cyber attack : 5 security controls to protect against them

protect yourself from cyber attack

cyber attack : 5 security controls to protect against them

Ever increasing incidents of cyber attack means employees and small business must work harder and smarter to ensure the safest possible working environment. Some simple strategies employed robustly can minimise the impact of massive problems when the attacks come.

Every few weeks we see stories about how valuable but private data has been hacked or stolen or simply broken in to. Even the smallest organisations need to think through and apply an ongoing cyber defense strategy. Central is your employees, who need to understand what a vital role they play in protecting the company. Equally important is that organisational leadership provides sufficient and effective support to all their workers, by having 5 fundamental security controls.

 

Phishing tests

 

A form of fraud. Phishing is a form cyber attack where the attacker tries to learn information such as login credentials or account information. They masquerade as a reputable entity or person in an email, Instant Messaging, or other chat channels.

Design some simple tests that will flag up if your staff need some additional cyber security training.  Create an email that looks like a genuine request to provide details that your security policy does not allow. Mimic the way cyber criminals encourage recipients to reveal user names or passwords or pin numbers.

Provide evidence. An effective phishing test provides evidence the recipient of an email clicked on provided links. It tests partial or complete details have been entered. These tests give you confidence that policies are being adhered to, or indicate you have a training need. In the process, your people become more familiar with the ways and means of cyber attack criminals, thus reducing the risk.

 

Two-factor authentication

 

I use two-factor authentication wherever it is offered. It is a hassle. I sometimes get mad at the extra time it takes, but it is an additional step up in security. You can go one further and employ a separate authentication device and single-use codes (like many banks now use) for additional security. With two-factor authentication (2FA), sometimes called two-step verification,  the user provides two authentication factors to verify they are who they say they are.  It is more secure than single-factor authentication (SFA), a security process in which the user provides only one factor – typically a password.

 

Non-password validation methods

 

Prove they are human. You have seen websites often ask for a response ‘to prove you are human’ and it usually includes image-based questions. This method uses dynamic information, such as a visual prompt not possible to glean from static form text. It tests visual and immediate information processing. For example, reCaptcha requires making a change on the screen that is difficult to script and therefore protects against automated attacks.

Visual prompts guard against hackers who use machine learning to simply brute force their way in. They bombard websites or authentication mechanisms with thousands of combinations until one is finally successful. With sufficient computing power, it is simple to try millions of possible combinations in a short time. Using visual and human intelligence responses reduce the chances a single-factor / single control method can be cracked. It also strengthens your authentication protocols.Testing visual and human intelligence responses reduce the likelihood of passwords being the single control mechanism and so strengthens the authentication protocols.

 

Spam reporting and virus scanning

 

Use tools to check all incoming email. When you use integrated tools, suspect emails and attachments, are quickly identified as spam, and “quarantined” to a safe zone. If you are a Gmail user, you know how this is automatically done for you, with amazing accuracy. If you  have no tools to separate spam from real messages and to check for viruses in email or attachments, do something about it today! The reason is simple: attachments or code with a sinister intent must be prevented from deploying.  This allows early reporting of suspicious emails and protects against them being spread throughout the organisation and network.

 

Good housekeeping against cyber attack

 

Strong administrative procedures can significantly reduce the risk of cyber attack. Take care that the policies you introduce are actually more helpful than they are annoying to your staff! They should include regular antivirus scans and upgrades, strong password policies that are enforced, and the automated cleaning of browsing history and cache folders.

Keep your security policies in front of people. Make sure your people know what your cyber attack policies are, how you apply them, and why it is important these measures are adhered to. Your staff should also know how to check incoming email address has not been “masked” and that they should report any email they consider to be a threat or a security concern, to whoever looks after your IT security. It is better to have unfounded reports and to educate staff than to have no reports, and a sudden calamity to cope with. If a report does indicate a problem, then firewall and other network configuration changes can be determined and made.

Regular reminders of what good email practice looks like will minimise the chance a cyber attack will succeed. Always include a reminder that your staff should not click on links from external sources and that must never give away information like their passwords or usernames, or pin numbers. If you have documented your cyber attack policies and procedures, remind your staff where they can find them.

 

Mark Taylor
mark@onesheep.org
No Comments

Sorry, the comment form is closed at this time.