Last July, the social security numbers, birth dates and residential addresses of 143 million people were exposed in a data breach that will go down in history as one of the worst. Of those 143 million people, 209,000 had their credit card information made public as well.
The company in question was Equifax, a consumer credit reporting agency that’s now synonymous with vulnerability. When we hear about attacks like this we’re usually quick to blame the hackers, but in almost every case there were security measures that could have been taken to prevent the attacks, and which other businesses should be following to ensure they don't become the next victim.
For one, did you know you can have your firm audited for its cyber security? While this may seem like a no-brainer, many companies fail to comply with contemporary protection standards. But because it’s an admittedly nerve-wracking endeavor, we’ve arranged our own do-it-yourself cyber security audit that you can perform for yourself by following a few easy steps.
1. Make sure your software is up to date
Outdated software is a common culprit when it comes to failed cyber security audits. Whether your business is small or large, it’s crucial that everyone is logged into the same network and using the same, most recent builds of whatever operating system you’ve opted for. You may think you don’t have to worry about your Linux-based servers, but if they’re not up to date with the latest security measures you could be vulnerable.
For this reason you’re going to want to use an enterprise network rather than deploying software manually on a per-computer basis. Doing so allows you or a specially trained team to implement and manage the company shield, instead of leaving everyone to fend for themselves.
No matter how skilled your employees, you can’t trust everyone to constantly remain on top of security-related tasks in a timely manner. Installing a major software patch even a day or two late can open up your company to some particularly devastating threats – and the last thing you want your company known for is an outage.
2. Review your cyber security battalion
Take a look at who is in charge of your company’s security push today. Is it an individual, or a team of experts who know their trade inside out? It’s critical that you assign clear-cut responsibility to someone who knows the ropes like the back of their hand.
Once you’ve assigned some sort of cybersecurity responsibility at your company, ensure that you communicate regularly with this person or group of people. And we'd go a step further, by ensuring that the people you’ve put in charge are communicating clearly with other employees about the steps they're taking to safeguard your business.
When everyone working at your company is aware of cybersecurity procedures it's far less likely that unwelcome visitors will abuse your systems. Many authorities on the subject also recommend that you arrange for your employees to receive training on security posture, and you’ll want to thoroughly document attendance at these events.
3. Assess currently instated measures
Here’s where you’ll want to inspect the hardware and software your company is using at present. This goes hand-in-hand to some extent with step 1, and you’ll want to make sure that your servers, databases and other hardware and software are all connected to a secure network. Double-check that the programs your employees are using for work haven’t been compromised by vulnerabilities.
The same principle applies to everything that comes in, or goes out, of your offices. That means laptops, tablets and mobile phones should be assessed, or else you’ll be leaving the company at risk of malware and a multitude of other threats.
A lot of companies tend to ignore smartphones and other mobile devices when considering a cybersecurity plan of action. Nevertheless, these pose a threat that’s equal to or sometimes greater than that from desktop workstation computers and servers. Bear that in mind as you reflect on the safety of all tools operated by corporate personnel.
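Steps 1 and 3 both come down to one question an auditor will ask: is every asset, mobile devices included, on a current build and under central management? The script below is an added example (not TechRadar's or any vendor's tool) that runs those two checks over a constructed asset inventory; the asset fields, the sample hosts and the per-OS baseline builds are all assumptions made for illustration, and a real baseline would come from each vendor's currently supported release.

```python
"""Audit a constructed asset inventory for two of the article's checks:
step 1 (is every host on the current build?) and step 3 (is every device,
phones and tablets included, enrolled in central management?)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str       # hostname or device label (constructed)
    kind: str       # "server", "laptop", "phone", "tablet"
    os: str         # "ubuntu", "windows", "ios", "android"
    build: str      # dotted version string as reported by the device
    managed: bool   # enrolled in central patch/device management


# Constructed sample inventory; none of these are real hosts.
INVENTORY = [
    Asset("web-01", "server", "ubuntu", "22.04.3", True),
    Asset("db-01", "server", "ubuntu", "20.04.6", True),            # a release behind
    Asset("fin-laptop-7", "laptop", "windows", "10.0.19045", False),  # unmanaged
    Asset("ceo-phone", "phone", "ios", "16.7", False),              # unmanaged and old
    Asset("sales-tab-2", "tablet", "android", "14", True),
]

# Minimum acceptable build per OS (assumed baseline for the example only).
BASELINE = {"ubuntu": "22.04", "windows": "10.0.19045", "ios": "17.0", "android": "13"}


def parse_version(v):
    """'22.04.3' -> (22, 4, 3); any non-numeric component compares as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(asset, baseline=BASELINE):
    """True when the asset's build is below the baseline for its OS.
    An OS with no baseline is reported as a finding rather than silently passed."""
    minimum = baseline.get(asset.os)
    if minimum is None:
        return True
    return parse_version(asset.build) < parse_version(minimum)


def audit(inventory, baseline=BASELINE):
    """Return findings keyed by check name; an empty list means that check passed."""
    findings = {"outdated_build": [], "unmanaged_device": []}
    for a in inventory:
        if is_outdated(a, baseline):
            findings["outdated_build"].append(a.name)
        if not a.managed:
            findings["unmanaged_device"].append(a.name)
    return findings


def coverage_by_kind(inventory):
    """Fraction of assets of each kind under management; this is where the
    mobile blind spot the article describes shows up as a number."""
    totals, managed = {}, {}
    for a in inventory:
        totals[a.kind] = totals.get(a.kind, 0) + 1
        managed[a.kind] = managed.get(a.kind, 0) + (1 if a.managed else 0)
    return {kind: managed[kind] / totals[kind] for kind in totals}


if __name__ == "__main__":
    for check, names in audit(INVENTORY).items():
        print(f"{check}: {'PASS' if not names else ', '.join(names)}")
    for kind, frac in coverage_by_kind(INVENTORY).items():
        print(f"{kind}: {frac:.0%} managed")
```

Run against the sample inventory it reports `db-01` and `ceo-phone` as behind baseline and `fin-laptop-7` and `ceo-phone` as unmanaged, with 0% of laptops and phones under management against 100% of servers. Treating an unknown OS as a finding is deliberate: an audit that quietly passes whatever it cannot classify is exactly the gap the article warns about.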
4. Forestall any and all risks
Given that, according to the IBM Cyber Security Intelligence Index, human error is responsible for 95% of all security incidents that take place, ensure that such errors can’t compromise you or your business. Threats such as phishing scams, ransomware and identity theft are increasingly ubiquitous in the information age, but there's lots you can do to guard against them.
By taking control of your network – or working with someone you trust to do it for you – you can keep security concerns down to a minimum. Of course, this means paying close attention to which sites and services your employees can access, and which of those are prone to malicious behavior.
Likewise, do your research. If one person in the IT department is the only one that understands your company’s defenses, communicate with them and do your best to understand the ins and outs of the operation. Most importantly, prepare yourself to be informed and present in the unfortunate event that your company ends up in a bind, which leads us to our final point.
5. Plan ahead
Last, but certainly not least, you don’t want to wait until you’re under fire before you make a conscious decision to start getting proactive about cyber security – and you need to be prepared if an attack does happen, and have a post-breach recovery protocol up your sleeve.
Better yet, the plan ought to span multiple departments, rather than leaving IT in charge of the whole recovery process. The procedure for addressing such an episode must be put in writing, constantly updated to adhere to new developments in the cybersecurity field, and tested regularly to make sure it won’t fail you in a real-world scenario.
With all of these steps in mind, your business can pass a proper cybersecurity audit with flying colors. That said, you will have to take steps above and beyond those outlined here to maximise protection against breaches in the foreseeable future. It's better to be safe than sorry.
- Security Week by TechRadar Pro is brought to you in association with CyberGhost.