Your essential guide to internet security
How can you stay safe on the internet?
The internet is a fickle beast. On the one hand, we now have access to the sum total of human knowledge (and human opinion) at our fingertips across an incredible range of devices. On the other, it's opened us up to a whole new world of crime, where scammers are waiting seemingly round every corner.
But just because a threat is out there, doesn't mean you must inevitably be vulnerable to it.
Here are some simple steps to ensure both you and your business remain safe on the internet.
Install internet security software
Running internet security software on your endpoints (computers, mobile devices, tablets, etc) is the simplest place to start with a project like this.
Most of the well known antivirus firms, such as Kaspersky Lab, Symantec and AVG, have dedicated internet security products for both individuals and small to medium businesses (SMBs). They include features such as warning you if a page isn't secure, which is particularly important if you're going to be entering sensitive personal data, or if a page is trying to redirect you, as well as protection against malware downloads, including ransomware.
This type of software should ideally be used in conjunction with other on-device anti-malware programs.
Large enterprises will likely have dedicated security resources - either in the form of an individual or team - which should be leading internet security efforts and monitoring. For these businesses, an off-the-shelf solution is unlikely to be suitable. Instead, they should liaise with vendors and/or security-focused managed service providers to develop a system that's suitable for them.
Implement network security systems
Security appliances are a must, particularly for businesses with a large corporate network. The most fundamental of these is the firewall, which filters web traffic to try and prevent malware or malicious actors gaining access to the internal network. There are also email protection systems, and secure web gateway solutions that also offer protection for other internet-connected systems, such as instant messaging programmes.
If your organisation has IoT devices that are connected to the public internet, you should be paying particular attention to finding systems that can protect these end points as well, as their built-in security may not be as strong as those on PCs, laptops or mobile devices.
Educating the rest of the business is a key component of the internet security process for businesses.
The entire business should be encouraged to take a sceptical "better safe than sorry" approach, particularly as workers are one of the most common ways malicious actors gain entry to corporate systems.
For example, genuine-looking messages can be laden with hidden traps, like documents or PDFs containing malicious payloads or links to infected websites a technique commonly known as phishing or, when someone like the CEO or CFO is targeted, whaling.
Users should be told that if they receive an email from the finance department asking to "double check this invoice", for example, they shouldn't be afraid to ask for more details about the contents before opening it. Even better, if your company uses an instant message platform, such as Skype for Business, Slack or Yammer, users should be encouraged to contact the sender directly there to double check. Similarly, the entire organisation must be trained to be receptive to this "belt and braces" approach and not become irritated with colleagues who are doing the best thing for the security of the business.
Similarly, if the email comes from a supplier or customer and includes an attachment or link, it's better for the recipient to call them up for clarification or details than to blindly click the link out of a sense of typical British "don't make a fuss" sentiment.
Users should also be aware of potential phone scams, particularly if the caller claims to be from "Microsoft Support" or similar, or the bank.
The IT department, perhaps in collaboration with HR, should be responsible keeping users up to date with the latest policies and best practices and encouraging individuals to come forward with any questions or concerns.
Test your defences
Everyone is confident in their own ability to create an infallible system, but there's really only one way to be sure your defences hold up under stress get someone to attack them. This will test any technical measures you've put in place, like security software, fire breaks and so on, as well as the efficacy of any training that's been put in place.
There are businesses and individuals that specialise in penetration testing who can be brought in as independent consultants. Alternatively, many security vendors also offer this service, but it may be more useful to use them before you roll out their software than after.
This kind of activity shouldn't be a one-off, however. The security landscape is ever-evolving, with new threats and methods of attack appearing all the time. This kind of drill should be carried out at least once a year to identify any areas of weakness you need to improve upon.
Have a data breach response plan in place
Sometimes, the worst happens and your business should be prepared for this eventuality. Nobody wants to be left trying to figure out who's responsible for notifying the CEO that an attack is taking place once it's already underway.
A data breach response plan should include the names and contact details of the people who will be involved in responding to a breach, whether it's an attack in progress or one that's over by the time it's discovered. This will include members of the IT team and the CTO, who should all have defined roles, as well as the data protection officer (DPO).
In a larger business, this will also include a dedicated person (for example, the CTO's PA), who is responsible for contacting the company's legal team and, if appropriate, PR agency/crisis comms team.
Finally, make sure you keep yourself up to date with the latest security news and best practices from reliable sources.
Main image credit: Bigstock
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now