Last updated May 2023
Big walls and metal detectors are no longer enough to defend a company from intruders. Today’s attackers come from cyberspace. To protect themselves from attack, enterprises need comprehensive cybersecurity policies. Let’s explore the essentials…
Remember when company security used to mean a burly human being with a name badge – and possibly a hat?
That was long ago. Today, defending a physical building from intruders is still necessary. However, the bigger worry is the growing army of cyber criminals that try to bypass defences via underground wires and Wi-Fi.
From the bad actors’ point of view, cybercrime makes much more sense than a physical raid. There’s no physical danger. And the rewards are huge. This is why, every year, the number of attacks grows.
In 2021, for example, the FBI's Internet Crime Complaint Center (IC3) logged 847,376 complaints in the US alone, according to its 2021 Internet Crime Report. That is a seven percent increase on 2020. Meanwhile the Anti-Phishing Working Group (APWG) counted 1,025,968 phishing attacks in Q1 2022, the worst quarter for phishing it had recorded.
The financial impact is growing too. In 2022 the average cost of a data breach reached $4.35 million, up 2.6 percent on the previous year, according to IBM's Cost of a Data Breach Report. It broke the average cost down by the initial attack vector as follows:
Phishing: $4.91 million
Business email compromise: $4.89 million
Vulnerability in third-party software: $4.55 million
Stolen or compromised credentials: $4.50 million
Malicious insider: $4.18 million
Thanks to the huge potential rewards of cybercrime, attackers are continually modifying their methods – and looking for new attack surfaces to target. In 2023, for example, analysts expect them to turn their attention to new 5G networks and use AI to develop alarming new deepfake scams.
But against this, cybersecurity experts are developing new tools to repel attacks. Meanwhile there’s a growing awareness of the importance of education. This is because most attacks are not especially technical. Instead, they rely on social engineering – fooling employees/consumers into volunteering sensitive information.
Speed of reaction also helps. The IBM report says it took an average of 277 days to identify and contain a breach in 2022. Breaches contained in under 200 days cost $1.12 million less on average than those that took longer.
So, with this in mind, let’s explore 10 best practices that every business should adopt to protect itself from cyberattack.
#1. Use long, unique passwords – and a password manager
Cyberattackers have many tools to help them guess passwords. People regularly post their birthdays and the names of their pets on social media, and attackers feed those details into their guesses. If guessing fails, a brute-force or dictionary attack can try millions of combinations, so make every guess as unlikely as possible. Length matters more than clever substitutions: a long passphrase beats a short password with a few symbols swapped in, and avoiding common words and personal details matters more than ticking character-class boxes. Use a password manager to generate and store a different password for every account; reuse is what turns one breached website into a compromised corporate login. Change a password promptly when there is any sign it has been exposed, for example when it turns up in a known breach, rather than on a fixed calendar: forced periodic rotation tends to produce predictable variants, and current guidance such as NIST SP 800-63B advises against it.
#2. Make prompt security updates
Modern software seems to need updating all the time. Those updates often carry security patches that close vulnerabilities attackers are already exploiting in your operating systems, applications and firmware; once a patch is public, the gap between its release and working exploits can be a matter of days. It is tempting to hit the 'remind me later' button. Don't. Turn on automatic updates where you can, and do the rest now.
#3. Train your employees
Some of the most damaging of all attacks are not especially clever or technical. Instead, they rely on deceiving well-meaning employees. For example, an attacker might register a lookalike domain (swapping the letter l for the digit 1, say) to pose as a colleague or the CEO and ask a favour, typically an urgent payment or a password reset. Security awareness training makes staff aware of these tricks; pairing it with a simple rule, such as confirming any unusual payment request by phone on a known number, gives them a safe way to say no.
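Here is an added example, not from the original article, of the kind of check a mail gateway or a SOC script can run to catch the lookalike-domain trick described above. It is written in Go; the trusted domain list, the homoglyph table and the sample From headers are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict is the classification for one sender domain.
type Verdict string

const (
	Trusted   Verdict = "trusted"   // exactly one of our own domains
	Lookalike Verdict = "lookalike" // impersonates one of our domains
	External  Verdict = "external"  // some unrelated domain
)

// trustedDomains is a constructed list of the company's real mail domains
// (an assumption for this example).
var trustedDomains = []string{"example.com", "example-corp.com"}

// foldHomoglyphs maps characters attackers substitute for letters back to
// the letter they imitate, so "examp1e.com" and "exarnple.com" both fold
// to "example.com". Two-character pairs are listed first so "rn" is
// handled as a unit.
func foldHomoglyphs(s string) string {
	r := strings.NewReplacer(
		"rn", "m", "vv", "w",
		"1", "l", "0", "o", "3", "e", "5", "s", "7", "t",
	)
	return r.Replace(strings.ToLower(s))
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between a and b: how many single
// character insertions, deletions or substitutions turn one into the other.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// classifyDomain flags a sender domain that is not ours but is within one
// edit, one homoglyph swap, or one bolted-on label of a domain that is.
func classifyDomain(domain string) Verdict {
	d := strings.ToLower(strings.TrimSpace(domain))
	for _, t := range trustedDomains {
		if d == t {
			return Trusted
		}
	}
	folded := foldHomoglyphs(d)
	for _, t := range trustedDomains {
		if folded == t || strings.Contains(d, t) || levenshtein(d, t) <= 1 {
			return Lookalike
		}
	}
	return External
}

// senderDomain extracts the domain from a From header such as
// `From: Alice <alice@examp1e.com>` or `From: bob@example.com`.
func senderDomain(fromHeader string) string {
	addr := strings.TrimSpace(strings.TrimPrefix(fromHeader, "From:"))
	if i := strings.LastIndex(addr, "<"); i >= 0 {
		addr = strings.TrimSuffix(strings.TrimSpace(addr[i+1:]), ">")
	}
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

func main() {
	// Constructed sample headers; none of these addresses are real.
	headers := []string{
		"From: Finance <ap@example.com>",
		"From: CEO <ceo@examp1e.com>",
		"From: IT Helpdesk <help@exarnple.com>",
		"From: Payroll <pay@example.com.secure-login.net>",
		"From: newsletter@gmail.com",
	}
	for _, h := range headers {
		d := senderDomain(h)
		fmt.Printf("%-50s %-30s %s\n", h, d, classifyDomain(d))
	}
}
```

A "lookalike" verdict is a reason to quarantine or tag the message for review, not proof of fraud: a genuine partner whose domain sits one edit away from yours will trip it too, which is why the rule belongs in a gateway that can warn the recipient rather than in a silent drop.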
#4. Limit access to sensitive data
A good way to reduce the risk of breaches is to limit the number of employees who can reach high-risk information. Define who may carry out which sensitive tasks, and give every account, human or service, only the minimum permissions it needs to do its job. This is the principle of least privilege (POLP). Policies can be set per user or role, per process, per file type or location, per time of day and similar parameters, and they should default to deny: anything not explicitly granted is refused. Review grants regularly, because privileges accumulate as people change roles.
Additionally, companies can adopt a 'Zero Trust' security policy. This model is based on the principle 'never trust, always verify': being inside the corporate network earns a request nothing. Every request, wherever it comes from, must be authenticated, authorized against the policy and carried over an encrypted connection before access is granted.
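The following is an added example, not part of the original article, showing what a least-privilege policy looks like when written down: an allow-list evaluated per request on role, action, file pattern and time of day, with default deny for everything else. The roles, file paths and requests are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
)

// Rule grants one action on resources matching a path pattern to one
// role, only between StartHour (inclusive) and EndHour (exclusive) on a
// 24-hour clock. Use 0 and 24 for "any time".
type Rule struct {
	Role      string
	Action    string
	Resource  string
	StartHour int
	EndHour   int
}

// Request is what a subject asks to do, plus the context the policy
// decides on.
type Request struct {
	User     string
	Roles    []string
	Action   string
	Resource string
	Hour     int
}

// Policy is an allow-list. There is no "deny" rule type on purpose:
// anything not explicitly granted is refused.
type Policy struct {
	Rules []Rule
}

func hasRole(roles []string, want string) bool {
	for _, r := range roles {
		if r == want {
			return true
		}
	}
	return false
}

// Allow returns the decision and a reason suitable for an audit log.
func (p Policy) Allow(r Request) (bool, string) {
	for _, rule := range p.Rules {
		if !hasRole(r.Roles, rule.Role) || rule.Action != r.Action {
			continue
		}
		if ok, err := path.Match(rule.Resource, r.Resource); err != nil || !ok {
			continue
		}
		if r.Hour < rule.StartHour || r.Hour >= rule.EndHour {
			continue
		}
		return true, fmt.Sprintf("allowed: %s may %s %s between %02d:00 and %02d:00",
			rule.Role, rule.Action, rule.Resource, rule.StartHour, rule.EndHour)
	}
	return false, "denied: no rule grants this request (default deny)"
}

// companyPolicy is a constructed example. Analysts can read finance
// spreadsheets during office hours; only finance-admins can write them;
// nobody can delete them, because no rule says so.
var companyPolicy = Policy{Rules: []Rule{
	{Role: "analyst", Action: "read", Resource: "finance/*.xlsx", StartHour: 8, EndHour: 18},
	{Role: "analyst", Action: "read", Resource: "public/*", StartHour: 0, EndHour: 24},
	{Role: "finance-admin", Action: "read", Resource: "finance/*", StartHour: 0, EndHour: 24},
	{Role: "finance-admin", Action: "write", Resource: "finance/*", StartHour: 6, EndHour: 22},
}}

func main() {
	requests := []Request{
		{User: "alice", Roles: []string{"analyst"}, Action: "read", Resource: "finance/q1.xlsx", Hour: 10},
		{User: "alice", Roles: []string{"analyst"}, Action: "read", Resource: "finance/q1.xlsx", Hour: 23},
		{User: "alice", Roles: []string{"analyst"}, Action: "write", Resource: "finance/q1.xlsx", Hour: 10},
		{User: "alice", Roles: []string{"analyst"}, Action: "read", Resource: "hr/salaries.xlsx", Hour: 10},
		{User: "bob", Roles: []string{"finance-admin"}, Action: "write", Resource: "finance/q1.xlsx", Hour: 10},
		{User: "bob", Roles: []string{"finance-admin"}, Action: "delete", Resource: "finance/q1.xlsx", Hour: 10},
	}
	for _, r := range requests {
		ok, why := companyPolicy.Allow(r)
		fmt.Printf("%-6s %-6s %-20s %02d:00 -> %v (%s)\n", r.User, r.Action, r.Resource, r.Hour, ok, why)
	}
}
```

The reason string is the part worth keeping in production: logging why each request was allowed or refused is what makes the periodic access review in the text possible, and an unexplained "denied" is what tempts administrators to hand out broad roles to make errors go away.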
#5. Use multi-factor authentication
Nearly everyone is aware of multi-factor authentication. This method of protection backs up a single form of authentication (for example a password) with at least one more: something you have, such as a code from an authenticator app, a hardware security key or a smart card, or something you are, such as a fingerprint. Not all second factors are equal. Codes sent by SMS can be intercepted or phished, and an attacker who relays a fake login page in real time can capture an app-generated code too; phishing-resistant methods such as FIDO2 security keys bind the login to the genuine site and defeat that attack.
#6. Install anti-virus software
With many forms of cyberattack the end goal is to install some form of malware on the victim’s computer or network. The best defence is to avoid falling for the criminal’s scam in the first place. But if malware is installed, anti-virus solutions can prevent, detect and remove it.
#7. Encrypt sensitive data
Every day seems to bring news of cyberattackers stealing sensitive data, from email passwords to financial credentials. There is one obvious mitigation: encrypt sensitive data both at rest (on disks, in databases and in backups) and in transit (with TLS or a VPN). Encryption turns readable data into ciphertext that is useless without the decryption key, so a stolen disk or an intercepted connection yields nothing. The protection is only as good as the key management, though: keep keys separate from the data they protect, restrict which people and systems can use them, and prefer authenticated encryption so that tampering with stored data is detected rather than silently decrypted.
#8. Avoid public Wi-Fi
As 'bring your own device' has become commonplace, more and more employees are connecting their laptops to public Wi-Fi networks. This is risky: anyone else on the network, or whoever runs the access point, can watch and tamper with unencrypted traffic. Avoid it where you can. If there is no alternative, users should at least connect via a Virtual Private Network (VPN). A VPN encrypts the traffic between the device and the VPN gateway, so the coffee shop cannot read or alter it; beyond the gateway the usual protections, HTTPS and the corporate firewall, still have to do their job.
#9. Set up boundary firewalls and internet gateways
It is critical to combine staff education and good practices with solid technical protections. The IT department should therefore establish network perimeter defences, particularly web proxies, web filtering, content checking and firewall policies. These defences block access to known malicious domains, maintain a list of known bad websites and can stop users' computers from communicating directly with the Internet, forcing all traffic through a gateway that inspects it. The perimeter is not the whole story, though: laptops travel and cloud services sit outside it, which is why the access controls in #4 matter as much as the firewall.
#10. Do regular audits
A cybersecurity audit is an in-depth review of an organization’s security measures. It should reveal all potential risks and detail the policies, procedures and controls in place to manage these risks effectively. Enterprises should carry out audits regularly. Why? Because new threats are emerging all the time. And so is regulation. Having no audit plan not only increases exposure to new attacks, but also to fines, legal action, and reputational damage.