this point has ‘strong’ authentication. If you separate out your networks then a hacker cannot control everything by gaining access to one network. You should separate your systems by importance or how critical the network is to your business. Have your strongest security on the most critical networks.
30. Keep on Top of the Latest Regulations in Your Industry
In most industries there is already a set of standards and best practices that you will need to comply with in order to have a basic cybersecurity implementation. For the Energy sector there is the NIST Cybersecurity Framework, for the Automobile Industry there is the Framework for Automotive Cybersecurity Best Practices and for the payment card industry there is PCI DSS. It’s important to keep on top of any new regulation and ensure you avoid any fines.
31. Continue Research into New Technologies and Vendors
Our final piece of advice is to keep up to date with the latest security best practices, operators, vendors and technologies. Be prepared to update software and adopt new tools and technologies to keep your infrastructure safe online.
So with these 31 cybersecurity tips for business we hope you have taken away the importance of staying on top of your business security. Know that a threat can and will more than likely come from inside the organization as opposed to outside. Always assume you are open to attack and be prepared for the inevitable.
If you would like more information on cybersecurity best practices you should watch a recording of our recent webinar on ‘Eliminating the Burden of SSL Management’.