
7 Things to protect yourself online

What is Cyber-security?

Disclaimer: this is not legal advice.

 
In essence, security is ensuring that your organisation's data, whether on-premises or in the cloud, is secure. The concepts around data security have been around for a long time, yet they are often ignored. But we now live in a world where hacking is an everyday occurrence, and it's not a question of if but when you will be hacked.
 
Here are some tips:
 

1. Protect your front door

From a cyber-security point of view, your connection to the internet is your front door to the world. Just like your front door at home, it should be bolted and shut at all times, and preferably have a CrimSafe™ security screen as well.
This is done through the use of a quality firewall (more details here). In addition to a firewall, protecting your organisation with intrusion prevention, malware detection/prevention and content filtering (preventing people from accidentally visiting hacked or hacker-run websites) is a must these days.
 
A home-style WiFi router is not a firewall. While it does provide some basic protection, this is not suitable in a work-based setting; I’ve personally replaced my home ‘router’ with CrimSafe™-level security protection.
 

2. Protect your back door

If, like a lot of organisations, you operate across multiple offices or countries, ensuring your connectivity between these offices is protected is also vitally important. In our experience, virus protection is severely lacking in a lot of developing countries, leading to infections of computers and networks when files are shared.
 
Your remote offices should have the same level of network protection as your main office.
 
In addition, if you have centralised technology services (e.g. file storage) ensure that data transmitted, between your office and remote office or home users, is protected at all times. There are different ways to do this, but a solid virtual private network (VPN) between your offices is a good starting point.
 

3. Anti-virus/Anti-Malware protection

Protecting the desktops and laptops in your workplace is vitally important to ensuring your staff have a cyber-safe work environment.
 
Regardless of whether your staff are office- or home-based, travel or don't travel, every computing device (laptops, phones etc.) should be protected by world-class anti-virus and anti-malware software.
We’ve helped several organisations deal with malware and virus outbreaks. In nearly all cases these outbreaks have been a result of inadequate protection.
 
We’ve road-tested many different solutions over the years and can help with recommendations, but the key here is EVERY device, in your organisation, that connects to your network must be protected.
 
 

4. Bring your own device (BYOD): another back door!?

Many organisations allow staff to use their own devices (iPhones, Android Phones, iPads and even laptops) to access to organisational resources, such as email, file sharing etc.
 
However, there are some things to consider:
  • Do you have a BYOD policy? One that spells out what can and cannot be done.
  • Do you have a technology solution that ensures devices meet some minimal compliance and protection standards, e.g. PIN- or fingerprint-enforced access, and the ability to remotely wipe organisation data if the device is lost or people leave the organisation?
  • Are the devices protected by anti-virus/anti-malware products?

5. Strong passwords

I cannot stress enough the need for strong passwords, I’ve written an article just on that subject alone.
 
Strong passwords can be enforced by most modern software applications, and if a strong password policy is not turned on, it should be.
 
Passwords should be changed regularly. Every 90 days is best practice, but the reality of your organisation's needs might mean this is more or less often than that.
 
At the end of the day, your organisation's cyber security is only as strong as the passwords that protect it.
 
 

6. Education

90% of cyber-security breaches occur due to social engineering. It is far easier to get someone within your organisation to take an action, such as downloading something malicious or entering critical details or a password on a fake site, than it is to brute-force a firewall or attempt to break the passwords on your systems.
 
Common social engineering hacks include phishing emails and email spoofing. A phishing (pronounced "fishing") email will attempt to get you to click on a link or take an action, e.g. open an attached ZIP file. Email spoofing is where an email appears to come from someone higher up in management and instructs other staff to take an action, e.g. transfer money to an account.
 
The primary defense against such attacks is education, education, education.
 
Phishing emails were once easy to spot: they were misspelled, had bad grammar and were clumsy. But they are getting more sophisticated all the time and are constantly evolving.
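Education is the primary defence, but the two spoofing patterns described above (a manager's name on mail from outside the organisation, and a "please open the attached ZIP" lure) can also be checked mechanically before a message reaches a person. The script below is an added example, not code from the original article or its author: it builds two constructed sample messages (one spoofed, one genuine) and runs a small set of defender-side indicator checks over the parsed headers. The organisation domain, the executive name list and the risky-extension list are assumptions chosen for the demo.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

# Assumptions (constructed for this example): the organisation's own mail
# domain, the senior staff whose names are worth impersonating, and the
# attachment types that should never arrive unannounced.
ORG_DOMAIN = "example.org"
EXECUTIVE_NAMES = ("jane smith",)
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".iso")


def build_sample(from_header: str, reply_to: Optional[str], attach_zip: bool) -> str:
    """Construct a raw RFC 822 message for the demo (constructed, not real mail)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Urgent: transfer today"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please pay the attached invoice before close of business.")
    if attach_zip:
        # Bytes are a placeholder, not a real archive.
        msg.add_attachment(b"PK\x03\x04constructed-not-a-real-archive",
                           maintype="application", subtype="zip",
                           filename="invoice.zip")
    return msg.as_string()


# Constructed samples: a lookalike "CEO" message versus a genuine internal one.
SAMPLE_SPOOF = build_sample('"Jane Smith (CEO)" <jane.smith@example-org-mail.com>',
                            "payments@freemail.example", attach_zip=True)
SAMPLE_LEGIT = build_sample('"Jane Smith" <jane.smith@example.org>',
                            None, attach_zip=False)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: str, org_domain: str = ORG_DOMAIN,
                        executives=EXECUTIVE_NAMES) -> List[str]:
    """Return a list of indicator tags found in a raw message (empty = nothing seen)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    internal = from_domain == org_domain or from_domain.endswith("." + org_domain)

    # 1. A senior person's display name on mail sent from outside the organisation.
    if not internal and any(name in display_name.lower() for name in executives):
        findings.append("exec-name-external-sender")

    # 2. External domain that reuses the organisation's name (lookalike domain).
    org_label = org_domain.split(".")[0]
    if not internal and org_label in from_domain:
        findings.append("lookalike-domain")

    # 3. Replies silently redirected to a different domain than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Attachment types commonly used to deliver malware.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{filename}")

    return findings


if __name__ == "__main__":
    print("spoofed message:", phishing_indicators(SAMPLE_SPOOF))
    print("genuine message:", phishing_indicators(SAMPLE_LEGIT))
```

None of these checks proves a message is malicious on its own; the point is that each one is cheap to run on every inbound message and turns a "does this look right?" judgement into something a mail gateway can flag or quarantine for a human to review.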
 
 

7. Multi-factor authentication (MFA) / One Time Passwords (OTP)

What is MFA/OTP? It’s like having to produce multiple forms of ID to open a bank account, except that one of your IDs constantly changes its number: imagine your passport number changing all the time while your driver’s licence and Medicare number stay the same.
Most systems that store information require a username and password to gain access.
 
An MFA/OTP-enabled application is one where you are required to provide a third piece of information, often called a token, that is always changing and is only valid for a limited time, typically 30 to 60 seconds.
 
If an online application offers you MFA capabilities, you should implement MFA to protect yourself and your data.
 
Not all MFA is equal. A client had SMS/text-based MFA enabled. They were hacked: their phone number was hijacked and transferred to another provider and SIM by the attackers, who then used the SMS-based OTP to gain access to their personal bank accounts and stole almost $3000. Not all MFA solutions are created equal.
 
 

Extra note: Do you do fundraising or online transactions? Are you PCI compliant?

One final note. If, like most NFP/NGO organisations, you rely on raising funds from donors to enable the work of your organisation, or you take online payments directly from your website and CRM: do you store donor/customer data in your systems? Do you store or handle credit card information? If so, are you PCI compliant?
 
We have worked with many organisations to ensure they are either PCI compliant, or have removed the need to be PCI compliant, by removing the handling and storage of credit card details.
 
A breach can be significantly exacerbated if donor credit card information is stolen. Beyond the damage to the donors, the reputational damage to the organisation can be hard to recover from.
 
 

If you would like to know more or need help with aspects of your IT, including the topics covered above, click on the contact button for an obligation-free chat.