How to secure your organisation

Security experts put their heads together to answer the question 'How can enterprises secure themselves?'

Enterprises are under constant assault from hackers trying to get access to their servers, and the precious data they hold.

And those attacks comprise everything from the persistent barrage of low-level attacks, where hackers send out mass requests to websites, in effect rattling the windows and doors looking for easy ways in, through to sophisticated, targeted intrusions that are next to impossible to prevent.

The hall of shame of breached firms is an impressive list of some of the world's largest and most respected companies. Most recently, credit agency Experian had the records of 15 million T-Mobile customers stolen, but other firms to have experienced significant breaches in recent years include Sony, Target, the US Office of Personnel Management and, embarrassingly, security firm RSA.

So what can firms do to protect themselves, besides lock the doors, bar the windows and unplug everything from the internet (and go out of business)?

Computing asked the experts and put a list together of some basic tips.

1. Change your mindset

Start by paying more attention to detail, advises anti-virus and internet security firm ESET.

"Be careful about everything you encounter in the digital world. Be it an unusual work email, a link that your colleague sent you during lunch or anything that you found during a break on your social network. In case you don't know the sender or there is something dubious about the content, the best thing to do is to avoid it," writes the firm on its blog.

This would have been a useful tip for security firm RSA, which suffered an intrusion (costing the company £40m) after an employee opened a spreadsheet called '2011 Recruitment Plan.xls', sent by the hackers.

2. Use good internet security

It's best to treat the internet as the Wild West - lawless and rife with both opportunity and criminality.

On that note, Tom Gaffney, security adviser at F-Secure UK, states that 60 per cent of SMEs have suffered some form of cyber attack.

"Most common attack vectors are viruses that would be prevented by a good AV solution. Too many businesses a) put their head in the sand or b) use free solutions," says Gaffney.

"Neither delivers the protection needed. For a modest outlay, depending on the size of your organisation, you protect your company intellectual property, your customer data and if that doesn't chime home as a truth then consider the average cost of fixing such breaches for an SME is upwards of £65,000, that's a business case any MD/FD should get their head around," he adds.

3. Complete a comprehensive risk assessment

"Attackers are becoming more inventive with how they target businesses. And the variety of methods used highlights that there is huge room for improvement from organisations in all areas, from education to technology," says David Kennerley, head of threat research in EMEA at Webroot. Kennerley singles out risk assessments as his top tip for businesses looking to improve security.

And F-Secure's Gaffney agrees. "If you manage customer data and/or financial transactions, you need to know where the risks to your organisation lie. Many organisations would prefer to remain in ignorance of the situation or think it is too costly and complex to address.

"Security audits should not be out of the pocket of even the smallest business. The government is even trying to help, SMEs should check out the government voucher scheme, but hurry as it ends soon. If you miss this offer then keep an eye on similar initiatives. Do yourself a favour and talk to any of the companies that could help," he says.

4. Don't panic!

It was good advice for Arthur Dent, and it's good advice for today's enterprises.

"You realised that you made a mistake and surfed a malicious site? Take a deep breath, think rationally, and if you aren't sure what to do, ask some of your more experienced colleagues or IT support for help," advises ESET.

"If nobody is around, don't rush to find the solution. It is better to let the content idle, than hurry and make more mistakes on the way," the firm adds.

5. Educate and inform your staff

"Most security breaches start with a staff member doing something they shouldn't," says Gaffney.

"You can't blame people for making mistakes, not all are security experts. However, simple education can raise awareness of where risks lie. Strong passwords, treat customer and business data like your own personal banking/health records, get people to think security and safety as part of their mindset. If you don't know how, search the internet and you'll find many simple rules on how to train and how to keep safe. Hey, ask your AV vendor to help!" he concludes.

Webroot's Kennerley advises firms to roll out security training and make everyone within the business responsible for the security of its assets.

"Everyone needs to fully understand the next steps when a threat is detected, and responsibilities need to be defined in a comprehensive recovery plan," he states.

More tips are available on the website of the Information Commissioner's Office.

And for a deep dive into everything you need to give yourself the best chance against the hackers, including an assessment of the current threats, and the latest security research, come along to Computing's Enterprise Security & Risk Management Summit in central London on 26th November.