Throughout October, organisations across Ireland will take part in European Cyber Security Month. The campaign, coordinated by ENISA and the European Commission, provides cyber security tips to raise the public’s awareness of data protection.
With in-person and online events throughout the month, there has never been an easier way to get involved with the campaign. Find out how with our essential cyber security advice.
Cyber security tips for European Cyber Security Month
According to an Aon study, 18% of Irish firms suffered a security incident last year, and more than two-thirds said they plan to invest more in threat prevention.
But what can you do to prevent hackers from infiltrating your systems? There are countless possibilities, but we’ve highlighted ten essential cyber security tips to help you get started.
1. Enforce better password practices
Passwords are the foundation of an organisation’s security practices, but all too often, employees use simple credentials that are easy to guess. Alternatively, they might reuse the same passwords across multiple accounts – meaning a breach of one system could have a domino effect.
If you are to strengthen your organisational security, you must take a more active role in password management. This begins by enforcing rules, such as the minimum password length and guidance on using unique credentials for each account.
Traditional wisdom states that passwords should combine letters, numbers and special characters, but current guidance (NIST SP 800-63B and the NCSC, for example) favours length over forced complexity, screens new passwords against lists of previously breached ones, and drops routine expiry. Complexity rules mostly produce predictable substitutions such as ‘P@ssw0rd1’, which cracking tools try first.
Two creative options are:
Mnemonics, where you take the first letter from each word of a memorable sentence; or
A series of three or four random words.
These are easy to remember and, more importantly, long: four words chosen at random from a large list give roughly 50 bits of entropy, far beyond what online guessing can reach and strong against offline cracking if the service stores passwords with a proper slow hash. The words must genuinely be random, not a favourite phrase or song lyric, which cracking dictionaries already contain. And because nobody can memorise a different passphrase for every account, pair the policy with a password manager; a unique credential per account is what stops a breach at one site being replayed against yours.
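To make the two options concrete, here is an added example (not code from the page) that generates a random-word passphrase with a cryptographic random source, builds a mnemonic from a sentence, compares the entropy of a four-word passphrase with an eight-character random password, and applies the kind of policy described above (minimum length plus a breached-password screen). The word list, the breach list and the minimum length of 12 are constructed assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
	"unicode"
)

// sampleWords is a constructed stand-in for a real passphrase list such as
// the EFF long list (7,776 words). Entropy below is computed from whatever
// list size you pass in, so reason about strength with the real list's size.
var sampleWords = []string{
	"apple", "river", "candle", "orbit", "meadow", "quartz", "velvet", "harbor",
	"pencil", "thunder", "lantern", "copper", "saddle", "walrus", "tundra", "biscuit",
}

// Passphrase picks n words uniformly at random from list using crypto/rand.
// math/rand is predictable and must never be used for credentials.
func Passphrase(list []string, n int, sep string) (string, error) {
	if n < 1 || len(list) < 2 {
		return "", errors.New("need n >= 1 and a list of at least two words")
	}
	words := make([]string, n)
	limit := big.NewInt(int64(len(list)))
	for i := range words {
		idx, err := rand.Int(rand.Reader, limit) // unbiased, unlike x % len(list)
		if err != nil {
			return "", err
		}
		words[i] = list[idx.Int64()]
	}
	return strings.Join(words, sep), nil
}

// EntropyBits is the guessing entropy of n independent uniform choices from
// an alphabet of size symbols: n * log2(symbols). The same formula covers
// words drawn from a list and characters drawn from a character set.
func EntropyBits(symbols, n int) float64 {
	return float64(n) * math.Log2(float64(symbols))
}

// Mnemonic implements the page's first option: the first character of each
// word of a memorable sentence, keeping punctuation that ends a word, so
// "Tuesday!" contributes "T!" and a lone "3" is kept as is.
func Mnemonic(sentence string) string {
	var b strings.Builder
	for _, word := range strings.Fields(sentence) {
		runes := []rune(word)
		b.WriteRune(runes[0])
		if last := runes[len(runes)-1]; len(runes) > 1 && unicode.IsPunct(last) {
			b.WriteRune(last)
		}
	}
	return b.String()
}

// CheckPolicy enforces the two rules the page recommends: a minimum length
// (12 here is an assumed value the page does not state) and a screen against
// passwords seen in previous breaches. No complexity rules, on purpose.
func CheckPolicy(pw string, minLen int, breached map[string]bool) error {
	if len([]rune(pw)) < minLen {
		return fmt.Errorf("shorter than %d characters", minLen)
	}
	if breached[strings.ToLower(pw)] {
		return errors.New("appears in a known breach list; choose another")
	}
	return nil
}

func main() {
	pp, err := Passphrase(sampleWords, 4, "-")
	if err != nil {
		panic(err)
	}
	fmt.Println("passphrase:", pp)
	fmt.Printf("4 words from 7,776: %.1f bits\n", EntropyBits(7776, 4)) // ~51.7
	fmt.Printf("5 words from 7,776: %.1f bits\n", EntropyBits(7776, 5)) // ~64.6
	fmt.Printf("8 chars from 94:    %.1f bits\n", EntropyBits(94, 8))   // ~52.4
	fmt.Println("mnemonic:", Mnemonic("My dog Rex ate 3 socks on Tuesday!"))
	breached := map[string]bool{"password123": true, "summer2024!!": true} // constructed sample
	fmt.Println("policy check:", CheckPolicy("Summer2024!!", 12, breached))
}
```

The entropy comparison is the point worth noticing: four random words from a 7,776-word list are roughly equivalent to eight fully random printable characters, so for anything important ask for five or six words. Those figures only hold when the words are drawn by a random source, not chosen by a person.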
2. Enable multi-factor authentication
MFA (multi-factor authentication) requires users to present two or more independent proofs of identity to access an account: typically a password plus a one-time code from an authenticator app, a push notification, a hardware security key or a biometric check. Codes sent by SMS or email still count, but they are the weakest option, since they can be intercepted or relayed by a phishing page in real time; prefer app-generated codes and, for administrators and other high-value accounts, phishing-resistant methods such as FIDO2 security keys or passkeys.
This mechanism is a cost-effective and robust way to secure corporate accounts, and it adds a second layer of protection in case a user’s password is compromised. Enforce it on every account that can be reached from the Internet (email, VPN, cloud consoles, remote desktop), starting with privileged ones.
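The one-time codes an authenticator app produces are defined by RFC 4226 (HOTP) and RFC 6238 (TOTP). As an added example that is not part of the page, the following implements both and the server-side check a practitioner actually needs: a small clock-drift window, a constant-time comparison, and a record of the last accepted time step so that a code captured by a phishing page cannot be replayed. The seed `12345678901234567890` is the RFC test vector, not a real secret; the window of one step either side is an assumed setting.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamic truncation to 31 bits, then modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from time: floor(t / step).
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verifier is the server side. lastCounter remembers the most recent time
// step already redeemed so a captured code cannot be replayed within the
// acceptance window.
type Verifier struct {
	Secret      []byte
	Step        int64
	Digits      int
	Skew        int // steps of clock drift tolerated on each side
	lastCounter int64
}

func NewVerifier(secret []byte, step int64, digits, skew int) *Verifier {
	return &Verifier{Secret: secret, Step: step, Digits: digits, Skew: skew, lastCounter: -1}
}

// Verify accepts code if it matches the current step or one within Skew
// steps of it, compares in constant time, and refuses any step already used.
func (v *Verifier) Verify(code string, now int64) bool {
	base := now / v.Step
	for d := -int64(v.Skew); d <= int64(v.Skew); d++ {
		counter := base + d
		if counter < 0 || counter <= v.lastCounter {
			continue
		}
		expected := HOTP(v.Secret, uint64(counter), v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = counter
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test seed; real secrets are random per user
	fmt.Println("code at t=59:", TOTP(secret, 59, 30, 8)) // 94287082 per RFC 6238
	v := NewVerifier(secret, 30, 6, 1)
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("fresh code accepted:", v.Verify(code, now))
	fmt.Println("same code replayed: ", v.Verify(code, now))
}
```

Two details matter more than the arithmetic: the replay check, without which a code phished seconds ago is still valid for the rest of the window, and the fact that TOTP is not phishing-resistant at all, since the user will type the code into whatever page asks for it; that is why security keys are preferred for accounts that matter.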
3. Classify your data
Some pieces of data are more important than others, and this is where information classification can help. A classification system helps you identify records that are most in need of protection and where they are located.
A typical system has four tiers:
Confidential (only senior management have access);
Restricted (most managers have access);
Internal (all employees have access); and
Public information (everyone has access).
By labelling your information in this way, you can focus resources on the records that matter most, and the label tells everyone how a record must be handled: where it may be stored, whether it must be encrypted, who it may be shared with and how it is destroyed. ISO 27001’s Annex A includes a control on classification of information (5.12 in the 2022 edition) and a companion control on labelling, and ISO 27002 supplies the implementation guidance.
4. Back up your files
No list of cyber security tips would be complete without a reminder to back up your sensitive data. Businesses can grind to a halt if documents are lost, whether through a ransomware attack, a system failure or human error.
Server-level data should be backed up daily and sensitive records at least weekly (more often if your recovery point objective demands it), and at least one copy should be kept offline or in immutable storage so that ransomware which reaches the live systems cannot encrypt or delete the backups as well. A backup that has never been restored is only a hope: test restores regularly and verify the restored files against a checksum manifest taken at backup time. For more structure, ISO 27017, a supplementary standard in the ISO 27000 family that focuses on cloud security, extends ISO 27001 with cloud-specific guidance, including on backups.
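As an added example (not the page’s own material), the following shows the restore check described above: it copies a directory tree to a backup location, records a SHA-256 manifest of what was backed up, and later verifies a restored tree against that manifest, reporting files that are missing, corrupted or unexpected. The directories and file contents in `main` are constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest walks root and returns relative path -> SHA-256 of the contents.
func Manifest(root string) (map[string]string, error) {
	m := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Backup copies every file under src into dst and returns the manifest of
// src taken at the time of the copy. Keep that manifest with the offline
// copy: it is what lets you prove later that a restore produced exactly
// what was backed up.
func Backup(src, dst string) (map[string]string, error) {
	manifest, err := Manifest(src)
	if err != nil {
		return nil, err
	}
	for rel := range manifest {
		data, err := os.ReadFile(filepath.Join(src, filepath.FromSlash(rel)))
		if err != nil {
			return nil, err
		}
		target := filepath.Join(dst, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
			return nil, err
		}
		if err := os.WriteFile(target, data, 0o600); err != nil {
			return nil, err
		}
	}
	return manifest, nil
}

// VerifyRestore compares a restored tree against the manifest and returns
// one line per problem (sorted for stable reports). An empty result means
// the restore test passed.
func VerifyRestore(manifest map[string]string, restored string) ([]string, error) {
	actual, err := Manifest(restored)
	if err != nil {
		return nil, err
	}
	var problems []string
	for rel, want := range manifest {
		got, ok := actual[rel]
		switch {
		case !ok:
			problems = append(problems, "missing: "+rel)
		case got != want:
			problems = append(problems, "corrupted: "+rel)
		}
	}
	for rel := range actual {
		if _, ok := manifest[rel]; !ok {
			problems = append(problems, "unexpected: "+rel)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

func main() {
	src, _ := os.MkdirTemp("", "live")
	dst, _ := os.MkdirTemp("", "backup")
	defer os.RemoveAll(src)
	defer os.RemoveAll(dst)
	os.MkdirAll(filepath.Join(src, "hr"), 0o700)
	os.WriteFile(filepath.Join(src, "hr", "payroll.csv"), []byte("constructed sample\n"), 0o600)
	manifest, err := Backup(src, dst)
	if err != nil {
		panic(err)
	}
	problems, _ := VerifyRestore(manifest, dst)
	fmt.Println("restore test problems:", problems) // []
	os.WriteFile(filepath.Join(dst, "hr", "payroll.csv"), []byte("tampered\n"), 0o600) // simulate silent corruption
	problems, _ = VerifyRestore(manifest, dst)
	fmt.Println("after corruption:", problems) // [corrupted: hr/payroll.csv]
}
```

In a real deployment the copy step is your backup tool and the manifest is signed or stored somewhere the backup job cannot overwrite; the verify step is the part most organisations skip, and it is the only way to find out before an incident that a backup is incomplete or was encrypted along with everything else.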
5. Create a business continuity plan
A business continuity plan (BCP) is another great way to support your organisation in the event of a cyber security incident. The plan helps you identify scenarios that could cause disruption, such as:
Natural disasters; and
The plan outlines specific ways that operations might be disrupted in each of those scenarios and lists the temporary measures, the people responsible for them and the recovery time objectives that keep the business running while systems are restored. Exercise it at least annually: a plan that has never been rehearsed rarely survives a real incident.
6. Encrypt your data
Data encryption describes the process of encoding files so that only authorised personnel can read them. You might think that encryption should be reserved for highly classified information, but encrypting and decrypting data is so straightforward, with many systems enabling it by default, that it is recommended in most scenarios.
It’s particularly useful for data in transit, such as email attachments, and for data that leaves the building on removable media or laptops. Unencrypted, that information is exposed to anyone who intercepts the connection or picks up the device; encrypted, a stolen file is unreadable without the key. Use authenticated encryption (AES-GCM or ChaCha20-Poly1305) so that tampering is detected as well as prevented, and keep the key away from the data it protects: for an email attachment that means the recipient’s key, not a password sent in the same message. Encryption does not, however, stop business email compromise; an attacker who talks a staff member into paying a fraudulent invoice never needs to read an encrypted file, so that threat is addressed by process controls and training.
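To show what “authenticated encryption” buys you, here is an added example (not code from the page) that encrypts a file’s contents with AES-256-GCM, binds the file name to the ciphertext as associated data, and demonstrates that a tampered copy, the wrong key or a swapped file name are all rejected rather than decrypted to garbage. The key is generated at random here; the payroll text and file name are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. In practice the key lives in a key
// manager or is derived from a passphrase with a slow KDF; it is never
// stored next to the files it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM; the output is nonce || ciphertext || tag.
// aad is authenticated but not encrypted: binding the file name to the blob
// stops an attacker swapping the contents of two encrypted files.
// The 96-bit nonce is random, so rotate the key long before 2^32 messages
// to keep nonce reuse under one key out of reach.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to the nonce, ciphertext, tag or aad
// makes gcm.Open fail, so a tampered or truncated file is rejected outright.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	name := []byte("payroll-q3.csv")                        // constructed sample file name
	report := []byte("employee,salary\nA. Example,48000\n") // constructed sample contents
	blob, err := Encrypt(key, report, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext contains plaintext:", bytes.Contains(blob, report)) // false
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Decrypt(key, tampered, name)
	fmt.Println("tampered copy rejected:", err != nil) // true
	_, err = Decrypt(key, blob, []byte("expenses.csv"))
	fmt.Println("renamed file rejected:", err != nil) // true
}
```

The failure cases are the lesson: with a plain block cipher mode a flipped byte would decrypt to subtly altered data, whereas GCM refuses it, and the associated data means an attacker who can rename files on a share cannot pass one employee’s encrypted record off as another’s.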
7. Use a VPN
VPNs (virtual private networks) are essential in modern hybrid working environments. We often overlook the security risks of remote work, but with every employee using their own personal Internet connection – and sometimes relying on public networks – it’s much harder to monitor network traffic and prevent hackers from compromising your systems.
With a VPN, the organisation can extend the office network’s protections to remote devices by creating an encrypted ‘tunnel’ between the employee’s device and the corporate VPN gateway. Traffic inside the tunnel is protected from anyone on the home or public network trying to intercept it, and remote workers can reach internal systems as if they were in the office. Two caveats apply. The encryption is not end-to-end: it ends at the gateway, so traffic onward to the Internet or to internal servers is only as protected as it would be from the office. And the tunnel brings the remote device inside the perimeter, so protect VPN logins with MFA, keep the gateway itself patched (VPN appliances are a favourite target for exploitation), and give VPN users only the network access their role needs rather than the whole flat network.
8. Educate your employees
Did you know that 74% of data breaches involve the human element, whether error, misuse or falling for social engineering? Whether employees fall for phishing scams, misconfigure databases or accidentally throw away sensitive data, they pose a massive security risk. Although technological solutions, such as those we’ve discussed here, can help, the most important thing you can do is to teach employees to avoid costly mistakes and to make reporting them easy and blame-free, because a phishing click reported within minutes is an incident, while one hidden for a week is a breach.
Regular staff awareness training programmes are a great place to start, but you should support those lessons by building a culture of effective information security. You might, for instance:
Remind your teams about best practices in meetings;
Explain why your policies and processes are in place;
Reward them for responsible behaviour; and
Put up posters around the office with information security tips.
9. Implement access controls
Access controls protect sensitive data, such as payroll records and intellectual property, that should only be available to certain employees. Start by identifying which folders, systems and datasets each job role needs, grant access to roles rather than to individuals, and deny everything that is not explicitly granted (the principle of least privilege). Then keep it that way: review who holds what access periodically and remove access promptly when someone changes role or leaves, since access that accumulates over years of job moves is one of the commonest findings in audits and breach investigations.
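As an added example that is not part of the page, the following sketches a role-based access control model of the kind described: roles carry permissions on resources, users carry roles, every check is deny-by-default, and there is a query for the access-review question “who can read payroll?” together with revocation when someone moves role. The roles, users and resources are constructed samples.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is one allowed action on one resource (a folder, system or dataset).
type Permission struct {
	Resource string
	Action   string
}

// RBAC maps job roles to permissions and users to roles. Every lookup is
// deny-by-default: a user with no roles, or a role with no grant for the
// resource and action asked about, gets nothing.
type RBAC struct {
	rolePerms map[string]map[Permission]bool
	userRoles map[string]map[string]bool
}

func NewRBAC() *RBAC {
	return &RBAC{
		rolePerms: map[string]map[Permission]bool{},
		userRoles: map[string]map[string]bool{},
	}
}

// Grant lets everyone holding role perform action on resource.
func (r *RBAC) Grant(role, resource, action string) {
	if r.rolePerms[role] == nil {
		r.rolePerms[role] = map[Permission]bool{}
	}
	r.rolePerms[role][Permission{resource, action}] = true
}

// Assign gives user a role; Revoke takes it away (mover/leaver handling).
func (r *RBAC) Assign(user, role string) {
	if r.userRoles[user] == nil {
		r.userRoles[user] = map[string]bool{}
	}
	r.userRoles[user][role] = true
}

func (r *RBAC) Revoke(user, role string) {
	delete(r.userRoles[user], role)
}

// Allowed is the enforcement point: true only if some role the user holds
// carries exactly this permission.
func (r *RBAC) Allowed(user, resource, action string) bool {
	for role := range r.userRoles[user] {
		if r.rolePerms[role][Permission{resource, action}] {
			return true
		}
	}
	return false
}

// WhoCan answers the access-review question "who can do X to Y?", sorted so
// the report is stable from one review to the next.
func (r *RBAC) WhoCan(resource, action string) []string {
	var users []string
	for user := range r.userRoles {
		if r.Allowed(user, resource, action) {
			users = append(users, user)
		}
	}
	sort.Strings(users)
	return users
}

// SampleRBAC is a constructed example: HR staff maintain payroll, managers
// may read it, engineers work on source code, and nobody else sees either.
func SampleRBAC() *RBAC {
	r := NewRBAC()
	r.Grant("hr", "payroll", "read")
	r.Grant("hr", "payroll", "write")
	r.Grant("manager", "payroll", "read")
	r.Grant("engineer", "source", "read")
	r.Grant("engineer", "source", "write")
	r.Assign("alice", "hr")
	r.Assign("bob", "engineer")
	r.Assign("carol", "manager")
	r.Assign("carol", "engineer")
	return r
}

func main() {
	r := SampleRBAC()
	fmt.Println("bob reads payroll:", r.Allowed("bob", "payroll", "read"))   // false
	fmt.Println("carol writes payroll:", r.Allowed("carol", "payroll", "write")) // false
	fmt.Println("who can read payroll:", r.WhoCan("payroll", "read"))      // [alice carol]
	r.Revoke("carol", "manager") // carol moves to a pure engineering post
	fmt.Println("after carol's move:", r.WhoCan("payroll", "read"))        // [alice]
}
```

The `WhoCan` query is the part to keep: periodic access reviews are easy when the system can list exactly who can reach a sensitive resource, and nearly impossible when permissions are scattered across individual accounts.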
10. Perform a risk assessment
An information security risk assessment is essentially an audit of your organisation that provides a real-world look at the ways that a cyber security incident might occur, and it helps you answer these questions:
Under what scenarios are we under threat?
How damaging would each of these scenarios be?
How likely is it that these scenarios will occur?
By answering these questions, you’ll understand which risks you should be most concerned about and be able to prioritise your resources appropriately: risks above the level your organisation is prepared to tolerate are treated with new controls, transferred (for instance through insurance) or avoided, while those below it are accepted and monitored. Record the decisions in a risk register and revisit it when systems, suppliers or threats change.
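To show how the three questions turn into a priority order, here is an added example (not the page’s own method) of a minimal risk register: each scenario is scored on likelihood and impact, ranked by their product, and compared with a risk appetite to decide whether it must be treated. The 1 to 5 scales, the appetite of 8 and the scenarios themselves are constructed assumptions; real assessments also record owners, existing controls and residual risk.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Risk is one row of a register, answering the page's three questions:
// the scenario, how likely it is and how damaging it would be, each on a
// 1 (low) to 5 (high) scale. The scale is an assumption for this example.
type Risk struct {
	Scenario   string
	Likelihood int
	Impact     int
}

func (r Risk) Validate() error {
	if r.Scenario == "" {
		return errors.New("scenario must be named")
	}
	if r.Likelihood < 1 || r.Likelihood > 5 || r.Impact < 1 || r.Impact > 5 {
		return fmt.Errorf("%q: likelihood and impact must be 1..5", r.Scenario)
	}
	return nil
}

// Score is the classic likelihood x impact product (1..25).
func (r Risk) Score() int { return r.Likelihood * r.Impact }

// Rank returns a copy sorted highest score first. Ties go to the higher
// impact: a rare but catastrophic event usually deserves attention before a
// frequent nuisance with the same product.
func Rank(risks []Risk) ([]Risk, error) {
	for _, r := range risks {
		if err := r.Validate(); err != nil {
			return nil, err
		}
	}
	out := append([]Risk(nil), risks...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Score() != out[j].Score() {
			return out[i].Score() > out[j].Score()
		}
		return out[i].Impact > out[j].Impact
	})
	return out, nil
}

// Treatment compares a score with the organisation's risk appetite: above
// it the risk must be treated, transferred or avoided; at or below it the
// risk can be accepted and monitored.
func Treatment(score, appetite int) string {
	if score > appetite {
		return "treat"
	}
	return "accept"
}

// SampleRegister is a constructed set of scenarios for the example.
func SampleRegister() []Risk {
	return []Risk{
		{"Flood at data centre", 1, 5},
		{"Unencrypted laptop lost", 3, 3},
		{"Misdirected email with personal data", 5, 2},
		{"Phishing leads to credential theft", 4, 4},
		{"Insider misuse of admin rights", 2, 5},
		{"Ransomware on file servers", 3, 5},
	}
}

func main() {
	const appetite = 8 // assumed value for the example
	ranked, err := Rank(SampleRegister())
	if err != nil {
		panic(err)
	}
	for _, r := range ranked {
		fmt.Printf("%2d  %-8s %s\n", r.Score(), Treatment(r.Score(), appetite), r.Scenario)
	}
}
```

Scoring is only as good as the estimates behind it; the value of the exercise is that it forces each likelihood and impact to be argued for and written down, so that next year’s review can see what changed.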
Looking for more cyber security tips?
The advice we’ve listed here forms a solid foundation for organisational security, but there are endless possibilities for strengthening your defences. Those who want more cyber security tips should consult ISO 27001.
We’ve referenced it throughout this article, and it’s no wonder. The international standard provides comprehensive advice on implementing an information security management system. Its framework covers everything from technical controls and processes to staff awareness training and risk assessments.
You might also consider certifying to the Cyber Essentials scheme. It’s a security framework built around five technical controls that, according to the NCSC, protect against around 80% of common cyber attacks.
Cyber Essentials offers guidance on:
Firewalls and router protection;
Secure configuration;
Security update (patch) management;
User access control; and
Malware protection.
Those looking for more rigorous assurance would be better suited to Cyber Essentials Plus. Where the basic scheme is a self-assessment, Plus adds an independent technical audit, an external vulnerability assessment and additional tests to confirm that the five controls are actually in place and working, rather than merely declared.
Learn more about Cyber Essentials certification.