CyberSecurity: 6 Hacks to Avoid Getting Hacked
Target, the IRS, Hillary Clinton, Sony, healthcare systems… the list goes on with new stories of cyber security breaches and hacking. A cyber-attack can lead to financial and reputational losses from which it can be difficult to recover. A cybersecurity breach can negatively impact your business continuity and force the organization into disaster recovery mode. Sometimes simple preventive measures can help mitigate risk, before disaster strikes. Here are 6 hacks you can try to help your organization avoid getting hacked.
- Stop insider attacks
- “Gone phishing”
- Password security
- Defend against intrusions at the device level
- Avoid band-aid security fixes
- Mandatory cybersecurity education
1. Stop insider attacks
Studies estimate that between 40-90% of cyber-attacks originate from inside the organization. This can either be a hack savvy IT professional, a disgruntled employee, or even an accident caused by an uniformed employee.
Hack: Ensure Accountability and Security via Password Policies
Avoid having a universal company passcode to any device, network, application or internet site. Make sure each employee has an individualized login and password to ensure accountability and the give you the power to revoke an individual’s access, without disrupting the rest of the company’s access. Having separate logins also helps you monitor, just who made a change or mistake, regardless of whether it was deliberate or accidental. Immediately cancel network access and passwords when employees leave the company, to avoid them using passwords to remotely access the network in future.
2. “Gone Phishing”
Social engineering is getting more advanced and creative every day. Hackers use sound effects, role play, or whatever it takes to get the information they need to access your secure data. This can be over the phone, in person, via email or through social media tools.
Hack: Don’t take the bait.
The same holds true for phone calls. Don’t be fooled by sob stories, threats or name dropping. Stick with the rules of cyber security.
Reinforce with your employees that they shouldn't provide their password to anyone (even the IT department) over the telephone. Educate your staff to help recognize a phishing phone call, conversation or email. Ask that they not open any suspicious emails, and advise them to contact the IT team immediately. These types of messages are becoming increasingly sophisticated, as they can include personal details, or even make references to specific company projects or products. It is very easy to name drop members of the team, as so much of this is available via social networking and the internet.
3. Password Security
I know, I know… you hear this all the time from your IT department, but let’s face it… the IT teams know it works.
Hack: Create strong passwords and change them frequently
This also includes never using the same password for all of your accounts – that’s just asking for trouble. As soon as these cyber criminals hack into one program or device, they will have instant access to all of your personal and professional data, and worse it provides an open window into your companies network. Try to create diverse passwords that combine numbers, symbols and other factors to ensure it is safe and secure. You should also ensure that passwords are changed every few months.
4. Defend against intrusions at the device level
There is a famous story about an Apple Computer employee who mistakenly left his iPhone behind in a social establishment. The mobile phone happened to have top secret images of what the future release of the next iPhone model would look like. The iPhone and the images made it to a tech publisher who broke the story and shared the photos.
Let’s not forget about spyware, malware and viruses. Even legitimate software tools such as password keepers can be used as a means to hack a device or network.
Hack: Build a layered device wall
Layer one: A secure device begins at the password level (as stated in Hack 3). Insist that employees use complex password creation on both their work devices, as well as their personal devices that may be used to access email or the organization’s network.
Layer two: Encourage the team to pay attention to notifications regarding updates to their device’s
- device operating system
- software updates or downloads
- anti-virus software
- web browsers
Although these system notifications can sometimes seem to be a nuisance, it is much easier to review them in the few seconds it takes vs. the dealing with the damage that can happen, should you end up with malware, viruses, ransomeware or spyware. Avoid accepting automatic updates and review and approve each one. Have employees contact IT if they notice any suspicious software on their system.
Layer three: Run network surveillance often, but on an irregular schedule. Even though it is easier to automate, including extra unscheduled surveillance could keep your data safe if someone is aware of the schedule or surveillance routine.
Layer four: Report any loss of devices to IT immediately so they can unauthorized from the network. ). It is critical to for employees to understand that cyber-attacks can occur just by a cyber-criminal having access to an employee’s laptop, tablet or mobile device.
5. Avoid Band-Aid solutions
Many companies will quickly add more levels of security software if there is a breach. Although multiple layers of security software can be helpful, it won’t work until the source of the breach is resolved.
Hack: Fix the source of the breach before adding a firewall or filter.
If you have already experience any sort of network or devices security disruption, adding firewalls and filters to a platform that is already insecure is basically the same as putting a band-aid on a gaping wound. You need to fix the problem first. Hackers know just how to locate your vulnerabilities. You need to discover where the security problems are, and then have an IT profession fix the issue.
6. Cybersecurity Education
Employee education can be one of the most effective methods of preventing a cyber-attack. Having a policy is sometimes not enough, even when employees read it, the information may not stick.
Hack: Hold a mandatory cybersecurity employee education session
I recommend a mandatory in-service training. This should recur annually, but you may want to have adhoc trainings should new threats arise (ie ransomeware). Have a quiz at the end of each session to determine if the team has a full understanding of security policies or concerns.
Know your cybersecurity risks. There is no greater threat to organizational resilience than a cybersecurity breach. Be sure to conduct a business impact analysis and develop a strong business continuity plan that emphasizes cybersecurity. There are many continuity consultants and free online tools that can help you get started.
Learn more about business continuity maturity in this free PPT.