A large number of corporate cybersecurity breaches today are caused by so-called social engineering: tricking a user into clicking a link or opening a file that gives someone else access to their computer. From there, the hacker moves laterally and escalates privileges until reaching what they are after: sensitive data. Breaches can also occur when a system is not kept properly updated, or when users expose themselves to risky situations.
Protecting against data theft – or other serious complications such as ransomware – requires companies to observe certain precautions and put policies in place to ensure that the entire organization is protected and well aware of cybersecurity threats. The larger a company is, the more entry points it may have for intruders.
Below, we list 10 important measures that can be taken to protect your company against cybersecurity attacks.
1. Limit log-in attempts
One of the ways hackers can find out a password is through “dictionary attacks”, a form of brute force in which they try lists of words commonly used in passwords until they hit the right one. The word list can be tailored to each organization, including terms in the language it works in or associated with its line of business. A good defense is to configure accounts to lock after a certain number of unsuccessful login attempts. This way, even if the hackers eventually find the password, entry will be denied.
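As an added illustration (not code from the original article), here is a minimal account-lockout tracker in Python that implements the policy just described: after a configurable number of failed attempts within a time window the account is locked for a period, and even a correct password is refused while the lock holds. The class and threshold names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from time import time
from typing import Optional


@dataclass
class LockoutPolicy:
    max_attempts: int = 5        # failures allowed before the account locks
    window_seconds: int = 600    # failures are only counted within this window
    lockout_seconds: int = 900   # how long the account stays locked


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed logins per account and refuses attempts while locked.
    Constructed example; not a drop-in for any real identity system."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def attempt(self, user: str, password_ok: bool, now: Optional[float] = None) -> str:
        """Return 'locked', 'ok' or 'denied'. `password_ok` stands in for the real
        credential check; a locked account is refused before that check matters."""
        now = time() if now is None else now
        st = self._state(user)
        if now < st.locked_until:
            return "locked"          # right password or not, no entry while locked
        if password_ok:
            st.failures.clear()      # a successful login resets the failure count
            return "ok"
        # forget failures that fell out of the counting window, then record this one
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
        return "denied"
```

Because a lockout can be triggered deliberately to keep a legitimate user out, this control is normally combined with rate limiting by source and alerting on repeated failures rather than used alone.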
2. Do not store passwords in Internet browsers
Although browsers offer this functionality to speed up access to frequently visited websites that require credentials, it is not advisable to use it. The reason is that in most cases the stored passwords are not encrypted. If a malicious program sneaks onto your machine, it could read the passwords saved in your browser and send the whole list to an external party.
The solution is to use a password manager, free or paid (paid ones are available at a relatively low cost), which generates completely random passwords, up to 200 characters in some cases, that are almost impossible to guess. The file where the passwords are stored is encrypted, so the list cannot be read without decrypting the password manager's file. Through a browser add-on, the password manager can then fill in your credentials on frequently visited sites, offering the same convenience as the browser but in a secure way.
3. Beware of security questions
Many websites use security questions to recover passwords, questions whose answers the user can easily remember (mother's name, pet's name, childhood school, etc.). This information is often posted by the users themselves on their social media accounts, which hands an intruder a means of access. To avoid this, either do not use questions whose answers can be found on social media, or answer with something unrelated to the question (for example, random letters and numbers).
4. Avoid repetitive or similar passwords
The most important rule here is not to use the same password for multiple websites. If that password is compromised, the breach becomes larger: by going through the computer's browsing history and seeing which pages were accessed with a login, the intruder could gain access to many of those sites. It is also inadvisable to use variants of the same password when changing it. If the old one has been compromised, finding the new one just requires trying small modifications, usually a changed number or symbol at the end.
5. Use a VPN when connecting from a public network
For those who use free wi-fi networks, the risk is substantially higher. When connecting to one of these networks, we do not know who may be eavesdropping on us from within the network. Even if the credentials we use to log in to a website are encrypted, an eavesdropper can see which sites we are accessing, and this knowledge can be used in a subsequent social engineering attack: the user is more likely to fall into the trap when the email appears to come from a familiar source.
Also be careful when using free public networks in your local coffee shop, especially if the network is not protected by a wi-fi password. This attack is known as an “Evil Twin”. Normally a coffee shop will post its wi-fi network name and an easy-to-remember password for customers to connect with. If no wi-fi password is set, the network could simply be a hacker enjoying a cup of coffee and trying to entice users to connect to their “Evil Twin” public network.
6. Two-factor authentication
The era of passwords is giving way to authentication through codes or apps, so it is highly recommended to enable two-factor authentication whenever possible. Usually the user receives a code, via email or mobile messaging, that is valid for a limited time and unlocks access when entered. Alternatively, access can be authenticated through an app. Even if your password is guessed, the attacker will not have the code that opens the door.
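As an added example, not part of the original post, the following Python shows how the time-limited code from an authenticator app works (TOTP as defined in RFC 6238) and how the server side accepts it only within a short window around the current time step. The shared secret is the RFC's own test value; the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import struct

# Base32 encoding of the ASCII secret "12345678901234567890" used in RFC 6238's test vectors.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at_time // step)                  # 8-byte big-endian counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # low nibble picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `drift_steps`
    steps either side (clock drift), comparing in constant time. A code outside
    that window is stale and is rejected even though the secret is still valid."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at_time + d * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit code is 94287082, so 6 digits give 287082.
    print(totp(RFC_TEST_SECRET_B32, 59))
```

A real deployment also records the last accepted time step per user so that a captured code cannot be replayed within the drift window.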
7. Establish a proper internal information access system
Although this is a very broad concept that could be the subject of a whole series of posts, it is worth explaining briefly. It rests on a permission system that grants access to documents and data only to those who should have it. This way we avoid giving access to personnel who have nothing to do with the matter or, worse, to those who may want to harm the company out of dissatisfaction.
8. Monitor the redirection of information
In this era of hyper-connection, it is common for professionals to forward e-mails or documents to a personal e-mail account in order to have them at hand. The IT administrator should be the one to set the parameters that allow or prevent this, and to restrict or password-protect the sending of documents so that they do not fall into the wrong hands in the event of theft, hacking or loss. Storing emails or documents on personal devices or personal cloud storage is not advisable, because they may lack adequate protection. If it is done anyway, the information must be encrypted.
9. Professionalize your cybersecurity
In many small companies, the team in charge of security, systems administration and so on is limited, in quite a few cases to a single person. The best practice, whenever possible, is a separation of functions: most professionals are not experts in everything, and security demands special attention because it needs continuous updating. Someone must keep abreast of trends in cybersecurity, new viruses and forms of attack, system updates that permit the exploitation of certain vulnerabilities and the patches released to cover them, as well as monitoring, setting up alert systems and reviewing logs periodically… Maintaining an adequate cybersecurity policy requires a lot of effort.
10. Cybersecurity training
For cybersecurity policies to deliver the desired result, all staff must be aware of them and implement them according to their different responsibilities. They should be informed periodically of new potential risks or recent policy changes and get acquainted with the tactics used by intruders to break security barriers. It is therefore advisable not only to undergo cybersecurity training, but also to overcome resistance to change and adopt good practices, even if they require a little more effort.
Want to keep your SQL Server instances and servers safe and secure from data loss or theft? Check out Lucient Guardian, a system that provides protection and performance optimization of your data platform.