Understandably, information security is often confused with cyber security. This is because of the close overlap between the two.
Information security concerns the protection of data you store, across all formats. Cyber security, however, focuses exclusively on the digital channel. In short, cyber security is the protection of your data within cyber space. This article therefore deals with both.
These days, most businesses rely significantly on IT to protect their important company data, so it’s in your interest that your information security in the digital realm is properly secured. Your responsibility is to ensure that you’re keeping up to date with all of the best practices in information security.
With this in mind, these are our Top 5 Information Security Tips!
1. Strong password policy needed in information security
A weak password is the equivalent of leaving your front door open whilst you’re at work. It’s a really simple way for cyber criminals to steal your data.
For context, the password ‘123456’ was the most hacked password in 2018, with it found to have been used 23.2 million times in breached accounts. Ideally your password should be both lengthy and complex, including both upper and lower case letters, numbers, and punctuation.
You should probably avoid using complete words too. Cyber criminals use a method called a dictionary attack, attempting to breach your accounts by using a program that enters every word in the dictionary as your password.
For example, if you used ‘password’ as your password (which we do not recommend!), it would be cracked easily by a dictionary attack. Using a password generator when creating your passwords is a great way to protect yourself from this type of attack – it completely randomises your password, making it virtually impossible for your password to be guessed.
Also, make sure that you use a different password for every account that you own. If your social media accounts is hacked and you use the same password for your internet banking account, then you’re at very high risk of fraud.
Therefore, we recommend that you change your password every 6 months – it reduces the risk of being hacked.You need more than a good password to secure your accounts, however. Layered security through the use of multi-factor authentication (MFA) is essential as it makes it a lot harder for your credentials to be stolen. In fact, a recent Microsoft study found that multi-factor authentication blocks 99% of account hacks.
2. Bring Your Own Device (BYOD) Policy
If you allow staff, or any external parties, to bring their own devices on-site for business use – and this includes mobile phones – then you must implement a BYOD policy. The reason for this is that you don’t know how secure devices outside of your business are.
Allowing any device onto your network opens your business up to a variety of risks:
- Perhaps a mobile or laptop is infected with malware;
- Maybe a user accesses illegal content;
- If the device has no security, a criminal could use their device as an access point into your corporate network.
Ideally you should always be aware of every single device that is connected to your network. It only takes someone with malicious intent to connect their laptop to your WiFi. If one device containing a malware payload gets into your network, you could be facing a data breach.
There are numerous risks associated with non-corporate devices accessing your network, so a BYOD policy is a formal, codified way of minimising these risks.
For example, you may choose to refuse access to your network unless the device in question has full, up-to-date endpoint security. You might also insist that all devices containing or accessing business data have multi-factor authentication enabled, layering your security.There are many more steps you can take to prevent 3rd party devices from becoming a threat – and you may even request that certain apps or websites are blocked whilst connected to the business network.
However you decide to setup your BYOD policy, the terms between the business and those subject to the policy must be clear.
3. Verify firewall configurations essential for information security
It’s all well and good having network security in place, but you need to ensure that the firewall is protecting your network in the way it ought to be.
Think of your firewall as security staff on the door of a building – you might have the front door protected, but is your firewall configured to account for threats that could get in through a back window or through a hatch in the roof?Configuring your firewall, or having your managed service provider do it for you, is essential. This ensures that traffic coming in and out of your network is being properly policed. Some next-generation firewalls, such as WatchGuard, actually examine individual packets of data forensically, giving you full visibility of your network traffic.
The reason this is important is that a well-configured firewall can often be the difference between excellent information security and a data breach.
You will want your IT team to examine every router that it used to direct network traffic around your business.
We have seen instances in businesses where someone has sought to extend their WiFi signal, so they plugged in a basic home-use router.
NEVER do this. If you’ve spent time, money, and resources securing your business with enterprise-grade firewalls, this can bring your security down in a matter of seconds. Basic routers are not appropriate for corporate use and are easily hackable.
4. Update all Devices and Software
Make sure all your business devices are kept up to date, including software updates. Contrary to the myth that Chromebooks and Apple devices cannot be hacked – all devices are hackable. And if your device can be hacked, your data can be stolen.
A popular method of extracting data from businesses is via exploits in software. This is why your laptop or PC might seem as if it’s updating constantly – it’s to patch these exploits. Therefore the onus is on you, or your managed service provider, to install all possible updates.
Only recently, Martin, Neuways’ Managing Director, had his say on safeguarding data on devices. His advice is to treat all your data that is stored on a device like confidential files in your office.
You wouldn’t leave your confidential files open on a desk for someone to read or take – and the same applies with the data stored on your devices. Always keep them up to date, password-protected, and on your person at all times.
5. Teach and Encourage Cyber Awareness
This might take the form of end-user IT awareness training.
Ultimately, you need to be really careful where you click. This includes emails, websites, and text messages. Cyber criminals have honed all sorts of methods to try and catch you out, including phishing – the impersonation of a trusted source.
Social engineering is one of the more sinister ways cyber criminals achieving this. If you have a presence on social media and happen to share a lot of information, criminals can use this when crafting an email designed to catch you off guard.
For example, you might be expecting an invoice from a business you’ve been working with recently. If a criminal spoofs an invoice, and you fall for it, you might find yourself handing your business’s banking details over without realising.
You need to ensure that the whole of your business is aware of a what phishing is, and the techniques used, in order to mitigate against this threat.
The best practice is this: even if there is a hint of doubt whether the email received is a legitimate correspondence, don’t open it. Call the person you’ve received it from in order to verify its authenticity.
This might feel awkward, or a little unnecessary, but it’s far less awkward than realising you’ve handed over critical business or banking data. 92% of malware is delivered by email, so it’s always worth verifying the authenticity of your correspondences, as part of your commitment to information security.
If you want more information or advice about Information Security, say firstname.lastname@example.org
or give us a call 01283 753 333.