As human beings living and working in a digital world, our lives have become increasingly internet-facing. Whether you are logging on to a cloud-based corporate network or making a private mobile banking transaction, you are exposing yourself – identity and data – to the internet. Whilst the internet has brought almost incalculable benefits to the global population and business, threats from malware attacks remain.
The good news is that the tech industry has responded to these threats and a whole new IT security market has grown up to manage the risk and protect data, corporate networks and your devices. If you go back five years, malware was commonplace across the business world. Malware protection technology has come a long way and today, the focus of criminal activity is more about taking advantage of people and processes, as opposed to security vulnerabilities in software and technology.
Carefully designed phishing and fraudulent emails can still bypass the strongest of email filters. The strategies behind these emails are constantly adapting. For example, if someone you deal with every day has their email account compromised, your email filters will have no reason to block emails from this source.
Cyber Security and Cloud
Whilst better safeguarding against malware is positive news, and email/web filtering is proven to be highly effective, the migration of business applications to the cloud has opened up new hazards. Cloud systems are 100 per cent internet-facing compared to traditional on-premise IT systems.
Fortunately, there is now a powerful combination of tech, telecoms, software and cloud services to protect cloud-based enterprises from malware attacks. However, this has made criminals more creative: they are constantly looking for ways, beyond technology, to access company networks, people, data, customers and suppliers.
They have shifted their focus onto HUMANS, the processes they follow and their behaviour patterns. They look for any opportunity to deceive or trick the end user to ‘let them in’. We all know not to open an email or text message from an unfamiliar name or number. But it is much harder to identify a remarkably realistic supplier invoice from a recognised address or an email seemingly from another employee or even a director!
Implementing a Cyber Security Solution
It’s clear that all businesses need to have a digital security strategy in place to protect themselves. The basics include:
- implementing the right security software and configuration
- ensuring regular software upgrades happen
- monitoring the network proactively
- planning for replacing old equipment and patching existing hardware
- having recovery and back-up procedures in place
- training staff to follow security processes and be cyber security aware
These are the minimum requirements that any business or SME should implement. Criminals will find it hard to get around this level of security. Whilst this technology will prevent most breaches, it cannot fully protect an organisation from human error, even in a security-conscious corporate environment.
What Else Can Your Business Do to Improve Cyber Security?
Even if you have great cyber security technology and applications in place, it is important to make sure that you help any individual – staff, suppliers or customers – who has legitimate access to your network to operate securely. Multi Factor Authentication (MFA) and better password management are a simple and easy way to make sure this happens. It is already proving to be highly effective in reducing malware attacks.
Multi Factor Authentication adds a layer of protection as part of any login process or when accessing accounts, apps or data. When a user logs in from a new device or location, the user is asked to provide an additional form of identity verification. This could be a text to a mobile, a phone call or an app on your phone which asks for a code or confirmation of login. Even if an attacker has breached your company’s other defences, obtained a user’s credentials and then attempts to log in to a user account with the correct credentials, they won’t be successful unless they have this second piece of information.
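The step-up check described above, sketched as an added example (not Excalibur's or any vendor's code): a login with the correct password from an unrecognised device is challenged for a time-based one-time code (RFC 6238), the kind an authenticator app displays. The `user` record layout, the `login` function and the device names are assumptions made for illustration; the secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for
SECRET = b"12345678901234567890"  # RFC 6238 test secret, never use in production

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1) for the Unix time `at`."""
    counter = struct.pack(">Q", max(at, 0) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * STEP)
        # Constant-time comparison; every candidate is checked, no early exit.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

def login(user: dict, password_ok: bool, device_id: str, code, now: int) -> str:
    """Return 'allow', 'challenge' (ask for a second factor) or 'deny'."""
    if not password_ok:
        return "deny"
    if device_id in user["known_devices"]:
        return "allow"  # recognised device: password alone is enough
    if code is None:
        return "challenge"  # new device: correct password is not sufficient
    if verify_totp(user["totp_secret"], code, now):
        user["known_devices"].add(device_id)  # remember the device after a good code
        return "allow"
    return "deny"

if __name__ == "__main__":
    # Constructed sample account: one enrolled laptop, authenticator secret on file.
    alice = {"known_devices": {"laptop-1"}, "totp_secret": SECRET}
    now = 59
    print(login(alice, True, "laptop-1", None, now))            # known device
    print(login(alice, True, "unknown-pc", None, now))          # stolen password only
    print(login(alice, True, "unknown-pc", "000000", now))      # guessed code
    print(login(alice, True, "new-phone", totp(SECRET, now), now))  # real second factor
```
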
MFA is automatically enabled by default on many consumer services and websites. However, it is not often turned on by default for many business services like Microsoft 365. It’s worth noting that enabling MFA on your company network without pre-warning and training employees/network users is likely to cause login issues. Activating corporate-wide MFA is definitely worthwhile but should be introduced in a well communicated and coordinated way.
During the past six to twelve months, Excalibur has proactively recommended MFA to its new and existing customers who do not already use it. It is a powerful security tool for any cloud-based organisation and business that operates a hybrid office and remote working model where anytime/anywhere login is required.
Employees and consumers have been using passwords to authenticate corporate and private internet applications since the start of internet use. Passwords remain one of the best ways to validate identity and network access and have been ‘managed’ in a number of ways including password expiry solutions or simply encouraging people to use more numbers, letters and symbols in a password.
Today, the key recommendation is for people to use non-expiry passwords, BUT to have a unique password for each service you use e.g. LinkedIn, 365, Facebook or company login. This means that should an end user click on a phishing email, only one password and application is exposed to a potential data breach.
Keeping each password unique means it can never be used or work anywhere else on the internet or company network.
Whilst having multiple passwords to remember sounds difficult for a busy individual to manage for work and home, there are excellent password management programmes that help keep your digital life secure. They only require end-users to remember one password. The manager then generates unique passwords for each internet facing application that the user uses, whether at work or home.
Major companies like Microsoft, Google and Cisco all have password management solutions. Free password managers like LastPass are also available to use.
So, how do password managers work?
A password manager will generate secure passwords and store them in a secure digital vault. The manager software basically ‘mushes’ the passwords which makes it very difficult for anyone to compromise.
Password software uses intelligent and secure algorithms to generate random, new passwords on request. The password manager then stores the passwords and other registration data, like payment details and personal information, in an SSL-encrypted vault. End users can then access this stored data from a cloud-connected device, but only once they have entered the master password.
On top of using the right security technology, it is clear that efficient password management reduces the ability of hackers to take advantage of people within an organisation. It not only makes people think twice, but encourages them to follow a secure logon process where there is less margin for error. Combined with MFA, it is a powerful, yet relatively simple and cost-effective way of strengthening your company’s cyber security.
It is becoming increasingly important for organisations to implement one or both of these security processes in order to meet rising data compliance standards now required by customers and suppliers alike.
At Excalibur, we would always recommend that any business looking to upgrade its security should look at technology, people and process. If you would like to discuss your organisation’s cyber security please contact us on 01793 438881.