IT security is a hot topic. Companies everywhere need to watch out for new viruses, incidents of ransomware and malware, with cyberattacks more of a risk now than ever. Here are 5 strategies for tackling IT risks.
As a business owner, you need to know that your IT security, networks, storage and devices are secure. Under GDPR and other regulations you also need to take every reasonable step to safeguard the data that you are entrusted with, and to keep your confidential information – such as financial and client details – secure.
Cyber threats can come from any angle. In the IT industry, these routes are known as attack vectors. Hackers and criminals can try to access your networks and secure data through internet connections, software and email, and even Excel spreadsheets and PDF files aren’t safe.
The question is, as a business owner, how do you reduce the risk of falling victim to a potentially crippling cyber attack?
The following steps don’t require an expensive outlay in technology or cyber security solutions – many ‘out of the box’ SaaS solutions can help shore up your defences without breaking the bank. Best practices like good password hygiene and cyber threat awareness-raising exercises don’t need to cost your business anything, and could actually save substantial amounts of money and reputational damage if they prevent an attack. Have you implemented the following?
5 ways to mitigate IT security risks
#1: Strong passwords on every device
It sounds simple, even obvious, but whenever you, or your employees, leave a device – a tablet, phone or computer – alone for a moment, make sure it’s protected with a strong password. It is far too easy to assume you’re safe when working in an office with colleagues. But what if someone is looking to steal data? What if a client is in the building? Or a contractor that you don’t know?
Without a password, you are taking too much of a risk and haven’t taken a reasonable step to mitigate a serious and avoidable security risk.
An IT team or external provider should also make sure that the passwords on every device – including personal mobiles – that contains sensitive data are secure. Don’t make it easy for cyber attackers. Use a combination of upper and lower case letters, numbers and symbols. In the world of passwords, longer, more involved combinations are statistically far more secure. It sounds simple, but you run a much higher risk of a data breach without secure passwords.
If your office has public WiFi, you need to take the same approach with this password, and make sure it is changed every few months. Put a password policy in place for everything that constitutes an attack vector, thereby mitigating the risk of a cyber breach.
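The advice above (mix character classes, and prefer longer passwords) can be checked mechanically before a password is accepted. The following is an added example, not code from the original article: a small policy checker plus a brute-force search-space estimate (log2 of alphabet size to the power of length), which shows why a long lower-case passphrase out-scores a short "complex" one. The minimum length of 12 and the three-class rule are assumptions chosen for the example, not figures from the article; the sample passwords are constructed.

```python
import math
import string

# Character classes the article recommends mixing: upper, lower, digits, symbols.
CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def character_classes(password: str) -> set[str]:
    """Return the names of the character classes actually present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search, given the classes used."""
    return sum(len(CLASSES[name]) for name in character_classes(password))


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: log2(alphabet_size ** length).

    This is a ceiling that assumes every character is chosen independently;
    dictionary words and patterns reduce the real figure, so treat it as a
    comparison tool, not a guarantee.
    """
    size = alphabet_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    min_length and min_classes are assumed policy values for this example.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: a short "complex" one and a long simple one.
    for candidate in ("P@ss1", "correcthorsebatterystaple", "Tr0ub4dor&3-long-enough"):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"violations={check_policy(candidate)}")
```

Running it shows the short five-character password with all four classes at roughly 33 bits against roughly 118 bits for the 25-character lower-case passphrase; length dominates, which is the article's point. The policy check still flags the passphrase for using a single class, so in practice a policy should weigh length more heavily than class mixing rather than demanding both rigidly.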
#2: Virtual Private Networks (VPN)
With smartphones we can work anywhere. Many professionals access emails and sensitive documents on the go, wherever they are, often over public WiFi.
Public WiFi and phone networks aren’t secure. Neither is the WiFi in your house or favourite coffee shop. Sure, network providers take every reasonable step to maintain high levels of security, but that doesn’t mean that cyber attackers haven’t found ways to implement attacks that steal data.
The only way to guarantee the security of your company’s data on the go is with a virtual private network (VPN). Once this is set up, your employees and anyone else who needs to access work email and files can do so through a secure network that can be monitored and protected. Again, maintain a password policy that changes every few months for an extra layer of security, and be careful who is granted access.
#3: Multi-factor authentication
Another way to increase security is with multi-factor authentication. When logging in, a code can be sent to a registered mobile device. The person trying to gain access then needs to enter that code, and only then is the login sequence complete. It is a common feature of financial service websites, the Government Gateway and many other secure websites.
It is recommended that you provide that extra layer of safety for your network and employees. It can involve two or more steps, depending on how critical the systems being accessed are.
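The code-to-a-registered-device step described above has a few properties the server side must enforce for it to add real security: the code must be unpredictable, expire quickly, work only once, and tolerate only a handful of wrong guesses. The following is an added example written for this article, not code from the original post or from any particular product; the five-minute lifetime and five-attempt limit are assumed values, and the delivery step (handing the code to an SMS or app gateway) is represented by the return value of issue().

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_LIFETIME_SECONDS = 300   # assumption for this example: a code lives five minutes
MAX_ATTEMPTS = 5              # assumption for this example: five wrong guesses burn the code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecondFactor:
    """Issues and verifies one-time login codes, keyed by user id.

    The clock is injectable so the expiry rule can be exercised in a test
    without waiting five minutes.
    """
    pending: dict[str, PendingCode] = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    def issue(self, user: str) -> str:
        # secrets, not random: the code must be unguessable to an attacker.
        # A fresh issue replaces any earlier code for the same user.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingCode(code=code, issued_at=self.clock())
        return code   # a real system sends this to the registered device

    def verify(self, user: str, submitted: str) -> bool:
        entry = self.pending.get(user)
        if entry is None or entry.used:
            return False                    # nothing outstanding, or already consumed
        if self.clock() - entry.issued_at > CODE_LIFETIME_SECONDS:
            del self.pending[user]          # expired: the user must request a new code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]          # too many guesses: burn the code
            return False
        entry.attempts += 1
        # Constant-time comparison so timing does not reveal how many digits matched.
        if hmac.compare_digest(entry.code, submitted):
            entry.used = True               # single use: replaying the same code fails
            return True
        return False


if __name__ == "__main__":
    factor = SecondFactor()
    code = factor.issue("alice")            # constructed user id
    print("first use accepted:", factor.verify("alice", code))
    print("replay accepted:", factor.verify("alice", code))
```

Two design points worth noting: the comparison uses hmac.compare_digest rather than == so the response time does not depend on how many leading digits were right, and a code that has expired or exhausted its attempts is deleted rather than left in place, forcing the user back through the issue step.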
#4: Remote lock-down/wipe
Finding out that your phone or laptop has been stolen is a nightmare, especially when it is a company device full of sensitive information.
Make sure you have a lock-down and wipe procedure in place that can be implemented automatically 24/7. Whenever possible, ensure this is something an employee can initiate themselves through access to a secure website or on another device they own, even if that is a personal phone or laptop.
Wiping a computer or phone after it has been taken needs to happen quickly, which is why this isn’t something that should wait until the next working day. Even if a cyber criminal is able to hack the password, you want to make sure there is nothing for them to find and potentially use to damage the reputation of the company.
#5: Use access prevention and controls
Do you know where all of your secure data is and who has access?
If not, then this is something you need to get serious about. In any company, there are always going to be files that need to be more secure than others. Know what they are, where they are and ensure there are ways to control and monitor access.
Set passwords and an access protocol around the relevant files and systems that are more sensitive. When access is granted, make sure any files that are downloaded are only accessed on secure work devices, or through the VPN. Have policies in place so that staff know they’re not allowed to send sensitive documents to personal devices.
Finally, provide regular training and cyber security awareness-raising exercises so your staff understand the risks, adhere to cyber security policies, and know what to do if they suspect an attack or attempted breach.
Point them in the direction of our Cyber Security Vulnerability Quiz to test their knowledge and identify where further training could help.
With these security measures in place, your data should be safer and the risk of being hit with a cyber attack is reduced. Taking measurable steps to improve security will also help keep your company compliant under GDPR and other regulations designed to protect customer data.