Your essential guide to internet security

The endless possibilities of the internet are both a blessing and a curse for businesses. Evolving your digital capabilities can transform your organisation from a dinosaur to a competitive 21st-century innovator, yet it often seems like there’s a potential pitfall around every corner – and the cyber criminals keep getting smarter and trickier.

Not only does the growing complexity of the digital landscape create more room for cyber crime, but the disruption of the COVID-19 pandemic has presented a big opportunity for scammers and hackers to take advantage of the chaos. According to specialist internet service provider Beaming, UK firms faced the worst year on record for cyber attacks in 2020.

However, providing you take steps to detect and protect yourself from any attempted attacks on your organisation, the growing threat landscape doesn’t necessarily mean your business needs to be more vulnerable. Here are our tips for staying one step ahead of online threats.

Install internet security software

Running internet security software on your endpoints (computers, mobile devices, tablets, etc) is the simplest place to start with a project like this.

Most of the well-known antivirus firms, such as Kaspersky Lab, Symantec and AVG, have dedicated internet security products for both individuals and small to medium businesses (SMBs). These products will warn you if a page isn't secure, which is particularly important if you're going to be entering sensitive personal data, or if a page is trying to redirect you. They also typically offer protection against malware downloads, including ransomware. This type of software should ideally be used in conjunction with other on-device anti-malware programs.

Large enterprises will likely have dedicated security resources - either in the form of an individual or team - which should be leading internet security efforts and monitoring. For these businesses, an off-the-shelf solution is unlikely to be suitable. Instead, they should liaise with vendors and/or security-focused managed service providers to develop a system that's suitable for them.

Implement network security systems

Security appliances are a must, particularly for businesses with a large corporate network. The most fundamental of these is the firewall, which filters web traffic to try and prevent malware or malicious actors gaining access to the internal network. There are also email protection systems, and secure web gateway solutions that also offer protection for other internet-connected systems, such as instant messaging programmes.

If your organisation has IoT devices that are connected to the public internet, you should be paying particular attention to finding systems that can protect these endpoints as well, as their built-in security may not be as strong as that on PCs, laptops or mobile devices.

Educating your business about cyber security

Educating the rest of the business is a key component of the internet security process for businesses.

The entire business should be encouraged to take a sceptical "better safe than sorry" approach, particularly as workers are one of the most common ways malicious actors gain entry to corporate systems.

For example, genuine-looking messages can be laden with hidden traps, like documents or PDFs containing malicious payloads or links to infected websites, a technique commonly known as phishing or, when someone like the CEO or CFO is targeted, whaling.

Users should be told that if they receive an email from the finance department asking to "double check this invoice", for example, they shouldn't be afraid to ask for more details about the contents before opening it. Even better, if your company uses an instant message platform, such as Skype for Business, Slack or Yammer, users should be encouraged to contact the sender directly there to double check. Similarly, the entire organisation must be trained to be receptive to this "belt and braces" approach and not become irritated with colleagues who are doing the best thing for the security of the business.

Similarly, if the email comes from a supplier or customer and includes an attachment or link, it's better for the recipient to call them up for clarification or details than to blindly click the link out of a sense of typical British "don't make a fuss" sentiment.

Users should also be aware of potential phone scams, particularly if the caller claims to be from "Microsoft Support" or similar, or the bank.

The IT department, perhaps in collaboration with HR, should be responsible for keeping users up to date with the latest policies and best practices and encouraging individuals to come forward with any questions or concerns.

Be flexible and prepared

One thing every organisation learned in 2020 is that things don’t always go to plan. The widescale shift to remote working as a result of COVID-19 has favoured those organisations with the ability to be flexible with ready-to-go remote working strategies, including stellar cyber security.

Ensure you have a contingency plan for disruptions to normal working arrangements. If your employees can’t work from the office, is the endpoint security on their devices sufficient when they don’t have the added protection of the company network firewall? Are you using an OS that’s supported and regularly patched? You should ensure you’ve updated both your software and hardware so that it is compatible with the latest in security technology, and you may want to consider options such as cloud-based platforms with tight security measures that keep your staff and company data safe from any location.

Adapting staff training is key, too. By now, most people are aware that you should be cautious of an email promising big things from a strange email address, but are your employees trained to spot new threats as they emerge? Do they know that accessing information on their personal devices can be a major security risk, or that they should take steps to secure their home network? It’s vital that you keep everyone informed and prepared so that both your staff and your organisation remain safe online.

Test your defences

Everyone is confident in their own ability to create an infallible system, but there's really only one way to be sure your defences hold up under stress: get someone to attack them. This will test any technical measures you've put in place, like security software, fire breaks and so on, as well as the efficacy of any training that's been put in place.

There are businesses and individuals that specialise in penetration testing who can be brought in as independent consultants. Alternatively, many security vendors also offer this service, but it may be more useful to use them before you roll out their software than after.

This kind of activity shouldn't be a one-off, however. The security landscape is ever-evolving, with new threats and methods of attack appearing all the time. This kind of drill should be carried out at least once a year to identify any areas of weakness you need to improve upon.

Have a data breach response plan in place

It’s important to remember that, regardless of everyone’s best efforts, data breaches might still happen. This is why, when bolstering their security measures, companies should also prepare their response mechanisms: after all, no one wants to be running around like a headless chicken when the organisation’s databases are being breached by hackers.

Earlier this year, at a webcast hosted by SolarWinds, former Facebook CSO Alex Stamos said that enterprises should “embrace the inevitability” that they, too, could be hacked.

“The unfortunate truth is when you go against one of these adversaries of this level, you're dealing with people that have a huge amount of time and motivation to break into your company,” he added. “People that have dedicated research teams that are looking for zero-day in the products you use, dedicated development teams who are building new tools and new command and control systems to break in, that are not going to be caught by existing antivirus, and that come in every day with their job to break into your company.”

Stamos was speaking at a virtual event hosted by a company that had to learn this the hard way. Seven weeks prior to the webcast, SolarWinds itself had fallen victim to one of the most sophisticated cyber attacks in recent history, which affected 18,000 organisations across the world, including US government departments such as Homeland Security (DHS).

However, even if your organisation isn’t a $1 billion enterprise with ties to the US government, you should still ensure that you have an adequate data breach response plan. This must include the names and contact details of the people who will be involved in responding to a breach, whether it's an attack in progress or one that's over by the time it's discovered. Examples include members of the IT team and the CTO, who should all have defined roles, as well as the data protection officer (DPO).

In a larger business, this will also include a dedicated person (for example, the CTO's PA), who is responsible for contacting the company's legal team and, if appropriate, PR agency/crisis comms team.

Finally, make sure you keep yourself up to date with the latest security news and best practices from reliable sources.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.