08 October 2019

Top 5 tips for businesses to stay safe online

Most businesses nowadays will be using the internet to sell, buy and promote. It brings about opportunities and benefits to help businesses grow and influence. Keeping cyber-safe is of key importance, not just for businesses, but for everyone interacting with them. Some ways to stay safe online can be as easy as password safety, but sometimes, substantial cybersecurity measures are required. The reason behind this is quite simple – nobody wants to be hacked and nobody wants to be fined for not complying with security standards. Here are a few tips to keep your organisation safe online:

1. Secure passwords are essential

This might be obvious, but a lack of strong passwords can be the biggest culprit for an attack. A strong password can keep cybercriminals from accessing your emails, personal and business accounts. You should ensure your password is longer than 8 characters including capitals, numbers and, if possible, symbols.  It’s recommended to use random letters or even use multiple random words to create a strong password. You should only change your password if there is evidence or indication that the company has been compromised. Organisations could consider using SSO (Single-sign-on) or MFA (Multi-Factor Authentication). There are pros and cons to both, so make sure your company knows what’s best using this guide. It’s important employees never write passwords down or leave them in plain-sight.

The National Centre for Cybersecurity (NCSC) has created a list of passwords that should be blacklisted immediately. If any of your current passwords are even close to these – change them as soon as possible, as these passwords are the most common, meaning they are the most vulnerable.

2. Software updates are critical

All organisations will have software downloaded to their computers so it is highly important to update them as soon as update options appear. Most updates for software contains vital security upgrades to keep your business safe, so why would you ignore them? Even in the last year, companies have been warned about software not being updated and have notified clients/customers of bugs which can be exploited. Read an example of this from Microsoft.

Some updates may take five minutes, others can take longer, but it is absolutely essential to do so. Hackers look for outdated software with unpatched security flaws to exploit. They could gain access to your computers and install software to steal your personal and company information – also known as a ‘drive-by download’.

A survey by Google found that more than one-third of security professionals don’t keep their systems updated. Only 64% of experts update their software automatically or immediately after being notified of a new version.

Software Updates Google Survey

Firewalls: Having a firewall is the first line of defence for every organisation. Firewalls protect your internal networks from outside threats by only allowing authorised traffic, protocols, ports and applications to exchange data across the “wall” and denying access to traffic that can lead to attacks. All office computers, laptops and mobiles should have a firewall, not just the servers – and once again, keep them updated!

3. Understand your emails

When working in a corporate business, you are likely to be inundated with emails. It’s important to know what is legitimate, spam or harmful. Most companies will have a spam filter, but some do get through and you’ll need to be on the lookout for malicious emails. One of the biggest attacks vectors used by hackers is phishing. Phishing emails often look like legitimate emails, but once clicked, it can lead to a scam. If you enter your information, it can provide hackers with personal information such as credit cards, passwords, account numbers. If you find yourself a victim of a phishing attack, immediately change your passwords. This is why it’s so important not to use the same password for different accounts. Because if one password gets compromised, the cybercriminal can easily and quickly gain access to other accounts.

One major phishing attack in 2015 led to an American Technology company, Ubiquiti Networks, losing $46.7 million via “CEO Fraud” or “business email compromise”. A member of staff based in Hong Kong fell victim to a fraudulent email claiming to be from the CEO. The scammer targeted the finance department who transferred over $46 million held by the Hong Kong branch. Out of the $46 million lost – Ubiquiti only managed to recover $15 million.

4. Train your employees on cybersecurity safety

Unfortunately employees can be a company’s weakest link when it comes to cybersecurity. Training your employees on the basic security practices and policies will contribute to keeping internal cybersecurity issues at bay. Here are some key areas you should train your employees on:

Password safety – as mentioned above, password safety is one of the biggest, yet basic necessities for a company. Training your employees on how best to create and store passwords will help your organisation stay secure.

Browsing safety – Browsing sites can be an open door to malicious software, which can lead to attacks on company social accounts and applications. It’s therefore crucial to train employees on policies and guidelines when browsing sites. You’ll want to make sure your internet connection is safe by using a secure VPN connection. It’s important to check whether the websites you visit are ‘https’ instead of ‘http’. ‘Https’ will show a padlock in the URL field which indicates the website is secure and uses encryption to scramble your data so it can’t be intercepted by others.

Identifying cyber threats – Employees should be able to identify threats like phishing scams, DDoS attacks and viruses etc. Providing even a basic course in malware to look out for and how to identify them will help fight risks and vulnerabilities. They should be able to flag suspicious activity, telling the relevant people in the business to avoid malicious activity leading to a cyber-attack.

 

Training shouldn’t be just a one-off lesson. It should be up-to-date and regular to keep the information fresh during a time when the cybersecurity landscape is ever-changing. The training should not be limited to just IT staff – all employees should be knowledgeable on cybersecurity. It’s important to use experiments with simulated attacks alongside tests and drills, not just videos and classroom-style sessions.

5. Create a cybersecurity plan

Your business could have a 1 in 4 chance of being hacked according to researchers at the Ponemon Institute. Therefore creating a cybersecurity plan is a necessary precaution to significantly mitigate the damage done by hackers.

Creating a cybersecurity plan will give your employees a framework to follow in the event of a cyber-attack. It will also outline your IT assets and take protective measures in keeping them secure and keeping your organisation safe online.

Sources: NCSC  | The Conversation


IRM can help your organisation stay safe online against cyber attacks with our comprehensive range of cybersecurity services, consultancies and our integrated cyber GRC software platform. Visit our website or get in touch with us at hello@irmsecurity.com