Nobody has to be defenseless against cyber attacks. All you need is a comprehensive security system. But what makes your system secure? Claudia Eckert, IT security expert from the Fraunhofer Institute for Applied and Integrated Security (AISEC), shares her knowledge.
Companies need to have complete control over their security system. If they do not, they risk cyber attacks that could mean a significant loss of revenue, as well as damage their image and reputation, and might even put them out of business. Though such incidents will probably never be completely avoidable, there are things you can do to make your company more secure, such as implementing a system of safety nets.
Security expert Eckert shared some advice:
1. Do not think of technology first
Find out what you need to protect, and how probable a successful cyber attack is. Every company has individual products, patents, and business innovations that make them stand out in the market. Where does your company store that information? Which processes and systems are involved? Until you can answer these questions, you will not be able to find the security strategy you need or run a detailed analysis on the current security situation.
2. Establish a detailed emergency plan
Employees and entire departments must all know exactly what to do if malware penetrates the system. All the steps for dealing with it should be documented in an emergency handbook. Having an agreed security plan in place is the best prevention against desperate actions like pulling the plug, which is unlikely to help.
3. Make your administrators familiar with hacking tools
To defend yourself from attacks, you need to know your enemies and their strategies well. Hackers are smart. Since they know that many virus scanners are only as good as their last update, they use advanced persistent threats, which attack, then lie low, only to launch another attack later. “They adapt to our defenses,” says Eckert. You need to know these methods to defend yourself against them successfully.
4. Control the use of mobile devices
Restrict the use of mobile devices so that they cannot access encrypted mails and internal servers. “Zone concepts” or “sandboxes” are good examples of ways for smartphones and tablets to be used safely. But there is a problem: most private smartphones and tablets are not integrated into the company’s processes, do not receive updates, and thus run outside of the company’s security network. This makes every employee with such a device a security hazard.
5. Clean up identity management
Set clear rules for authorization, train your employees regularly, and make sure they know how to handle access credentials securely. All of this is essential for sound identity management.
6. Have good password practices
You can have the best identity management in the world, but it will be useless if your employees use one password for everything, or write passwords on post-its. Do not rely on your employees’ sense of security. Control their password choices.
7. Raise awareness through training courses
Employees are often victims of social engineering attacks or fall for phishing e-mail traps. Make sure your employees know about the most important attack methods so they are more careful about opening e-mails with attachments seemingly sent by a friend.
8. Establish a central monitoring process for security systems and identify threats in real time
No security plan can protect against all eventualities. There will always be incidents. The important thing is that when something does happen, you can react quickly, identify the affected devices, and isolate them before the malware spreads through the company.
9. Entrust your IT security to external services
Through Security as a Service, small and midsize companies can obtain all of these capabilities from the cloud. The extreme complexity of data security often leads to companies “spending a lot of money for measures that don’t work,” Eckert explains. Or they only invest in “very specific measures” whenever they happen to have money for it. This is not a long-term solution.
10. Check your customers’ and suppliers’ security measures
Extend your strategy to suppliers and partners. What use is the best security system if the IT systems of your partners are not secure? Or if the communication systems you use to send information back and forth are not properly encrypted?
Claudia Eckert is the director of the Fraunhofer Institute for Applied and Integrated Security (AISEC) and the head of IT Security at the Technische Universität München. The 56-year-old has been doing research on network security since her doctorate in 1993.