IT security and cyber attack prevention is a complex issue. In this article, you’ll find three cyber security best practices that are a little unconventional, but really help reduce data security risks in your organization.
With the ever-increasing use of mobile devices and new technologies required for digital transformation, traditional boundaries and their risks are becoming blurred.
The aim of this article is not to reel off common cyber security best practices or to present auditing strategies. Neither is it intended to join the many IT security providers offering solutions to constructed problems created by exaggerated risk assessments and distracting your focus from the actual dangers.
Instead, this article aims to give you ideas on how to identify steps which can be taken today to reduce systemic IT security gaps which helps your achieve better cyber attack prevention with very little effort and cost.
3 Cyber Security Best Practices that Really Work
1. Employee-Based Data Security Risks: Try Sensitization Instead of a Heavy Hand
Remember that scene in Star Wars: A New Hope? A defiant Leia Organa builds herself up in front of the dark Grand Moff Tarkin and says, “The more you tighten your grip, Tarkin, the more star systems will slip through your fingers”. An eerily precise description of the results of heavy-handed IT security measures.
And just as the defenseless Princess Leia’s home planet fades away in a cloud of fire and debris in the sights of the Empire’s flawless superweapon, so too does employee trust, productivity and willingness to cooperate when heavy-handed IT security policies are put in place. And not without consequences – what happens with the Death Star is well known.
It’s not good when IT admins brand the threatened as a threat and then use their valuable resources against them. Phishing and social engineering are among the biggest risks facing companies. Counterfeit instructions emailed to unsuspecting employees, where cyber criminals pretend to be their superiors and request funds to be transferred to their own accounts, have already been responsible for losses running into millions.
This type of cyberattack is often far more lucrative than traditional hacking, yet inexplicably, some in IT still believe that a firewall, virus scanner, and password offer significantly more protection than discussing with employees what can be done better, together, to counter these threats.
If the end user becomes the final opponent for IT admins, then the next security measure is not the Elysium of Security, but probably the bitter realization sooner or later that overly-enslaved employees become highly imaginative when it comes to creating unsanctioned parallel structures and workarounds that nobody has any control over.
Steps to take: Before you invest any more hard-earned money in a shiny new security concept, why not set up a simple training course that shows employees how to recognize a fake email or website? No matter how sophisticated your IT system may be – as long as your workforce isn’t aware of the dangers posed by cyberattacks, the door remains open to potential attackers. It makes cyber attack prevention a joint effort. Also, take a moment to consider how a planned security measure could help an employee make his or her work processes more secure and but also less complex. Then sit down and talk with your end users who are affected by these plans.
2. Don’t Always Increase IT Complexity for Better Cyber Attack Prevention:
Constantly increasing your IT complexity actually often backfires. Administrators face the challenge of maintaining process control and avoiding performance constraints. According to a study by dynatrace, IT teams are spending 30% of their time on just fixing performance problems.
In order not to lose track, documentation is highly important. Any changes made to your IT infrastructure should be fully documented and kept in a secure place (i.e. don’t save documented server changes on that server). But documentation also has its limits. If too many infrastructure components are recorded, it can quickly become time-consuming, confusing and the structures are difficult to understand, especially for colleagues standing in for others.
Infrastructure consolidation should also be regularly assessed. Can certain services be provided with one rather than two products? Do we really need the second firewall, or can the first one be modified, (maybe some product training would be helpful) and fully reach its potential?
If you work in a small or medium-sized business that doesn’t have a dedicated IT security team, simplicity should be your primary goal. Keep your environment simple – fewer servers, shorter distances, deeper expertise and better insight into the components you use.
Get trained wisely – not just for your career or the certificates. Get trained in such a way that you feel fully fit and are able to understand and explain your security concept (both technically and conceptually).
Steps to take: Turn off a server or service today that you no longer need. For areas where you feel unsure, look for training opportunities and eliminate your knowledge gaps.
3. Legacy IT Creates Greater Data Security Risks
The last of our 3 cyber security best practices focuses on Legacy systems. Inflexible infrastructure components occur in some form or other in nearly every business. There is rarely a valid excuse for these legacy systems – they are often no longer updatable or even allowed to be renewed. You should actually feel guilty if you have been dragging these systems along with you for a longer time, but more importantly take a moment to question your reasons for doing so.
IT security is a fast-moving and dynamic area of business. Every component or system that is static and unchangeable doesn’t fit into this concept and needs to be replaced sooner or later. However, it’s inexcusable to not replace legacy devices or systems for cost reasons. Think about what could happen if the system failed tomorrow. What if the data on this system were to end up in the wrong hands by the end of the day? Can you really quantify the potential damage? You should also be thinking about the big picture – what opportunities is your business passing up on by using these old devices and systems?
Steps to take: If a legacy system or device you have in place has come into your mind, take a moment to list the reasons why you need to keep that system or device and bear in mind the questions in the previous paragraph. Are the reasons for keeping that old system or device really that important?
These three cyber security best practices will help identify security vulnerabilities that are often not highlighted in the marketing brochures of expensive IT security solutions. Fear is used far too often to gain headlines and while aggressive sensitization is in some cases justified, we’re often distracted from the fact that the most dangerous data security risks are often created by our own security concepts. The good news is that our own concepts can be easily improved.
Reducing data security risks and cyber attack prevention are not unitary goals that are completed once and for all, but belong to a continuous journey. This journey is far easier to navigate when hand-in-hand with your colleagues, with a clear timetable and without any heavy legacy baggage. And in that sense, may the force be with you.