
5 steps to prevent cyber-attacks on your business

In recent years, we’ve seen several organisations fall victim to a severe cyber-attack or put themselves at risk of one with poor cyber-security practices.

And despite the increasing awareness of the consequences, it is an increasingly common problem: one out of every five Australian businesses has been hit by a cyber-attack.

It’s important to protect your organisation, but many people say they can’t spend a lot of time thinking about it when they’ve got a company to run and employees to manage.

Time and time again we see organisations with sub-optimal cyber-security.

Here are five suggested steps to take to reduce your risk or impact of a cyber-attack:

  1. Create cyber security awareness amongst your staff

IT security systems can only go so far. You also need to be able to rely on your employees practising safe internet and network usage to achieve greater protection from hackers. Over 90% of cyber-attacks use information stolen from employees who unwittingly give it away.

This is where company-wide cyber-security education needs to be implemented and, as a starting point, it should cover six key elements:

  • Guidelines around acceptable use of supplied technology, both in and out of the office
  • Protocol to ensure personal and business data/information is always secure
  • Procedures on how disaster recovery will roll out in the event of a security breach
  • Password security practices
  • Information on how employees are to use the network and what level of access they are provided with
  • How to recognise ‘suspect’ emails or posts (including on social media)

  2. Invest in security and backup

I can’t stress enough that every business needs to invest in multi-layered security, robust backup, and recovery systems to mitigate risk from cyber-attacks.

This is about being proactive and reducing the consequences of an attack – which, of course, is better than finding out your systems are deficient and having to suffer excessive downtime, or paying a ‘ransom’ for critical data to be decrypted or returned.

  3. Stay up-to-date with all your security systems

There’s no point having a security system in place and then not keeping it up-to-date, but this is something we see all the time. The capability of attackers is increasing regularly and scams continue to evolve, which means you should have the latest release of definitions or software to stay protected.

This goes for all your company-owned mobile devices too, not just the technology in the office. While your employees have responsibility for using their equipment in a safe manner (e.g., deleting suspicious emails), it is still important to do your due diligence and ensure devices are regularly updated. If the mobile devices are staff owned, then BYOD guidelines for accessing the company network need to recognise security risks and implications.

  4. Don’t settle for easy-to-remember passwords

Most people see passwords as an annoying part of using technology, but they are there for a reason. However, in day-to-day business operations, they are often misused.

A lot of organisations still make the mistake of issuing all staff default (and easily guessed) passwords and not encouraging or forcing people to regularly change them. Just google ‘top 10 passwords 2023’ and you’ll see how easy it might be to break into a network without robust password controls.

A study in the USA in 2023 showed ‘123456’ as the most common password!

Place more emphasis on creating strong, unique passwords for all business-related software, hardware and devices. Ensure they are changed on a regular basis too (this can be automated). Strong passwords should be more than 10 characters long and contain a mix of upper and lower case letters, as well as numbers and other symbols.
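The policy in the paragraph above (more than 10 characters, mixed case, digits and symbols, and nothing from the well-known common-password lists) can be enforced mechanically rather than left to goodwill. The following Python is an added example written for this page, not code from the original post; the deny-list is a constructed handful of entries standing in for the much larger breached-password list a real deployment would load.

```python
import string

# Constructed sample deny-list (assumption for this example). In production this
# would be a large list of known-breached passwords, compared case-insensitively.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}

MIN_LENGTH = 11  # the page's rule: "more than 10 characters long"


def check_password(pw: str) -> list[str]:
    """Return every policy rule the candidate fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short: must be more than 10 characters")
    if not any(c.islower() for c in pw):
        failures.append("missing lower-case letter")
    if not any(c.isupper() for c in pw):
        failures.append("missing upper-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("missing digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("missing symbol")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    return failures


def is_acceptable(pw: str) -> bool:
    """Convenience wrapper for use at account-creation or password-change time."""
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed candidates: the page's own '123456', a near-miss, and one that passes.
    for candidate in ["123456", "Summer2023", "Corr3ct-Horse-Battery!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Returning the full list of failures, rather than a bare yes/no, lets the sign-up or password-change form tell the user exactly which rule they missed, which in practice is what stops them from simply appending a digit and trying again.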

  5. Test your backups and security systems regularly

There would be nothing worse than thinking you have all the right backups and systems in place, only to discover after a cyber-attack that something wasn’t working as it should. Regular testing should be built into your IT policy to ensure that you are never left vulnerable to an attack. An untested DR or recovery plan is not a plan.

How prepared are you for a cyber-attack? Do you have the right knowledge and tools for any scenario? Or do you only react when you need to?