This month is Cyber Security Awareness Month and this week is Security Serious. In honour of both, here are my top ten tips to improve your organisation’s security. Whether you’re big or small, cyber insecurity is a real issue that we all need to address. Security shouldn’t be about locking down all information or getting in the way of people working, but it should be proportionate, holistic and tailored to the needs, context and risk appetite of the organisation.
With that in mind, here are my top ten tips:
1. Undertake a third-party audit of your information security. Expert, external eyes will help you work out what you’re doing right as well as where, and how, to improve.
2. Get your policies in order. Policies should be clear, concise, accessible and appropriate to the business. They also, very importantly and often overlooked, need to be well communicated and enforced.
3. Everyone in the organisation should have training. Whether this is in-depth specialist training or general awareness-raising will vary depending on the organisation and people’s roles.
4. Consider your culture. If you find there’s a tendency to scaremonger, scapegoat or rule by fear, it’s time for cultural change: staff who expect to be blamed do not report the link they clicked, and the delay costs far more than the click.
5. Review your governance. Who owns information risk, and how is that responsibility disseminated through the rest of the organisation? If you don’t already have them, consider approaching some keen staff members to see whether they would act as ‘cyber ambassadors’.
6. Focus on passwords. Weak or reused passwords are often the quickest and easiest way for an attacker to compromise your network, which is not surprising considering ‘123456’ and ‘password’ were the two most common passwords of last year. At a minimum, reject new passwords that appear on the common-password lists attackers try first.
7. Put two-factor authentication in place wherever you can, and make sure people understand it and use it. This is linked to number 6, in that two-factor means you are no longer relying on passwords alone: a password that has been guessed or stolen does not, on its own, get the attacker in. Despite the simplicity and effectiveness of 2FA, unfortunately most people are unaware of it and not engaging with it.
8. Look at your physical and personnel security. Like many of these tips, a good information security audit should cover this, as there is much more to information security than the digital. Social engineering (or ‘people hacking’) takes advantage of poor physical security and of organisations that fail to empower their staff to challenge strangers in the office or to stop someone tailgating through a door.
9. Keep up to date with threats. One of the most common, and most successful, attacks right now is CEO fraud, which often involves spoofed emails purporting to come from a senior executive and asking for an urgent payment. A simple countermeasure is to confirm any such request by phone, using a number you already hold rather than one given in the email. Use team meetings to make staff aware of current threats, and try to make these discussions as engaging and interactive as possible.
10. Ensure your systems are well configured. Patches and updates should be applied promptly, vulnerability scans should be run regularly, firewalls should be in place, and penetration testing should be carried out and its recommendations implemented.
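As an added example for tip 9 (not part of the original post), the following scores a message for the tell-tale signs of a CEO-fraud email: an executive’s display name on an outside address, a lookalike of your own domain, a Reply-To that quietly diverts replies, failed sender authentication on your real domain, and the urgent-payment language these scams rely on. The organisation, its domain, the executive directory and the three sample messages are all constructed for the example; nothing here is real mail.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for the example: a hypothetical organisation, its domain and one executive.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"pat smith": "pat.smith@example.com"}
URGENCY_TERMS = ("urgent", "wire transfer", "payment", "confidential", "gift card", "today")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list:
    """Return the CEO-fraud indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. An executive's name in the display name, but not their real address.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append(f"display name '{from_name}' impersonates {real_addr} (sent from {from_addr})")

    # 2. Replies routed to a different domain from the one shown in From.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To diverts replies to {reply_to}")

    # 3. A sending domain one or two characters away from our own. The attacker owns
    #    such a domain, so SPF/DKIM/DMARC pass for it; only this check catches it.
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if edit_distance(from_domain, internal) <= 2:
                findings.append(f"lookalike domain {from_domain} ~ {internal}")

    # 4. Our own domain in From, but the receiving server's authentication failed:
    #    a direct spoof of the real address.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")

    # 5. The pressure language that makes people skip the phone call.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent indicators: hold the mail for human review."""
    return len(bec_indicators(raw_message)) >= 2


# Constructed sample messages (not real mail).
LOOKALIKE = """From: Pat Smith <pat.smith@examp1e.com>
Reply-To: Pat Smith <pat.smith.ceo@gmail.com>
To: finance@example.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com

I need a supplier payment sent today before the board call. Keep this confidential.
"""

SPOOFED = """From: Pat Smith <pat.smith@example.com>
To: finance@example.com
Subject: Invoice payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Please process the attached invoice today.
"""

LEGIT = """From: Pat Smith <pat.smith@example.com>
To: finance@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

Figures attached for Friday's review.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, is_suspicious(sample), bec_indicators(sample))
```

The two fraudulent samples are deliberately different: the lookalike domain passes SPF because the attacker registered it, and the exact-domain spoof fails SPF and DMARC, which is why no single header check is enough. In practice the directory and domain list come from your own staff directory, and anything that trips two indicators goes to a person, not to the payments queue.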
Bonus tip: it’s now widely accepted that, when it comes to information breaches, it’s not a case of ‘if’ but ‘when’. As such, your incident response plan (developed under tip 2, get your policies in order) should be tested before a breach, for example by walking the people named in it through a realistic scenario, so that the first time you put it into practice isn’t when you need it the most.
There is no such thing as 100% security, but you can and should mitigate risk where possible – the tips above will help you do just that. If you want more assistance or information, please get in touch with me.
By Dr Jessica Barker