Last updated May 2023
Big walls and metal detectors are no longer enough to defend a company from intruders. Today's attackers come from cyberspace. To protect themselves from attacks, enterprises need comprehensive cybersecurity policies. Let's explore the essentials…
Remember when company security used to mean a burly human being with a name badge – and possibly a hat?
That was long ago. Today, defending a physical building from intruders is still necessary. However, the bigger worry is the growing army of cyber criminals who try to bypass defences via underground wires and Wi-Fi.
The Rise of Cybercrime: Understanding the Financial and Operational Impacts
From the bad actors' point of view, cybercrime makes much more sense than a physical raid. There's no physical danger. And the rewards are huge. This is why, every year, the number of attacks grows.
The FBI's 2021 Internet Crime Study, for example, reported 847,376 complaints in the US alone. That's a seven per cent increase from 2020.
Meanwhile, the Anti-Phishing Working Group found that in Q1 2022 there were 1,025,968 attacks: the worst quarter for phishing to date.
The financial impact is growing, too. In 2022, the average cost of these attacks reached $4.35 million – up 2.6 per cent on the previous year, according to IBM's Cost of a Data Breach Report. It said the cost of different types of attack was as follows:
- Phishing: $4.91 million
- Business email compromise: $4.89 million
- Vulnerability in third-party software: $4.55 million
- Stolen or compromised credentials: $4.50 million
- Malicious insider: $4.18 million
Thanks to the huge potential rewards of cybercrime, attackers are continually modifying their methods – and looking for new attack surfaces to target. In 2023, for example, analysts expect them to turn their attention to new 5G networks and use AI to develop alarming new deepfake scams.
But against this, cybersecurity experts are developing new tools to repel attacks. Meanwhile, there's a growing awareness of the importance of education. This is because most attacks are not especially technical. Instead, they rely on social engineering – fooling employees/consumers into volunteering sensitive information.
Cybersecurity in Action: Best Practices for Businesses
So, with this in mind, let's explore ten best practices that every business should adopt to protect itself from cyberattacks.
#1. Use complex passwords – and change them frequently
Cyberattackers have many tools to help them guess passwords. People regularly post their birthdays and their pets' names on social media. If the fraudsters can't guess, they can always use a brute-force attack to try millions of combinations. So make it as difficult as possible for them. Use a long and complex password with a variety of uppercase and lowercase letters, as well as numbers and special characters. Avoid common words. Maybe try a password manager. Please don't use the same password for all your accounts, and change them regularly.
#2. Make prompt security updates
Modern software seems to require updates all the time. These updates contain critical security patches, fixing vulnerabilities in your software and applications that new cyberattacks exploit. It is tempting to hit 'remind me later', but don't: install the update now.
#3. Train your employees
Some of the most damaging attacks are not especially clever or technical. Instead, they rely on spoofing well-meaning employees. For example, an attacker might use a modified company email address (changing the letter l for a number 1, maybe) to pose as a colleague and ask a favour. Consider cybercrime training to make staff aware of these risks.
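One technical control that backs up the awareness training described above is to flag inbound mail whose sender domain merely looks like the company's own. The following is an added example, not code from the original article: it folds common character substitutions (the letter l written as a digit 1, o as 0, rn for m, a Cyrillic lookalike letter) and scores the result against the company domain. The company domain, the sender addresses and the similarity threshold are constructed for the demonstration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Hypothetical company domain used for the demonstration (an assumption).
COMPANY_DOMAIN = "example-corp.com"

# Characters attackers commonly substitute for letters; each is folded onto the
# letter it imitates before the comparison is made.
CONFUSABLES = str.maketrans({
    "1": "l", "|": "l", "!": "l", "0": "o", "3": "e", "5": "s", "$": "s",
    "7": "t", "4": "a", "@": "a", "8": "b", "6": "g", "9": "g", "2": "z",
})


def normalise_domain(domain: str) -> str:
    """Lower-case the domain, drop non-ASCII characters (a Cyrillic lookalike
    letter is removed rather than mapped, which still leaves a near-match the
    similarity score catches) and fold digit/symbol substitutions, so
    'examp1e-c0rp.com' becomes 'example-corp.com'."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return ascii_only.translate(CONFUSABLES)


def sender_domain(address: str) -> str:
    """Return the domain part of 'Name <user@domain>' or a bare address ('' if none)."""
    match = re.search(r"@([^>\s]+)", address)
    return match.group(1) if match else ""


def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN,
                    threshold: float = 0.85) -> str:
    """Return 'internal', 'lookalike' or 'external' for one sender address.

    'lookalike' means the domain is not the company's but becomes identical
    or very similar to it once confusable characters are folded; the
    threshold (constructed value) decides how similar is suspicious."""
    raw = sender_domain(address).lower()
    if not raw:
        return "external"
    if raw == company_domain or raw.endswith("." + company_domain):
        return "internal"
    folded = normalise_domain(raw)
    target = normalise_domain(company_domain)
    if folded == target:
        return "lookalike"  # differs from the real domain only by a known substitution
    similarity = SequenceMatcher(None, folded, target).ratio()
    return "lookalike" if similarity >= threshold else "external"


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    for sample in ("Jane Doe <jane@example-corp.com>", "ceo@examp1e-corp.com",
                   "it-support@exarnple-corp.com", "supplier@acme-widgets.net"):
        print(f"{sample:40} -> {classify_sender(sample)}")
```

A mail gateway would typically add a visible banner to anything classified as 'lookalike' rather than drop it, since legitimate partner domains can also score high; the folding step is deliberately aggressive, so treat the result as a prompt for the recipient, not a verdict.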
#4. Limit access to sensitive data
A good way to reduce the risk of breaches is to limit the number of employees who can access high-risk information. One method is 'access control and key management'. This determines how many employees can carry out sensitive tasks and gives every employee only the minimum permissions they need to do their work. It is called the principle of least privilege (POLP). Companies can set POLP policies by user, process, file type, time of day and other parameters.
Additionally, companies can adopt a 'Zero Trust' security policy. This model is based on the principle of 'trust no one, verify everywhere'. It assumes every request must be authenticated, authorized and encrypted before access is granted.
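The two paragraphs above describe least privilege in terms of parameters (user, process, file type, time of day) and a default of trusting nothing. The following is an added example, not code from the original article: a small default-deny policy evaluator in which access is granted only when an explicit rule matches every one of those parameters. The user names, file paths, process names and working hours in the policy are invented for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One explicit grant. Anything that no rule matches is denied (default deny)."""
    user: str                  # user name, or '*' for any user
    action: str                # 'read', 'write', 'export', ...
    path_glob: str             # file pattern the grant covers, e.g. 'payroll/*.csv'
    process: str = "*"         # process allowed to issue the request, or '*'
    start: time = time(0, 0)   # earliest time of day the grant applies (inclusive)
    end: time = time(23, 59)   # latest time of day the grant applies (inclusive)


@dataclass(frozen=True)
class Request:
    """One access request as seen by the policy engine."""
    user: str
    action: str
    path: str
    process: str
    at: time


def evaluate(request: Request, policy: list[Rule]) -> tuple[bool, str]:
    """Return (allowed, reason). Only an explicit rule matching user, action,
    path, process and time of day grants access; everything else is denied."""
    for rule in policy:
        if rule.user != "*" and rule.user != request.user:
            continue
        if rule.action != request.action:
            continue
        if not fnmatchcase(request.path, rule.path_glob):
            continue
        if not fnmatchcase(request.process, rule.process):
            continue
        if not (rule.start <= request.at <= rule.end):
            continue
        return True, f"granted by rule {rule.user}:{rule.action}:{rule.path_glob}"
    return False, "no matching rule (default deny)"


# Constructed policy for the demonstration: names, paths and hours are invented.
POLICY = [
    # payroll clerk may read payroll files, only through the HR application, only in office hours
    Rule("alice", "read", "payroll/*.csv", process="hr-portal", start=time(8, 0), end=time(18, 0)),
    # payroll manager may also write them, under the same conditions
    Rule("carol", "write", "payroll/*.csv", process="hr-portal", start=time(8, 0), end=time(18, 0)),
    # anyone may read the public folder at any time from any process
    Rule("*", "read", "public/*"),
]


if __name__ == "__main__":
    samples = [
        Request("alice", "read", "payroll/march.csv", "hr-portal", time(10, 30)),  # allowed
        Request("alice", "read", "payroll/march.csv", "hr-portal", time(23, 0)),   # out of hours
        Request("alice", "write", "payroll/march.csv", "hr-portal", time(10, 30)), # wrong action
        Request("alice", "read", "payroll/march.csv", "curl", time(10, 30)),       # wrong process
        Request("bob", "read", "payroll/march.csv", "hr-portal", time(10, 30)),    # no grant
        Request("bob", "read", "public/handbook.pdf", "browser", time(3, 0)),      # allowed
    ]
    for req in samples:
        allowed, reason = evaluate(req, POLICY)
        print(f"{req.user:6} {req.action:5} {req.path:22} {req.process:10} {req.at} -> {allowed} ({reason})")
```

Every decision carries a reason string so the same function can feed an audit log: a denied request shows up as a default-deny entry, and an allowed one names the rule that granted it, which is what an auditor later needs to see.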
#5. Use multi-factor authentication
Nearly everyone is aware of multi-factor authentication. This protection method backs up a single form of authentication (for example, a password) with others (such as a text passcode, biometrics, or even the insertion of a physical key card).
#6. Install anti-virus software
With many forms of cyberattacks, the goal is to install some form of malware on the victim's computer or network. The best defence is to avoid falling for the criminal's scam in the first place. But if malware is installed, anti-virus solutions can prevent, detect and remove it.
#7. Encrypt sensitive data
Every day seems to bring news of cyberattackers stealing sensitive data – from email passwords to financial credentials. One obvious mitigation here is to encrypt all sensitive data, whether at rest or in motion. Encryption converts data into ciphertext, a scrambled form that can only be read by someone holding the decryption key.
#8. Avoid public Wi-Fi
As 'bring your own device' has become commonplace, more and more employees are connecting their laptops to public Wi-Fi networks. This is highly risky and should be avoided. But if there is no alternative, users can at least connect via a Virtual Private Network (VPN). When you use a VPN, your internet traffic is encrypted between your device and the VPN server, so anyone on the public network who intercepts it cannot read it.
#9. Set up boundary firewalls and internet gateways
Combining staff education and good practices with solid technical protections is critical. The IT department should, therefore, establish network perimeter defences, particularly web proxy, web filtering, content checking and firewall policies. These defences will block access to known malicious domains, maintain a list of known bad websites and even prevent users' computers from communicating directly with the Internet.
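The known-bad-domain check that the paragraph above assigns to the web proxy is straightforward to express in code. The following is an added example, not code from the original article: a gateway decision function that blocks a destination if it or any parent domain is on the blocklist, or if the request goes to a raw IP address (which would sidestep name-based filtering), run over a few constructed proxy log lines. The blocklist entries, the log format and the client addresses are invented placeholders under the reserved .example domain.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist of known-bad domains: placeholder names, not real indicators.
BLOCKLIST = {"malware-download.example", "phish-login.example"}


def host_in_blocklist(host: str, blocklist: set[str]) -> bool:
    """True if the host or any parent domain is listed. Matching is done on
    label boundaries, so 'cdn.phish-login.example' is caught while the
    unrelated 'notphish-login.example' is not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals such as 203.0.113.5 or 2001:db8::1."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(url: str, blocklist: set[str] = BLOCKLIST) -> tuple[str, str]:
    """Gateway decision for one outbound request: ('BLOCK', reason) or ('ALLOW', '')."""
    host = urlsplit(url).hostname or ""   # hostname strips the port and lower-cases
    if not host:
        return "BLOCK", "unparseable destination"
    if is_ip_literal(host):
        return "BLOCK", "raw IP destination bypasses name-based filtering"
    if host_in_blocklist(host, blocklist):
        return "BLOCK", "destination is on the known-bad domain list"
    return "ALLOW", ""


def review_log(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Parse constructed log lines of the form 'timestamp client method url'
    and return (client, url, verdict, reason) for each well-formed line."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; a real gateway would log and count these
        _timestamp, client, _method, url = parts[:4]
        verdict, reason = decide(url)
        results.append((client, url, verdict, reason))
    return results


# Constructed sample proxy log (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = [
    "2023-05-02T09:14:03Z 10.0.0.12 GET http://intranet.corp.example/home",
    "2023-05-02T09:14:09Z 10.0.0.12 GET http://cdn.malware-download.example/update.bin",
    "2023-05-02T09:15:44Z 10.0.0.31 POST https://phish-login.example:8443/auth",
    "2023-05-02T09:16:02Z 10.0.0.31 GET http://203.0.113.5/payload",
    "2023-05-02T09:17:30Z 10.0.0.45 GET https://notphish-login.example/",
]


if __name__ == "__main__":
    for client, url, verdict, reason in review_log(SAMPLE_LOG):
        print(f"{verdict:5} {client:10} {url}  {reason}")
```

Blocking raw-IP destinations is the gateway-side counterpart of the paragraph's last point: once the firewall forbids direct egress, every outbound request has to pass through this decision, so the check cannot simply be avoided by skipping DNS.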
#10. Do regular audits
A cybersecurity audit is an in-depth review of an organization's security measures. It should reveal all potential risks and detail the policies, procedures and controls to manage them effectively. Enterprises should carry out audits regularly. Why? Because new threats are emerging all the time. And so is regulation. Having no audit plan increases exposure to recent attacks and fines, legal action, and reputational damage.