They're obvious to some, but not everyone takes these precautions.
Over the last year or so, I've been covering a number of information security, or infosec, events. And I keep hearing the same two messages. The amount of money being spent on security is increasing. The cost and impact of breaches is increasing even more rapidly.
In other words, we're spending more and losing more. What can we do?
If you want to reduce the risk of your systems being accessed by unauthorised parties, and limit the damage when they are breached, there are a few things you can do.
1. Don’t open links in email
The word is that the eBay hack reported last week started when some eBay staff members were duped into opening links in phishing emails. As a result, their user credentials were captured and the bad guys used those credentials to access the records of over 140 million eBay users. If an email asks you to log in to something, type the site's address into your browser yourself rather than following the link.
2. Use complex passwords
Every year, there's a report in the papers telling us that "123456" and "password" are still the most common passwords.
Seriously, use complex passwords that combine upper and lower case letters, numbers and symbols. Length matters more than any single composition rule, and a password reused across sites is weak however complex it is, so use a different one for each account (a password manager makes that practical).
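As an added example (not part of the original column), here is a small Python checker that applies the composition rule above and then shows why it is not enough on its own: it also enforces a minimum length and rejects passwords built on a commonly leaked one, even when the letters have been swapped for look-alike symbols. The common-password list and the 12-character minimum are constructed assumptions for illustration; a real check would use a full breach corpus and your own policy.

```python
import string

# Constructed sample of commonly leaked passwords for illustration only.
# A real check would use a full corpus such as a breached-password list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "welcome1", "iloveyou", "monkey",
}

MIN_LENGTH = 12  # assumed policy minimum; adjust to your own standard

# Common look-alike substitutions ("P@ssw0rd"), undone before comparing.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                      "$": "s", "5": "s", "4": "a", "7": "t"})


def has_all_character_classes(password: str) -> bool:
    """The composition rule: upper, lower, digit and symbol all present."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def normalise(password: str) -> str:
    """Lower-case and undo leetspeak so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET)


def built_on_common_password(password: str) -> bool:
    """True if a known-bad password survives inside the normalised candidate."""
    norm = normalise(password)
    return any(normalise(common) in norm for common in COMMON_PASSWORDS)


def password_problems(password: str) -> list[str]:
    """Return every reason the password should be rejected; empty means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not has_all_character_classes(password):
        problems.append("missing upper/lower/digit/symbol")
    if built_on_common_password(password):
        problems.append("built on a common password")
    return problems


if __name__ == "__main__":
    # "P@ssw0rd1!" satisfies the composition rule but is still a bad password.
    for candidate in ("password", "P@ssw0rd1!", "Correct-Horse-Battery-7"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

The point of the third check is that attackers' wordlists already contain the symbol-for-letter variants of every common password, so a policy that stops at "has a symbol and a digit" accepts exactly the passwords that are cracked first.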
3. Keep systems up to date
Those security updates that Microsoft, Apple and others release periodically are important. Many of the systems that are breached are attacked through vulnerabilities that the software companies have fixed and issued patches for.
Update your server and desktop systems regularly.
4. It's not about viruses any more
Most successful attacks on systems start by compromising people, not software. Although viruses are still out there, the broader category of malware (a portmanteau of malicious software) covers anything that arrives through installing dodgy software, visiting dodgy websites or opening untrusted email attachments.
That means your most important line of defence isn’t security software – it's educating your staff. Remember, prevention is the best cure.
5. Practice your breach procedures
You've got some breach procedures written down, haven't you? Things like how to recover data from backups, who to notify if your systems are compromised (customers, suppliers, business partners, service providers) and how you will keep working if your IT systems are offline for a few days.
Think about what would happen if your main systems were offline for an hour, day or week and put in place plans for each situation. You might not be able to trade as normal but see if there are ways that will let you keep operating, even if only in a limited way.
The trouble with listening to specific security vendors is that they focus on the problems their solutions solve. But your business needs to think of all the potential risks and actions.
This is where the security industry is letting us down. Their focus is on point solutions. But by looking at how your business runs and how you can work around the loss or compromise of a system you can reduce the risk of your business being crippled if a key system is compromised.