Cybersecurity has become an integral aspect of managed IT services. Cybercrime is expected to cost the world’s economy US$10.5 a year by 2025. This is why every business should want to know the IT security Measures IT professionals recommend.
As threat actors create more sophisticated scams, the cybersecurity landscape will continue to evolve. Cybersecurity measures are not simply a set-it-and-forget-it solution.
However, there are some cybersecurity tips recommended by IT professionals that will remain constant. With more employees working from home and accessing business networks on personal devices, there is a growing need for decision-makers to ensure cybersecurity foundations are in place.
In this article, we are going to outline the five cybersecurity measures that we feel are unavoidable. And whilst the technology will continue to evolve, the practices we have listed will not.
The five methods listed below probably fall outside standard protocols for some firms. For example, we haven’t mentioned firewalls, anti-virus protection and VPNs. We expect you already have those boxed off.
Use Strong Passwords & Use a Password Management Tool
Reports surfacing in UK newspapers recently again reiterated the warning to ensure staff passwords are secure. The UK’s National Cybersecurity Centre also works tirelessly to stress the importance of using strong passwords to build network resilience.
It’s fair to say that most people recognise the importance of creating a strong password. Online accounts force people to use a combination of upper and lower case letters together with numbers and a symbol.
This way of creating passwords is not easy for users to remember. However, it is necessary. Hackers use efficient technology that recreates character combinations to crack passwords in a “brute force” attack.
Whatsmore, bad actors have programmed these brute force tools to recognise words in the dictionary and switch letters for numbers. For example, 3 instead of E, 1 instead of I, and 5 instead of S.
Users that employ these tactics to create passwords are probably going to get found out before long. When you think about it, switching letters for numbers is a schoolboy error. Remember typing 80085 into your calculator?
You would think that by now, most users will have moved away from using passwords that are personal to them – yet easily discovered in public records and social media platforms; birthdays, anniversaries, names of children, pets and sports teams.
Spoof phishing campaigns are becoming more prevalent. This involves hackers sending emails which appear to have originated from a recognised company; i.e a bank, Amazon, government agency etc.
When unsuspecting victims click on a link, they are directed to a spoof website and enter their login details. This hands your sensitive data over to hackers who then take control of your account.
The National Institute of Standards and Technology (NIST) advises businesses to establish a password policy framework which includes:
- Using at least 8 characters and a maximum of 64 character
- The password should contain at least one lowercase letter, one uppercase letter, one number, and four symbols except for the following &%#@_
- Emojis can be included in the list of accepted characters
- Avoid using the same password twice
- Reject commonly breached passwords and number sequences like 123456
- Do not allow hints or knowledge-based authentication
- Reset your password when you forget it. But, change it once per year as a general refresh.
However, both NIST and NCSC recognise that users want to be able to use passwords that are easy to remember. NSCS remark that users need help with password overload. Their advice is to use machine-generated passwords. But we feel that if a machine can generate a password, a machine can crack a password.
The IT security measures IT professionals recommend is to adopt user-generated passwords that are inspired by machine-generated passwords. By that we mean use an assortment of characters but apply a personal and memorable catchphrase. You can also use the binary codes for emojis to make them even stronger.
For example, to access Microsoft 365, you could use a personal feeling towards the app you’re using; i.e M$36515|;‑)
M$36515|;‑) = microsoft365 (M$365) is (15) and |;‑) – the emoji face for awesome.
Biometric Multi-Factor Authentication (MFA)
Multifactor authentication is always among the IT security measures IT professionals recommend – even though we appreciate MFA is not agreeable to everyone.
Yes, it is annoying, but so is losing £10,000 to a hacker. This actually happened to one of our clients when they decided to ditch MFA despite our recommendation that they shouldn’t.
Having said that, we do have sympathy with users. MFA is frustrating – even more so given the fact it’s not the most reliable method available in the current state of play. There are several ways that hackers can intercept MFA validation codes and gain access to your accounts.
But we have no doubt that MFA is an essential tool, and will continue to be an essential tool to tighten network parameters. Verification steps should include location-based data and verifying a device that is authorised to access your business network.
However, that may not be enough if a device is lost, stolen, intercepted or bypassed. The next step for a watertight MFA strategy is to identify the individual. And that means using biometric data.
The next unilateral step for MFA will be biometric authentication. Whilst some people may find this idea somewhat draconian, it actually makes sense to use either facial recognition or retina scan technology to verify the individual trying to access an account is authorised.
Conditioning for biometric data access has been underway for several years now. First, we had fingerprint security to access smartphones and laptops and people have become accustomed to that now. Last year, tech giants including Apple and Samsung introduced Face ID which scans facial contours and eyes.
You can see how the evolution of biometric authentication will find its way into the workplace. It may feel Orwellian but it may also be a necessity in the fight to protect your business from hackers. We expect to see biometric MFA IT security measures recommended by IT professionals more often moving forward.
Identify Cybersecurity Threats
A few months ago we blogged about the hacking threats your employees should know about. When you consider that around 95% of data breaches are caused by human error, it is imperative to provide your staff with cybersecurity training.
Hackers are getting increasingly cunning and the techniques that are prevalent these days can easily outfox employees that are not aware of existing threats. Knowing how to identify cyberattacks will significantly lower the risk of falling victim to threat actors.
Employees that are not cybersecurity aware represent a risk to your business continuity. It can be easy for unsuspecting victims to click on malicious links and enter login details on a spoofed website, download a pdf or file infected by malware or reply to an email with sensitive data because they think the recipient is authentic.
Employees that are aware of cyberattacks and know how to identify potential threats could be the difference between protecting your business network and suffering a data breach. And a data breach could be catastrophic.
A data breach damages the reputation of a brand so much it could be irreparable. Under the rules of GDPR, data breaches have to be reported to all affected parties – customers, shareholders, partners, suppliers etc. Subsequently, customers lose confidence and leave for a competitor causing 60% of SMEs to go out of business within six months of a data breach.
One of the leading IT security measures recommended by IT professionals is to provide your staff with cybersecurity training as an ongoing endeavour. Whenever hackers change their tactics, your employees need to know about it.
For example, did you know that hackers are infiltrating Microsoft Teams and dropping malware-infected files into chats between colleagues? This is a highly effective way of soliciting or stealing sensitive data because a request would most likely appear authentic if your employees don’t know hackers could have infiltrated Teams.
Spearphishing and whaling attacks also use tactics that impersonate trusted contacts. IT Security software alone cannot prevent these types of attacks. Awareness can. We recommend reading our previous blog titled “Are Hackers Targeting your C-Suite with Whaling Attacks?”
Virtual Desktop
The pivot towards hybrid models and remote working is expected to cause IT professionals more headaches than usual. Home networks are typically not as secure as business networks and employees are more likely to access your network from personal devices and public Wi-Fi.
IT security measures IT professionals recommend often include virtual desktops (VDs) because they provide an ideal solution for securing your business network whilst still enabling remote workers to access the files they need to do their work. Because applications are hosted on ‘virtual machines’ the user experience is not interrupted.
VDs are built to look and feel like your business network and can be used on any endpoint computer such as a laptop, smartphone or tablet. However, the secret security application separates the virtual operating system from your actual network.
Users working inside a VD – such as Microsoft Virtual Desktop (MVD) – can access all the apps you use for normal operations to function. However, the user is only interacting with the software that is on their device. They are not actually entering the cloud database where the live version of your business network is stored.
The key benefit is that if a device is lost, stone or compromised, hackers cannot access sensitive data because it is not stored on the device. This gives your employees more flexibility but also gives you another layer of protection when working with contractors and sharing information with other third parties.
Businesses that use Microsoft enter VD portals through their Azure account. However, setup can be complex if you don’t have experience with the cloud. Cybersecurity firms cite incorrect cloud configuration as one of the leading causes of data breaches.
If your IT department does not have experience with a cloud configuration, we recommend speaking to one of our IT solution experts in London. We have many years of experience working with Microsoft cloud platforms and would be happy to help get your MVD up and running.
Keep Software Up-To-Date
Once the software is released onto the marketplace it is susceptible to vulnerabilities that can be exploited by clever hackers. This is why software companies spend millions paying “ethical hackers” to find and fix potential gateways in their software.
When a tech company releases a software update, it is the responsibility of its customers to update the latest version – especially if it comes with a security patch. Tech companies are not held accountable for a data breach if an updated piece of software is exploited.
Companies, therefore, must rely on every one of their employees to update the latest security patch that is issued on a piece of software. If you are using multiple third-party apps, software updates can be burdensome and eat into productivity.
On the one hand, you can’t afford to ignore security updates. You also have to weigh up the risk of relying on reach your employees to perform security updates at their own behest. Hackers can exploit software vulnerabilities in as little as 15 minutes.
What’s more, bad actors are given prior warning. Software companies, by law, have to announce security risks publicly. Details of the vulnerability are typically reported weeks in advance by security firms that find them as well. There’s nothing like giving bad actors a head start!
If cybercriminals exploit a software vulnerability, they could access deeper layers of information stored on your business network. A common strategy that hackers are using today is to release ransomware which shuts you out of your network until you pay a ransom to recover it.
Even if you pay a ransom, there’s no guarantee the hacker won’t sell the information they steal from you anyway.
IT security measures IT professionals recommend to lower the risk of vulnerable software is a patch management service. With more employees working remotely, ensuring security updates are performed on every device is harder to police. The longer a gateway is left open, the higher the risk of suffering a data breach.
IT Security Measures IT Professionals Recommend
The threat of cyber criminals poses a significant risk to the continuity of your business. If you haven’t already laid the foundations of your cybersecurity defences, we strongly recommend getting in touch with our IT professionals in London today.
Our specialists will offer advice about the IT security measures IT professionals recommend and put a tailored strategy in place that serves your needs in relation to your budget.