Essential Steps To Prevent Cyber Attacks


Cyber attacks are the word of the day when it comes to the digital world; whether on a national level, for business, or in personal life, our increased reliance on cyberspace, with its applications, conveniences, and necessities, has made us and our information very vulnerable.

In macro terms, the economic impact of cybercrime is heavy, from the direct costs of an attack due to recovery and cybercrimes, to indirect costs such as inhibiting innovation and the expansion of employment, loss of custom due to loss of trust, and so on. The Centre of Strategic and International Studies (CSIS) estimated that the cost of cybercrime to business totaled $400 billion worldwide. Countries themselves can be victims - or perpetrators - of cybercrime, a risk that's only likely to grow as our digital sophistication grows.

On a micro level, our personal accounts and identities are at risk online. Cynics will tell you that if you want to stay safe, keep your home computer off the information grid and stay off the Internet completely. Phishing emails target home addresses as well as business ones, and realistic-looking spoofing can gather your personal information under the guise of a legitimate transaction. Downloading software, and increasingly apps for your mobile device, can bring malware with or in place of the software you thought you were getting.

From organizations to individuals, steps can be taken to make our cyber world safer. Sometimes these steps can feel burdensome or unnecessary, but understanding the risks can make undertaking a personal or organizational security plan feel much more worthwhile.

Risks

Should governments be worried about cyber attacks from other countries? The risks on a national level, at this point, are unknown in terms of probability, but the nature of what is at stake makes government systems high-risk. Cyber espionage can be carried out, and sensitive information sold or released. The trusted countries of today could be adversaries tomorrow. And even for lesser cybercriminals the government databases hold a massive amount of useful information.

Information and intellectual property are the stock in trade of the developed world, and they are also what is most vulnerable. The richer the economy, of course, the more a country and its economic entities are at risk of cyber attack. The U.S., Japan, Britain and South Korea have been identified as some of the biggest and likeliest targets. For developed countries, cybercrime has had a negative impact, causing restrictions on hiring in sensitive positions, and overall causing a shifting of employment away from valuable jobs for security reasons.

In 2014, Sony, Home Depot, the City of New York, and Target were among the victims of a number of high-profile security breaches. Late in 2014 a German steel mill suffered "massive damage" as a result of a cyber-attack. In the steel mill, hackers used a spoofed email that got users to open an attachment containing malware that deployed itself in the mill's systems, giving the attackers access to the full system, where they wreaked havoc, managing to harm the production system so much that a blast furnace could not be shut down, causing enormous harm.

And that highlights another problem: employees, whose careless or malicious behavior is the greatest security risk of all. Malicious activity by people who have legitimate access, carelessness about passwords, email attachments, company equipment, and use of their own equipment, all present openings for hackers and social engineers to launch an attack on an organization.

Even a small business can be a target - and this happens more and more frequently, as hackers find that these businesses, even handling credit cards as they do, have not implemented basic security to protect their information.

Cybercrime can include:

  • Stealing intellectual property;

  • Stealing personal information, including financial or medical records;

  • Accessing government and defense-related information;

  • Disrupting services, whether online or through online control;

  • Fraud;

  • The sale of valuable information;

  • Hacking for “kicks”;

  • Hacktivism with political or ideological agendas.

The problem for businesses, governments, and even for individuals' budgets is justifying the cost before a problem occurs. Business is cost-and-profit-driven, and security is clearly on the cost side. Moreover, many senior managers are only vaguely aware of how digital their own business has become; they were hired in pen-and-paper days, and despite knowing better in theory, that is how they still expect the company to be run. That is why C-suite managers are often successful social engineering targets.

However, the more cybercrime occurs, the more urgent secure practices and infrastructure become, even at budget time. There are things that can be done from the macro organizational level to the micro single-user level, to help everyone be more security-aware and compliant.

Prevention for Organizations:
  • Create an internal data security policy. This is a rich area known as Data Governance. Ideally an organization should have clear policies that govern the collection, use, and storage of data at all points in its lifecycle: who can access it and how, and what it can be used for.

  • Account management. Rules should specify that user accounts are only assigned to authorized users, and that higher level access is only granted as needed. Close communication with HR and with partners and vendors should ensure that accounts are changed quickly when the user's status is changed.

  • Create a policy that controls access to removable media. Malware can be put on thumb drives, and with or without the user's knowledge, executed on insertion into a computer. Many organizations are now limiting the use of removable media to protect against this. People should never use media that doesn't have a trusted source, and malware-detection software should be set to scan all newly mounted removable media.

  • Ensure your network is protected. Perimeter protections like firewalls and Internet gateways are a must. Whether your network is physically onsite or virtual, your internal networks must be safe from unauthorized access from the Internet.

  • Use secure configuration. This means that computers and other devices should provide only the services required to fulfill their role. You don't need Internet access on a machine that serves an Access database to a team of a dozen users.

  • Educate your employees on your data security policy and on basic security measures. Given that employees are, deliberately or inadvertently, a company's greatest risk, this makes employee education one of the most cost-effective preventive measures a business can take. Employees should know your company's data policy, as well as know how to recognize suspicious emails, how to create a safe password, how to manage passwords, not to use removable media, and so on. Educate your partners, vendors, and clients as well; make sure your policies are understood by all who use them.

  • Monitor the system. Log network activity, and regularly monitor the logs for suspicious or simply unusual activity.

  • Use cloud services. Moving to the cloud can offer cost savings along with security supplied by experts. A subscription to cloud services can supply savings on infrastructure and platform development, as well as offering a way to serve applications to your clients. At the same time as saving you money, you gain security, because cloud service providers have to be security experts.

  • Hire an expert. Hiring a knowledgeable security expert is worth the cost of entry into the world of organizational security. Though it may be costly, it could be the most cost-effective option for quickly identifying your vulnerabilities and protecting against their misuse.

  • Share knowledge. This means not only sharing what you know, but learning from others. There is a lot of practical information out there that you can take advantage of. And data professionals should share information back among both peers and competitors. Security cuts across competitive lines.

  • Have an incident response plan. If the worst happens, don't get caught without a plan. Know how to detect and confirm a breach, and what you need to do if one happens. Include any compliance requirements in your recovery plan. Know who needs to be notified. If there is evidence of criminal activity, notify law enforcement.
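
The account management rule above (accounts only for authorized users, higher-level access only as needed, prompt changes when a user's status changes) can be checked mechanically by reconciling an HR roster against an account export. The following is an added example, not part of the original article; the roster, account list, group names, and role-to-group policy are all constructed for illustration.

```python
# Constructed sample data (not from the article): HR roster keyed by username.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "terminated", "role": "it"},
    "carol": {"status": "active", "role": "sales"},
}

# Constructed export of directory accounts and their group memberships.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": {"staff", "finance"}},
    {"user": "bob", "enabled": True, "groups": {"staff", "domain-admins"}},
    {"user": "carol", "enabled": True, "groups": {"staff", "domain-admins"}},
    {"user": "svc-old", "enabled": True, "groups": {"staff"}},
    {"user": "dave", "enabled": False, "groups": {"staff"}},
]

# Hypothetical policy: privileged group -> roles allowed to hold it.
PRIVILEGED = {"domain-admins": {"it"}, "finance": {"finance"}}


def audit_accounts(roster, accounts, privileged):
    """Return (user, finding) tuples for accounts that break the policy."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log in
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # Nobody in HR owns this account: unauthorized or forgotten.
            findings.append((user, "no-owner"))
            continue
        if person["status"] != "active":
            # Status changed in HR but the account was never disabled.
            findings.append((user, "enabled-after-departure"))
            continue
        # Higher-level access must be justified by the person's role.
        for group in sorted(acct["groups"].intersection(privileged)):
            if person["role"] not in privileged[group]:
                findings.append((user, f"excess-privilege:{group}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(HR_ROSTER, ACCOUNTS, PRIVILEGED):
        print(f"{user}: {finding}")
```

Run on a schedule against real exports, a report like this gives HR and IT a shared list of accounts to disable or downgrade.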

Prevention for Everyone:
  • Use malware protection. Antivirus and anti-malware programs are a basic item - if you connect to the Internet, install an anti-malware program.

  • Keep your computers updated. One of the most basic security methods available to organizations and individuals is ensuring your software, including security patches and malware definitions, is kept up to date. For the individual user, these often become annoying little pop-ups to be dismissed, barely read, but the wise user will pay attention. Businesses can schedule updates and make updating part of a defined process.

  • Create passwords that are strong, change them frequently and don't use the same password across accounts. Passwords should be changed every six months, and using something recognizable from your life makes you open to social engineering attacks, or attackers who can correlate social media data with other identity information. Creating diverse passwords that use a combination of letters, numbers, and symbols leaves you less open to attack.

  • Use two-factor authentication when you have the opportunity. Many services like banks and other handlers of financial transactions offer two-factor authentication for logging into your account. This means that in addition to your username and password, you might require a number sent to your email or text, or to verify a security question.

  • Do not enter personal information, especially credit card numbers, on sites that are not secure. Secure sites start with the SSL/TLS indicator https://. They are also shown in many browsers as green (generally shown for an extended validation SSL certificate), and/or with a lock symbol that tells you the website is certified safe.

  • Don't log into your private accounts on public computers or on public networks. Your coffee shop network may be an open, non-secure network that is open to hackers. Even if you take precautions, another user's carelessness can put you at risk.

  • Back up your files. This is one we should all know already, but it can't be said enough. Data on a computer is at risk, if for no other reason than from equipment failure of the computer itself. Get in the habit of backing up your files regularly. Many services now come with cloud storage.

Areas for extra awareness

  • Email

Email is a risky way to send personal information. Don't use it for credit card numbers, bank accounts, or other information that can make you vulnerable to fraud or identity theft.

Don't fall for phishing emails. Phishing is a scam where an email appears to be legitimate - say, from your bank, telling you to go to a website and verify some information. The website is spoofed, however, and information entered there is collected by identity thieves or other criminals. Some phishing emails are clever and well-designed, but many are easy to spot, containing spelling errors or bad grammar.


  • Mobile awareness

Don't skip over permissions when you're installing apps - read them. Many apps require long lists of permissions and are perfectly legitimate, but it's good to know who has access to what - and to ensure that, if you are permitting an exchange of information, you trust the source. Phone apps can access your contacts, your location, and your camera, giving the criminally-inclined access to a lot of your life.

Trust the app publisher. Not only must you trust the publisher, but you must also make sure the publisher of the software that you download matches the one you expect. Using legitimate software to install malware on your phone is one of the greatest vulnerabilities of your mobile device.

Set policies. Employers who allow employees to bring their own devices to work should require them to install anti-virus software and implement any other available safety measures.

Conclusion

Security is mainly in your hands, whether you are a user, a service provider, or an information services chief. There are many steps that can be taken on an organizational and an individual level that lessen the threat inherent in simply being connected to the Internet. Most of these are within the reach of companies and individuals with little effort, and prevention, as has been proven time and time again, is better than recovery.

