Avanade’s Arno Zwegers highlights what all businesses need to bear in mind when it comes to cybersecurity.
Unless you work in the IT security industry, there’s something you may not be aware of. You might not realise just how vulnerable your computer security really is. We all need to shake off a few misconceptions to help every business stay safer.
First, we need to get rid of the analogy between cybersecurity and physical security. Images of locks, bolts, keys and bank vault metal doors – they’re all meaningless when it comes to cybersecurity. You can lock a door and be 100pc certain no one could break in. But you can’t be 100pc sure with cybersecurity. It’s just not possible. All you can do is reduce the risk.
Second, we need to remind ourselves that security basics are essential. It’s not always immediately about complex security systems.
To reduce the risk of your devices, network and data being compromised, you need basic standards of cybersecurity hygiene, in much the same way we need to wash our hands and wear face masks to combat infectious diseases like Covid-19. It’s the same principle.
1. Keep your software up to date
Put rigid procedures and steps in place to ensure your software is up to date. Don’t postpone, don’t wait, don’t hesitate. Some organisations are still running Windows XP, which stopped receiving security updates in April 2014. Windows 7 is no better. It too is no longer receiving security updates.
It’s important that companies around the world get to Windows 10 as quickly as possible and make sure that their computers, servers and applications are brought up to date – and then kept up to date.
2. Educate your staff about cybersecurity
Most attacks still come via email, and Covid-19 has only made things worse. Spear-phishing attacks have increased during lockdown.
Last March, cybersecurity researchers detected a surge in phishing scams attempting to exploit people’s fears about the coronavirus outbreak. By August, Interpol said that cyberattacks had risen at an alarming rate.
Because of all of this, security professionals are more stressed and overworked than ever before. To support them, it’s vital that everyone in your organisation is fully trained in cybersecurity basics. They need the ability to distinguish between a genuine email and a phishing email.
These basics are so important, and it’s shocking to see how many organisations get them wrong or don’t do them at all. It’s a constant fight and it’s never ‘complete’: always changing, always moving forward.
3. Know about the data you have and how it is shared
Data leaks don’t always happen on purpose; they can be accidental. It’s all too easy to share a slide containing sensitive data not intended for outside use.
Understand the value of your data. Who shares data? What do employees want to share, and with whom? What tools are used to share? And which tools are safe? In other words, you need data security governance.
Working from home has disrupted the traditional IT security perimeter. With endpoints dispersed across geographies and networks, your organisation’s data and the digital identities of all your employees are your most important digital assets.
Make sure you put tools in place to determine what can be done with your organisation’s data, by whom, and when.
4. Get your threat response ready
Put runbooks in place for when the worst happens. Everyone in your organisation needs to know what they need to do, the steps they need to take, and the people they need to speak to.
Consider the tools you need. You don’t need an expensive security tool to see that you have vulnerabilities.
Instead, invest in tools that protect your endpoints, monitor end user behaviour, and add encryption to keep data safe. Monitor the security behaviour of your end users to detect abnormal behaviour, so that your experienced IT teams can investigate and take appropriate action.
One recent story is a lesson to us all. One organisation’s software wasn’t patched and lacked the latest updates. Sounds sloppy, right? Well, they had a good excuse; the business postponed the updates to avoid downtime. But this left a known vulnerability wide open to hackers, who soon began an email phishing campaign. It didn’t take long for an employee to take the bait and click on a malicious attachment.
The hacker’s fateful payload did nothing more than make the PC run slower, but this meant a call to the IT helpdesk was needed. IT then logged onto the affected computer using credentials with full access privileges to other computers and servers, and the hacker was in.
5. Find the right balance
The eternal dilemma for IT leaders is where to set the security control dial. Too tight a grip over data and software leads to disgruntled users who simply start using their own tools outside of the company’s control.
Too little control and you’ll end up with data leaks and hacks all over the place. There is a third way: understand what your users need the most and make it happen for them in the way they want. Don’t work against them – work with them.
Hackers usually take the path of least resistance. They target the organisations that are least secure. But when they do get into your network or infiltrate a computer (after all, you’re not going to stop every attack), you need to make their life very difficult.
By Arno Zwegers
Arno Zwegers is the security practice lead for Avanade Netherlands. A version of this article appeared on Avanade’s blog.