As with most major breaches, the exact details of the Optus hack are not public. One possibility is that it happened while data was being moved from one system to another, leaving an ‘open door’ for the attacker.
Whatever the specifics, the bottom line is that the security controls the company relied on did not work, and the breach exposes the need for multi-layered security to protect the data that’s central to our businesses and personal lives.
Cybersecurity is the responsibility of every business, company and individual — to protect their own data, their client data, and the data they work with.
It doesn’t need to be over-complicated. Think of it like the steps you take to protect your home. You wouldn’t lock the front door and leave the windows open. You have a lock on your front door, and there’s probably one on the back. Then you add further layers: a hidden safe, perhaps an alarm system with motion-sensor cameras. Maybe you have a dog, and a big fence with a video intercom so that only people you know get in.
Protecting your data is exactly the same idea. The difference is the levels of protection you put in place relative to your business and yourself, and the level of data and information you glean from your clients and your own IP, financial and business records.
Consider how much it would cost you, your business and your clients if that information fell into the wrong hands. For most businesses the repercussions, both to reputation and in financial loss, would be catastrophic.
Here are some fundamentals to keep your data safe.
Passwords and multi-factor authentication
Yes, they are the bane of our modern existence, but they are a critical fundamental layer to protecting our privacy and information.
Earlier this year, NordPass released a report on the password choices made by CEOs and other Fortune 500 company leaders, drawing on more than 15.6 million data breaches across 17 industries.
Short of using a password manager to generate and store a unique password for every account, the best option is a passphrase of three or more random words, at least 14 characters long, with no personal connection to you, that you can still remember, with capitals, numbers and symbols added where a system demands them. Think of something like ‘dolly5@idpotatoB00k$’ (and, now that it’s in print, don’t use that one: published examples end up in attackers’ wordlists). The strength comes from the words being chosen at random, not from how clever the substitutions look.
A strong, unique password also removes the need to change it on a schedule several times a year. If you believe it has been compromised, or the site you used it on has been breached, change it immediately.
Multi-factor authentication adds a further layer by requiring users to prove who they are beyond a username and password: a fingerprint, a one-time password (OTP) from an authenticator app or hardware key, or, less robustly, an OTP sent by email or text. Security questions don’t count as a second factor: they are just another thing you know, the same category as the password itself.
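Two of the mechanisms above can be shown concretely. The first is how a random-word passphrase gets its strength, and why random selection matters more than substitutions. The block below is an added example, not code from the article or from NordPass; the 16-word list is constructed for illustration and far too small for real use (the comments say what a real list contributes). It also shows how the one-time password an authenticator app displays is actually computed, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and checking them against the RFCs’ published test secret.

```python
import base64
import hashlib
import hmac
import math
import secrets
import struct
import time

# ---- Passphrases ---------------------------------------------------------
# Constructed, tiny wordlist for illustration only. Each word from a list of
# N entries contributes log2(N) bits: 4 bits here, ~12.9 bits from the 7,776
# word EFF long list. Never use a list this small in practice.
WORDLIST = [
    "dolly", "potato", "book", "harbour", "candle", "gravel", "meadow", "violet",
    "kettle", "lantern", "orbit", "pebble", "quartz", "saddle", "timber", "walnut",
]
SEPARATOR = "-"
MIN_WORDS = 3      # the article's rule: three or more words ...
MIN_CHARS = 14     # ... and no fewer than 14 characters


def generate_passphrase(words=4, wordlist=WORDLIST, separator=SEPARATOR):
    """Pick words with the CSPRNG in `secrets`, never `random.choice`."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy when each word is drawn uniformly from `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def char_entropy_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def meets_policy(passphrase, separator=SEPARATOR):
    """Check the article's minimums: word count and total length."""
    words = [w for w in passphrase.split(separator) if w]
    return len(words) >= MIN_WORDS and len(passphrase) >= MIN_CHARS


# ---- One-time passwords --------------------------------------------------
def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, for_time, step=30, window=1):
    """Accept the current interval plus `window` either side to absorb clock skew.
    compare_digest keeps the comparison constant-time."""
    counter = int(for_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def secret_from_base32(text):
    """Authenticator apps share the secret as Base32 (otpauth:// URIs); restore padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "meets policy:", meets_policy(phrase))
    print(f"4 EFF words: {passphrase_entropy_bits(4, 7776):.1f} bits; "
          f"20 random printable ASCII chars: {char_entropy_bits(20, 95):.1f} bits")
    # RFC 4226 / 6238 test secret, ASCII "12345678901234567890".
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59 (RFC 6238 vector 287082):", totp(rfc_secret, 59))
    print("TOTP now:", totp(rfc_secret, time.time()))
```

The entropy figures make the article’s point numerically: four words from a 7,776-word list give about 52 bits, which is stronger than most hand-made substitution passwords and far easier to remember. The OTP half shows why an authenticator code is only good for one 30-second window and why the server must tolerate a little clock skew; the same HMAC construction is what a hardware key or app runs locally, so the code never crosses the network the way an SMS does.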
Update your software
It sounds simple, but setting your software and systems to update automatically is often overlooked and is one of your best defences. Software vendors are constantly fixing security flaws to stay ahead of attackers, and those fixes only protect you once they are installed, so enabling automatic updates is imperative.
Schedule them for the least disruptive time, such as after business hours or in the middle of the night. Enable automatic updates everywhere, including your security software.
Clicking ‘remind me later’ when prompted for an update could mean the fix arrives too late.
Back up your data
Regularly back up your important data. Keep a copy offline or offsite: on a removable hard drive, in cloud storage, or with a secure data centre.
This is a critical step, not only to prevent data loss but to restore data that is lost, stolen, corrupted, inaccessible or deleted. Data recovery without a backup is expensive, time-consuming and often impossible. A breach is still a concern for data ending up in the wrong hands, but the business also needs to be able to recover and operate quickly if the worst happens.
Beyond your database backups, think about endpoints, the laptops and phones your employees use to do their jobs, and include them in your backup policy.
Remote work, together with the need for encryption, backup testing, and retention times and policies, has led many businesses to engage professional security and backup services to manage these processes. A backup you have never restored is untested; restore it somewhere safe on a schedule and check the result before you rely on it.
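Backup testing is the step most often skipped, so here is what a minimal restore drill looks like. This is an added example written for this page, not code from the article or from any backup product: it backs up a directory into a compressed archive, restores it into a fresh directory, and compares SHA-256 digests of every file on both sides, so a corrupt, missing or extra file is reported rather than discovered during an incident. The sample files in the drill are constructed inline.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256; works for files larger than memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Archive every file under source_dir; return the manifest taken at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(source_dir, rel), arcname=rel)
    return manifest


def restore_backup(archive_path, dest_dir):
    """Extract into an empty directory and return the manifest of what came back.
    The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
    refuses entries that would escape dest_dir; older interpreters fall back."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=False)
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(dest, **kwargs)
    return build_manifest(dest)


def verify_restore(expected, restored):
    """List every discrepancy; an empty list means the restore matches byte for byte."""
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored if rel not in expected)
    return problems


def backup_restore_drill(files):
    """End-to-end drill: write the constructed files, back up, restore, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        for rel, content in files.items():
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        archive = Path(tmp, "backup.tar.gz")
        expected = create_backup(live, archive)
        restored = restore_backup(archive, Path(tmp, "restore"))
        return verify_restore(expected, restored)


if __name__ == "__main__":
    # Constructed sample data standing in for a database dump and a document.
    sample = {
        "db/customers.sql": b"CREATE TABLE customers (id INT, email TEXT);\n",
        "docs/contract.txt": b"Signed 2022-09-30.\n",
    }
    problems = backup_restore_drill(sample)
    print("restore OK" if not problems else "\n".join(problems))
```

Run the drill against a copy of real data on a schedule, and treat any non-empty problem list as an incident in its own right: a backup that cannot be restored cleanly is not a backup. The manifest taken at backup time should itself be stored separately from the archive so that a tampered archive cannot also rewrite the checksums it is compared against.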
Train your staff
Your staff are an important piece of the puzzle, so how much do they know about cyber security? Beyond understanding your policies on corporate versus personal use of equipment and email, do they recognise that their devices are a gateway to your organisation’s network?
They need to understand that security is part of their responsibility too. They also need to be taught to recognise suspicious activity, websites, emails and messages, and to report them rather than ignore them.
There are free online training courses that employees can take, and they pay off directly on your front line.
Staff also have an obligation to safeguard their own and their organisation’s data with every measure available to them, including turning off microphones and cameras when not in use, and never letting family or friends use their business devices.
Multi-layered protection
A multi-layered approach is your best defence for the business. Internet security is about more than protecting data in transit: it encompasses email security and web content filtering, and it defends against malware, phishing and malicious websites.
Increased remote working means greater risk, so it’s imperative that, beyond the technical controls in place, your teams are on board.
Most data breaches begin with an attack from outside, over the internet, so your internet security should go well beyond anti-virus software and firewalls.
--------------------------------------
* This article was initially published on SmartCompany Plus