My perspective on 2019’s most prevalent Cyber threats.

I was recently asked about the organisation’s most high-risk Cyber-attack vectors and whether we were well prepared to handle them in the event they occurred. I, of course, responded with a measured but honest answer, to both the delight and dismay of the Business Head.

Nevertheless, the conversation ended well, with some action points on my behalf and a confident business owner, comfortable that we’re proactive in our approach to Cyber Security.

As a result of the conversation, I’ve decided to highlight my top 3 cyber threats that any business should have covered, and how to mitigate them. If not, I’d recommend at least understanding what your organisation’s risks are and then implementing controls to mitigate them.

Ransomware – Has been rife and has had a massive resurgence this year, especially in the US of late, targeting federal, state and municipal agencies. Let’s not forget the healthcare and educational institutions too.

• Employ anti-virus and anti-malware protection, ensuring that it’s maintained.

• Keep your applications, operating systems and hardware systems up to date.

• Well-managed and consistent data backups will allow you to recover from most ransomware attacks. And remember to regularly test your backups.

Phishing – Has continued to establish itself further through other platforms such as social media apps, websites and SMS, which has made it more widespread than ever.

• If it sounds too good to be true, it probably is.

• Be suspicious of unexpected messages and trust your gut.

• Make use of Anti-Spoofing protection, Spam filters and DMARC checks on your corporate email environment.

Insider threat – A topic I discussed on its own in a previous article. The moment an organisation employs staff, whether permanent or on a contractual basis, or grants occasional system access to 3rd-party vendors, it opens up the possibility of a data breach, whether intentional or unintentional.

• Excuse the incoming cliché, but my number one recommendation is ‘Education, education, education!’ Educate all staff members to be alert to suspicious behaviour and encourage open communication.

• Provision access to data on a ‘need to know’ basis. Principles like ‘least privilege’ and ‘separation of duties’ are a great basis.

• Implement controls around the use of portable storage devices, online storage platforms and the use of third-party email.

All in all, it’s important to note that a well-informed corporate governance structure, an evolving technology strategy, effective processes and procedures, and consistent staff training will provide a great foundation for mitigating the aforementioned threats.

The reality today is that businesses of all sizes should protect their digital assets the same way a mother would protect her young – ‘at all costs’. It’s not a matter of if but when.
