
Creating a Culture of Cyber security at Work

1. Establish a Bring Your Own Device – Mobile Workforce Policy

Many companies let employees use their personal phones to conduct business. This raises productivity and efficiency, but it also exposes the business: a compromised phone can be used as a foothold into the corporate network. A BYOD policy sets out which devices may be used, what they must have in place (screen lock, device encryption, current operating system updates) and how company data may be handled on them, and it educates employees on the use of mobile technology and how to mitigate the risk of an attack.

2. Create an Incident Response Strategy

An incident response strategy lets your business prepare for an attack before it happens. You can never be sure you are 100% secure, so it is always best to have a plan in case you become the victim of a cyber-attack. With a plan in place you can respond quickly enough to limit the attacker's access to sensitive data, and you know in advance how and when to notify customers, regulators or the press should the attack turn out to be larger than expected. You should also name one person responsible for owning and exercising the plan.

3. Password Training for Employees

All employees should be trained on the use of passwords. Examples of such training would include:

  • Making sure employees do not write passwords down where they can be stolen.
  • Ensuring employees do not share passwords at all; a password sent over chat or email, even on an encrypted channel, is still a password two people know. Where a shared account cannot be avoided, share it through the company password manager.
  • Having employees create strong passwords and use a company password manager.
  • Making sure employees do not re-use passwords across company applications, or between personal and company use.

4. Make Sure Employees Look for the S in HTTPS When Browsing the Web

Employees will, from time to time, use the corporate IT network to visit websites or sign up for services, either for personal use or for the company. Before submitting any information, they should look for the padlock and https:// in the address bar. If the site is unprotected, or the browser warns about the certificate, they should not enter any information.

Note: It is also important to educate employees about phishing websites (see tips 5 and 7). The padlock only means the connection is encrypted; it says nothing about who runs the site. Phishing sites routinely obtain Domain Validated (DV) SSL/TLS certificates, which prove nothing more than control of a domain name, to look more “real” and “trustworthy”. Employees should also check that the domain itself is the one they expect.

5. Enable Secure Email Communication and Training to Mitigate Risk of Phishing Attacks

Email continues to be a weak point in cyber security, with data loss or breach and phishing attacks being two of the bigger threats. Look for an email security solution that encrypts messages in transit and at rest and that verifies message origin, so employees can easily spot spoofed emails and not fall for phishing. Ease of use for end users is another important factor to consider; a control that people work around protects nobody.

6. Encourage Senior Leadership to Spearhead Cyber security Culture

As with any company-wide change, senior leadership should be the first to take the change on board. If leadership is seen to follow it, the rest of the company will follow.

7. Generate Phishing Simulation Tests to Keep Staff Alert – Gamify to Improve Engagement

Conduct phishing simulation tests in your company to measure employees' awareness. Run them before and after training so you can measure the improvement your employees are making, and publish team results or rewards to keep staff engaged.

Combating Cybercrime

8. Form an Incident Response Team

While one person should always be in charge of making sure the incident response plan is followed, that person needs a team to follow through quickly: for example, a PR person to release communications and a sales or account person to speak to customers. Depending on the size of your organization and the scale of the attack, make sure the right people are managing the response.

9. Conduct an Insider Threat Analysis

An insider threat analysis uncovers potential threats to your IT infrastructure that come from within your organization: current and former employees, contractors, vendors, third-party data suppliers and business associates, including anyone whose access was never revoked when they left.

10. Create a Quick Response Guideline

Ensure you have preparations in place to respond quickly and efficiently when faced with a cyber-attack. Communicate this plan to the rest of your organization and put someone in charge of ensuring it is carried out.

11. Outline a Plan for External Communication

GDPR requires you to notify the appropriate supervisory authority when you become aware of a personal data breach, without undue delay and where feasible within 72 hours, unless the breach is unlikely to result in a risk to individuals. The supervisory authority is the data protection authority of the EU member state in which you are established. You should also plan communications to anyone affected by the breach, including customers, contractors and employees; GDPR requires notifying affected individuals when the breach is likely to result in a high risk to them.

12. Communicate Incident Response to Employees

Keeping employees aware of the response plan, and informed about the types of incident that can occur and how the organization responds, reminds them of their responsibility to maintain confidentiality and minimizes the risk of information leaking to outside sources during an incident.

13. Learn From Past Mistakes

After any breach and incident response, once you are sure the attacker has been evicted and normal operation has resumed, conduct a review. The review lets you go over how the incident response plan performed and decide whether it needs adjusting based on the mistakes made this time around. You will also communicate to IT the changes to operations or communications needed to ensure the same vulnerabilities are not exploited again.

14. Always Assume There Is a Vulnerability – You Are Never 100% Safe

Investing time and money in a cyber security strategy does not guarantee the safety of your systems. There is always a new vulnerability to find, a flaw in the network or a new staff member to exploit. Always assume there is a way for attackers to get in, and design your controls so that a single failure does not hand them everything.

The Future of Cyber security and Strategies for Safety and Privacy

15. Make Sure Your IT Infrastructure Is Cyber-Insured

Standard insurance policies do not normally cover the loss of data; this is where cyber-insurance comes in. Check that the policy also covers business interruption should you experience downtime, the third-party data you may be holding, and the costs of regulatory compliance and breach notification.

16. Give Every 'Thing' (Devices, Sensors, Systems etc.) an Identity

As companies develop faster, more efficient and more productive systems, they connect multiple devices and sensors that share data; this is called an IoT infrastructure. Within this infrastructure, every “thing” needs an identity. With a unique, strong device identity (its own key or certificate, never a secret shared across the fleet), things can authenticate when they come online and establish secure, encrypted communication with other devices, services and users. A single credential shared by every device means one compromised device can impersonate all the others.
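The authentication described above, as an added example that is not code from the original article: each device is enrolled with its own secret, the server challenges a device coming online with a single-use nonce, and only the holder of that device's key can answer. The device names, the `DeviceRegistry` class and the message format are assumptions made for this example; HMAC is used so it runs on the Python standard library alone, whereas a production fleet would carry per-device certificates and use mutual TLS.

```python
"""Per-device identity with single-use challenge-response (added example).

Not from the original article. Assumes each 'thing' is provisioned with its own
32-byte secret at enrolment and that the server keeps a registry of
device_id -> secret; all names are hypothetical. In production prefer a
per-device certificate and mutual TLS, so the server never holds a secret that
could itself impersonate a device.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def compute_response(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device side: prove possession of the key without ever sending it."""
    msg = b"device-auth-v1|" + device_id.encode("utf-8") + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class DeviceRegistry:
    """Server side: enrolled identities plus the nonces currently outstanding."""

    def __init__(self, nonce_ttl: float = 60.0) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[bytes, Tuple[str, float]] = {}  # nonce -> (device_id, expiry)
        self._nonce_ttl = nonce_ttl

    def enrol(self, device_id: str) -> bytes:
        """Create a unique key for a device; returned once, at provisioning time."""
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return key

    def challenge(self, device_id: str, now: float) -> Optional[bytes]:
        """Issue a fresh nonce to an enrolled device that is coming online."""
        if device_id not in self._keys:
            return None  # unknown identity: nothing to authenticate against
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (device_id, now + self._nonce_ttl)
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes, now: float) -> bool:
        """Accept a response only once, only before expiry, only for the right key."""
        entry = self._pending.pop(nonce, None)  # pop: a replayed nonce is rejected
        if entry is None:
            return False
        expected_id, expiry = entry
        if expected_id != device_id or now > expiry:
            return False
        expected = compute_response(self._keys[device_id], device_id, nonce)
        return hmac.compare_digest(expected, response)


def run_demo() -> Dict[str, object]:
    """Walk through the normal case and the failure modes a deployment must handle."""
    registry = DeviceRegistry(nonce_ttl=60.0)
    key_a = registry.enrol("sensor-a")  # hypothetical device names
    key_b = registry.enrol("sensor-b")
    results: Dict[str, object] = {}

    # 1. Legitimate device answers its own challenge.
    nonce = registry.challenge("sensor-a", now=1000.0)
    resp = compute_response(key_a, "sensor-a", nonce)
    results["legit"] = registry.verify("sensor-a", nonce, resp, now=1001.0)

    # 2. Replaying the captured nonce/response pair fails: the nonce is consumed.
    results["replay"] = registry.verify("sensor-a", nonce, resp, now=1002.0)

    # 3. Another device's (unique) key cannot impersonate sensor-a.
    nonce = registry.challenge("sensor-a", now=1000.0)
    forged = compute_response(key_b, "sensor-a", nonce)
    results["wrong_key"] = registry.verify("sensor-a", nonce, forged, now=1001.0)

    # 4. An unenrolled device gets no challenge at all.
    results["unknown"] = registry.challenge("rogue-device", now=1000.0)

    # 5. A stale challenge is rejected even with the right key.
    nonce = registry.challenge("sensor-a", now=1000.0)
    resp = compute_response(key_a, "sensor-a", nonce)
    results["expired"] = registry.verify("sensor-a", nonce, resp, now=2000.0)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:10s} -> {outcome}")
```

The point of cases 3 and 4 is the one the tip makes: because each device has its own key, compromising sensor-b yields nothing that works as sensor-a, and a device nobody enrolled cannot even start the exchange.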

17. Ensure All Systems Are Only Accessible through STRONG Authentication

In the same way that you ensure your most important data is only accessible through ‘strong’ authentication (see tip 3 above), make sure that every critical piece of business infrastructure is also only accessible through ‘strong’ authentication, which in practice means multi-factor authentication rather than a password alone. A bank requires several independent controls before the vault opens; it works the same online. Another aspect to consider is role-based access control: limit access to critical systems to the privileged users whose role actually requires it, and to nobody else.
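One way to implement both halves of that tip, added here as an example and not code from the original article: a time-based one-time password (TOTP) as the second factor, checked with a small clock-skew window and never accepted twice, gated behind a role matrix that says which roles may reach which critical systems. The `hotp`/`totp` functions follow RFC 4226 and RFC 6238 as authenticator apps do; the user names, roles, system names and the `MfaVerifier`/`authorize` names are assumptions made for this example, and the secret is the published RFC test key.

```python
"""Strong authentication: TOTP second factor plus role-based gating (added example).

Not from the original article. The one-time-password arithmetic follows
RFC 4226 (HOTP) and RFC 6238 (TOTP); users, roles and system names are
hypothetical, and RFC_TEST_SECRET is the shared secret from the RFCs' test
vectors (never use it for real).
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Iterable, Optional, Set

RFC_TEST_SECRET = b"12345678901234567890"

# Hypothetical role matrix: which roles may reach which critical systems.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "finance": {"payroll"},
    "it-admin": {"payroll", "domain-controller", "backup-server"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(for_time) // step, digits)


class MfaVerifier:
    """Checks a submitted code within +/- window steps, and accepts each step once."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6) -> None:
        self.step, self.window, self.digits = step, window, digits
        self._last_counter: Dict[str, int] = {}  # user -> highest counter accepted

    def verify(self, user: str, secret: bytes, code: str, now: Optional[float] = None) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False  # never let a short submission shrink the search space
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter.get(user, -1):
                continue  # step already used: a sniffed code cannot be replayed
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_counter[user] = candidate
                return True
        return False


def authorize(verifier: MfaVerifier, user: str, roles: Iterable[str], secret: bytes,
              code: str, system: str, now: Optional[float] = None) -> bool:
    """Grant access only if some role permits the system AND the second factor verifies."""
    if not any(system in ROLE_ACCESS.get(role, set()) for role in roles):
        return False  # role check first: an unauthorized user cannot even burn a code
    return verifier.verify(user, secret, code, now)


def run_demo() -> Dict[str, object]:
    """Exercise the RFC vectors, a replay, a role denial and a wrong code."""
    v = MfaVerifier(step=30, window=1, digits=6)
    s = RFC_TEST_SECRET
    out: Dict[str, object] = {}
    out["rfc_hotp_1"] = hotp(s, 1)                       # RFC 4226 vector
    out["rfc_totp_59"] = totp(s, 59, digits=8)           # RFC 6238 vector
    code = totp(s, 59)
    out["finance_payroll"] = authorize(v, "alice", ["finance"], s, code, "payroll", now=59)
    out["replay"] = authorize(v, "alice", ["finance"], s, code, "payroll", now=59)
    fresh = totp(s, 60)
    out["finance_dc"] = authorize(v, "alice", ["finance"], s, fresh, "domain-controller", now=60)
    out["admin_dc"] = authorize(v, "bob", ["it-admin"], s, fresh, "domain-controller", now=60)
    out["wrong_code"] = authorize(v, "alice", ["finance"], s, "000000", "payroll", now=90)
    return out


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:16s} -> {outcome}")
```

Two design points are worth noting: the verifier remembers the last accepted time step per user, so a code captured by a phishing page cannot be reused within the skew window; and the role check runs before the factor check, so possession of a valid code is never sufficient on its own.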

18. Employ a Hacker

There are plenty of hackers around the world who have no interest in stealing your data and selling it online; they want to help. These are known as ‘white hat’ hackers (penetration testers and security researchers who attack systems only with the owner's written permission), and every organization should have access to one to combat the ‘black hat’ hackers. You can only fight fire with fire, they say.

19. Start Managing the Flow of Data Now

As technology improves, our data becomes increasingly complex. To keep data well managed and avoid theft, you should know what data moves around your organization, and how it moves from its source to its final destination or user.

20. Leverage the Cloud

The cloud is a useful tool, especially for small and medium enterprises that want to hand the protection of the underlying platform to a larger company. Make sure you have all the facts before signing up with a cloud provider: where its datacenters are, and everywhere your information might be stored or accessed from. Remember that the provider secures the platform; the configuration of your accounts, your access controls and your data remain your responsibility.

Building Resilience in Critical Systems

21. Ensure Your Network Is Segmented So Access to One System Does Not Allow Access to Another

Your corporate IT network should not all be reachable from a single point, even if that point sits behind ‘strong’ authentication. If you separate your networks, an attacker who gains access to one segment cannot control everything. Separate systems by how critical they are to your business, and put the strongest security (and the tightest firewall rules between segments) on the most critical networks.

22. Keep on Top of the Latest Regulations in Your Industry

In most industries there is already a set of standards and best practices you will need to comply with to have a basic cyber security implementation. Examples are the NIST Cybersecurity Framework (widely adopted in the energy sector, though it applies to any industry), the Framework for Automotive Cybersecurity Best Practices for the automobile industry, and PCI DSS for anyone handling payment card data. Keep on top of new regulation so that you avoid fines and, more importantly, close the gaps those regulations exist to address.

23. Continue Research into New Technologies and Vendors

Our final piece of advice is to keep up to date with the latest security best practices, service providers, vendors and technologies. Be prepared to update software promptly and to adopt new tools and technologies that keep your infrastructure safe online.


How to deal with Child Pornography (CP) / Child Sexual Abuse Material (CSAM) or sexually explicit material in the workplace?

All organizations should have clear and strong HR policies on how to deal with Child Pornography (CP) / Child Sexual Abuse Material (CSAM) or sexually explicit material.

Organizations should have clear rules for the use of electronic devices provided by the organization.

If any employee is found possessing obscene or indecent content, a proper investigation should be conducted and action taken against them.

The organization should report any incident of sharing or storage of obscene content within the organization to the police. One copy of the content should be preserved as evidence, with access restricted to those handling the case.

All other copies of the content should be deleted.

They can also report through National Cyber Crime Reporting Portal (www.cybercrime.gov.in).

Publication, Collection and Distribution of Child Pornography (CP)/Child Sexual Abuse Material (CSAM) or sexually explicit material is illegal

Sections 67 and 67A of the Information Technology Act, 2000 make the publication and distribution of any material containing sexually explicit acts or conduct in electronic form a punishable offence.

Section 67B of the IT Act criminalizes browsing, downloading, creating, publishing and distributing child pornography.

References:

  1. https://www.globalsign.com/en/blog/cybersecurity-tips-for-business/
  2. https://www.cybercrime.gov.in/Webform/Crime_OnlineSafetyTips.aspx
