The question one has to ask oneself isn’t whether or not to protect your servers and cloud backend against malware and other malicious attacks. The question is: is what I have in place to protect my IT environment against cyber-attacks secure enough? And the answer is not always that simple. According to Forbes research, here are 5 best practices one has to consider to mitigate the risk of cyber-attacks:
1. Education and awareness
Educate all stakeholders and staff about the risks and the consequences associated with them. IT and cyber-security should be tied in with overall risk management. In some cases it might require extra focus to raise awareness of cybersecurity and the risks involved. One can no longer play ostrich and think this will never happen to us. It is almost inevitable that it is going to happen; the question is when, and what can be done to mitigate the risk. Some firms appoint new board members with a good understanding of and background in the IT space, who can influence executive decisions and implement good policies to prevent cybersecurity breaches and threats.
2. Risk Assessment
Ongoing risk assessments are a must and should be performed on a monthly, quarterly and annual basis. Many organisations still see this as a one-off, tick-the-box exercise. The problem is that cybercrime is constantly evolving, which means that by not being proactive, one’s risk actually increases. Another good piece of advice is collaboration: see what is happening in other firms and industries, and meet with other CTOs and CIOs to collaborate.
3. Cybersecurity training
Research clearly shows that employees are the biggest risk for firms. A few tips: hold regular training (not just once a year), varied between topics such as passwords, visitor access and emails. It also helps to make the training practical and enjoyable. Show employees what healthy cyber hygiene looks like so they will apply these principles at home and protect their own families and home systems. Don’t just list the dos and don’ts; explain them in a way the employees really understand. To test how much of the training has been understood, some firms send their own phishing emails to see whether employees click the links or open the attachments. Those who fail the test are then required to take additional training.
4. Access Management
How many people have access to data, systems and facilities, which roles are assigned, and how is the access granted and managed? What are the policies and procedures in place for allowing and terminating access? How often are these policies updated? This is typically an area that is hard to manage and often neglected. How is access to systems and data being monitored? What happens if an employee changes jobs? How quickly is access changed? Multi-factor authentication is obviously best practice from outside the firewall and in certain internal areas. Two-factor authentication is an absolute must-have when trying to access the network from the outside. It is good practice to implement two-factor authentication even on social media platforms such as LinkedIn and Twitter. For protecting backend environments such as file servers or data centres, Hardware Security Modules (HSMs) should be used as an extra layer of authentication.
5. Vendor Management
Even though most firms have policies in place regarding vendor selection, most do not address security training for those who have access to the network or data. Even though vendors typically provide risk management and performance reports, they lack the jurisdiction to deal with bigger companies. Vendors have to be assessed on an ongoing basis. Good practice is to apply standards at the various levels of engagement, e.g. planning, deployment, selection and termination. It is important for vendors to obtain permission before bringing on any new vendor that handles, touches or stores data.
Robert Kellerman, marketing consultant for ellipticSecure.
Robert Kellerman is an engineer who specialises in technical marketing. He loves his family, making music, hiking and surfing. He is a bit of a coffee fanatic and roasts his own beans. He lives in Somerset West, Cape Town.