Did you know that one-third of cybersecurity breaches are caused by human error? Those are the latest findings from the Notifiable Data Breaches Quarterly Statistics Report by the Office of the Australian Information Commissioner (OAIC). The report found that many of the cyber-incidents occurring in October, November and December 2018 exploited vulnerabilities caused by a human factor, such as a staff member absentmindedly clicking a link in a phishing email, or mistakenly disclosing an important password (OAIC, 2019).
With cybersecurity incidents continuing to grow in frequency and sophistication, Australian businesses – regardless of size or industry – need to have a plan in place to protect themselves against becoming another statistic in the news. The first step is setting up strong lines of defence - especially when it comes to email security, passwords, and organisational protocols for dealing with breaches. But what risks should you focus on?
To help you get started, the team at ESET has collaborated with Chris Jeffery, chief guru of award-winning computer solutions provider CyberGuru, to bring you some key tips on how companies should protect themselves from email-based data breaches:
1. Train your staff on what to look for – repeatedly
Email security should begin with sufficient training on what constitutes a phishing email. Many scam emails now look very similar to legitimate communications sent from real businesses – meaning unsuspecting employees can be easily tricked. In order to protect your company data from cyberattacks, you must educate your employees on the latest tactics being employed by cybercriminals.
Staff should be trained to always check the email sender’s actual “from” address rather than the display name shown beside it (the display name can be set to anything by whoever sends the message), to treat unexpected attachments with suspicion, to avoid unrecognised links, and to look for poor spelling and grammar as signs of a malicious email.
“Many organisations have experienced significant loss from just one staff member opening an email that contained malware,” says Jeffery.
To better prepare your staff, try creating scenarios based on real-life situations in the workplace. This will help strengthen your employees’ ability to identify a phishing email or fake link, and help both you and your team recognise the common mistakes being made and how to fix them.
Having additional measures in place to protect against unwanted emails, such as an email filtering solution, adds a further layer of protection for you and your organisation against email-borne breaches. Unsure of how your business rates on cybersecurity? Consider getting professional security advice or trialling some cybersecurity solutions to take your business defence to the next level.
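As an added illustration of the “from” address check described above (this is example code, not code from ESET or CyberGuru), the routine below parses a message’s From and Reply-To headers and flags the mismatches a phishing email typically shows: an address embedded in the display name that differs from the real sender, a trusted brand name on mail from an unrelated domain, and a Reply-To pointing elsewhere. The trusted-domain list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (hypothetical): domains your staff legitimately receive mail from.
TRUSTED_DOMAINS = {"examplebank.com.au"}


def analyse_from_header(raw_message: str) -> dict:
    """Parse the sender and return a list of human-readable warnings."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []

    # 1. The display name itself contains an address that differs from the
    #    real addr-spec: the "alias" trick the article warns staff about.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != domain:
        findings.append("display name shows a different address than the real sender")

    # 2. The display name invokes a trusted brand, but the mail comes from elsewhere.
    name_key = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name_key and domain != trusted and not domain.endswith("." + trusted):
            findings.append(f"claims to be {brand} but was sent from {domain or 'no domain'}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"Reply-To ({reply_to}) differs from From ({address})")

    return {"display_name": display_name, "address": address,
            "domain": domain, "findings": findings}


# Constructed sample headers (not real mail) in the two shapes discussed above.
LEGIT_MAIL = """From: Example Bank Support <support@examplebank.com.au>
Subject: Your monthly statement
"""

PHISHING_MAIL = """From: "Example Bank Support <support@examplebank.com.au>" <alerts@examp1ebank-secure.example>
Reply-To: collections@free-mailbox.example
Subject: Action required
"""

if __name__ == "__main__":
    for label, mail in (("legit", LEGIT_MAIL), ("phish", PHISHING_MAIL)):
        print(label, analyse_from_header(mail)["findings"])
```

Running it prints no findings for the legitimate header and three for the phishing one; the same checks can be wired into a mail filter or used as a training exercise to show staff exactly what they are looking for.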
2. Encourage perfect password hygiene
“Many organisations still don’t manage passwords effectively,” says Jeffery. “Often, accounts are shared between users or staff, stored on sticky notes, written in notebooks easily accessible on desks, or printed using professional label makers and stuck under keyboards.”
Having said that, it can be hard to remember a hundred different passwords at once. Password management software solves this: it stores the passwords for you, so you can use a strong, unique password for every service.
Jeffery recommends that passwords are unique for each website, contain a high level of complexity (definitely not ‘password123’), and are changed regularly - and if one has been compromised, change it immediately. Another key aspect is making use of two-factor authentication, using a password and a temporary code displayed on your smartphone or device.
3. Ensure your team works securely, wherever they are
Cybercriminals on the same public Wi-Fi network can intercept unprotected traffic and use it as a way into wider company servers and private data. If your staff tend to work on the go, you’ll need to ensure they can access their emails and work documents securely from their mobile devices.
If your team has to use public Wi-Fi to connect to a company network, ESET recommends using a virtual private network (VPN) and avoiding access to particularly sensitive company documents or accounts while on it. Another option is to use a mobile data plan for a short period rather than unreliable public Wi-Fi.
4. Stay savvy to stay secure
In the event of a breach, business owners need a good understanding of the vulnerabilities out there and must take reasonable steps to protect their customers’ data. The OAIC has developed a data breach preparation and response guide providing best practices to arm your staff with. Furthermore, once a breach has been discovered, the faster you respond, the faster you can limit your exposure and reputational damage.
This response should follow a four-step process: contain, assess, notify and review. However, prior to this, Jeffery strongly suggests speaking to a trusted ICT professional who can consult, advise and assist you in taking the appropriate actions to prevent such a breach. It is important to do so - particularly as significant penalties now apply under the Privacy Amendment (Notifiable Data Breaches) Act for organisations that fail to take sufficient care in protecting their customers’ data.
Teaching your staff best practices, knowing how to spot attempted phishing and data breaches, and encouraging secure remote working are a great place to start if you want to protect your business against cyberattacks. For a defence that’s more advanced, consider checking out the ESET Business Security Trial – you can get a free trial licence and a personalised offer tailored to your company's needs, so you can be sure your data is as secure as possible.