Cyber attacks are becoming increasingly sophisticated and government data shows that nearly a third of companies now risk falling victim to an attack. These are often because organisations don’t have adequate defences in place, which is leaving them vulnerable to attack. In this article, Richard Nelson, senior technical architect at Probrand, considers three ways in which businesses can improve their cyber hygiene and guard against the risk of security threats.
- Prepare for an attack
Despite the huge and ever present risk of cybercrime, the evidence shows that many businesses remain complacent. A recent Probrand study revealed that despite advanced solutions being relatively affordable – and sometimes free – businesses are relying on basic security measures. For example, the survey found that almost two thirds (64%) are still using usernames and passwords to protect their entire company network.
We know from speaking to smaller businesses that this lack of action is often down to an assumption they won’t be hit. They believe, wrongly, that they aren’t a juicy enough catch for a hacker. The reality is it can be more lucrative for criminals to pursue smaller entities because, compared to huge corporations, they are easier to breach – and provide lower hanging fruit.
It’s worth noting that, such is the sophistication of modern cybercrime, the IT security industry is moving towards a ‘zero trust’ mindset. This school of thought assumes a breach will happen. It would be healthy for all businesses to adopt this approach as anticipating attacks will lead organisations to be more proactive in their preparation.
- Activate multi-factor authentication and endpoint security
Businesses can very quickly reduce the threat to their business by deploying multi-factor authentication (MFA). This vital tool forces users to pass through multiple login steps and access the corporate network, and the data within. The Proband study found that just a third (36%) have MFA in place, however. This is despite the fact that these solutions are often free across all platforms, particularly critical systems.
It is important to educate users on the importance of these solutions though, as there is a risk of MFA fatigue – which occurs when users click through prompts without fully reading them, or ignore them altogether when they tire of receiving alerts. In general, businesses should be looking to engage in broader IT security education with staff where possible – as, despite having all the best intentions, human error can – and does – occur. For example, it’s very easy for people to click on a rogue link – and the implications of this can be severe. Systems can become exposed to malware, ransomware and unauthorised access. Regular education on cyber hygiene, however, is proven to help reduce the chances of these types of attack being successful.
Businesses can further mitigate the chance of employees accidentally clicking through to dangerous and malicious websites by deploying strong endpoint security. The Probrand study found, however, that almost two thirds (62%) do not have this critical web filtering solutions in place.
- Implement a robust backup and recovery plan
Adopting a ‘zero trust’ approach means you assume the worse will happen. If you have that mindset, you’ll want to ensure you can recover after an attack – and that requires paying attention to backup and recovery. When asked how easily they could recover from an attack, the Probrand study found more than four in five (81%) were not confident that they had a robust, up-to-date backup and recovery plan in place.
This is worrying, as without this protection vital data and critical systems can be lost forever. This is often devastating for smaller businesses and can mean they need to cease operating altogether. Further to this, the study also found that 25% of organisations still store backups on their network without an air gap. These air gaps are vital in restoring data in the event of an attack, as they typically sit off-site so will not have been compromised by the same attack.
If you want to ensure smooth business continuity after an attack, it’s vital that you put the development of a robust disaster recovery plan at the top of the agenda. It’s also advisable to regularly test these capabilities, much like you would a fire drill. This will help to identify any gaps in the process and ensure that everything runs smoothly when an attack comes your way.
More generally, it’s essential that businesses become more proactive in their approach to IT security – and assume they will, rather than they won’t, become victims of cybercrime. This will lead to organisations taking threats more seriously and greater investment of time and resources into finding solutions. By following these three simple steps, businesses will give themselves a great start in this process – and know that, should the worst happen, they have done the right things to protect themselves and recover quickly. This will vastly reduce any risk of financial loss and reputable damage, which could have a catastrophic effect on any organisation.