Prevention is the best medicine. So why don't we think that way about cybersecurity? Why act only after an attack has occurred?
Governance Institute of Australia’s course on Security Risk will help your organisation identify, protect, detect, respond, and recover from threats.
Here are ten secure computing tips based on the Australian Cyber Security Centre’s (ACSC) standards and frameworks.
1. Adopt a company cybersecurity policy
Does your company have a cybersecurity policy?
If you don’t know or don’t have one, you should. Your policy will guide everything from social media use to email encryption. It should mention security measures and disciplinary action for breaking the policy.
The ACSC framework is just one example; many other frameworks are available. Once you have chosen one, you need to decide how much of it you will implement. For example, the ACSC Protect Principles include vetting all personnel with access to systems, applications and data, as well as requiring multiple methods of login authentication. This level of vetting and authentication may not be practical for every organisation. You can decide how many of the principles to implement for your business.
2. Identify all equipment
Your business needs a list of all of the equipment you use.
This includes both hardware and software. Make sure to identify and track all laptops, tablets, smartphones, and other items your business owns.
Good cybersecurity is about being proactive. By knowing what you have, you know what you should protect.
3. Back up and protect your data
The easiest way to protect your data is to control who has access to your devices and network. Make sure that employees, vendors, and anyone else you work with who has access to sensitive information understands what your cybersecurity policy is.
Protecting your data also means conducting regular backups of your data. This could be onsite, offsite, or a combination of both.
It also entails encrypting sensitive data, for example in line with the specifications published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
4. Monitor your devices and networks for unauthorised access
Monitor your devices for any unusual activity. That could include USB devices, unknown software installations, or unauthorised network access. If something looks suspicious, investigate it.
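As an added illustration of the kind of check this tip calls for (this is example code, not from the Governance Institute page or the ACSC), the Python below compares a handful of endpoint and login events against an organisation's baseline of approved USB devices, approved software and internal networks, and flags anything outside that baseline for investigation. The event format, host names, USB identifiers, package names and IP addresses are all constructed for the example; real telemetry from an endpoint agent or firewall will have its own format and would need to be normalised into something similar first.

```python
import ipaddress
from collections import Counter

# Constructed baseline for an imaginary small fleet (assumption, not from the page).
APPROVED_SOFTWARE = {"office-suite", "pdf-reader", "vpn-client", "web-browser"}
APPROVED_USB_IDS = {"0781:5583", "0951:1666"}      # vendor:product of issued USB drives
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
FAILED_LOGIN_THRESHOLD = 5   # failures from one source before it is worth a look

# Constructed sample telemetry, normalised to one dict per event.
SAMPLE_EVENTS = [
    {"type": "usb_attach", "host": "laptop-07", "user": "alice", "device_id": "0781:5583"},
    {"type": "usb_attach", "host": "laptop-12", "user": "bob", "device_id": "abcd:0001"},
    {"type": "software_install", "host": "laptop-07", "user": "alice", "package": "pdf-reader"},
    {"type": "software_install", "host": "desktop-03", "user": "carol", "package": "remote-admin-tool"},
    {"type": "login", "host": "fileserver-01", "user": "bob", "src_ip": "10.0.4.17", "result": "success"},
    {"type": "login", "host": "fileserver-01", "user": "dave", "src_ip": "203.0.113.45", "result": "success"},
] + [
    {"type": "login", "host": "fileserver-01", "user": "admin", "src_ip": "198.51.100.9", "result": "failure"}
    for _ in range(6)
]


def check_usb(event):
    """Flag a USB device that is not on the issued-equipment list."""
    if event["device_id"] not in APPROVED_USB_IDS:
        return f"{event['host']}: unknown USB device {event['device_id']} attached by {event['user']}"
    return None


def check_install(event):
    """Flag software that is not on the approved list."""
    if event["package"] not in APPROVED_SOFTWARE:
        return f"{event['host']}: unapproved software '{event['package']}' installed by {event['user']}"
    return None


def check_login(event):
    """Flag a successful login whose source address is outside the internal networks."""
    src = ipaddress.ip_address(event["src_ip"])
    if event["result"] == "success" and not any(src in net for net in ALLOWED_NETWORKS):
        return f"{event['host']}: successful login for {event['user']} from outside address {src}"
    return None


def failed_login_bursts(events):
    """Flag any (host, source) pair with repeated failed logins."""
    failures = Counter((e["host"], e["src_ip"]) for e in events
                       if e["type"] == "login" and e["result"] == "failure")
    return [f"{host}: {n} failed logins from {src}"
            for (host, src), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]


CHECKS = {"usb_attach": check_usb, "software_install": check_install, "login": check_login}


def review_events(events):
    """Run every per-event check, then the aggregate failed-login check; return findings."""
    findings = []
    for event in events:
        check = CHECKS.get(event["type"])
        if check is None:
            continue                      # event types we have no rule for are ignored
        finding = check(event)
        if finding:
            findings.append(finding)
    findings.extend(failed_login_bursts(events))
    return findings


if __name__ == "__main__":
    for line in review_events(SAMPLE_EVENTS):
        print("INVESTIGATE:", line)
```

The point of the structure is that the baseline (what is approved) lives in one place and is owned by whoever is in charge of cybersecurity (tip 6), so the monitoring rules stay simple: anything not on the list gets investigated rather than silently allowed.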
Computer security software such as a password manager can help users create secure passwords that are not easily guessed or brute-forced. Password managers can generate passwords that are long and complex, and store them in encrypted form.
5. Train your employees
Knowledge is power. Train your employees on how to identify potential threats such as phishing attempts and other unusual activities.
Regular training and awareness are key to preventing costly mistakes. That brings us to our next tip.
6. Have someone in charge
Have a designated person or persons in charge of your cybersecurity efforts. If an employee identifies a potential threat or is unsure of something, who should they report the incident to?
There should be a clear leader and educator who is in charge of reviewing your cybersecurity plan and educating your staff.
7. Recover from an attack
In the event of a cybersecurity attack, repair and restore the affected parts of your network. Keep your employees and any affected customers informed of your response. Recovering well will ensure your organisation can mitigate the effects of a cyberattack, and communicating to your employees and customers will maintain trust.
8. Prepare for emergencies and natural disasters
Good cybersecurity means dealing with threats. But not all threats are human.
It’s easy to overlook emergencies and natural disasters. Depending on where you are located, bushfires, floods, landslides, earthquakes, and more are all possible. By the year 2050, natural disasters in Australia are predicted to reach a total economic cost of $39 billion.
Within the past few years alone we have seen and experienced major events such as the 2010 ‒ 2011 Queensland floods and the devastating 2019 ‒ 2020 bushfires.
Then there is of course the increased cybersecurity threat that has emerged with the COVID-19 pandemic.
Even if your business is not directly impacted, a natural disaster can bring unsavoury characters out of the woodwork. Many hackers and scammers prey on others in the wake of disasters, soliciting fake ‘donations’.
9. Have an action plan
A comprehensive plan should have a response for everything.
Your plan should dictate how you notify at-risk employees and customers of a threat. It should indicate how you will investigate an attack. It should also indicate how you will report the incident to law enforcement.
After an attack occurs, be sure to update your plan. What did you learn from the attack? What are the weak points in your plan?
Once you have determined that, modify your plan accordingly.
10. Test your plan
Finally, you need to test your cybersecurity plan.
An untested plan isn’t a very good plan. You’re leaving yourself at risk by not knowing for certain whether your cybersecurity plans are effective. Test your plan regularly, so you can identify weak points and adjust accordingly.
Otherwise, you are acting under the assumption that your plan is foolproof.
Security risk training
Secure computing should be a priority for any business. That’s why Governance Institute covers cybersecurity themes in our courses and Certificates for risk management and governance professionals.