The easiest defence against malware and ransomware is having anti-malware and anti-virus programs installed, and regularly updated, to protect your data. Ensuring that all firewall security is enabled and updated consistently helps to safeguard all incoming and outgoing traffic and keeps employees from browsing dubious sites. Staff must be trained to take responsibility for their actions online. Refraining from clicking suspicious links, for example, is a simple way to avoid malware contamination.
Phishing and spear-phishing
- Requests for personal information: Employees must be alert to potential phishing emails from attackers asking them to update passwords or any other login credentials. Legitimate or trusted sources do not ask for sensitive information by email
- Spelling or grammar issues: Emails with these issues should be viewed with caution. Legitimate companies review their outgoing emails thoroughly for such errors before they are sent out
- Unassociated URLs: Phishing emails may direct the target to URLs that include the names of legitimate brands and/or those associated with your business but are in fact fraudulent
- Mismatched URLs: The URL displayed in the link text may look legitimate, but when the mouse is hovered over the hyperlink in Outlook or it is single-clicked in Google the actual destination doesn’t match, and the link is therefore likely to be fraudulent.
- Never responding to spam, pop-up messages, or emails from providers or vendors unless you have requested contact first
- Ignoring generic-looking requests for personal data
- Never supplying sensitive information digitally (via email or link)
- Never filling out forms embedded in emails
- Not responding to emails that appear to come from other employees requesting sensitive information such as passwords. Speak to them in person or phone them to verify the request, or ask a manager how to proceed
- Limiting the personal information shared on social media networks (employees shouldn’t be posting anything they wouldn’t want displayed on a public banner)
- Putting in place additional authentication and verification steps for sensitive requests like electronic transfers of funds.
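As an added example, not part of the original page, the following Python check applies the "mismatched URLs" and "unassociated URLs" indicators above to the links in an HTML email body; the trusted domains, brand words and sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed: domains the (hypothetical) business and its bank really use.
TRUSTED_DOMAINS = {"example-bank.com", "ourcompany.example"}
BRAND_WORDS = {"example-bank", "ourcompany"}

def host_of(s: str) -> str:
    """Lower-cased hostname of a URL or bare domain; '' if none."""
    s = s.strip() if "://" in s else "http://" + s.strip()  # urlparse needs a scheme
    host = urlparse(s).hostname
    return host.lower() if host else ""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body: str) -> list[str]:
    """Return one warning per suspicious link; an empty list means none."""
    parser = _LinkCollector()
    parser.feed(html_body)
    warnings = []
    for href, text in parser.links:
        real = host_of(href)
        # Link text that itself looks like a URL or domain: compare the hosts.
        shown = host_of(text) if "." in text and " " not in text else ""
        trusted = any(real == d or real.endswith("." + d) for d in TRUSTED_DOMAINS)
        if shown and shown != real:
            warnings.append(f"mismatch: text shows {shown}, link goes to {real}")
        elif not trusted and any(b in real for b in BRAND_WORDS):
            warnings.append(f"brand lookalike: {real} is not a trusted domain")
    return warnings

SAMPLE_EMAIL = (  # constructed: one mismatched link, one lookalike, one genuine
    '<a href="http://login.example-bank.com.evil.test/reset">https://example-bank.com/reset</a>'
    '<a href="https://example-bank-secure.test/login">Click here</a>'
    '<a href="https://ourcompany.example/help">Help desk</a>'
)
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links and accepts the third; the same function can be run over the HTML part of any received message.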
Man-in-the-middle and man-in-the-browser attacks
Distributed denial of service
Advanced persistent threats
Remote desktop protocol
- Change login details (user name as well as password) from the default ‘Administrator’ to something more complex. This will require disabling the existing administrator account and setting up a new one
- Limit the number of people who can log in using RDP, thereby lowering the risk of a security gap
- Lock users out after a certain number of login attempts.
- Implement a clear cyber security policy and enforce it – there is no point in rules that aren’t strictly followed
- Educate employees about why company systems need to be kept secure
- Implement a training program to educate employees about cyber security measures
- Monitoring software can be installed to alert you when employees do something suspicious. User behaviour analytics (UBA) can identify inconsistencies in users’ actions, highlighting the behaviour of both maliciously motivated insiders and outsiders
- Implementing an anti-fraud strategy involves identifying the personnel issues involved and working with senior members of staff on implementing anti-fraud measures: eg audit trails, systems to track email, records of which employees have access to sensitive data
- Businesses should have a protocol in place to instantly revoke access to company data on termination of employment.
Bring your own devices
- Businesses should devise and implement a clear BYOD policy that sets out security protocols that assist in keeping the devices secure
- Employees should be trained on how to keep their devices secure, and their software and security patches up-to-date
- Devices should be set to lock automatically when not in use and employees need to use a secure PIN to protect the business from data breaches in the event of loss or theft
- Employees can be taught how to encrypt hard drives and USBs before they put any work-related information on them
- When personal data and corporate data are kept on the same device, businesses can train employees on how to ring-fence data; eg corporate data can be kept in a specific app and stored in a backup facility so it can be recovered if the device is lost or stolen
- Mobile device management (MDM) software can be implemented to wipe lost or stolen devices. However, if corporate data is ring-fenced, not all data on the device needs to be deleted – only the particular folder or app that contains company data
- Employees can be provided with a user-friendly mechanism for secure remote access to company data that is stored in a central location (such as a mobile app that requires a login and uses an encrypted connection to communicate with corporate servers)
- To prevent viruses or malware infecting the company network through security loopholes in mobile phone apps, businesses can use a virtual private network (VPN) to ensure a secure and encrypted connection
- Ensure that employees always use a VPN when doing anything work-related on public wi-fi
- Educate employees about the risk of Internet of Things (IoT) devices and ensure they are covered in the BYOD policy (some employees may be unaware of the risks they pose to company security and may not even know their IoT device is connected to the internet, eg wireless mice can be hacked)
- Disconnect any IoT devices that don’t need to be connected to the internet
- Employees should be provided with technical support to ensure security measures are correctly implemented
- You may also want to consider using enterprise mobility management (EMM) software which can help determine how mobile devices are used on your system, as well as detect risks
- All devices accessing the company network should be identified
- Penetration tests must be regularly conducted to identify potential vulnerabilities
- The system must be constantly monitored for any security breaches.