We have discussed the increase in ransomware attacks and the growing global security and financial threat from cyber risks (Ransomware attacks doesn’t concern me – Do I need to care ? 13 August 2021). The following are four simple gold standards for cybersecurity hygiene.
1. Regular Training & Awareness
The most effective and basic protection strategies begin with your people. Firm-wide cyber awareness education ensures a basic level of do’s and don’ts. Some very basic cyber security etiquette, such as not opening attachments in emails from unknown senders, not attaching any files other than PDFs, implementing strong login passwords and changing your password regularly, are simple but effective preventive measures. The challenge is to conduct regular awareness sessions and to ensure that everyone in the company actually practises these simple cyber security SOPs.
2. Good Backup Regime
Implement simple but regular backup runs on key data, including real-time backups and full-capacity replication. Where real-time backup is too costly or not feasible for your setup, consider a weekly, monthly or even quarterly backup. The key is to ensure that you have the capability to restore at least a reasonably current copy of the data, rather than nothing at all, following any unexpected cyber-attack. The backup should also be physically disconnected from the network and stored at a different site.
3. Create Multi-layer Security by Design
Create an environment of “security by design” with multi-layer segregation by duty, data nature and data form. That way, if any one part of the data ecosystem is breached, the rest of the data is not compromised.
Segregation of Duty by Design:
Design different access rights and levels of data security according to the function of the handler. Data that is automatically posted or downloaded from transaction processing systems (e.g. bank statements from banks, sales data from a CRM) should be segregated from processed data (e.g. entries posted by accountants) and from reviewed or approved data. This ensures the integrity of the data at each stage: preparation, review and approval.
Segregation of Data Nature by Design:
Consider different access rights and levels of security for transactional data, accounting data, business-sensitive data and IP data. These data not only require a different matrix of rights and access handling but also different repositories, physically segregated from each other.
Segregation of Data Form by Design:
The inherent vulnerability of data depends on its form. Real-time online data that is downloaded automatically from the web is more susceptible to ransomware than data generated internally within the organisation (e.g. employee payroll). It is therefore recommended to separate the access privileges of real-time live databases from those of internal private databases.
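As an added illustration (not part of the original post), the following Python sketch encodes the segregation of duty and of data nature described above as a role/data-class access matrix and checks a posting record for violations: each stage must be performed by a role entitled to it for that data class, and preparer, reviewer and approver must be three distinct users. The role names, data classes and record layout are assumptions made for this example.

```python
from dataclasses import dataclass

# Hypothetical access matrix: role -> set of (data_class, action) it may perform.
# Data classes follow the post's categories; the role names are assumptions.
ACCESS_MATRIX = {
    "feed_importer": {("transactional", "prepare")},             # automated bank/CRM feeds
    "accountant":    {("accounting", "prepare"), ("transactional", "read")},
    "controller":    {("accounting", "review"), ("transactional", "read")},
    "finance_head":  {("accounting", "approve"), ("business_sensitive", "read")},
    "legal":         {("ip", "prepare"), ("ip", "read")},
}


@dataclass
class Posting:
    """One record moving through the preparation -> review -> approval stages."""
    data_class: str
    prepared_by: tuple   # (user, role)
    reviewed_by: tuple
    approved_by: tuple


def allowed(role, data_class, action):
    """True if the matrix grants this role the action on this data class."""
    return (data_class, action) in ACCESS_MATRIX.get(role, set())


def check_posting(p):
    """Return a list of segregation-of-duty violations; an empty list means compliant."""
    problems = []
    stages = [("prepare", p.prepared_by), ("review", p.reviewed_by), ("approve", p.approved_by)]
    # Each stage must be carried out by a role entitled to it for this data class.
    for action, (user, role) in stages:
        if not allowed(role, p.data_class, action):
            problems.append(f"{user} ({role}) may not {action} {p.data_class} data")
    # No single identity may hold more than one of the three stages.
    users = [user for _, (user, _) in stages]
    if len(set(users)) != len(users):
        problems.append("the same user appears in more than one stage: " + ", ".join(users))
    return problems


if __name__ == "__main__":
    # Constructed sample: a compliant accounting entry and one where the preparer also reviews.
    good = Posting("accounting", ("alice", "accountant"), ("bob", "controller"), ("carol", "finance_head"))
    bad = Posting("accounting", ("alice", "accountant"), ("alice", "accountant"), ("carol", "finance_head"))
    print(check_posting(good))  # []
    print(check_posting(bad))   # two violations
```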
4. Delete old, irrelevant data files
It is recommended that you perform a simple periodic data-relevancy review to delete outdated and irrelevant records, in line with the regulatory requirements for what data (or documents) you are legally obliged to retain (e.g. longer than 5 years for tax compliance).
Ransomware attacks can bring your business to a halt, damage your reputation, cost you expensive fines for data breaches and lead to the loss of potential revenue from your customers. Adopting some simple preventive measures goes a long way towards reducing future grief.