By Sarah Adams,
Uh oh. It’s a Wednesday morning, you’ve got a big presentation due that afternoon, but the files on your PC are somehow in lockdown and you can’t get hold of any of the info and data you need.
Worse, there’s a buzz on Twitter about your client’s under-wraps new product – the one you’re preparing the launch for – and there’s a gnawing feeling in your stomach that the leak has come from you.
Data is everything in our digital world, no matter what form it’s in: a spreadsheet, a Word document, a Photoshopped image or whatever. We live and work by it, sharing it across wide-ranging networks and multiple devices.
That’s why its currency is so high, and why the results are so damaging when we can’t access it, lose it altogether, or have it stolen.
But how does that happen? How does our data become compromised? What can we do to prevent that happening? And how do we to deal with it when it does?
Good questions all. By following some straightforward IT rules and protocols, we can go some way towards stopping hackers creeping across our systems, stealing data and spreading malware.
It won’t make your systems immune, but it’s a start.
- Run up-to-date software
This is common sense stuff. You know you need to have a firewall and run antivirus software, right? But it’s important to have your firewall configured correctly to stop threats getting through, and equally vital to make sure your antivirus is up-to-date.
Antivirus software generally works by recognising threats as they arrive, then sending them packing. Updates add newly recognised threats to the database. So, if you don’t have the updates, your antivirus won’t spot the latest threat and deal with it. Simple.
Operating systems, programs and apps need to be the latest version too. Remember that the NHS WannaCry virus infected computers via a Windows operating system vulnerability. A fix had been issued, but not everyone had downloaded it.
Software publishers regularly release security patches for their products – usually after a weakness is found. That means it’s vital to set Windows to automatically update, and to download new releases for everything else you run on your computers and devices.
- Use strong passwords
Using complex passwords is a no-brainer. If you make do with your name followed by 1234 or your date of birth, you almost deserve to get hacked. That kind of info is in the public domain and is easy for hackers to guess.
It’s a must that staff follow a policy of creating passwords that include a combination of uppercase and lowercase letters, numbers and symbols. They should also change them regularly.
Another tip is to have as few people as possible with administrator status. If hackers gain access to a system via an account with administrator privileges, they can wreak all kinds of havoc.
- Beware open networks
Networks commonly have routers at their heart, giving us all the connectivity we crave. But it’s crucial to give them a strong password and to protect them with WPA or WPA2 encryption. You really don’t want people piggy-backing your network and spying on your data.
And spying on what you’re doing is exactly what can happen if you log in to an open access network at a café, airport or anywhere else. Because they’re not encrypted, any data you’re entering or handling on non-https sites (also not encrypted) is in plain sight for anyone who wants to look at it.
Say you enter your email password – anyone else on the network can steal it, go into your account and rifle through everything there. And if you don’t have your firewall properly configured and you have file sharing active, a hacker can access your hard drive, accessing confidential data or launching a virus attack. Be warned.
- Think before you click
The familiar route for most malware to get on to computers is by the operator’s own hand. That includes clicking on a malicious link in a bogus email that releases a virus, worm, Trojan horse, ransomware or worse on to your PC, and then spreads it across the network.
Known as social engineering, this devious hacker trick involves luring the victim into clicking a harmful link or opening an attachment by masquerading as a genuine email from a trusted source. That’s why it’s vital to read emails in detail, to look out for anything suspicious, and never to click on anything you’re not totally sure of.
That goes for software, too. If you’re downloading a program from a website, you really need to trust the site you’re downloading from – because there’s a chance the software will have been injected with a virus that’ll then infect your computer.
Sometimes there’s just nothing you can do though. Some malware is embedded in adverts, known as ‘malverts’, that pop up on your social media feed or on other websites. You don’t even need to click them for the code to download to your device. The same goes for some hacked websites. You just need to visit a particular page.
- Don’t plug and pray
If you find a flash drive, CD or DVD lying about, never plug it in or run it without being absolutely sure where it’s from. It’s a favourite hacker technique for sneakily activating your webcam, or infecting systems with damaging malware like keyloggers.
Then the hackers can see everything you’re doing – the passwords you’re entering and the sensitive data you’re handling. And that opens the door to the whole network, giving them free rein to steal all the data they want.
Prevention & cure
That’s the prevention bit taken care of, then. The bad news, however, is that it won’t keep your systems 100% safe. Sometimes you can usher hackers in without even realising it. Plus, with cunning criminal minds getting cleverer by the minute, there’s only so much you can do.
Most people are realistic enough to admit an attack on their systems is more a matter of ‘if’ than ‘when’. That’s why it’s vital to have a solid recovery plan up your sleeve. Getting back to business as quickly as possible must be the number one priority.
It’s not just about fixing hardware and mending software, either. What if data’s been permanently erased and there’s no back-ups? What if you can’t operate? What if sensitive personal information has been stolen and you’re facing the prospect of financial fraud and identity theft?
Sorting that lot out can take a lot of time and money. Plus, if there’s been personal data loss, the Information Commissioner’s Office is going to want to hear about it, and may order an investigation – not to mention a fine. There’s also the likelihood of claims for damages from the individuals affected.
So, it’s wise to be prepared. Helping out on the plan B side of things is cyber insurance, which takes care of IT forensics, pays for damaged kit and software to be fixed or replaced, and picks up the tab for all the legal costs and compensation payments connected with a breach.
Crucially, it also covers any lost revenue – the profit your business could have been turning if it had been running as normal. That’s important, because it’s surprising how long it can take to get on an even keel again in the wake of an attack. Especially if the Information Commissioner’s Office orders an investigation into the breach
So, it’s a two-sided coin, really. Of course, it’s wise to do everything you can to protect your systems. But even that doesn’t always work. And with an attack an ever-present threat, it’s only common sense to plan for a possible aftermath. Whichever way you look at it, it’s clear you’ll need a strategy for recovery.
Sarah Adams is cyber insurance expert at the CIPR’s insurance broker of choice, PolicyBee.
Picture credit: Igor Ovsyannykov