“We have been hacked!” Probably the most dreaded news a CEO can get hit with. But cybersecurity compromises are not only from external sources. Insiders are just as capable of causing harm as external attackers, whether through the distribution of malware, spyware, viruses, or just sheer negligence.
Here are five common pitfalls, or poor cyber practices, that could leave your company vulnerable, and how you can prioritize them now to guard against insider risks to its cybersecurity.
A. Don’t play down the role of Physical Security
Don’t get too ‘comfortable’ when attending to your physical security. It should be your top focus. The majority of insider incidents can be avoided simply by physically preventing anyone without authorization (“unauthorized access”, to use the industry term) from entering your vital infrastructure.
For example, consider Red Dot, a heating and air-conditioning business in the Seattle area, where two janitors stole employee and client personal information by searching desks, filing cabinets, and garbage cans. Before being apprehended, they procured fake credit cards, broke into bank accounts, and stole tens of thousands of dollars.
Put high-value systems in isolated locations with rigorous access controls. Keycards are convenient and affordable, but they only provide single-factor authentication and can be misplaced, stolen, or borrowed. The audit log may show that Alice entered the computer room at 10:03:34 in the morning, but what if Bob was actually using her card?
Card thieves can be stopped by adding a second factor to keycards, such as requiring a PIN along with the card, but obliging employees will still lend their cards and PINs to coworkers.
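One way to catch the “Alice’s card, Bob’s hands” case described above is to correlate the door controller’s audit log with a second, independent source of the card holder’s location, such as the VPN log: if Alice’s card opens the computer room while Alice’s account holds an active remote session, someone else is probably holding the card. The script below is an added example, not code from the original article; the badge and VPN log lines are constructed for illustration and their formats are hypothetical, not those of any real badge or VPN system.

```python
"""Correlate door-badge events with VPN sessions to flag possible card sharing.

Added example, not from the original article. The two logs below are
constructed sample data; the line formats are hypothetical.
"""
from datetime import datetime

# Constructed sample data: physical access events from the door controller
# Format: <ISO timestamp> <user> <door> <GRANTED|DENIED>
BADGE_LOG = """\
2024-05-06T10:03:34 alice computer_room GRANTED
2024-05-06T10:40:12 carol computer_room GRANTED
2024-05-06T11:15:02 dave computer_room DENIED
"""

# Constructed sample data: remote-access session events from the VPN gateway
# Format: <ISO timestamp> <user> <CONNECT|DISCONNECT> <source ip>
VPN_LOG = """\
2024-05-06T09:55:00 alice CONNECT 198.51.100.23
2024-05-06T11:30:00 alice DISCONNECT 198.51.100.23
2024-05-06T08:00:00 carol CONNECT 203.0.113.7
2024-05-06T09:30:00 carol DISCONNECT 203.0.113.7
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_badge(text):
    """Return [(time, user, door)] for every GRANTED badge-in; denied swipes are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, door, result = line.split()
        if result == "GRANTED":
            events.append((_ts(when), user, door))
    return events


def parse_vpn_sessions(text):
    """Build {user: [(start, end)]} from CONNECT/DISCONNECT pairs.

    Lines are sorted first (ISO timestamps sort chronologically as strings).
    A CONNECT with no matching DISCONNECT is treated as still open (end=None).
    """
    open_sessions = {}
    sessions = {}
    for line in sorted(l for l in text.splitlines() if l.strip()):
        when, user, action, _src = line.split()
        t = _ts(when)
        if action == "CONNECT":
            open_sessions[user] = t
        elif action == "DISCONNECT" and user in open_sessions:
            sessions.setdefault(user, []).append((open_sessions.pop(user), t))
    for user, start in open_sessions.items():
        sessions.setdefault(user, []).append((start, None))
    return sessions


def find_card_sharing(badge_text, vpn_text):
    """Return badge-ins that occurred while the same user held an active VPN session."""
    sessions = parse_vpn_sessions(vpn_text)
    suspicious = []
    for when, user, door in parse_badge(badge_text):
        for start, end in sessions.get(user, []):
            if start <= when and (end is None or when <= end):
                suspicious.append({
                    "user": user,
                    "door": door,
                    "badged_at": when.isoformat(),
                    "vpn_since": start.isoformat(),
                })
                break
    return suspicious


if __name__ == "__main__":
    for hit in find_card_sharing(BADGE_LOG, VPN_LOG):
        print(f"{hit['user']} badged into {hit['door']} at {hit['badged_at']} "
              f"while on VPN since {hit['vpn_since']}: someone else may hold the card")
```

On the constructed data only Alice is flagged: her card entered the room at 10:03:34 while her VPN session (09:55 to 11:30) was still open. Carol’s badge-in at 10:40 falls after her session ended, so it is not reported, and Dave’s denied swipe is ignored. The same join works with any second location signal (workstation logon, parking-gate entry) as long as both logs share a user identifier and a common clock.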
Consider biometric verification. Although pricey, fingerprint scanners and comparable tools are common options.
Securing your computer systems, however, is not enough on its own. Vulnerabilities can also come from unlocked hard copies, thieves, or unscrupulous coworkers who could walk off with vital material. Ensure that every employee has a lockable drawer in their desk or filing cabinet to protect confidential information.
B. Don’t ignore segmenting your LANs
Host- or network-based intrusion detection systems should take center stage among your internal defenses, but reliable monitoring points for them can be difficult to find.
Network-based systems rely on LAN sniffers, while host-based systems typically use agents. It is simple to monitor a single internet connection, but it can be challenging to find appropriate locations (choke points) within frequently turbulent LANs. In an ideal world, each LAN segment would have its own sniffer. In a large network this is cumbersome, unworkable, and will probably bury you in pointless alerts.
A better strategy is to think of your LAN as a collection of enclaves, each with its own zone of trust and separated by firewalls where they connect to the corporate backbone.
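The enclave model above is easiest to reason about when the zones of trust and the permitted cross-enclave traffic are written down as explicit data and everything else is denied. The script below is an added example, not code from the original article; it models a small set of constructed enclaves, a default-deny policy between them, and then audits a constructed sample of observed flows (the kind a sniffer at a choke point would see) to report traffic that crosses an enclave boundary without a permitting rule. The enclave names, subnets, rules and flow records are all assumptions made for illustration.

```python
"""Audit observed flows against an enclave (zone-of-trust) segmentation policy.

Added example, not from the original article. Enclaves, subnets, policy rules
and the flow log are constructed for illustration.
"""
import ipaddress

# Constructed: each enclave is a zone of trust with its own address range.
ENCLAVES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "hvac_ot": ipaddress.ip_network("10.30.0.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed: the only cross-enclave traffic the backbone firewalls should pass.
# (source enclave, destination enclave, allowed destination ports or None = any)
# Anything not listed is denied by default; "external" means outside all enclaves.
POLICY = [
    ("workstations", "servers", {443, 445}),
    ("workstations", "external", {80, 443}),
    ("servers", "external", {443}),
    ("guest_wifi", "external", None),
]

# Constructed sample of flows captured at a choke point.
# Format: <src ip> <dst ip> <dst port> <bytes>
FLOW_LOG = """\
# src           dst            dport bytes
10.10.4.7       10.20.1.10     443   18234
10.10.4.7       10.30.0.5      502   1200
192.168.50.12   10.20.1.10     445   9120
10.20.1.10      10.20.1.11     3306  44010
10.30.0.5       10.30.0.6      502   300
192.168.50.12   203.0.113.9    443   71000
10.20.1.10      10.10.4.7      3389  5120
"""


def zone_of(ip):
    """Map an address to its enclave name, or "external" if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return "external"


def evaluate_flow(src, dst, dport):
    """Return (decision, reason) for a single flow under the enclave policy."""
    s, d = zone_of(src), zone_of(dst)
    # Hosts inside one enclave talk freely; the firewall sits at the enclave edge.
    if s == d and s != "external":
        return "allow", f"intra-enclave traffic inside {s}"
    for rule_src, rule_dst, ports in POLICY:
        if (rule_src, rule_dst) == (s, d) and (ports is None or dport in ports):
            return "allow", f"policy permits {s} -> {d} on port {dport}"
    return "deny", f"no rule for {s} -> {d} on port {dport} (default deny)"


def audit_flows(text):
    """Return [(src, dst, dport, reason)] for every observed flow the policy denies.

    A denied flow that was nevertheless observed means a firewall rule is missing
    or a path bypasses the enclave boundary; either way it deserves a look.
    """
    violations = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, _bytes = line.split()
        decision, reason = evaluate_flow(src, dst, int(dport))
        if decision == "deny":
            violations.append((src, dst, int(dport), reason))
    return violations


if __name__ == "__main__":
    for src, dst, dport, reason in audit_flows(FLOW_LOG):
        print(f"VIOLATION {src} -> {dst}:{dport}: {reason}")
```

On the constructed flow log three flows are reported: a workstation reaching the HVAC controllers on port 502, a guest-Wi-Fi client reaching a server on 445, and a server opening RDP (3389) back into the workstation enclave. The same-enclave database and Modbus flows and the guest-to-internet flow pass, which is the point of the model: the sniffer only has to watch the enclave boundaries, and the policy says exactly what should be crossing them.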
C. DON’T neglect thorough screening of your new recruits
In general, it is best to spend more time looking into an applicant’s background. If your organization considers background checks too time-consuming, consider outsourcing.
However, background checks don’t always provide the complete picture. For instance, a standard check might confirm the applicant’s current address but would not show that a known scam artist or a dissatisfied ex-employee lives at the same home.
Such relationships can be found using services like Systems Research & Development’s NORA (Non-Obvious Relationship Awareness). NORA is able to conduct personnel checks on current employees, potential hires, subcontractors, and vendors by merging data from seemingly unconnected company systems.
D. DON’T underrate the need for sophisticated Firewall and Anti-malware programs.
According to research, malware infection, which made up 53% of all cyberattacks in the UAE in 2017, was the most frequent type of cybercrime. And since ransomware is currently the most common cyber security concern for small businesses, safeguarding your company from it and other forms of malware is essential.
Ransomware is difficult to combat with current anti-virus technologies because it evolves almost as quickly as the new anti-virus tools do. It can operate covertly in the background, undetected by an antivirus program, until it is too late to save your files. Therefore, it is crucial to spend money on software that has been created specifically to address this problem.
While efficient anti-malware programs can detect and contain software infections when they attack, it is crucial to stop them from ever reaching your database in the first place.
Therefore, the key to keeping malware out of your computer systems is to invest in an effective firewall. Additionally, because cybersecurity risks are evolving quickly, it’s important to always pay attention to update notifications and install the updates as soon as they appear. These updates are a crucial weapon in the fight against cyberattacks, since they are developed in response to the most recent cyber threats.
Educate your staff on the use of all software
You can prevent ransomware attacks, which often get into computer systems through emails and other employee mistakes, by using firewall and anti-malware software together with employee education.
E. DON’T disregard the risk from using free public wi-fi to work on sensitive documents.
With so many of us working remotely or answering a few work emails on the weekend from a cafe, it’s tempting to take your laptop and connect to the free public wi-fi. It’s available everywhere, after all, and the boss won’t wait until Monday to examine that project. However, locations that provide free wi-fi, such as your local coffee shop, the airport, or the hotel, put you at risk of fraud.
When using free public wi-fi, avoid accessing your email, online bank, or credit card accounts, advises FBI fraud specialist Frank Abagnale. The reason is the “evil twin” fraud, in which con artists set up fake networks that mimic legitimate ones.
This is not an exhaustive list of corporate cyber do’s and don’ts (or best practices). However, these are relatively simple measures you can build into your company’s work environment through a structured and deliberate GRC implementation. If you’re reading this but don’t know where to start, speak to one of our risk auditors for free today. At Daakyi, we believe small and medium-sized businesses should not be left in the dark due to budget restrictions. Talk to an expert today!