Ten Steps Businesses Should Take To Protect Against Cyber Crime
So far in this series, we’ve discussed the state of cyber crime, the increasing threat it poses, and global efforts to combat it. In this third and final installment, I write about what organisations can do to better protect themselves from cyber crime.
As more of our lives migrate online, threats to our virtual world translate very quickly and easily into threats to our real world. Especially for businesses.
According to a 2014 report from the Washington, DC-based Center for Strategic and International Studies, incidents of cyber crime in the previous year affected more than 40 million people in the US, 54 million in Turkey, 20 million in Korea, 16 million in Germany, and more than 20 million in China. There is also evidence to suggest that they are growing in scale.
In June 2015, the UK government published a survey in which it placed the average cost of each breach at between £1.46 million and £3.14 million ($US2.1 million-$US4.52 million) in large organizations and £75,000 and £311,000 ($US108,000-$US448,000) in smaller ones. That’s up more than three-fold on the previous year’s figures.
The UK government recommends that businesses take the following ten steps to protect themselves against cyber crime. The advice is equally valid in the US and elsewhere.
1. Define and Communicate
Assess the risks to your organization's information assets with the same vigor as you would for legal, regulatory, financial, or operational risk. To achieve this, embed an information risk management regime across your organisation, enlist the support of your board, and communicate your risk management policy across your organisation.
2. Think Secure
Manage the configuration and use of your information and communication systems. Remove or disable unnecessary functionality, and keep everything patched against known vulnerabilities.
3. Protect Your Networks
Connecting to untrusted networks exposes your organisation to cyber attacks. Follow recognised network design principles when configuring perimeter and internal network segments. Filter all traffic at the network perimeter so that only traffic required to support your business is allowed. Monitor traffic for unusual activity.
4. Manage User Privileges
Users of your information and communication systems should only be provided with the privileges that they need to do their job. Control the number of privileged accounts for roles such as system or database administrators, and ensure this type of account is not used for high risk or day-to-day user activities.
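The two checks this step calls for (privileges beyond what a role needs, and privileged accounts used for everyday work) can be audited from an account inventory and an activity log. The following is an added example written for this article, not code from the UK government's guidance; the role names, privilege names, account list and log format are all constructed for illustration.

```python
"""Least-privilege audit: privileges beyond a role's need, and admin accounts used for day-to-day work."""

# Hypothetical role policy (constructed): the privileges each role needs to do its job.
ROLE_PRIVILEGES = {
    "developer": {"repo_write", "ci_run"},
    "dba": {"db_admin", "db_backup"},
    "sysadmin": {"host_root", "user_manage"},
    "analyst": {"report_read"},
}

# Privileges that make an account "privileged" for the purposes of the count (constructed).
PRIVILEGED = {"db_admin", "host_root", "user_manage"}

# Ordinary user activities that should never run under a privileged account (constructed).
DAY_TO_DAY = {"email", "web_browsing", "document_edit"}

# Constructed account inventory: account -> (role, privileges actually granted).
ACCOUNTS = {
    "alice": ("developer", {"repo_write", "ci_run"}),
    "bob": ("developer", {"repo_write", "ci_run", "host_root"}),  # holds more than the role needs
    "carol-adm": ("dba", {"db_admin", "db_backup"}),
    "dave-adm": ("sysadmin", {"host_root", "user_manage"}),
    "erin": ("analyst", {"report_read", "db_admin"}),  # holds more than the role needs
}

# Constructed activity log lines in a hypothetical "<timestamp> account=<name> activity=<kind>" format.
ACTIVITY_LOG = """\
2015-06-10T08:55:00Z account=alice activity=email
2015-06-10T09:02:00Z account=carol-adm activity=db_admin
2015-06-10T09:05:00Z account=carol-adm activity=web_browsing
2015-06-10T09:07:00Z account=dave-adm activity=user_manage
2015-06-10T09:30:00Z account=bob activity=document_edit
2015-06-10T10:00:00Z account=dave-adm activity=email
"""


def excess_privileges(accounts=ACCOUNTS, policy=ROLE_PRIVILEGES):
    """Return account -> sorted list of privileges granted beyond what its role needs."""
    findings = {}
    for name, (role, granted) in accounts.items():
        extra = granted - policy.get(role, set())
        if extra:
            findings[name] = sorted(extra)
    return findings


def privileged_accounts(accounts=ACCOUNTS):
    """Sorted names of every account holding at least one privileged right."""
    return sorted(name for name, (_role, granted) in accounts.items() if granted & PRIVILEGED)


def parse_activity(text):
    """Parse the constructed log format into (timestamp, account, activity) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append((ts, fields["account"], fields["activity"]))
    return events


def privileged_daily_use(text=ACTIVITY_LOG, accounts=ACCOUNTS):
    """Events where a privileged account performed an ordinary day-to-day activity."""
    priv = set(privileged_accounts(accounts))
    return [(ts, acct, act) for ts, acct, act in parse_activity(text)
            if acct in priv and act in DAY_TO_DAY]


if __name__ == "__main__":
    print("excess privileges:", excess_privileges())
    print("privileged accounts:", privileged_accounts())
    print("privileged accounts doing everyday work:", privileged_daily_use())
```

Running it on the constructed data reports two accounts with rights beyond their role, four privileged accounts out of five (a finding in itself, since two are privileged only through excess grants), and three events where a privileged account was used for email, browsing or document editing. In practice the inventory would come from the directory or IAM export and the activity log from the proxy, mail and endpoint logs.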
5. Educate Users
Produce user security policies that describe acceptable and secure use of your organisation’s information and communication systems. These should be formally acknowledged in employment terms and conditions. All users should receive regular training on the cyber risks they face as employees and individuals.
6. Manage Incidents
Establish an incident response and disaster recovery capability that addresses the full range of incidents that can occur. All incident management plans, including disaster recovery and business continuity, should be regularly tested. Report online crimes to the relevant law enforcement agency.
7. Protect Yourself from Malware
Produce policies that directly address the business processes (such as email, web browsing, removable media and personally owned devices) that are vulnerable to malware. Scan for malware across your organization and protect all host and client machines with antivirus solutions that will actively scan for malware.
8. Monitor
Establish a monitoring strategy and develop supporting policies, taking into account previous security incidents and attacks, and your organization's incident management policies. Continuously monitor inbound and outbound network traffic to identify unusual activity or trends that could indicate attacks and the compromise of data.
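Step 3 (allow only the traffic the business requires at the perimeter) and this step (monitor outbound traffic for unusual activity) can be checked against the same firewall flow log. The following is an added example written for this article, not code from the UK government's guidance or any firewall vendor; the allowlist of required services, the byte threshold, the beacon heuristic and the log lines are all constructed assumptions.

```python
"""Perimeter allowlist check and outbound-traffic anomaly flags over firewall flow log lines."""
from collections import defaultdict
from datetime import datetime

# Hypothetical perimeter policy (constructed): the only outbound services the business requires.
# Anything else should be denied by default, so an allowed flow outside this set is a policy gap.
ALLOWED_OUTBOUND = {
    ("tcp", 443),  # HTTPS
    ("tcp", 80),   # HTTP
    ("udp", 53),   # DNS
}
BYTES_OUT_THRESHOLD = 50_000_000  # constructed baseline: 50 MB per source per log window
BEACON_MIN_EVENTS = 4             # constructed: at least this many flows to the same destination
BEACON_JITTER_SECONDS = 5         # constructed: intervals this regular are worth a closer look

# Constructed sample log lines in a hypothetical key=value format (not from any real firewall).
SAMPLE_LOG = """\
2015-06-10T09:00:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=1200 action=allow
2015-06-10T09:00:05Z src=10.0.1.22 dst=198.51.100.4 proto=tcp dport=22 bytes_out=800 action=allow
2015-06-10T09:01:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=1100 action=allow
2015-06-10T09:02:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=1250 action=allow
2015-06-10T09:03:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=1180 action=allow
2015-06-10T09:10:00Z src=10.0.1.40 dst=192.0.2.77 proto=tcp dport=443 bytes_out=62000000 action=allow
2015-06-10T09:11:00Z src=10.0.1.22 dst=198.51.100.4 proto=tcp dport=3389 bytes_out=400 action=deny
"""


def parse_flow(line):
    """Parse one constructed log line into a dict with typed fields."""
    ts_str, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "src": f["src"], "dst": f["dst"], "proto": f["proto"],
        "dport": int(f["dport"]), "bytes_out": int(f["bytes_out"]),
        "action": f["action"],
    }


def parse_log(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def policy_gaps(flows):
    """Flows the firewall allowed even though the service is not on the required list."""
    return [f for f in flows
            if f["action"] == "allow" and (f["proto"], f["dport"]) not in ALLOWED_OUTBOUND]


def heavy_senders(flows, threshold=BYTES_OUT_THRESHOLD):
    """Sources whose allowed outbound volume exceeds the baseline threshold."""
    totals = defaultdict(int)
    for f in flows:
        if f["action"] == "allow":
            totals[f["src"]] += f["bytes_out"]
    return {src: n for src, n in totals.items() if n > threshold}


def beacon_candidates(flows, min_events=BEACON_MIN_EVENTS, jitter=BEACON_JITTER_SECONDS):
    """(src, dst, dport, mean interval) for repeated flows at near-constant intervals."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["action"] == "allow":
            by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter:
            found.append((*key, round(sum(gaps) / len(gaps))))
    return found


def analyse(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings."""
    flows = parse_log(text)
    return {
        "policy_gaps": [(f["src"], f["proto"], f["dport"]) for f in policy_gaps(flows)],
        "heavy_senders": heavy_senders(flows),
        "beacons": beacon_candidates(flows),
    }


if __name__ == "__main__":
    for check, result in analyse().items():
        print(f"{check}: {result}")
```

On the constructed log the allowlist check finds one allowed flow to a service the policy does not require (the denied RDP attempt on the last line is the policy working as intended, so it is not reported), the volume check flags one source for a single 62 MB transfer, and the interval check flags one host contacting the same destination once a minute. The regular-interval heuristic is deliberately crude: legitimate software also checks in on a schedule, so its output is a queue for an analyst to compare against a baseline, not an alert on its own.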
9. Control Removable Media
Produce removable media policies that control the use of removable media for the import and export of information. Where the use of removable media is unavoidable, limit the types of media that can be used together with the users, systems, and types of information that can be transferred. Scan all media for malware using a standalone media scanner before any data is imported into your organization’s system.
10. Develop a Home and Mobile Working Policy
Assess the risks to all types of mobile working and develop appropriate security policies. Train mobile users on the secure use of their mobile devices for locations they will be working from.