Can Cyber Attacks & Data Leaks be prevented?
In recent years, Pakistani companies, government departments, and politicians have been subject to countless cyber-attacks and data leaks. Cyber-attacks are more common than we think; they are happening all the time. But have we ever wondered whether they can be controlled or prevented? The risk of a cyber-attack can be reduced but never fully eliminated. Having a cyber security program is still uncommon in organizations in Pakistan, yet the consequences of a data breach can be severe. A majority of the small businesses that suffer a data breach close down within two years, so the issue needs to be treated extremely seriously. Many of the recent breaches and attacks could have been avoided by adhering to a few fundamental cybersecurity principles. So, if you want to strengthen the security posture of your firm, these are the recommendations I can provide based on my expertise in this area.

Make a security policy if your company does not already have one. This document contains the rules that help you keep your data secure. The policy should set out an overall approach to maintaining the three pillars of information security: confidentiality, integrity, and availability. It usually explains what the security goals of your organization are. It is a high-level document and does not spell out detailed procedures and rules; for that level of detail, we have standards, procedures, and guidelines. For example, if the policy states that data classified as “secret” must be encrypted, the standard specifies which encryption to use (the algorithm and key length), the procedure explains step by step how to encrypt that data, and the guidelines are recommended but optional practices. One of the most important things to include in your policy is a proper asset management plan.
Without knowing what your assets are, you cannot protect them. Having a security policy signals the importance of security within the organization, and it must be endorsed by top management. The document should be written clearly and concisely, and it must be usable and enforceable through security controls. The policy should be reviewed regularly, and any modifications should be properly versioned and shared with employees.

Humans are considered the weakest link in information security, but they can be trained and made aware of the risks. To develop a good security awareness program you have to understand your organization and its structure well, and know its people, culture, and habits. Learn the objectives and goals of each department. Support from top management is a success factor in making the training program effective, and there should be a budget allocated to it. Rather than relying on the traditional way of training, employers these days are trying new techniques such as gamification and phishing simulations. Another factor that plays a major role is frequent communication with your employees. I was recently reading a research paper which proves that employers who train or communicate with their employees more frequently about information security get a positive outcome and reduce the risks to the organization. Most organizations these days give new employees security training as part of their onboarding procedure. This is very good practice, as it makes sure new employees know the “do's” and “don'ts” when they join your team. Most people are not even aware that simply clicking a link or opening an attachment in an email can compromise their device and hand full control of it to an attacker without their knowledge.
You can train your employees to check whether the email they are opening really comes from the sender it claims to (look at the actual sender address, not just the display name, and hover over a link to see where it really points), and NOT to click on a link or open an attachment if the email is from an unknown source. Another thing a lot of people neglect is upgrading their devices when a new OS version becomes available. You must keep your devices up to date as soon as a patch or update is released for the operating system or the applications you use, because attackers also know that a fix has been made public and will try to exploit the vulnerability on devices that have not yet applied it. Similarly, using strong, complex passwords together with multifactor authentication (MFA) reduces the risk of an account takeover; MFA is one of the strongest ways to keep your accounts secure. When installing a new application, make sure it comes from an official source, because an unauthorized application might track your phone activity and let an attacker into your device. So be very careful about what you install. Furthermore, messaging apps are in common use these days; if you communicate through one, make sure it uses end-to-end encryption, so that messages are protected in transit and cannot be read by anyone other than the intended recipient. In addition, a simple remedy is to keep your personal and business phones separate.

For the security awareness training, make sure the content is of high quality and engaging. To make it more effective, you can run customized training for each department so that staff can relate it to their roles and responsibilities. Last but not least, make sure your program has measurable goals. The number of people taking part in the awareness training is one Key Performance Indicator, but you can measure effectiveness more meaningfully by tracking outcomes, such as the fall in the click rate across successive phishing simulations.
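The manual checks described above (does the real sender address match the display name, does a link go where its text says, is the attachment a file type that runs when opened) can also be automated as a first-line filter. The following is an added example, not code from the original article, written in Python using only the standard library. The TRUSTED_DOMAINS set, the RISKY_EXTENSIONS list and the two sample messages are constructed for illustration and are assumptions; replace them with your own sending domains and policy.

```python
"""Heuristic phishing-indicator checks on a raw e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains your organization legitimately sends mail from.
TRUSTED_DOMAINS = {"example.com"}
# Assumed policy: attachment types that execute when double-clicked.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".html")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name; a crude stand-in for the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable warnings for a raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw_message)
    warnings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(from_addr.rpartition("@")[2])

    # 1. Sender domain is close to, but not the same as, a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 2:
            warnings.append(f"sender domain {from_domain!r} looks like {trusted!r}")

    # 2. Display name claims a trusted domain the mail was not sent from.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in display_name.lower():
                warnings.append(f"display name {display_name!r} impersonates {trusted!r}")

    # 3. Reply-To silently routes answers to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = registrable(reply_addr.rpartition("@")[2])
        if reply_domain != from_domain:
            warnings.append(f"Reply-To domain {reply_domain!r} differs from {from_domain!r}")

    # 4. Executable attachments, and 5. links whose text names one domain
    #    while the href actually points somewhere else.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"attachment {filename!r} has an executable file type")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                href_host = registrable(urlparse(href).hostname or "")
                shown = re.search(r"([\w-]+\.)+[a-z]{2,}", text.lower())
                if shown and registrable(shown.group(0)) != href_host:
                    warnings.append(f"link text {text!r} but href goes to {href_host!r}")
    return warnings


# Constructed sample messages (not real mail): one phish, one legitimate notice.
SAMPLE_PHISH = """\
From: "Example.com IT Support" <helpdesk@examp1e.com>
Reply-To: collect@mailbox-reset.net
To: staff@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Reset it at
<a href="http://portal-reset.net/login">https://portal.example.com/reset</a></p>
"""

SAMPLE_LEGIT = """\
From: "Payroll" <payroll@example.com>
To: staff@example.com
Subject: Payslip available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your payslip is ready: <a href="https://portal.example.com/payslip">portal.example.com</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

Run against the constructed phish it reports four indicators (look-alike domain, impersonating display name, mismatched Reply-To, mismatched link), and none for the legitimate notice. These heuristics are deliberately simple and will miss plenty; they illustrate what to teach people to look for, not a replacement for a mail gateway with SPF, DKIM and DMARC checks.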
There are many more ways to make your company more secure, but they all must begin with establishing a strong security policy and a well-designed security awareness program.

The writer is a cyber security expert based in Beijing, China.