Cyber attacks are a serious threat to every individual and corporate entity out there, but they’re not as widely reported as you might think. The United States Computer Emergency Response Team (US-CERT) reports that cyber-attacks increased nearly 400% between 2006 and 2014. With such an increase in frequency and severity, you’d expect to see more incidents on the news, but you don’t. This is because most companies choose to stay silent about their security breaches; some don’t even know a breach has happened until after the fact. Here is everything you need to know about cyber attacks.
So, why don’t more companies know about their own attacks? The answer is complex, but it boils down to the fact that hackers are becoming more discreet and sophisticated than ever before.
To begin with, most attackers rely on social engineering: they pretend to be someone they’re not in order to glean information about an organization’s security. Sometimes these individuals will pose as new employees or job applicants; other times they’ll just call up and pretend to be an IT representative. They might even email employees and ask for passwords, or send official-looking emails from what appears to be a legitimate source containing malware/viruses which, if clicked on, will infect your computer with software capable of stealing information from you.
The most sophisticated cyber attackers, however, don’t rely on social engineering at all. Instead, they use tactics like spear-phishing and zero-day exploits to break into systems and networks undetected. If attackers know this much, you have to know even more about cyber attacks.
A “spear-phish,” for example, is a targeted version of phishing: hackers send messages containing malware/viruses which can allow them access to your system, be it corporate or personal, to individuals whose email addresses have been gathered through social engineering techniques. The messages they send are crafted so that only the recipient will open them; this means they look completely authentic. A zero-day attack happens when a hacker discovers a weakness in software your company uses and takes advantage of it before anyone knows about it; we’re often reminded of this type of attack when we hear about government agencies or other large software/service companies getting breached by hackers.
However sophisticated the attack might be, there are steps you can take to avoid becoming a victim:
1. Educate your employees.
This may sound like an arduous task, but it’s actually quite simple: provide them with security awareness training and make sure they understand how to spot the telltale signs of a phishing/spear-phishing attempt. Make sure they never give out their usernames or passwords over the phone, email, etc., no matter who is asking; also teach them that if something seems suspicious or too good to be true, it probably is, and to use caution before clicking on anything at all. Make it a policy that everyone needs to know about cyber attacks.
2. Use network segmentation.
Network segmentation is something large companies have been doing for years in order to isolate certain data so that only those who need access have it; it’s essentially Demilitarized Zones (DMZs) for the inside of your network. This isolation helps prevent malware/viruses from moving freely throughout your system, thus blocking infiltration attempts.
3. Use vulnerability scanning software.
This type of software scans for vulnerabilities in your system and alerts you to anything that could be used by hackers, then suggests ways to fix them, all without affecting any existing programs or data on your PC or server.
4. Create a plan for responding to security breaches.
If you’re the victim of one of these sophisticated attacks, who is going to tell people? What are you going to say? How are you going to handle it? These are some questions you need answers to before it happens, so come up with a plan. Make sure your plan includes how you’re going to mitigate any damage that may have been done, not just information theft but also reputation loss. You can’t afford to lose customers or clients over this. If necessary, educate them as well on what they need to know about cyber attacks.
5. Have backup plans for everything.
If an attack occurs and you don’t have a backup plan in place, not only are you likely to suffer some losses, but the reputation of your company will suffer as well. If an attack has the potential to take down all of your servers/systems at once, make sure you have back-up servers and systems ready: one should be able to take over for another if it’s compromised by a cyber attacker (or even by something like a bug or power surge).
6. Update your computer systems regularly.
Just like the updates on your smartphone, you need to install Windows/Mac OS X updates and patches on your PC and servers; these updates are designed to close loopholes that hackers could exploit if they aren’t closed first.
7. Make sure you have strong anti-virus software installed on all of your machines.
Like any program, anti-virus software can become outdated over time, so make sure it’s up-to-date before new attacks come out, not after. If an attack successfully penetrates your system(s) through some means other than viruses/malware, the virus scanner may still be able to detect it and prevent it from spreading.
8. Use encryption software.
Encrypting your backup drives is an important way to protect yourself against hackers: if they can’t access the information on your drives, there’s no point in stealing them, right? This will slow down any would-be thieves and hopefully give you enough time to locate the encrypted drives and destroy them before they have a chance to do anything with what’s on them.
9. Keep all software up-to-date as well as hardware/devices that contain software (like modems, printers, etc.).
This may seem like common sense, but some people don’t bother updating their devices’ software at all; just think about how many times you’ve been prompted to update your smartphone or computer since you bought it. If you aren’t up-to-date on the latest software, chances are good that there’s a loophole in the code that can be exploited by an attack, and once attackers are through one hole, they’ve got easy access to everything else.
10. Train your employees about how to identify cyber attacks and ways for them to do their part in staying safe while working with sensitive data.
Never tell anyone at your company what you don’t want falling into someone else’s hands; teach your employees about the importance of this (no matter how small or large your company is). They need to understand not only why this matters but also the consequences involved if confidential information is mishandled or stolen (they don’t want their paychecks to stop coming in, either).
11. Make sure everyone does their part.
Everyone has a role to play when it comes to fighting cyber attacks, not just IT department employees. Everyone should know about cyber attacks. If you have others handling payroll or customer service requests, make sure they’re aware of the importance of information security as well. Also make sure all employees are careful about sharing passwords with anyone who doesn’t need them for work-related reasons; if someone gains access to an employee’s shared password, they may gain access to your sensitive corporate data as well.
12. Know what your legal responsibilities are towards your customers/clients’ private information stored on your servers/systems.
This doesn’t just mean taking steps to prevent anyone from accessing such information; it also means being ready to notify any affected parties as soon as possible if sensitive data is hacked and made available online.
13. Secure your physical locations.
Physical location security starts with the structure of your company’s building: don’t forget there are real people who can break in and steal whatever they want, so make sure your front door is solid and difficult for an intruder to get through (and post a few security cameras outside). In case someone gets inside, use multiple locks on all doors, especially those leading to server rooms or storage areas. You should even consider installing motion-sensor lighting outside the building and on the property grounds, as well as hidden surveillance cameras. Don’t forget about sewer lines: if someone can get access to them, they can easily break into the building undetected.
14. Make sure your business is insured against cyber attacks/data loss.
“Cyber insurance” may sound like a scam, but it’s actually a good investment if you’re serious about protecting yourself against cyber-attacks, and since you’re basing your entire company on IT security, it makes no sense NOT to invest in this type of insurance if it’s available to you. Invest in learning everything you need to know about cyber attacks as well. Such a policy will cover costs related to notifying clients/customers affected by data breaches, credit monitoring services for those affected individuals, the cost of hiring forensic specialists (to examine server hard drives and other devices), legal fees, and more.
15. Make sure your employees know how to handle sensitive customer information.
There’s a distinct difference between personal and business emails: don’t mix them up! If you want to send an email about work matters, use a separate “work” email account for this purpose. It may seem obvious, but many employees forget that they’re not supposed to use their social media accounts (e.g., Facebook, Twitter) as part of their job duties, and then accidentally or purposefully include such content in company emails for all to see. Make it clear from the start what types of information should be sent over which channels and what shouldn’t be shared at all (you don’t want customer credit card data accidentally shared in a Twitter post by an employee, for example).
16. Keep control over password access and usage.
Everyone in your company needs to follow the same rules when it comes to passwords: don’t share them with anyone else. If you get hacked because someone shared their password with another person (and that other person is involved in some kind of cyber attack), you’re legally liable for any damages incurred. As far as maintaining account security goes, no one should be using “admin” or “password” as their login credentials, nor should they write down passwords on sticky notes attached to desktop computers or workstations! Use unique, strong passwords for every single account available to your employees, and make sure they understand why strong passwords are important (they help prevent hackers from gaining login access to any of your systems).
17. Make sure your computer hardware/software is up to date.
Your employees should always be running the latest version of their browser (e.g., Internet Explorer, Mozilla Firefox, Google Chrome) and other standard programs (e.g., Adobe Flash Player, Microsoft Silverlight). As new security holes are found in such software, you need to patch them as quickly as possible or risk becoming a victim of cyber attacks; known vulnerabilities are usually very easy for hackers to exploit if they aren’t fixed with each update! The same goes for updates on all operating systems and server programs: make it clear that everyone needs to keep their devices’ OS and common programs on the latest version (and that no one should ever download or install software from untrusted third-party websites).
18. Make sure you are encrypting all sensitive data as it’s transferred over the internet.
If someone is able to intercept your data as it travels across open networks, there’s a chance they’ll be able to go through it and discover sensitive information about your company or clients. If this happens, you could become a target of phishing attacks, so make sure both your business servers and workstations use encryption for all online activity. If your ISP doesn’t support encrypted connections on their network, consider switching providers, or use a VPN connection instead of an unprotected broadband one to log into company files at home or when traveling. Many businesses will fire an employee if they find out they’ve been doing work for the company over an unprotected consumer connection, so make it a strong recommendation that no one uses personal connections for any business activity at all.
19. Don’t install or use pirated software.
Using or installing unauthorized copies of software on your computers is a mistake: not only are you putting yourself at risk for malware infections and other cyber attacks, but you could also get sued by the original creator of the app/software (infringing on someone else’s copyright is risky from an employer’s standpoint). Make sure all of your employees know about cyber attacks and understand that it’s illegal to keep a pirated version of a program or game (which is why no one should ever download or install files from P2P sites, even if they’re “claimed” to be an official copy).
20. Make sure someone’s always monitoring the network.
No matter what kinds of protection measures you take (e.g., firewalls) or how great your employees are at avoiding phishing attempts (by not opening suspicious email attachments or clicking on links within emails that lead to websites they don’t recognize), there will still be threats lurking out there, and it’s up to the IT staff to make sure hackers aren’t able to gain access to any of your systems or networks! IT workers need regular training in order to learn new strategies for blocking cyber attacks, but since most companies now rely on those employees for all sorts of other tasks as well, it can be hard to schedule such training.
That is why someone should always be looking out for threats and suspicious activity within your company’s systems! You can hire a third-party IT service to take care of this monitoring (with daily scans and reports sent directly to you), or you could simply ask one even moderately tech-savvy employee (they don’t need superpowers!) to spend an hour or two each day checking the company network and making sure nothing suspicious is taking place. The important thing is that you keep your security measures running 24/7, because hackers aren’t typically known for their “nine to five work week”!
On the opposite end of things, you’ll also want to make sure your employees are reporting any suspicious activity taking place on their networks (which requires having good security measures in the first place, so they know what type of activity is actually considered suspicious). If you don’t have a network monitoring system in place, you can still manually look for potential threats, but it might be easier to let everyone know that anything that looks strange or “phishy” should be reported immediately.
21. Apply anti-spam policies everywhere.
While it’s true that you want to train all of your employees not to click on links within emails, there’s another level of protection necessary if you don’t want random spam email accounts sending phishing attacks via innocent third-party accounts you don’t even use! How?
Spam emails not only look for regular email accounts to spread their links, but also try to access third-party accounts (like Amazon and eBay) in order to send spam from those locations. In fact, spammers will even use stolen social media login information in order to do this, which is why you want everyone to be trained not to click on suspicious links, no matter where they come from! [In the same vein: even if a link appears in a text message or Facebook message, it’s best not to click unless you know the sender well.]
22. Don’t open attachments without permission.
As long as everyone knows that anything weird or sketchy-looking should be reported immediately… well, there shouldn’t really be a need for further restrictions on opening attachments, right?
The truth is that employees don’t always realize what’s considered weird or sketchy-looking. One of the most common ways viruses spread through your company network is when an employee opens an attachment and never even realizes it contains a virus! If you want to be extra careful, though, it might make sense to institute a rule that no one can open any attachments at all (even if they’re from someone in the company) without getting permission first. This way, malicious attachments will hopefully end up in your spam inbox where they belong, and only important and necessary information will get sent along to (and opened by) the intended recipient. [Note: you do still want to make sure employees know they can send important information via text message (texting) rather than email.]
23. Stay connected to your network with technology.
One of the best ways to stop cyber attacks is to always be scanning for suspicious activity! That means keeping up with the latest virus updates, which will require you to stay connected to your company’s IT staff (and bring them any problems that you notice immediately). Depending on how good their services are, they might even do some of this scanning for you, but it doesn’t hurt to have another set of eyes looking at everything too!
24. Make sure everyone has strong passwords.
Training is one thing, but if all it takes is a weak password for someone to break into your accounts, well, your employees have a lot more to worry about than just cyber attacks! If you want to make sure your side of things is completely secure, you need everyone in the company to have strong passwords that can’t be easily guessed or cracked.
Basically, the longer and more complicated a password is, the better. Also known as “passphrases,” these may seem cumbersome at first, but they’re much stronger and, in practice, easier to remember. Instruct all of your employees to use a passphrase instead of a simple personal word or name.
25. Get to know your team’s work routines outside of work.
Having friends and loved ones in another country doesn’t mean they’ll always be safe from harm; in fact, cyber attacks can even happen to people halfway across the world! There’s a good chance that you already know this from watching or reading about things like international terrorist attacks or political refugee crises.
But it takes more than just avoiding terrorist groups and governments with questionable morals to stay safe from cyber attacks. Always take advantage of opportunities to learn everything you need to know about cyber attacks. Just because someone is a friendly acquaintance on social media doesn’t mean they’re not plotting against you behind the scenes! To protect yourself online, it’s important to make sure everyone knows who their real friends are, both within your company walls and elsewhere.
26. Turn off all electronic devices before leaving for work.
While some people are tempted to keep their phones on while they sleep, doing so is usually fine, as long as your work isn’t done for the day and you aren’t likely to be called in for an emergency. That’s different, though, when you’re heading off to work! If possible, it’s a good idea to turn off all of your electronic devices at least thirty minutes before leaving your house each morning.
How long should this rule apply? It really depends on what kind of job you have. There are plenty of telecommuting jobs that can be worked from anywhere, but some professions require employees to check their email or phones immediately upon waking up! In either case, make sure everyone is aware of this policy and follow it faithfully yourself. [Note: again, if the company already has a strict cell phone policy in place, at least fifteen minutes should be well used. Otherwise, the amount of time that you leave your phone off varies by company.]
27. Use cautious cyber security practices to avoid risky links and attachments.
As an employer, you have a responsibility to keep your employees safe at all times, and one way you can do this is by leading them in the right direction when it comes to cyber attacks. That starts with caution. While many people like to joke about not reading those “Cannot open file” messages on Facebook or other social media sites (rightly assuming that they’re fake), it still doesn’t stop them from clicking on sketchy links! So make sure everyone knows how dangerous these things are and always follows any warnings given by the computer.
If you really want to make sure everyone is safeguarded against harmful links, attachments, and downloads, it helps to take things a step further and actually teach them how dangerous these are. The more cyber attack knowledge your employees have, the better prepared they’ll be for anything that comes their way online. So set aside some time with each team member to teach them everything they need to know about cyber attacks.
28. Keep your computer up-to-date on your preferred anti-virus software.
If the only thing keeping the office computers safe from malware is their current anti-virus program, then it’s best not to skimp when it comes to keeping computers updated. Set up automatic updates if possible so no one has an excuse not to keep their computers working at full strength.
29. Only download files from trusted sites.
While it might not be the most fun type of work, you still need to make sure that everyone is doing it! Ideally, each person should do this on a daily basis and report any problems to you immediately. But if there’s no time for reporting, make sure your employees know they can come to you instead, and try not to get too angry when it happens (it happens).
30. Another way of keeping track of everything is by checking out logs/system reports periodically.
You can also have an IT department or a professional do this for you. That doesn’t excuse you from learning what you need to know about cyber attacks yourself, though. Let’s just say they know better.