"It only affects large corporations", "I don't have any interesting data for external parties". These statements show that IT security management is not a high priority in many companies. The reasons for cyber criminals to hack an IT system are manifold. They include not only money or the theft of sensitive data, but also the proof of one's own abilities in the community and the fun of vandalism. Especially the latter shows how important it is to increase IT security.
The goal of IT security is to protect IT systems, which include networks, computers and cloud services. To ensure this protection, measures are defined in IT security concepts that should be implemented and regularly reviewed. This is because security gaps are quickly found by attackers. Consequences of an attack are, for example, system failures lasting hours or even days, theft of sensitive data or encryption of data combined with a ransom demand. This makes it clear how important it is to develop solutions and strategies to increase IT security.
The average damage per year for companies due to manual hacking is 43,700 euros, according to the German Federal Ministry for Economic Affairs and Energy. To reduce the economic damage cyber criminals can cause, I present my top ten list of tips for security experts and employees to increase IT security in companies.
Probably the simplest, but little practised measure for higher IT security is the use of secure passwords, which should be changed at regular intervals. Often there is a standard password that is used for various applications and is even written on the work document. In the event of a cyberattack, hackers both externally and internally can use it to gain access to all systems. Therefore, it makes sense to use a password safe that generates and stores complex passwords. Users then only have to remember one password and tend to choose a secure one. For a secure password, the length (at least 12 characters) and a combination of upper and lower case letters, numbers and special characters are crucial. Company-wide password guidelines are ideal to support employees in their choice.
An attack on an IT system can have many reasons. Sometimes it is the missing knowledge of employees who let the attacker into the system because they are not sufficiently informed about the dangers. Vulnerabilities arise from insecure passwords, phishing mails that steal access data or install malware, and working in public networks. The most important measure to reduce the human risk factor is to sensitise employees within the framework of regular training, guidelines and security tests. Especially in the home office, the company can influence the dangers less and the attention of the users is required. A regular security test should be lived practice, where, for example, all employees receive a phishing mail from the IT department and so it is checked who opens the attachment or link. This can be used to test the current level of knowledge and offer training specifically on topics with knowledge gaps. New employees should also be directly earmarked for IT security training. This way, threats can be significantly reduced. Achim Berg, Bitkom President, says in the context of the Bitkom Study 2020 on business protection in the networked world: "Well-trained employees are the most effective protection. In this way, unintentional damage can be prevented, attacks from outside are better repelled, and if they are successful, countermeasures can be taken quickly."
In order for employees to be able to work in secure systems, it is not necessarily necessary to have the latest applications or operating systems, but regular updates. The manufacturers usually fix bugs as well as vulnerabilities that can lead to an increased security risk. For high IT security, the operating system and applications should be updated automatically at regular intervals.
A backup strategy is a very important measure to increase IT security. After all, the loss of data can also have causes other than a hacker attack, such as fire or technical defects. Therefore, regular backups should be carried out and stored in safe places - also outside the company premises. In addition, the functionality of the backups must be checked regularly, because nothing is worse in the event of a data loss than a faulty backup.
Many people probably think of firewalls in connection with IT security. This is also confirmed by the current Bitkom study, where all companies surveyed stated that they use firewalls and virus scanners. It is important that the defence mechanisms are kept up to date, because the attackers are becoming more and more sophisticated and the manufacturers react to this with updates. Nextgeneration firewalls in particular help to reduce the attack surface for hackers by analysing data packets down to the last detail. More information on this topic can be found in the blog article "Safe is safe: How firewalls protect against network attacks"
The Bitkom study from 2020 shows that only 39% of companies encrypt their email traffic. Information from unencrypted email traffic can easily be read and even falsified. Encryption is absolutely necessary to prevent access to this data. In the case of sensitive data according to Art. 9 DSGVO, companies are even obliged to do so. In addition to emails, networks and websites should also be encrypted. Because without sufficient protection, these too offer access opportunities for hackers. Details on the topic of website encryption can be found in the article "SSL certificates: significance and differences ".
There should be at least one person in the company responsible for IT security. This person keeps track of the measures defined in the IT security concept and keeps them up to date. This includes, for example, the management of clients, notebooks, servers, emails and patches. When updating applications or operating systems, settings can sometimes be adjusted that lead to higher IT security. Because IT security is not a snapshot, but a continuous process for the protection of IT systems.
Regular training and information about current threats are the basis for a reliable IT security concept. Those responsible should constantly adapt the measures to the current danger situation and regularly provide employees with new information that affects them. Because when it comes to IT security, everyone pulls together!
How do you find a security vulnerability before a hacker does? The best way is with regular tests and monitoring systems. One way to test IT systems is with penetration tests. The entire infrastructure, individual parts or web applications can be tested internally or externally. The testers know nothing in advance or know their entire IT infrastructure or only some data. Depending on the objective, a corresponding penetration test is carried out, which reveals problems in the systems or applications that need to be fixed. In addition, monitoring tools help to monitor the systems in everyday operations so that intervention can take place in the event of special events.
Prepare yourself and your employees for an emergency. Determine how cyberattacks can be detected, which strategy applies to which type of attack and test this regularly. This ensures that everyone is informed in case of an emergency and that the processes function smoothly. In this way, the damage in the event of an attack is kept as low as possible.
Don't be afraid of cyber attacks, because fear paralyses. But be vigilant and do not underestimate the dangers even as a small and medium-sized enterprise. Because hackers find security gaps quickly and the damage can be kept as low as possible through functioning concepts. An external security service provider can support companies in designing and monitoring measures. Particularly at present, when more and more companies offer the possibility of home office, a renewed sensitisation of employees is necessary. Some companies still use the RDP protocol for mobile working, which poses some serious risks. And one last tip: Talk about it! There is no shame in being attacked, the important thing is not to let it happen a second time.
Add a comment