If 2018 has taught us anything, it’s that keeping your data secure is more important than ever. In the last year we have seen the Facebook/Cambridge Analytica scandal, the Marriott hotel group data breach, the Morrisons employee data breach, and an undisclosed security flaw on the Google+ social network, to name a few. We have also seen the introduction of the EU’s General Data Protection Regulation (GDPR).
Whilst it appears that many consumers are now starting to see the importance of their data being kept secure and within their control, the rise in security breaches also poses a risk that data leaks become ‘the norm’ and as a result the required protection mechanisms aren’t put in place.
All organisations hold sensitive data of some kind, whether it’s employee data, client data, or sensitive data about the organisation itself. A breach of any type of data could be detrimental to an organisation.
I’ve put together my top 5 cyber security tips for keeping your organisation protected during 2019.
- Regularly patch your systems.
- Ensure the use of good passwords.
- Don’t forget about physical security.
- Spread the word.
- Get tested.
1. Regularly patch your systems
When it comes to cyber security, it may seem obvious but it’s important to ensure that the basics are covered. This includes regular patching of your applications and systems. Dealing with the impact of a known vulnerability that the vendor has already fixed will be far more work than keeping your applications and systems up to date. If you don’t have a patching policy in place, or your systems are not being patched regularly, this should be top of your list of things to get sorted in 2019.
You should also consider applications and systems outside of your network, such as web applications and websites which may have been developed and hosted by a third party. We offer clients our Monthly Security Protection service to ensure that their web applications and websites are patched regularly. If you are unsure whether you currently have something in place, the first step is to check with your IT provider, as the chances are that you don’t.
If you are reading this and thinking that it’s not possible to patch because your software is no longer supported, or because your software will no longer work on the latest supported operating systems, then you will need to address this first. At some point you will need to move away from legacy applications and systems, and it’s best to do this in a controlled way rather than at the point it becomes a necessity. Migrating existing desktop applications to hosted web applications can make things easier in the future.
2. Ensure the use of good passwords
People are still not using strong passwords, increasing the possibility of having an account hacked. SplashData’s Top 100 worst passwords of 2018 shows that the top two worst passwords (123456 and password) are unchanged from last year. Interestingly, the password that occupied the third spot last year (12345678) has been replaced with 123456789, perhaps a sign of what many people thought was a good update to their previous password.
Just as important as using good quality passwords is not reusing them across different applications and systems. If a user’s credentials are compromised on one application, not having used the same password elsewhere helps keep the impact minimal, as the stolen credentials cannot be used to access further data.
Ensuring employees within an organisation use good, non-duplicated passwords can require a mixture of policy, training, and provision of tools. One of the more common arguments against using different good quality passwords across systems and applications is that there are simply too many to remember. Today there are a number of password managers available which can help users manage their passwords and reduce password reuse.
Adding additional layers of authentication such as two-factor authentication or two-step authentication to logins can also be a good way to improve the security of user accounts, as it requires a user to have or know something in addition to their username and password in order to successfully authenticate.
3. Don’t forget about physical security
With so much focus on digital security it’s easy to forget about the physical side of cyber security. For some attackers, gaining physical access to data is easier than trying to hack into a system. Through social engineering, or other means, attackers can find their way into secure areas of organisations in order to gain access to sensitive data. It’s also possible that an attack may come from within the organisation.
Ensuring you have relevant policies and procedures in place and that these are upheld can help to protect your organisation from an attacker whether they are an employee or external. This may be as simple as ensuring employees lock their screens when they are away from their machines.
You should also ensure that physical storage holding sensitive data is disposed of correctly when no longer needed. This doesn’t only cover disk drives, laptops, mobile devices, or desktop machines: most devices have some kind of digital storage built into them. In 2010 CBS News reported how photocopiers which had not been properly disposed of could be used to uncover sensitive data.
4. Spread the word
No one person can protect your organisation from the cyber security threats that we are faced with. Cyber security is only as strong as its weakest link, and that includes people. If people in your organisation are unaware of the risks, unable to identify threats, or don’t adhere to company policy, it can undermine any other work that is done to help protect your organisation.
Creating policies and procedures can help, but it’s important that employees know what they are and why they exist, to ensure that they are followed.
Making sure your employees are aware of what a threat is, what it looks like, and how to deal with it will help to ensure that you can protect against avoidable mistakes. It might be all that stops somebody downloading that dodgy email attachment or plugging in that free USB thumb drive they were given at a conference or on the way in to work.
5. Get tested
Many organisations will have data stored within an online, often custom built, web application. Whether the data stored concerns employees, clients, or the organisation itself the security of these web applications can easily be taken for granted. However, if you’ve never had web application penetration testing performed then how do you even know if your applications are secure?
As a starting point I would recommend that you get security testing carried out on your web applications so you can understand where your weaknesses are. You can then look to get these vulnerabilities mitigated to improve the security of the applications you use. It’s often best practice to get your application tested by a third party who didn’t originally develop it. Many companies, including ourselves, provide web application penetration testing services to help you identify the vulnerabilities that need to be fixed.
It’s important not to think of web application penetration testing as a one-off task. Over time new vulnerabilities are discovered and web applications are often developed to implement new functionality. This can lead to the introduction of further vulnerabilities into your web applications. Performing testing on a regular basis or after changes have been made can help to keep your web applications secure.