31 Business Cybersecurity Advice

Original author: Natasha Aidinyantz
  • Translation
The Internet is constantly growing and improving, so we can now freely communicate with people all over the world. With the spread of Wi-Fi, we began to build devices that also connect to the Internet and transmit data over the network. This is wonderful, but the flip side of the coin is that every person connected to the Internet now has their own networks and their own data, and both can become targets of theft.

We believe that raising awareness of these vulnerabilities and educating the public can make the Internet a slightly safer place. Businesses will find it useful to learn about effective information security measures such as hiring hackers, running phishing simulations for their employees, and taking out cyber insurance policies.

During October, which is celebrated as National Cyber Security Awareness Month, we tweeted one tip each day. Here is the complete selection of 31 tips with additional explanations on how to protect yourself in the current environment.

Basic rules

1. Be careful what you post about yourself and others.

The way you talk about others on the Internet reveals a lot about you. In addition, you can get into legal trouble or even become vulnerable to theft or hacking. People can keep track of what you say on the Internet: if you said you were going on vacation this week, it would be easy for a potential burglar to find your address. You should also be careful not to violate NDAs, employment contracts, and other agreements you have signed. Finally, disclosing someone else's personal information or publicly accusing a person without any evidence may be a violation of the law.

2. Understand what data your company collects - and make sure that it is protected

To keep your business data safe, you must conduct an audit and determine which data is public information (and therefore does not need careful protection), which data is of medium importance, so that a leak would not affect the business much (some security measures should be established for it), and, finally, which data is most important and confidential. A theft of the latter category would greatly affect the business, so it must be protected as reliably as possible, with the most stringent access rights for employees and partners.

3. Use several authentication factors

Authentication is the act of confirming the identity of a user, computer, or other device by comparing the credentials it presents with an existing database of authorized users before allowing access to a system or application. Entering a username and password to access an email account is one example. Instead of relying solely on passwords, which are becoming increasingly unreliable, we recommend using several factors for authentication. These factors are something the user knows (for example, a username and password, or the answer to a secret question), something the user possesses (for example, a digital certificate or smart card), and something the user is, a biometric factor (for example, a fingerprint or face recognition).

4. Enable HTTPS for your site

To enable HTTPS, an SSL/TLS certificate is installed on the server. With the certificate in place, all data exchanged between the browser and the server is encrypted, whether it is personal or financial information entered on a web page or the contents of the pages themselves. This way the information is protected from outsiders (for example, from intruders and state surveillance). SSL certificates can also tie your brand to a website: this lets visitors make sure that the site really belongs to your company and not to a scammer running a phishing site. An EV SSL certificate demonstrates this clearly by coloring the browser's address bar green and showing the name of your company.

5. Use strong and unique passwords. Good password: 34bGUI7&89@)). Bad: 12345 or Eddy1

Many "black" hackers sell the data they obtain from a breach, including information about thousands, if not millions, of users and their passwords. If you use the same password on every account, it is a trivial task for a hacker to gain access to all your systems. Alternatively, a hacker can guess a password by brute force. This is much harder if the password is long, composed of varied characters, and does not contain dictionary words. Use a password manager so that you do not have to remember a unique password for each service.
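As an added illustration (not code from the original post), here is a small Python checker that applies the three criteria above, length, variety of characters, and no dictionary words, to the good and bad examples the tip gives. The minimum length of 12 and the tiny word list are assumptions for the demo; a real deployment would use an organization-wide policy and a full wordlist.

```python
import re

# Constructed mini dictionary for the demo (assumption: the tip names no wordlist).
DICTIONARY_WORDS = {"eddy", "password", "admin", "summer", "welcome", "company"}

# Assumed threshold: the tip only says "long" without giving a number.
MIN_LENGTH = 12


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    patterns = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for p in patterns if re.search(p, password))


def contains_dictionary_word(password: str) -> bool:
    """True if any dictionary word appears inside the password, case-insensitively."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY_WORDS)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    # The examples from the tip itself: one good password, two bad ones.
    for candidate in ("34bGUI7&89@))", "12345", "Eddy1"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```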

6. Update all software

Hackers are always looking for new vulnerabilities in the software your business uses, and finding them can be as easy as finding a path into your Windows network. Software vendors, for their part, work hard to release patches for these vulnerabilities, so it is very important to install updates as soon as they are released.

7. Back up all data

Backups ensure that files can be restored in case of data loss. Always store copies in different, physically separated locations so that attackers cannot gain access to everything at once, and update the backups regularly.

8. Install a firewall on the gateway to the Internet

Firewalls are designed to prevent unauthorized access to a private network. You define a set of rules that determines which traffic is allowed and which is blocked. A good firewall should monitor both inbound and outbound traffic.

Safety Culture at Work

9. Set rules for using your own devices in the workplace

Some companies allow employees to use personal mobile phones for work. This increases productivity and efficiency, but opens up opportunities for attack, as these smartphones can be hacked and used to access your corporate network. The BYOD (Bring Your Own Device) rules will help educate employees about the use of mobile technology and how to reduce the risk of such an attack.

10. Create an incident response strategy

An incident response strategy will help you prepare in advance for an attack. You can never guarantee 100% security, so it’s better to have a backup plan in case you become a victim of a cyber attack. This ensures that you can respond quickly enough and prevent intruders from getting sensitive data. You will have time to warn the press or customers if the attack is stronger than expected. You should also make sure that there is a person in charge to implement the response plan.

11. Train employees in handling passwords

All employees need to be trained in proper password handling, including:

  • Do not write the password down on a piece of paper (it can be stolen).
  • Do not transmit the password over online communication channels unless they are encrypted.
  • Use strong passwords and a corporate password manager.
  • Do not reuse the same password across different company applications or for personal purposes.

12. Make sure employees check for the letter S in HTTPS when browsing the Internet

From time to time, employees will use the corporate IT network to visit sites and register with services for personal or corporate use. Before submitting any information, they should always check for the HTTPS mark in the browser's address bar. If the site is not protected, no information should be sent to it.

Note: It is also important to tell employees about phishing sites (see tip 15 below). There have been cases where scammers used Domain Validated (DV) SSL certificates to make their sites look more real and reliable.

13. Use secure email communications and conduct training on the risks of phishing attacks

Email remains the weak link in cybersecurity, and two of the most important threats are account compromise with data leakage, and phishing. Look for an email protection solution that can encrypt messages in transit and at rest and can verify the origin of messages, so that spotting a fake email becomes a trivial task for an employee and they do not fall victim to phishing. Ease of use for end users is another important factor to consider.

14. Leaders must spread a cybersecurity culture

In all corporate strategies, it is top management who must first accept these changes. If they set an example, then the whole company will follow them.

15. Run phishing simulations to keep employees sharp, in a playful way to keep them engaged

Organize phishing simulation tests to check employee readiness. Run the tests both before and after training on the risks of phishing attacks in order to measure the effect of the training.

Counter Cybercrime

16. Creation of a rapid response team

Although you should always have one main person responsible for following the incident response plan, you will need a team to help them: for example, a PR specialist to publish press releases and deal with the press, and a sales representative to communicate with customers. Depending on the size of your organization and the possible scale of the attack, make sure the right people are on the team.

17. Perform an insider threat analysis

An insider threat analysis will reveal potential threats to your IT infrastructure that come from within your organization. Anyone can pose such a threat: from current and former employees to contractors, vendors, third-party data providers, and partners.

18. Write instructions for quick response

Make sure you are prepared to respond quickly and effectively in the event of a cyber attack. Send the plan to the company employees and appoint a person responsible for its implementation.

19. Outline a plan for external communications

The European GDPR requires you to inform the appropriate supervisory authority as soon as you become aware of a breach. The supervisory authority is located in your country and is most likely a government body. You should also plan communications with everyone who might be affected by the incident, including customers, contractors, and employees.

20. Inform staff about the response plan.

Knowing the plan and possible types of attacks will help employees remember their responsibilities to maintain confidentiality and minimize the risk of information leakage.

21. Draw conclusions from past mistakes

After a breach and the incident response that follows, once all the consequences have been dealt with and you can return to normal operation, an audit should be conducted. At this point you can review the current incident response plan and decide whether to change it based on the mistakes made this time. You may need to work with the IT department to change procedures and communications so that the same vulnerabilities are not exploited again.

22. Always assume you are vulnerable: you are never 100% protected

Investing a lot of money and time in an information security strategy does not guarantee that your systems are protected. There will always be a new vulnerability that can be exploited on your network, or a new employee through whom you can be hacked. Always assume that hackers will find a way inside.

The future of information security, privacy and security strategies

23. Insurance for IT infrastructure

Conventional insurance policies usually do not cover data loss; this is where cyber insurance policies come in. Make sure the policy also covers losses from downtime, that is, service outages. In addition, you may incur losses from holding other people's data, or costs for regulatory procedures and breach notifications.

24. Each “thing” (devices, sensors, systems, etc.) must receive an identifier

As faster, more efficient, and more productive systems become available, companies integrate multiple devices and sensors into shared networks that exchange data: this is called Internet of Things (IoT) infrastructure. Within this infrastructure, each "thing" needs an identifier. With unique, strong identifiers, devices can authenticate when they connect to the network and guarantee secure, encrypted communication with other devices, services, and users.

25. Make sure all systems are accessible only through STRONG authentication

Just as you grant access to sensitive data only after "strong" authentication (see tip 3 above), access to the business infrastructure should also be restricted. If you work in a bank, you have to authenticate at several points before you reach the vault, and the same rules apply online. Here you also need to consider role-based access, granting access to critical systems only to certain privileged users.

26. Hire a hacker to work

There are a huge number of hackers in the world who have no intention of breaking the law, stealing your data, and selling it online. They want to help the world. These are the so-called "white" hackers, and every organization should have such a person to stand up to the "black" hackers. As the saying goes, fight fire with fire.

27. Immediately implement data flow control

As technology advances, our data becomes more complex. To keep data under control and avoid leakage, you need to know how it moves throughout the organization and how it moves from the source to the endpoint or user.

28. Use the cloud

Cloud services are a useful tool, especially for small and medium-sized companies that want to put their data under the protection of a large company. When signing up with a cloud provider, it is important to make sure you know everything about it: where its data centers are, where exactly your data is stored, and how you can access it.

Improving the sustainability of critical systems

29. Make sure your network is segmented so that access to one system will not allow access to another

Your entire corporate IT network should not be reachable from a single point, even if "strong" authentication protects that point. If you segment the network, a hacker who gains access to one segment will not be able to control all of them. Segment systems by how important they are to the business, and apply the strictest security to the most critical segments.

30. Stay on top of your industry's standards

Most industries already have a set of standards and best practices to follow for a baseline cybersecurity implementation. For the energy sector there is the NIST Cybersecurity Framework, for the automotive industry the Automotive Cyber Security Best Practices framework, and for the payment card industry the PCI DSS. It is important to keep up with any new standards and make sure you are not hit by fines.

31. Continue to explore new technologies and vendors

Our final tip is to keep abreast of the latest security best practices, providers, vendors, and technologies. Be prepared to update software and adopt new tools and technologies to keep your Internet-facing infrastructure secure.

With these tips, we hope you have come to appreciate the importance of maximum business security. Be aware that a threat can, and more than likely will, come from within the organization rather than from outside. Always assume that you are open to attack, and be ready for what will inevitably happen.

If you are interested in cloud and network PKI and identity management solutions, you can contact GlobalSign, one of the largest certificate authorities in the world, which secures commercial activities and document workflows.

We announce the action “More cyber defense for sports”!

GlobalSign joins the celebration of the most ambitious event of all athletes and football fans - WORLD FOOTBALL CHAMPIONSHIP 2018 and GIVES 1 YEAR OF SSL PROTECTION! *

Promotion conditions:
  • When you purchase any one-year SSL certificate at the DV, OV, or EV level, you receive a second year as a gift.
  • The promotion applies to all sports-related websites.
  • The promotion is valid only for new orders and does not apply to partners.
  • To take advantage of the offer, send a request on the site with the promo code: SL003HBFR.

The promotion will last until July 15, 2018.
You can obtain additional information on the promotion from GlobalSign Russia managers by phone: +7 (499) 678 2210.
MORE PROTECTION with GlobalSign!