Keeping your organisation’s network safe online requires ongoing vigilance and adherence to best practice procedures. Even then, Internet security can still go wrong, often in unforeseen ways.
As more businesses move their data online, owners and managers are aware that their exposure to risk is increasing. But many still think it is purely an IT problem, and that if they throw enough money at it then their organisation will be safe. And indeed, it is important to have the latest technology in place to protect sensitive information from hackers and viruses.
Ever-present threats that can be minimised through security measures include:
• Viruses and malware – These are pieces of malicious code designed to disable, disrupt, or destroy data when let loose in a network.
• Hackers – Whether malicious or not, hackers are constantly looking for new ways to penetrate an organisation’s defences. IT security providers are involved in an ongoing cold war to keep them out.
To a certain extent, you can minimise your risk of being hacked or infected by ensuring you have the latest technology in place. This could include:
• Firewalls and Intrusion Prevention Systems – These monitor a network’s incoming and outgoing data traffic, looking for anomalies which they are programmed to guard against.
• Encryption – This converts data into a code during transmission, rendering it incomprehensible until it is deciphered at the other end.
• Anti-virus software – As new viruses and malware are invented, so too are patches to protect against them, making the latest virus protection a must-have for every business.
But just as Internet security evolves, so do the tricks and techniques employed by those who seek to compromise it. And one of the biggest threats to an enterprise’s security these days comes from within the organisation itself.
The enemy within
Whether accidental or intentional, employees can and do expose an organisation to online risks every day. With the advent of social media, criminals have changed their tactics to focus as much on the human weaknesses of an organisation as its physical weaknesses. And humans are generally much easier to outwit than machines.
Social engineering is where the flaws in human decision-making are exploited to gain entry to an organisation’s network. This can be achieved through the following means:
• Phishing – This is where criminals send emails to employees posing as authority figures or fellow employees in order to learn sensitive company information such as passwords.
• Vishing – The phone version of phishing, vishing is where a criminal requests verification of sensitive information from an employee, ironically often citing a security breach as the reason.
• Quid pro quo attacks – This is where a criminal calls random numbers within an organisation, claiming to be from IT or technical support. When they luck upon someone who is waiting for technical support, they will ‘help’ them fix their problem, obtaining sensitive information in the process.
Another way in which employees can expose their organisation to risk is through bring your own device (BYOD) arrangements. Employees using their own devices at work can save an organisation money, but the security of those devices becomes a problem.
IT staff need to make sure that each device has all the latest security updates on it. Even then, there is little control over which sites the employee visits on that device in their own time and what they might pick up when they do so.
Where the device is kept is also a problem. Who has access to it at the employee’s home, and what if it is stolen with sensitive company information on board?
The best way to guard against hackers, viruses and malware is to ensure you have a multi-layered approach to security and undergo regular penetration tests. As far as the human element is concerned, education is the key.
An organisation can minimise the risk its employees pose to its online security in the following ways:
• Security awareness programs – These will teach employees what to be aware of, what constitutes safe practice, and what to do if they suspect the organisation’s security has been breached.
• Regular reviews of security practices – As new staff come on board, online security should be part of their induction, and departing staff should be subject to an exit process to ensure sensitive information doesn’t leave with them.
• Internet security policies and procedures – These should be written into the organisation’s business plan, and staff regularly reminded of their contents and the repercussions of not adhering to them.
• Monitoring software – If regular breaches of Internet security continue, an organisation should consider monitoring employee Internet usage to identify and address dangerous online practices.