COVID-19 has made people acutely aware of the importance of personal hygiene, and we should be equally vigilant when it comes to cyber hygiene.
Cyber attacks are on the rise, meaning businesses of all sizes are vulnerable to attacks like malware and phishing, particularly if businesses aren’t getting the cyber-hygiene basics right.
When it comes to cybersecurity, SME owners and managers often think that all they need to do is deploy the latest technologies. While technology is important, it can be rendered useless without good hygiene habits.
Start by taking these basic but important steps:
- Implement a strong password policy
- Educate employees on cybersecurity risks and threats
- Introduce two-factor authentication (2FA)
There are three additional cyber hygiene practices that can be the difference between secure data and a data breach.
Because new and innovative cyber attacks dominate the headlines, many SME owners and managers focus on protection against the latest threats. However, the majority of attacks use vulnerabilities that have existed in systems for months or years, and rely on users running unpatched systems and/or software.
It’s important to patch regularly, as patch updates address vulnerabilities in systems and provide an added layer of security.
Australian and global legislation, such as Notifiable Data Breaches and the General Data Protection Regulation (GDPR), means organisations of all sizes have data security obligations. As a result, it’s important that all businesses understand the type of information they have and, more importantly, who can access it.
Enabling access controls ensures that only the people who should access information do access it, which reduces the risk of a breach. For example, there’s no need for a car washer to access a car dealership’s customer credit history, but it is necessary for a salesperson who is required to determine someone’s borrowing capabilities.
“Prepare for the worst and hope for the best,” should be your motto.
While no business wants to be the victim of a data breach, it is important organisations have a plan in place should one occur.
In the event of a data breach, time is of the essence, so having a “checklist” is vital. It should cover what the business will communicate to key stakeholders (e.g. customers) and how, and then set out the IT team’s role in minimising damage and ensuring operations can continue.
Unfortunately, incident response is often ad-hoc and this means businesses lack direction during a crisis. A directionless and unprepared approach leads to unnecessary downtime and disruption, a significant cost to the business (according to Gartner, the average cost of IT downtime is $5,600 per minute), not to mention any reputational damage that results.
Practicing cyber hygiene is not the answer to organisational security; it’s the foundation. It’s not recommended that a business implements a cybersecurity strategy without technology; however, it’s crucial that the cyber-hygiene basics are undertaken and consistently upheld alongside any technological investments. Failure to do so can not only lead to data breaches that directly impact the bottom line through lost time, but also see security investments wasted because they weren’t supported by the right practices.
In order to stop COVID-19 we’re encouraged to socially distance and wash our hands; in order to protect against cyberattacks, it’s important to patch, manage access and develop an incident response plan. And that’s just the start.