10 Steps to Protect Your Company from Cyber Attacks
A cyber attack is a very specific type of threat that can result in a far-reaching disaster for a business. When someone or something attempts to gain unauthorized access to your computer systems, that attempt represents a cyber attack.
Cyber attacks come in a number of guises—ransomware, malware, phishing attempts, viruses, payment diversion fraud, denial of service disruptions and even hijacking of the system to mine cryptocurrency, for example. If the attack breaches the system, all of the data, information, programming, and even operating protocols that the system holds or accesses become vulnerable to compromise. The attack may not only steal or alter information but also expose it to others, destroy it, insert additional data or information, or even disable or override the system itself.
In response, companies are recognizing the need to address the issue of cyber security not only within their IT departments but also across their entire workforce. The new wisdom—“Cyber security is not a technology issue. It’s a business issue.” For many business owners, however, it can be an overwhelming issue. Here’s a cyber security to-do list to get you started.
Cyber Security To-Do List
1. People are often the weakest link, so know exactly who has system access.
While the technology that IT puts in place is designed to respond predictably and regularly, humans make independent decisions that aren’t always predictable or wise. Insider threats come from individuals who have authorized access to company information but may act in ways that put it at risk. IBM analysis breaks insider threats into three human sources:
- Employees who are careless or unaware of security policies and procedures.
- Disgruntled current or former employees.
- Third parties who have system access. Third parties include business partners, clients, contractors and vendors and suppliers.
2. Limit system accesses and permissions to the individuals who actually need them.
Modern technology and tools as simple as mobile phone apps allow administrators to control who has access to systems and can even limit permissions to certain operations or timeframes. Ensure that the people who have access really need it—and have unique, identifiable accounts and passwords to make them accountable. Likewise, remove access from individuals who don’t really need it. Cancel accesses and privileges as appropriate for individuals who change jobs, advance into other jobs, change sites or take extended periods of leave.
3. Provide training and refresher workshops to ensure you have an educated workforce and a secure business network of partnerships.
The people who have access to your systems and its sensitive data need to understand how to protect it and how to avoid actions that can put it at risk. Setting aside time for training seminars and dedicated meetings establishes a company culture that values the proper handling of sensitive proprietary information. It also ensures that everyone remains current as company operations are updated to counter new or developing cyber risks.
4. Publish official company security policies and procedures specifically addressing company-held data and systems and the risk of cyber threats.
Business owners need to work with their IT teams to publish company-specific reference documents that address the threat of cybercrime. Outline a table of contents as a checklist for factors you have or have not addressed within your business. At the very least, it should define the types of cyber threats your employees may face, describe the safe operating procedures that minimize risks, set policy to deal with security violations, and establish guidelines to follow if a cyber attack is launched or is successful.
5. Review, revise and distribute official updates to company policies and procedures regularly.
Your official company cyber policies and procedures should be treated as a living document that is constantly evolving. You can send out memos or other correspondence to alert employees of changes, but be sure to also consistently update the master document. Employees need one readily available source that specifies that the latest best practices you’ve requested are the ones they need to refer to and follow.
6. Be specific with your security guidelines.
With so much of our business communications and transactions online, employees need clarity on what qualifies as safe cyber practices versus risky ones. You and your IT team need to decide on and clearly communicate expectations for everyday operations that involve those types of access and the sharing of data or other information. Ask the important questions.
- How are people to use internal and external emails, and what is considered safe and appropriate communication?
- How do you want data transferred? What about attached files?
- What online accesses are allowed to other sites?
- What about company mobile devices that are taken home or exposed to public or other private Wi-Fi?
- What is the policy on external storage devices like mobile hard drives or thumb drives, for example, that may spread viruses?
7. Take the proper IT precautions in-house.
When the Hiscox Cyber Readiness Report 2021 looked at data establishing the first point of entry for cyber attacks, corporate-owned servers came in first. Following were corporate cloud servers, company websites, employees responding to cyber bait, corporate-owned mobile devices, employee-owned mobile devices, suppliers’ assets and corporate-owned Internet of things. Precautions include installing firewalls to ensure private network processes stay private, installing security software and any updates or patches, establishing unique accounts and log-ins for all users, and using data encryption requiring multi-factor authentication.
8. Invest in an off-site backup.
Your information really is that precious. Having a backup ensures that if a cyber attack destroys, alters or steals information or causes computer system failure issues, you’ll still have an original, uncompromised copy of your most important records and operating programs. You can save your information to a separate backup drive, a mobile device or cloud storage. Experts recommend daily incremental backups to a mobile device or cloud storage and weekly, quarterly and annual server backups.
9. Control and monitor access to company equipment and mobile devices.
With the increasing reliance on mobile devices like laptops, tablets, iPads and phones in addition to company in-house systems, keeping track of every piece of equipment, where that equipment is and what it is accessing can be a huge task. However, maintaining a current official inventory of devices is key in ensuring that all equipment is accounted for and running the correct software complete with the latest security updates. If you replace old equipment with new, be sure to collect retired devices so that you can wipe them of any sensitive data or software. Having just one out-of-date, unaccounted-for device offers cybercriminals backdoor access.
10. Preempt the unique challenges of public wireless accesses.
Remote work and teleworking scenarios have become more common due to the pandemic. Company representatives may call on clients at remote locations that have their own wireless services or stop at a restaurant, library or coffee shop with Wi-Fi to catch up on email, for example, or meet with a client. You may even want to supply Wi-Fi to your customers while they’re waiting or clients or vendors when they come to do business. However, as an NSA cyber security information sheet points out, public Wi-Fi is vulnerable to attackers who “employ malicious access points, redirect to malicious websites, inject malicious proxies, and eavesdrop on network traffic.” They may even exploit wireless technologies like Bluetooth or Near Field Communications radio interfaces. Solutions can include strategies like using encrypted company VPNs—virtual private networks—providing company hotspots and ensuring any Wi-Fi courtesy access provided to customers is completely separate from your company’s internal business network.
Prioritize Your Cyber Security
The fallout for businesses who suffer cybercrime is costly to both finances and reputation. Drawing from a sample of well over 6,000 businesses around the world, the Hiscox Cyber Readiness Report 2021 found that the number of firms targeted rose from 38 percent in 2020 to 43 percent in 2021—a figure perilously close to half—and 28 percent of those targeted reported more than five attacks in the past year. About one in six of those attacked “was hit with a ransom,” and 58 percent paid it. Every business is vulnerable, but every business can take the critical steps necessary to make cyber security a priority.