5 Ways To Increase Cybersecurity Awareness in Your Organization
Technology advancements have transformed organizations by making their business operations more streamlined and ensuring business efficiency. The growth of technology has created a wide range of opportunities for organizations, but also introduced them to new risks and vulnerabilities. Every vulnerability has the potential to be exploited by a cyber attacker through a software, command or code. The practice of protecting hardware, software, networks and data from any cyberattack is known as cybersecurity.
The first cyberattack in the world happened 31 years ago. The cyberattack was designed by Robert Morris, a graduate student at Cornell University. He wrote a program that copies itself to other devices under the same network, known as the Morris worm. The worm infected systems of several respected universities and research centers in USA. He claimed that the attack had innocent intentions. However, this attack was a wake-up call for IT departments to better protect organizational systems and data.
Three decades later, cyberattacks have increased and become far more complex. Today, cybersecurity is not only an IT department issue but is considered an enterprise-wide issue. With the increasing number and complexity of cyberattacks, it has become extremely difficult for organizations to keep up with the latest threats. According to a research published by ESG, a consulting company in the enterprise IT industry, 72% of cybersecurity professionals say that security analytics and operations are more difficult today than two years ago. This is a result of the cybersecurity challenges below:
- Cybersecurity Threat Landscape. Cybersecurity professionals find it difficult to keep up with constantly changing and persistent threats coming from the latest technology trends.
- Security Alerts. Security alerts are threat detection technologies that are deployed by organizations to detect potential threats. However, the security analysts surveyed claim that they have to capture and interpret data manually, which leads to false positives and mistakes.
- Cybersecurity Skills Shortage. In another research, ESG indicates that 51% of organizations claim to have a shortage of cybersecurity skills.
Understanding that not a single organization is immune from cyberattacks, no matter the size and industry in which it operates, should be enough reason to increase cybersecurity awareness among personnel. Increasing cybersecurity awareness will help organizations to protect valuable business and stakeholder information, and prevent potential cybersecurity threats.
In this article, we break down 5 cybersecurity ways to combat the most common cyberattacks and increase cybersecurity awareness in your organization.
1. USE EMAIL WITH CAUTION
Email usage is the most common method of communication within organizations. Work emails are used to share work-related information with internal and external users. Users should use emails with caution, by keeping in mind that whatever is shared via email is permanent. As stated in ISO/IEC 27032, a guideline standard on cybersecurity, cyberattacks can come from inside and outside of the private network of an organization. It is a common practice of threat actors to send emails containing malware or phishing scams to users to gain access to an organization’s critical information.
Organizations should train their users to identify and avoid suspicious emails. This can be done by implementing policies and procedures on the acceptable use of work emails. ISO/IEC 27001, a requirement standard on information security, has a control (A.8.1.3) that requires the establishment of rules for acceptable use of information and of assets associated with information and information systems. Considering the users have access to different types of information (e.g. confidential, proprietary, financial) which can be shared easily via email, organizations should establish and implement appropriate rules to prevent any loss of information.
2. USE OF MULTIFACTOR AUTHENTICATION
Multi-factor authentication is a security system that verifies user identity by requiring multiple credentials. Except from the basic credentials such a username and password, this system requires additional credentials such as a code from the smartphone, the answer to a security question, confirmation of an icon, a fingerprint or facial recognition. Why multifactor authentication is crucial for organizations? Organizations may have multiple user accounts for different information systems. For example, an employee may have user accounts for opening a laptop and using an application. In order to prevent password cracking and guessing attacks, different multifactor authentication should be created for each user account.
In the ISO/IEC 27032, multifactor authentication is referred to as ‘strong authentication’. The Standard mandates using strong authentication when it comes to personal or corporate sensitive information contained in online applications, as part of login authentication, and/or when critical transactions are being executed. As a technical control, multifactor authentication can strengthen the organization’s security against social engineering attacks, and ensure compliance with applicable laws and regulations on data protection.
Social engineering has become a growing trend when it comes to internet frauds. Social engineering is manipulation of individuals through internet scams to gain confidential information or funds. The most common social engineering attacks are phishing, pretexting, tailgating, quid pro quo, email hacking, vishing, honey trap and so on. On the other hand, the data protection landscape is constantly changing with the increasing need to protect personal information from cyberattacks. Since GDPR came into effect in 2018, many countries have and are developing their national legal frameworks on data protection.
3. SECURE THE NETWORK(S)
Besides information security, internet security and critical information infrastructure protection (CIIP), cybersecurity also includes another security domain known as network security. Network within organizations is used as a means of sharing data between two or more devices via physical or wireless connections. Given the increasing reliance on technology, network security is another aspect that has become very important for organizations in protecting their critical information.
ISO/IEC 27032 defines network security as the process concerned with the design, implementation and operations of networks for achieving the purposes of information security on network within organizations, between organizations, and between organizations and users. As previously mentioned, cyber-attacks can be launched from the inside of the private network (local area network) and from outside the private network (internet). To ensure the protection of information in networks, ISO/IEC 27001 provides a set of controls (A.13.1) on the management and control of networks, security of network services and segregation of networks.
One of the most common attacks to network security infrastructure are Man in the Middle (MiM)attacks. MiM attack is where a user gets between the sender and receiver of information and eavesdrops any information being exchanged. Usually, the attacker impersonates both parties and gains access to information that the parties were trying to send to each other. Most commonly this type of attack involves distributing malware that provides the attacker with access to a user’s web browser and data exchanged during the communication or transactions.
Organizations may implement physical and operational measures to ensure protection of network(s). In order to provide additional security, it is recommended to use a VPN (virtual private network) to secure the online presence of users. A VPN is encrypted connection that provides a secure connection, especially for organizations working in different locations. VPN connection can be implemented among personnel within and outside the organization. How VPN connection works? VPN covers the identity of a system or device user and encrypts data over the internet. VPN connection hides user browsing history, IP address and location, systems and devices.
4. INSTALL ANTI-VIRUS SOFTWARE
Another way to secure the network(s) of an organization is to install one or more anti-virus software. An anti-virus software is a program or set of programs that are designed to detect, prevent and remove any type of malware (e.g. viruses, worms, Trojan Horse, rootkit, spyware, adware, ransomware) and social engineering attacks. The purpose of anti-virus software is to protect data being shared over the network. It protects computer systems and devices from any potential threat, by flagging suspicious events, and blocking or removing identified malware.
ISO/IEC 27032 mandates the implementation of appropriate anti-virus and anti-spyware safeguards. Organizations are recommended to purchase or download software, browsers or applications from a trusted vendor. Most of these tools have pop-up blockers, which prevent malicious websites from displaying pop-up windows that contain malware. There is a social engineering attack that tricks users to download and install a false anti-virus software on systems known as rogue software.
Rogue software is a type of program that pretends to detect and remove malware from a computer system or other devices for a particular fee. Rogue software show fake detections and warnings for potential malware in a computer, laptop or mobile device. An example of such software are called scareware, which look like legitimate antivirus programs. They appear constantly on the screen indicating that a computer, laptop or mobile device has a wide range of detected threats that should be removed immediately.
5. BACK UP DATA
How is backup related to cybersecurity? Imagine a scenario where your organization has been hacked and the hacker is threating to expose your corporate sensitive information in exchange for a certain amount of money. Beyond destroying and stealing data, some hackers are motivated by money. Compromised or lost data can lead to disruption of business operations, loss of revenues, loss of trust, bad reputation, and non-compliance fines. Having a backup system in place can prevent system crushes, cyber-attacks, social engineering attacks, physical damages and data thefts. Therefore, backup should be embedded in the organization’s cybersecurity plan to avoid similar situations.
Organizations may use different methods for backing up data, depending on the advantages and disadvantages of each. There are two types of backups, known as local and cloud backups. Local backups refer to the method used to back up data by using a hard drive, flash drive, disk, magnetic tape drivers or external hard drives. This method of backing up data can be done without internet connection at all. However, local backups can occupy most of the on-site storage, and can be damaged by natural disasters. Cloud backups are quite the opposite of local backups, as they provide easy upload of data in the storage, are not vulnerable to physical damage and are more cost-effective as the business grows. Nowadays, organizations use different cloud storage services offered by Dropbox, Google Drive, OneDrive, Amazon Drive and other legit service providers.
ISO/IEC 27032 mandates organizations to include adequate backups for the software and hardware, as part of a cryptographic system, implemented for sharing purposes and emergency recovery needs.
Operations Supervisor, TRECCERT
Marigona Krasniqi is the Operations Supervisor of TRECCERT. In this role, she is responsible for managing the accreditation process, optimizing the operating capabilities and employing strategies to ensure customer satisfaction. Highly adept at startups transformation and business growth, Marigona enjoys the challenge of a complex work environment, by deploying strategic plans to support business objectives, enhance operational processes and ensure compliance with the accreditation standards.