As more and more business is conducted online, digital tools have become indispensable in the workplace. As a result, the amount of information we all produce and store online has grown exponentially.
In the meantime, cybercrime is on the rise, and data breaches are making headlines regularly. Every company is a target and no industry is immune. Thus, preparing for potential security threats must now be an everyday part of the business.
This article outlines the main pillars of a cybersecurity program to improve your company’s safety measures and help you ensure better protection for your data.
How can you improve cybersecurity in your business?
Regardless of size and industry, any company needs to develop a cybersecurity program to preserve business continuity and operational efficiency.
Industry experts have outlined the fundamental pillars for assessing and improving a company’s posture against cyber-attacks in the NIST Cybersecurity Framework.
Based on these internationally recognized best practices, we recommend creating a Cybersecurity Management Plan structured on three core principles:
Firstly, you should focus on prevention. Adopt a risk-based approach to gain visibility, precede known threats, and prioritize assets that require the most protection.
Secondly, you should implement security best practices and monitor their implementation.
Thirdly, you should narrow the gaps between detection, identification, and response to be prepared for a potential breach.
Let’s look at each of these phases in detail.
1. Readiness: How to identify cybersecurity risks in advance
A good first step to developing your cybersecurity plan is understanding what a cyberattack is and how it occurs. Besides, becoming familiar with the most frequent types of cyber threats is crucial to detecting them.
What are the most common types of cyber attacks?
Cyber attacks are ever-evolving. However, the schemes used to hack individuals and organizations are similar and recurring. Hackers recycle many of the same assault components and typically use the most proven forms of aggression because they still work.
The most frequent types of cyberattacks against businesses are malware and phishing.
If an antivirus warning ever appeared on your screen or you accidentally clicked a suspicious download button, chances are you’ve had a close encounter with malware.
Malware, short for malicious software, is an all-encompassing term that includes any software introduced in a computer system or a mobile device to damage or disable them and obtain sensitive information without a user’s consent.
It can take several forms, such as:
Ransomware locks a computer and retains control until the user pays a ransom. Sometimes attackers also encrypt all the data, threatening to release the information unless a payment is made.
This type of malware is installed by hackers on devices without the user’s knowledge. It tracks internet activity and collects account information, login credentials, financial data, and more. Spyware is also known as keylogger, as the data theft is usually carried out by logging the keystrokes to steal passwords or proprietary information and trade secrets that are typed on a computer.
Adware is designed to expose the victim to unwanted advertisements and collect data about browsing habits without the user’s consent.
Viruses are usually attached to a file or application and able to copy themselves and infect other legitimate files. They can also spread to other programs and computers on the same network. Viruses can corrupt data, format a computer, or completely shut down its operating system. They usually infect devices via email attachments or downloads, so they require human interaction to affect a device.
Worms are the most common type of malware. They infect devices by exploiting their vulnerabilities. Unlike viruses, worms don’t require any human action to infect a device and replicate themselves.
• Trojan horse
The Trojan horse appears as legitimate and harmless software, but it tricks users into installing or activating malware.
Phishing is the most common scam on the Internet, as well as the most used modus operandi to hack a device. It’s done via fraudulent emails designed to look like they come from a reliable source, such as a reputable company.
Phishing emails often include an urgent request to attend to some account issue to induce individuals into revealing personal information such as passwords or banking credentials. They may also contain attachments and ask for their download to infect the device with a malign file.
The attack scenarios are not limited to email; phishing can also be carried out by redirecting a website’s traffic to a fake corporate website that looks legitimate to steal login details (pharming).
What are the main risks for your business?
To ensure the proper protection of your data, you should examine the current state of your company’s cybersecurity.
Where could cybercriminals infiltrate? What would they steal? And finally, how can you prevent it?
Threat modelling is the process of figuring out what your potential cyber-attacks are likely to be and which data hackers would be after if they decide to attack you.
Through a data audit, you can get a better idea of what information you have, where it is located, who has access to it, and how it is protected. This inventory will give you the knowledge needed to properly assess the cybersecurity risks for such data while considering the threats unique to your business.
To better assess your risks, we recommend relying on OWASP best practices. In the IT field, the OWASP (Open Web Application Security Project) is a worldwide recognized organization that provides unbiased guidelines to improve IT security. The OWASP Risk Rating Methodology includes the following steps:
2. Proactivity: How to prevent cyberattacks and data breaches
After identifying the risks your business is subject to, you should implement changes to prevent them from becoming a reality. Once again, you should check the current status of your company.
Are your employees vigilant when it comes to phishing attacks or password security? Do they report suspicious behaviour as a possible signal of cybercrime in the making? Put more simply, do they know how to recognize potential cybersecurity risks?
Make sure to implement basic IT best practices and train employees to stay safe online.
These simple tips will help you protect your devices and networks:
- Set regular and automatic updates for operating systems and software applications
- Install and regularly update anti-virus, anti-spyware, and other anti-malware programs
- Install and activate web firewalls on your business networks to block unwanted traffic and use the newest web browser
- Secure your Wi-Fi network by periodically changing the administrative password
More than 80% of cyber intrusions stem from human error, although accidental. After all, it’s much easier for a cybercriminal to exploit human nature than to penetrate a firewall. Employees have access to the organization’s data and networks; therefore, they are part of its vulnerable attack surface.
The good news is that human behaviours are correctable and can be influenced by the company’s culture. However, 45% of employees receive no training from their employers. Many businesses neglect to spend money on staff training, even when they appoint part of the budget for other cybersecurity measures.
Everybody must be empowered to be proactive, recognize anomalous network activity and suspicious emails, spot phishing attempts and other security risks, and be encouraged to report them. To reach this goal, make sure to follow these recommendations:
- Establish security practices, internet use guidelines, and rules of behavior and monitor their implementation
- Require employees to use strong login credentials and keep them confidential
- Ensure an annual training on cybersecurity basics
- Require appropriate use of equipment: create and enforce policies to define the security measures required for all devices on your network
3. Resilience: What to do in the event of a data breach
Even if you’ve done everything in your power to prevent a data breach from occurring, it can still happen. Therefore, you should pre-establish response actions to minimize the potential damage and recovery operations to ensure business continuity.
The previous recommendations address the Identify, Protect, and Detect phases described in the NIST Cybersecurity framework. What needs to be analyzed now is how to approach the Respond and Recover functions. These have the same end goal as resilience – the ability to cope with a crisis and return to the pre-crisis status quickly.
If your business falls victim to a cyberattack, having a Crisis Management Plan in place will remind you not to panic and reassure your customers that the organization is prepared to respond.
A formal Crisis Management Plan should detail:
How to return to normal business operations
To mitigate the damage of a possible breach and re-establish the affected business operations quickly, you need to have a Business Continuity and Disaster Recovery Plan.
Make sure to follow these 4 crucial steps to create an effective strategy:
1. Where should you start?
The first step on the agenda should be determining which business processes are vital and time-sensitive for each department and what impact a potential disaster could have on them. In defining the order in which the operations should be restored, processes with the highest financial and operational significance should be the ones to recover first.
2. What will you need?
You should have a clear overview of the resources you need to recover the affected operations (people, technology, records, utilities, products) and how long it will likely take to restore any lost data.
3. Who will take charge?
Cyber incidents are often seen as only an IT attack where solely tech-savvy employees can make a contribution. On the contrary, you should assemble an internal crisis management team including people from all departments and avail of the skills from across the whole business. Additionally, a chain of command with clearly assigned roles and responsibilities will minimize the time from when a disaster hits until the recovery process begins.
4. How can you know it will work?
A plan cannot be considered complete and in place, until there is proof it will work as expected. Besides training people on their responsibilities, you should run tests periodically to ensure the effectiveness of the plan and the employees’ readiness. Conducting simulated disaster exercises is the only way to validate your recovery strategy and use lessons learned to make changes or updates if needed.
How to meet GDPR reporting obligations
Just as crucial as a recovery plan is to consider the legal implications of a cyber crisis. If a cyber-attack has endangered personal information your company holds, you need to attend to some obligations.
Personal data are protected in the EU by the GDPR, which defines a data breach as a violation of security leading to the unauthorized destruction, loss, alteration, disclosure of, or access to, personal data stored or processed.
If not addressed in a timely manner, a personal data breach may result in damage to data subjects, such as identity theft or fraud, financial loss, damage to reputation, loss of confidentiality, and so forth.
The GDPR demands to:
- Implement appropriate technological protection and organizational measures. This translates into robust breach detection, investigation, and internal reporting procedures in place.
- Keep a record of any personal data breaches, regardless of whether you are required to notify a supervisory authority or not.
- If the personal data breach is likely to pose a risk for the people affected, you should notify both the supervisory authority and the people damaged and inform them of how you are addressing the breach.
- If the personal data breach is not likely to result in a risk for the people affected, no communication is required. However, the lack of risk should be demonstrated by the presence of security measures minimizing the damages (like encryption, that makes the personal data unintelligible).
Boost cybersecurity with a document management system (DMS)
Storing documents on your devices makes your business vulnerable as your data is exposed to the risk of being damaged or stolen. This cannot happen if such data is kept safe in a Document Management System (DMS). Should a cyber disaster occur:
- All the documents would be safely stored in the system as well as offsite in the cloud and in multiple locations. In other words, no company data can get lost.
- In the case of inability to use the corporate computers in your office, you’ll be able to access your files from a different device and it will be just as secure.
- By setting regular backups to happen automatically, recovery of the data will be automated. So, even in the worst-case scenario, your business can still run.
Besides, adopting a DMS to protect your documents and data brings benefits that go beyond cybersecurity. Besides going paperless, managing documents digitally will improve efficiency and productivity in your company and, consequently, ensures a better customer experience.
Penneo helps you improve the cybersecurity of your documents
Penneo guarantees the most advanced protection to customers’ documents and data. Our solution is built on globally recognized industry standards and our IT system periodically undergoes third-party audits and assessments to document our security efforts. In particular:
- Penneo receives a yearly ISAE 3000 report
- We frame our information security processes in line with ISO 27001
- Our digital signatures are built on PAdES standard
- Penneo follows the cryptographic standards defined by NIST to protect PII
Alongside the security we ensure internally, we offer our users the following features to boost cybersecurity when managing documents:
- Access control and permission settings
- Individual account restricted to the job role
- Role-based model to get access on work-based needs
- Monitoring and audit trail to track activities
- Data processing policies that take place automatically
- Regular encrypted backups stored in the EU