
Mark Burgess - Cyber security, how to reduce risks
from SKQ Issue 11
by SKFinancial
Cyber security – how to reduce risks
Over the last two years, I'm sure you'll agree that how we conduct our daily lives has changed. Not just at home, but in our working lives too. One thing that has come to light is how cyber security is becoming more and more challenging. So, what do we need to do to protect ourselves?
During this period we've seen an increase in targeted attacks on both companies and individuals. And yet, the importance of cyber security is still not filtering through - we’ve had to help several companies that were left wide open to data breaches because solid cyber security policies and processes simply weren't implemented.
One area that has become a significant threat is ‘phishing’. For those who aren't entirely up to speed on phishing, the target is usually an individual at home or at their place of work and the intent is to steal sensitive data, such as login or bank details. The initial contact will invariably look like it comes from a trusted source and unfortunately, no single piece of technology can protect you from a phishing attack.
If you’d like to find out more, take a look at the government's Cyber Security Breaches Survey conducted in 2021. The report highlights the risk phishing brings to all organisations, not least because some 83% of reported attacks and breaches were initially by way of phishing. This brings into focus just how important it is to take the appropriate steps to protect yourself and your business. So, what can you do? Like every good security plan, you need to layer up your defences. You can't just rely on a single action to protect you. You need to make use of the tools that are available and understand the risks.
Passwords
Whatever system or service you use, passwords are a must. It's essential not to use anything that can be linked to you personally. Don't use family names, places of birth or pet names. Attackers, in some instances, build a picture of you and will know your place of birth, pet's name or other pertinent information from social media and the internet using a technique known as social engineering.
This enables the attacker to make a targeted attack using personal, emotive messages. The ultimate objective is to find out your login details, passwords or bank details, and in many cases, it's very realistic.
A good example of a password is three random words, a number and a symbol, making it at least 12 characters long. For example, it could be BoatSunshineIsland22@ - it's a mix of random words, upper case letters, numbers and symbols, and it's more than 12 characters long. And importantly, don't re-use the password across services. If one service gets compromised, an attacker may be able to access your other services using the same password.
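The password guidance above, as an added example that is not part of the original article: a generator for the three-words-plus-number-plus-symbol pattern and a checker for the rules on length, personal details and re-use. The word list, symbol set and function names are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample word list; a real generator would draw from thousands of words.
WORDS = ["boat", "sunshine", "island", "maple", "tunnel", "copper",
         "violin", "harbour", "pepper", "lantern", "gravel", "meadow"]
SYMBOLS = "!@#$%&*?"  # assumed symbol set


def generate_password(words=WORDS):
    """Three random words, capitalised, then a two-digit number and a symbol."""
    # secrets (not random) is used so the choices are unpredictable.
    chosen = [secrets.choice(words).capitalize() for _ in range(3)]
    number = f"{secrets.randbelow(100):02d}"
    return "".join(chosen) + number + secrets.choice(SYMBOLS)


def check_password(password, personal_terms=(), used_elsewhere=()):
    """Return the list of problems measured against the article's guidance."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    # Family names, places of birth and pet names can be found on social media.
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal detail: {term}")
    if password in used_elsewhere:
        problems.append("already used on another service")
    return problems


if __name__ == "__main__":
    print(generate_password())
    print(check_password("Rover2015", personal_terms=["Rover"]))
```
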
Multi-factor authentication (MFA)
As mentioned, passwords alone aren't enough. Should you fall for a phishing attack, the hacker has access to your account and can then reset the password, set the recovery email address to something other than your email and then it becomes tough to get things straight.
We always recommend using MFA wherever available. Most providers now let you add a secondary authentication method to verify it's you accessing the system or service. Banks have had this for a while with old-style card readers, but some larger technology companies have applications to handle this. Google Authenticator and Microsoft Authenticator are two well-known examples. It's relatively simple to set up, and they provide smartphone apps to make things easier for you. You can turn on the service, scan the barcode in the app and hey presto, you're all set. MFA will challenge you to authenticate once you've entered your password, and you're required to confirm it's you within the application. If it's not you, you can decline the attempt because your password has been compromised. You can then reset it straight away with no harm done.
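What the scanned barcode sets up, as an added example that is not part of the original article: authenticator apps such as Google Authenticator derive time-based one-time codes (TOTP, RFC 6238) from a secret carried in the barcode, and the service checks the submitted code against the same calculation. The URI, account name and function names are constructed for illustration, and the secret is the published RFC test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed setup URI of the kind encoded in the barcode (RFC test secret).
SAMPLE_URI = ("otpauth://totp/Example:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_uri(uri):
    """Pull the Base32 shared secret out of the otpauth:// setup URI."""
    params = parse_qs(urlparse(uri).query)
    return base64.b32decode(params["secret"][0].upper())


def totp(secret, at, step=30, digits=6):
    """One-time code for the 30-second window containing time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, at=None, window=1, step=30):
    """Accept the current code or one step either side, to allow clock drift."""
    at = time.time() if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        moment = at + drift * step
        if moment < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        ok |= hmac.compare_digest(totp(secret, moment, step), submitted)
    return ok


if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print(totp(key, time.time()))
```

A stolen password alone fails `verify`, because the code depends on a secret that never leaves the phone and the service.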
Password managers
If, like me, you've got a list of passwords as long as your arm, you may want to consider a password manager. A good example is LastPass, a secure password vault where you can store your passwords for services.
You create a master password, using the guidelines suggested earlier, install the extension into your browser, and when you visit a service, it'll auto-complete the login details. The service is encrypted to protect the password information, and you can also safeguard your account using MFA. The beauty of a password manager is that you can set and forget your passwords for services. There's no need to remember them, re-use any and certainly no need to write them down.
Education
One final thing to mention is educating yourself on the types of threats out there and how to spot apparent attempts to trick you. You don't need to study for a cyber security qualification to be better prepared, but you can get more of an idea of how to keep yourself safe. There are loads of great free resources available, and the National Cyber Security Centre has provided a helpful free 'Top tips for staff' training course. It's aimed at businesses, but it's valuable for anyone.
It's important to understand that any business or individual could be targeted, and using the tools at hand to better protect yourself will reduce the risk of a breach or hack.

MARK BURGESS Director orca.co.uk
