Our data is exposed every time we use computers, servers, mobile devices, networks, or electronic systems. The digital universe and our dependence on technology keep growing, which expands the attack surface exponentially and affects everything that can connect or communicate, including data, people, devices, applications, and even the cloud. Vulnerability to cyberattacks is a constant that we cannot ignore.
Sixteen years ago, the Council of Europe and the European Commission decided to launch a Data Protection Day (known outside Europe as Data Privacy Day) to be celebrated each year on 28 January. Two years later, the United States government officially announced Cybersecurity Awareness Month, and eight years later, Europe created European Cybersecurity Month. These observances aim to promote a cybersecurity culture so that users, governments, organizations, and the entire community use digital tools safely and reliably. They also foster international cooperation and encourage governments and the private sector to work together to face the challenges in this field.
Cyberattacks on sectors such as educational institutions, hospitals, and telecommunications, among others, show the importance of taking proactive action to improve cybersecurity. According to the Sophos Threat Report, 34% of companies worldwide were victims of malware in 2020, while 29% suffered sensitive data exposure and 28% suffered ransomware. According to experts, cyberattacks have increased in the last few years because companies implemented remote work at scale during the pandemic without being prepared for the digital transition, which created access vulnerabilities. Hence, this period will be remembered for its increase in cyberattacks.
Other figures that help us to understand the frequency and impact of cyberthreats are the following:
- A cyberattack occurs every 39 seconds (University of Maryland, United States, 2018).
- Three out of five companies that have installed IoT technologies have suffered cyberattacks on these devices (Internet of Things Cybersecurity Readiness – Osterman research for Trustwave).
- One out of two IT managers at Federal Agencies considers low or no cybersecurity training at vendors as their biggest cyberthreat (Federal Cybersecurity Survey, SolarWinds).
- One out of two cyberattack victims is successfully attacked again within a year (FireEye, 2018).
- One out of two technology managers identifies phishing as their main cyberthreat (Global Advanced Threat Landscape Report 2018, Vanson Bourne for CyberArk).
Figures were taken from the LISA Institute website (LISA Institute, 2019).
We recognize this issue, and since it is International Personal Data Protection Day, we would like to highlight some of the best practices to keep your systems, company, and data safe.
1. Employee training: Employees should receive cybersecurity training, as digital intrusions into companies are mainly achieved through employees. Training schemes on cyberthreats should be created and applied to all employees on an ongoing basis. Teaching workers basic notions of security strengthens the company’s security.
2. Secure communications via email: Email is usually a weak point in cybersecurity. The main threats are phishing attacks and the loss or disclosure of sensitive data. Therefore, emails from unknown senders should not be opened or replied to, and links should not be clicked nor attachments downloaded from suspicious email sources.
3. Regular software updates: Cyber attackers are constantly looking for vulnerabilities in companies’ software. Critical software such as the operating system and security applications, among others, should be kept updated, since updates often contain security patches and bug fixes that close vulnerabilities and protect sensitive information.
4. Use an antivirus and a firewall: Firewalls are designed to prevent unauthorized access to private networks. A good firewall can monitor incoming and outgoing data. An antivirus, on the other hand, is an effective tool against ransomware and malware attacks that compromise device and data integrity. Both firewall and antivirus are mechanisms that prevent cyberattacks, protect information, and act as a barrier against hackers.
5. Manage passwords efficiently: Using the same password for all your accounts makes it easier for hackers to access your systems. Instead, long passwords with a variety of characters should be used. Do not reuse passwords or leave clues in public, and avoid using personal information or numeric or alphabetic patterns, among others.
6. Use multiple authentication methods: Since passwords are not entirely secure, multiple authentication methods should be implemented to confirm the identity of users, devices, or machines before granting access to a system or application.
7. Establish a secure connection when browsing the Internet: Employees generally use the company’s computer network to visit websites. Before entering information, the padlock and the HTTPS protocol should be visible in the address bar. If the website is not protected, sensitive information should not be entered.
Companies should also inform their employees about phishing websites, as some use Domain-Validated SSL Certificates to make them look “real”.
8. Have an incident response strategy: It allows companies to anticipate attacks and respond quickly so that the scope of a security incident does not grow larger than expected. The person responsible for implementing and managing the plan should also be identified.
9. Do not leave devices unattended: An unattended device can cause a data breach, even within the company. That is why the physical security of computers, cell phones, and storage media is essential. Screens should be locked or turned off before leaving the device. In addition, sessions should be logged off, especially when logging in from third-party equipment, to prevent sensitive data from being stolen or downloaded by third parties.
10. Perform regular backups: If the company suffers a malware or ransomware attack, the affected data should be deleted and the most recent backup restored to repair the system. Making regular copies and keeping them in different places, out of the reach of hackers, is essential. Backups allow information to be recovered after a loss or theft.
11. Establish device-use policies: Employees’ devices, such as cell phones, can occasionally be an access point to the corporate network. A good device-use policy raises awareness among employees about the use of mobile technologies and how to mitigate the risk of attacks.
12. Increase investment in technology: Given that attackers have the same or better resources, investment should be increased to reinforce security equipment.
13. Know the main cyberattacks to which you are exposed: Being informed increases the chances of successfully defending yourself against an attack. The most common cyberthreats should be known, including phishing, ransomware, online shopping scams, free services, fake phone calls, and fake news, among others.
14. The company’s managers should lead a cybersecurity culture: This is based on the premise that if leaders accept the strategies and changes applicable to the company, the rest of the members will follow.
15. The company is never fully protected: Assume that a vulnerability and a way in for hackers exist even if a cybersecurity strategy is implemented in your company, since a network failure or a mistake by a team member is always possible.
Cybersecurity is an ongoing effort that must be pursued proactively. We invite you to analyze the actions taken in your company regarding cybersecurity and how your strategy can be improved.