Your essential guide to internet security
We explain how to ensure both you and your business remain safe online
The internet is a fickle beast. On the one hand, we now have access to the sum total of human knowledge at our fingertips across an incredible range of devices. On the other, it's opened up both users and business to a whole new world of crime, where scammers are waiting seemingly round every corner. Not only are they ready to take advantage of the ever-growing digital landscape, but the disruption of recent months has brought cyber criminals a whole host of new opportunities.
However, just because a threat is out there, doesn't mean you must inevitably be vulnerable to it. Here are some simple steps to ensure both you and your business remain safe on the internet.
Install internet security software
Running internet security software on your endpoints (computers, mobile devices, tablets, etc) is the simplest place to start with a project like this.
Most of the well known antivirus firms, such as Kaspersky Lab, Symantec and AVG, have dedicated internet security products for both individuals and small to medium businesses (SMBs). These products will warning if a page isn't secure, which is particularly important if you're going to be entering sensitive personal data, or if a page is trying to redirect you. They also typically offer protection against malware downloads, including ransomware.
This type of software should ideally be used in conjunction with other on-device anti-malware programs.
Large enterprises will likely have dedicated security resources - either in the form of an individual or team - which should be leading internet security efforts and monitoring. For these businesses, an off-the-shelf solution is unlikely to be suitable. Instead, they should liaise with vendors and/or security-focused managed service providers to develop a system that's suitable for them.
Implement network security systems
Security appliances are a must, particularly for businesses with a large corporate network. The most fundamental of these is the firewall, which filters web traffic to try and prevent malware or malicious actors gaining access to the internal network. There are also email protection systems, and secure web gateway solutions that also offer protection for other internet-connected systems, such as instant messaging programmes.
If your organisation has IoT devices that are connected to the public internet, you should be paying particular attention to finding systems that can protect these end points as well, as their built-in security may not be as strong as those on PCs, laptops or mobile devices.
Educating the rest of the business is a key component of the internet security process for businesses.
The entire business should be encouraged to take a sceptical "better safe than sorry" approach, particularly as workers are one of the most common ways malicious actors gain entry to corporate systems.
For example, genuine-looking messages can be laden with hidden traps, like documents or PDFs containing malicious payloads or links to infected websites a technique commonly known as phishing or, when someone like the CEO or CFO is targeted, whaling.
Users should be told that if they receive an email from the finance department asking to "double check this invoice", for example, they shouldn't be afraid to ask for more details about the contents before opening it. Even better, if your company uses an instant message platform, such as Skype for Business, Slack or Yammer, users should be encouraged to contact the sender directly there to double check. Similarly, the entire organisation must be trained to be receptive to this "belt and braces" approach and not become irritated with colleagues who are doing the best thing for the security of the business.
Simplify to secure
Reduce complexity by integrating your security ecosystemDownload now
Similarly, if the email comes from a supplier or customer and includes an attachment or link, it's better for the recipient to call them up for clarification or details than to blindly click the link out of a sense of typical British "don't make a fuss" sentiment.
Users should also be aware of potential phone scams, particularly if the caller claims to be from "Microsoft Support" or similar, or the bank.
The IT department, perhaps in collaboration with HR, should be responsible keeping users up to date with the latest policies and best practices and encouraging individuals to come forward with any questions or concerns.
Be flexible and prepared
One thing every organisation learned in 2020 is that things don’t always go to plan. The widescale shift to remote working as a result of COVID-19 has favoured those organisations with the ability to be flexible with ready-to-go remote working strategies, including stellar cyber security.
Ensure you have a contingency plan for disruptions to normal working arrangements. If your employees can’t work from the office, is the endpoint security on their devices sufficient when they don’t have the added protection of the company network firewall? Are you using an OS that’s supported and regularly patched? You should ensure you’ve updated both your software and hardware so that it is compatible with the latest in security technology, and you may want to consider options such as cloud-based platforms with tight security measures that keep your staff and company data safe from any location.
Adapting staff training is key, too. By now, most people are aware that you should be cautious of an email promising big things from a strange email address, but are your employees trained to spot new threats as they emerge? Do they know that accessing information on their personal devices can be a major security risk, or that they should take steps to secure their home network? It’s vital that you keep everyone informed and prepared so that both your staff and your organisation remain safe online.
Test your defences
Everyone is confident in their own ability to create an infallible system, but there's really only one way to be sure your defences hold up under stress get someone to attack them. This will test any technical measures you've put in place, like security software, fire breaks and so on, as well as the efficacy of any training that's been put in place.
There are businesses and individuals that specialise in penetration testing who can be brought in as independent consultants. Alternatively, many security vendors also offer this service, but it may be more useful to use them before you roll out their software than after.
This kind of activity shouldn't be a one-off, however. The security landscape is ever-evolving, with new threats and methods of attack appearing all the time. This kind of drill should be carried out at least once a year to identify any areas of weakness you need to improve upon.
Have a data breach response plan in place
Sometimes, the worst happens and your business should be prepared for this eventuality. Nobody wants to be left trying to figure out who's responsible for notifying the CEO that an attack is taking place once it's already underway.
A data breach response plan should include the names and contact details of the people who will be involved in responding to a breach, whether it's an attack in progress or one that's over by the time it's discovered. This will include members of the IT team and the CTO, who should all have defined roles, as well as the data protection officer (DPO).
In a larger business, this will also include a dedicated person (for example, the CTO's PA), who is responsible for contacting the company's legal team and, if appropriate, PR agency/crisis comms team.
Finally, make sure you keep yourself up to date with the latest security news and best practices from reliable sources.
Main image credit: Bigstock
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now