7 Things you need to know about Cyber-Security

What is Cyber-security?

 
In essence, cyber-security is ensuring that your organisation's data, whether on-premises or in the cloud, is secure. The concepts around cyber-security have been around for a long time, yet have often been ignored. But we now live in a world where hacking is an everyday occurrence, and it's not a question of if but when you will be hacked.
 
Here are some important tips:
 
1. Protect your front door
Your connection to the internet is your front door to the world from a cyber-security point of view. Just like your front door at home, it should be bolted and shut at all times, and preferably have a CrimSafe™ security screen as well.
This is done through the use of a quality firewall (more details here). In addition to a firewall, protecting your organisation with intrusion prevention, malware detection/prevention and content filtering (preventing people from accidentally going to hacked or hacker-run websites) are must-haves these days.
 
A home-style WiFi router is not a firewall. While it does provide some basic protections, these are not suitable in a work-based setting; I've personally replaced my home 'router' with some CrimSafe™-level security protection.
 

2. Protect your back door

If, like a lot of organisations, you operate across multiple offices or countries, ensuring your connectivity between these offices is protected is also vitally important. In our experience, virus protection is severely lacking in a lot of developing countries, leading to infections of computers and networks when files are shared.
 
Your remote offices should have the same level of network protection as your main office.
 
In addition, if you have centralised technology services (e.g. file storage), ensure that data transmitted between your main office and remote offices or home users is protected at all times. There are different ways to do this, but a solid virtual private network (VPN) between your offices is a good starting point.
 

3. Anti-virus/Anti-Malware protection

Protecting your desktops and laptops, and your workplace as a whole, is vitally important: it ensures your staff have a cyber-safe work environment.
 
Regardless of whether your staff are office or home based, travel or don't travel, every computing device (laptops, phones etc.) should be protected by world-class anti-virus and anti-malware software.
We’ve helped a number of organisations deal with malware and virus outbreaks. In nearly all cases these outbreaks have been a result of inadequate protection.
 
We've road tested many different solutions over the years and can help with recommendations, but the key here is that EVERY device in your organisation that connects to your network must be protected.
 
 

4. Bring your own device (BYOD): another back door!?

Many organisations allow staff to use their own devices (iPhones, Android phones, iPads and even laptops) to access organisational resources such as email, file sharing etc.
 
However, there are some things to consider:
  • Do you have a BYOD policy, one that spells out what can and cannot be done?
  • Do you have a technology solution that will ensure devices meet some minimal compliance and protection standards, e.g. PIN or thumbprint enforced access, and the ability to remotely wipe organisation data if the device is lost or people leave the organisation?
  • Are the devices protected by anti-virus/anti-malware products?

5. Strong passwords

I cannot stress enough the need for strong passwords. I've written an article just on that subject alone, and could rave on about it for days.
 
Strong passwords can be enforced by most modern software applications, and if a strong password policy is not turned on, it should be.
 
Passwords should be changed regularly; every 90 days is best practice, but the reality of your organisation's needs might mean changing them more or less often than that.
 
At the end of the day, your organisation's cyber-security is only as strong as the passwords that protect it.
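As an added illustration of what "a strong password policy turned on" actually checks (this is example code written for this page, not something from the article or from any particular product), here is a small policy checker. The thresholds (12 characters minimum, at least 3 of 4 character classes) and the tiny common-password list are assumptions made for the example; a real deployment would check against a large breached-password list.

```python
import re

# Constructed sample of commonly used passwords; a real deployment would check
# against a large breached-password list rather than this handful.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password_policy(password: str, username: str = "", min_length: int = 12) -> list:
    """Return a list of policy violations for `password`; an empty list means it passes.

    The thresholds (12 characters, 3 of 4 character classes) are assumptions for
    this example, not figures from the article.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes_used = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes_used < 3:
        problems.append("uses fewer than 3 of: lowercase, uppercase, digits, symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats the same character three or more times in a row")
    return problems


def policy_enforced(password: str, username: str = "") -> bool:
    """Convenience wrapper: True only when no violations were found."""
    return not check_password_policy(password, username)


if __name__ == "__main__":
    # Constructed candidates: one weak, one that leaks the username, one passphrase.
    for candidate in ("Password1", "alice2024!!!", "correct-horse-battery-staple-42"):
        print(candidate, "->", check_password_policy(candidate, username="alice") or "OK")
```

The point of returning every violation rather than a single yes/no is that users can be told exactly why a password was rejected, which is what makes a policy enforceable rather than merely annoying.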
 
 

6. Education

90% of cyber-security breaches occur due to social engineering. It is far easier to get someone within your organisation to take an action, such as downloading something malicious or entering critical details or a password on a fake site, than it is to brute-force a firewall or attempt to break the passwords on your systems.
 
Common social engineering hacks include phishing emails and email spoofing. A phishing ("fishing") email will attempt to get you to click on a link or take an action, e.g. open an attached ZIP file. Email spoofing is where an email appears to come from someone higher up in management and instructs other staff to take an action, e.g. transfer money to an account.
 
The primary defence against such attacks is education, education, education.
 
Phishing emails were once easy to spot: they were full of misspellings, bad grammar and clumsy wording. But they are getting more sophisticated all the time and are constantly evolving.
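Education is the primary defence, but the tell-tale signs staff are taught to look for can also be checked automatically. The following is an added example written for this page (not code from the article): it parses an email's headers and flags the classic spoofing indicators, a display name that matches an executive but comes from an outside domain, a Reply-To pointing somewhere other than the From domain, a look-alike domain, and urgency language. The organisation domain `example.org`, the impersonated name and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation domain and a constructed list of people whose names are
# commonly impersonated in "instruction from management" style emails.
ORG_DOMAIN = "example.org"
IMPERSONATION_TARGETS = {"jane doe"}

# Phrases typical of the "take action now" pressure such emails apply.
URGENCY_PHRASES = ("urgent", "wire transfer", "gift card", "immediately")

# Digits that are routinely swapped for look-alike letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_like(domain: str, target: str) -> bool:
    """True when `domain` differs from `target` only by confusable characters."""
    def normalise(d: str) -> str:
        return d.translate(CONFUSABLES).replace("rn", "m")
    return domain != target and normalise(domain) == normalise(target)


def spoofing_indicators(raw_message: str) -> list:
    """Return human-readable indicators that a message may be spoofed or phishing."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    indicators = []

    if display_name.strip().lower() in IMPERSONATION_TARGETS and from_domain != ORG_DOMAIN:
        indicators.append(f"display name '{display_name}' but sender domain is {from_domain}")
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append("Reply-To domain differs from From domain")
    if looks_like(from_domain, ORG_DOMAIN):
        indicators.append(f"sender domain {from_domain} is a look-alike of {ORG_DOMAIN}")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        indicators.append("subject/body uses urgency language")
    return indicators


# Constructed sample messages (not real mail).
PHISH = "\n".join([
    "From: Jane Doe <jane.doe@examp1e.org>",
    "Reply-To: finance-desk@mail-relay.example.net",
    "Subject: Urgent wire transfer",
    "",
    "Please transfer the attached invoice amount immediately and call me after.",
])
LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@example.org>",
    "Subject: Team lunch on Friday",
    "",
    "See you at noon in the kitchen.",
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", spoofing_indicators(raw) or "no indicators")
```

None of these checks is proof on its own (a genuine executive may well write "urgent"), which is why the function returns the list of indicators rather than a verdict: several together are what should make a mail gateway quarantine the message or make a staff member pick up the phone and verify.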
 
 

7. Multi-factor authentication (MFA) / One Time Passwords (OTP)

What is MFA/OTP? It's like having to produce multiple IDs to open a bank account, except that one of your IDs constantly changes its number, i.e. your passport number is constantly changing while your driver's license and Medicare number remain the same.
Most systems that store information require you to have a username and password to gain access.
 
An MFA/OTP-enabled application is one where you are required to provide a third piece of information, often called a token, that is always changing and is only valid for a limited time, typically 30 to 60 seconds.
 
Some would argue that all logons to all systems should require multi-factor authentication (MFA), but the reality is a little more pragmatic than that: security must fit the needs of the organisation and not impede people in their work.
 
In our experience, if you have nailed the above security areas (firewalls, antivirus, education etc.), then MFA can be rolled out selectively. You would certainly want to have MFA on your bank accounts, organisationally and personally, and on any other areas where you store sensitive data, e.g. donor records.
 
Not all MFAs are equal. A client had an SMS/text-based MFA enabled. They were hacked: their phone number was hijacked and transferred to another provider and SIM by the hackers, who then used the SMS-based OTP to gain access to their personal bank accounts and stole almost $3000. Not all MFA solutions are created equal.
 
 

Extra note: Do you do fundraising or online transactions? Are you PCI compliant?

One final note: if, like most NFP/NGO organisations, you rely on raising funds from donors to enable the work of your organisation, or you take online payments directly from your website and CRM, do you store donor/customer data in your systems? Do you store or handle credit card information? If so, are you PCI compliant?
 
We have worked with many organisations to ensure they are either PCI compliant, or have removed the need to be PCI compliant, by removing the handling and storage of credit card details.
 
A cyber breach can be significantly exacerbated if donor credit card information is stolen. Beyond the damage to the donors, the reputational damage to the organisation can be hard to recover from.
 
 

If you would like to know more or need help with aspects of your IT, including the topics covered above, click on the contact button for an obligation-free chat.