If you missed the debut of our podcast, “The Tech Factor”, don’t worry—here’s everything you need to know about cyber security, including our top five measures to protect your company against cyber criminals:
Use Complex Passwords
A recent news story revealed that Austal, the ASX-listed shipbuilder and defence contractor for the Australian government, was compromised in late 2018 by an attacker who used login credentials purchased from the dark web. It was eventually discovered that 40 different versions of “Password123” and “Austal123” were used throughout the Austal business, some of them even after the break-in.
Moral of the story: the weak link in any system, no matter how secure it may otherwise be, is often its users. That’s why it doesn’t matter how big your business or its budget is. If there’s one thing you can immediately implement for the sake of your cybersecurity, it’s the use of complex passwords.
What Makes A Password Strong?
- Use special characters
- Use at least eight characters
- Mix capital and lowercase letters
- Include numbers
- For maximum security, use a completely random series of characters
Cybercriminals aren’t kids guessing passwords in their bedroom; they know what they’re doing. That can include running tools that take a company name as input and generate the basic combinations of common password elements (the company name followed by a few digits, for instance) that people tend to choose.
How do I know if my password is weak?
- Names of pets, children, or other family members
- Anything frequently mentioned on social media (easy to obtain)
- Reusing passwords from personal accounts outside of the business platform
Even having a password methodology is a risk: if it’s too formulaic, a single breached password can reveal the pattern behind all the others and leave your whole system vulnerable to attack. If you must adhere to an internal methodology when choosing your passwords, keep that methodology internal. Never share your company’s password requirements!
When it comes to password security, the trick is to make a password easy for you to remember and hard for others to guess. If you can’t memorize a random series of letters and numbers without being tempted to write it down, use keywords that have nothing to do with your industry, coupled with numbers that have no significance to you. The more nonsensical, the better. For example, if you work in IT, choose a password like “Dolphin234!”. It’s got numbers, special characters, and a mix of upper and lowercase letters. More importantly, it’s both easy to remember and impossible to guess. Without a decent password, it’s not a matter of whether you’ll be compromised—it’s just a matter of when.
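The rules above, and the weak patterns the article warns about, as a checker you could put behind a password-change form. This is an added example, not code from the article or from Club IT; the company name and personal terms are passed in by the caller, and the “password” base is the one denylist entry taken from the article.

```python
import re
import string

MIN_LENGTH = 8  # the article's minimum

# Bases the article names as guessable. A real deployment would also load a
# breached-password list; this single entry is what the article itself cites.
WEAK_BASES = ("password",)


def _letters(text):
    """Lowercase letters only, so 'Austal123!' and 'austal-2019' both become 'austal'."""
    return re.sub(r"[^a-z]", "", text.lower())


def password_issues(password, company_name, personal_terms=()):
    """Return the rules the password fails (empty list means it passes).

    personal_terms is a caller-supplied list of things the article says not to
    use: pet names, children's names, anything posted on social media.
    Leet-speak substitutions (P@ssw0rd) are deliberately not handled here.
    """
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in string.punctuation for c in password):
        issues.append("no special character")
    letters = _letters(password)
    # Appending digits to the company name ("Austal123") is the exact habit the
    # article describes, so match on the letters alone, not the whole string.
    for term in (company_name, *personal_terms, *WEAK_BASES):
        base = _letters(term)
        if base and base in letters:
            issues.append(f"contains guessable term '{term}'")
    return issues


def is_strong(password, company_name, personal_terms=()):
    return not password_issues(password, company_name, personal_terms)
```

Meeting every rule is a floor, not a guarantee; the term check is what catches the Austal-style passwords that satisfy all four character rules.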
Two-Factor Authentication
When you log into a system that uses a two-factor mechanism, it sends you a numerical code via text message or email, which you must then type into the application before you can proceed. Its purpose is to verify your identity quickly and securely.
Two-factor authentication is a staple of cyber security, and there’s no real reason not to use it. In fact, Google statistics from May 2019 showed that an SMS code sent to a recovery phone number helped block 100% of automated bot attacks, 96% of bulk phishing attacks, and 76% of targeted attacks. Adding simple measures like this to your security strategy can truly make all the difference in the world.
Further food for thought: the cloud can be as dangerous as it is beneficial. You can access it from anywhere—so can a cyber criminal. Therefore, at the bare minimum, anything accessed in the cloud needs to have two-factor authentication in place. Even though some platforms, such as Office 365, don’t require it at set-up, you should always enable this feature. Do everything in your power to keep your data safe.
Aside from accounting software and the usual business platforms, your personal accounts can benefit from two-factor authentication as well. When a single, simple measure strengthens your weakest link this much, there’s just no excuse not to use it.
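The server side of the code-by-SMS-or-email flow described above, as an added example (not code from the article, Google, or any named platform). The five-minute lifetime and five-attempt limit are assumptions; the point is that a six-digit code is only safe if it expires, can be tried only a few times, and works once.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses invalidate the code

# In-memory stand-in for a database row per pending login:
# user -> {"digest": sha256 of the code, "expires": unix time, "attempts": int}
_pending = {}


def issue_code(user, now=None):
    """Create a six-digit code for the user and return it to the SMS/email sender.

    Only a hash is stored. With a million possible codes that hash is trivially
    brute-forced offline, so the expiry and attempt limit below are the real
    protection; the hash just keeps plaintext codes out of the store and logs.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"  # uniform over 000000-999999
    _pending[user] = {
        "digest": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user, submitted, now=None):
    """Return True exactly once for the right, unexpired code; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user]  # expired or guessed too often: user must request a new code
        return False
    entry["attempts"] += 1
    digest = hashlib.sha256(submitted.strip().encode()).hexdigest()
    if hmac.compare_digest(digest, entry["digest"]):  # constant-time comparison
        del _pending[user]  # single use: a replayed code is rejected
        return True
    return False
```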
Cyber Security Culture
Cyber security culture in the workplace means promoting and encouraging safe practices as the logical and right thing to do—not only for the individual, but for the good of the group. It’s about making employees aware of potential threats so that they’ll change their own behaviour to reduce those risks. In your interactions within your organization, keep the following goals in mind:
- Instill in people the concept that security belongs to everybody inside the organization. It’s not just one person’s responsibility to make sure that business information is safe and secure.
- Reward and recognize those who do the right thing where security is concerned.
- Make sure the content of your training (more on that in a moment) is engaging and memorable for employees.
As long as you show that you take company security seriously, your employees are likely to follow. For the few who may be more apathetic, you’ll want to tackle the problem as early in the hiring process as possible. Introduce cyber security as a core value of your company from the outset, if possible. In a moment, we’ll discuss exactly how to embed it into the very culture of your organisation.
Cyber Security Training
Through training, we distill culture. If you want to really tighten step three, remember that it’s tied together with step four (and vice versa). Culture and training go hand in hand.
Cyber security training comes in a surprising variety of forms. It can even be hands-on, audience-involved, and delivered interactively in front of a group of people.
Some tips to consider:
- Standing up with a slideshow and telling people what to do is okay, but creating active listeners by asking questions and performing activities makes the message more likely to stick.
- A number of proprietary tools exist for training teams by, for example, requiring employees to pass knowledge checks, or by sending out fake cyber security attacks to staff members. You can receive information such as, “Who clicked to open the email?” and, “Did the employee fill out the information fields requested in the email?” These sorts of stats can tell you a lot about the work you have left to do in training your employees to be conscientious about their data.
- You can find a number of googlable free training resources out there. It doesn’t have to cost money to educate your company on cyber security.
- Have a non-management champion to lead the cyber security charge within your organization—someone who leads not by title, but by example. You’ll see some real positive results just by spotlighting employees who are good influences on their colleagues.
It’s also important to know that one-off training isn’t sufficient. Regular training sessions can seriously help, especially where employee turnover is concerned. Reinforcing this subject at least once a year is good, but revisiting it every six months or so is even better for your safety in the long run.
Dark Web Monitoring
Most people have heard of the dark web, but don’t quite have a picture of what it is or what it means for cyber security.
The visible internet is the tip of an iceberg—only a small fraction of what’s present online. The rest is what you can’t reach just by typing a URL or even by using a search engine. Beneath the surface of the water is a deep layer of computers, devices, and servers that all communicate with each other, and much of the activity there is inherently illicit. Here, cyber criminals often collaborate to steal people’s data in mass-scale attacks. Some of them are wholesalers who sell your information, along with other people’s, in bulk to other criminals.
If you weren’t fully aware of this situation before, don’t panic. Nowadays, you can use various tools to scan the dark web and see what, if any, of your sensitive information is up for sale. These tools then notify you or your company of exactly what data is available on the dark web.
Cautionary Tale: Travelex
Travelex is the largest multinational foreign exchange company. On the first day of December 2019, the company’s entire system went offline when a ransomware gang gained access to its network and downloaded 5 GB of customer data, including birthdays, credit card information, and national insurance numbers. The hackers threatened to sell this data unless Travelex paid them $2.3 million in bitcoin.
Travelex did pay the ransom—but there’s no guarantee that that data won’t be sold, if it hasn’t been already.
Pay Upfront for Cyber Security—The Cost is Heavier Down the Line
At the end of the day, we are dealing with very large, sophisticated cybercriminal networks. They charge money to join because there is money to be made in them, at your expense. The bottom line: they will eventually find a way in, and they’ll do whatever they can to ruthlessly extract funds from your organisation.
Make use of the options at your disposal. Tools like Dark Web ID allow you to monitor whether any of your clients’ credentials are exposed on the dark web, and in this example, it’s actually pretty affordable. Everyone’s cyber security has been compromised on some level at some point in time, but the proper preparation can help you attack the problem at its roots before it has a chance to grow.
We at Club IT pride ourselves on providing reliable and trustworthy information to business owners to assist them in all things Business/Managed IT Solutions. If you’re still looking for further assistance or want to hire a reliable IT company, please don’t hesitate to contact us.