BUSINESSES should use different cyber-security measures to ensure the safety of cash flow and business data, and keep customers safe online, a leading expert has said.
Roy Shelton, the CEO of the Connectus Group, commented as part of Cyber Awareness Month which runs through October.
He said: “Proactive cyber security is hard for companies to achieve as they generally lack the skills , experience, and tools to do so. By partnering with a partner, companies can finally get on the front foot and have round the clock protection and stop being reactive and living in the hope that nothing will impact their business from a cyber perspective. The cyber threat is not going away and as we live our lives and run our businesses in an increasing complex digital landscape were data theft and malicious brand damage is becoming all too regular occurrence”
Mr Shelton warned the risks come from various sources, including internet-borne attacks in the form of malware or spyware and user-made risks such as weak passwords and mis-placed information.
This is in addition to inherent flaws or vulnerabilities in software and systems which can be used by threat actors to subvert systems and software. Malicious hackers design malware to exploit unpatched software flaws, so running updates as soon as they are available is advisable.
Making sure your data is encrypted and regularly backed up with help to prevent incidents and ensure that a business can recover as soon as possible.
Mr Shelton said: “The use of strong passwords is essential to good cyber-security, which should use a combination of capital and lowercase letters, numbers, and symbols. The use of personal data in the password should be avoided and it should be changed regularly.
The more complex a password is, the less likely it is to be guessed by an attacker. It is estimated that some 80% of company data breaches result from weak passwords. They should be unique, at least eight characters long, and users should be encouraged not to use the same password across different accounts.”
The National Cyber Security Centre has published a guide on the best password practices for protecting data with passwords. An extra layer of security for logins can be added with two-factor authentication, where typically an additional PIN code sent by text message is required as an additional safeguard. Keycards and biometric checks can also be involved.
Controlling access to data and systems is also essential to ensure that it is authorised. This starts with making sure that physical access to premises and server rooms is controlled and access restricted for non-authorised personnel.
Restricting what data can be accessed through software controls is important, as is what can be copied from business systems and saved on storage devices. Certain types of email attachments should also be restricted as they can spread malware, which would often include executable files with .exe extensions.
Firewalls are another standard protection, as they act as gatekeepers between company systems and the internet. They act as a barrier to prevent the spread of malware and viruses, though it is important that physical firewall devices have their firmware updated regularly to be fully effective.
Security software such as anti-virus, anti-malware and anti-spyware software should be deployed on corporate systems to prevent the spread of malicious programs. It is also crucial to keep software and devices updated to prevent hackers and criminals from exploiting bugs and vulnerabilities.
Intrusion monitoring adds another important layer of security. Detection systems can send out email alerts to administrators if suspicious activity is spotted, allowing potential attacks to be stopped at an early stage.
Good network security involves monitoring traffic and identifying potentially malicious traffic, enabling an organisation to block or filter connections to mitigate threats. Protection against denial-of-service (DoS) attacks against servers is also a consideration, as hackers can disrupt normal operations and cause website outages.
Security of IoT (Internet of Things) devices, sensors or machines that are designed for certain applications need consideration, as they are often insecure by design with simple default password. Security of cloud applications also need considering by, for example, detecting security misconfigurations.
Mr Shelton added: “Raising awareness among staff is another strategy to employ, to make sure that they understand the relevant policies and procedures and to make sure that they are provided with regular cyber-security training.
“Some 3.4 billion phishing emails are sent annually and it can take just one careless click on a link in an email to allow hackers access to company systems if adequate protections are not in place.
“Creating a secure cyber-security policy document will ensure that all users are aware of the risks but it can also specify how often IT teams conduct risk assessments and penetration testing. A disaster recovery plan can also ensure users know what to do in the event of a breach.”