Top tips for being security serious

Every day in the run up to Security Serious week, we will be sharing top tips from leading specialists in IT security, who have kindly shared their expertise to help you get Security Serious.

Orchestrate. Through system-wide orchestration, systems share contextual data to improve security effectiveness. They also work together to automate response and security enforcement to quickly contain risks and remediate compromised endpoints. Not only does this save considerable administrative time, it dramatically reduces the attack window to protect your enterprise.

No single security tool will protect against the firestorm of threats facing networks today. Advanced threat detection systems may quickly detect indicators of compromise (IOCs) on your network and alert IT staff about this condition. But then what? Without multisystem orchestration, infected systems propagate the threat until manual IT intervention stops them. One thing is abundantly clear: manual processes simply can’t scale to meet the explosive growth of mobility and IoT.

Back up regularly: if you can afford to lose a week’s work at a time, back up every week; if you can only afford to lose an hour’s work, back up hourly. However frequently you do it, if you are backing up sensitive data, it should be encrypted.

Be unique. To make things harder for the bad guys, use unique passwords for every website, as this ensures both you and your organisation remain untouched. Try putting sites into mental groups (by value or name or something else) to help remember them.

Threats are developing in ways to undermine confidence in a company, by subtly changing data rather than stealing it. Loss of control without knowing it is to be feared as much as pure data loss.

Establish effective lines of communication - This involves three sub-practices. Firstly, vendors should have a clear and reachable point of contact to deal with vulnerability reports in order to prevent reporters from spending time and resources to find the right contact. Secondly, vendors should have a viable disclosure policy in place and ensure it contains information about the primary point of contact, information required from reporters, vulnerability response mechanisms and the timeline of the process. Finally, regular communication with key stakeholders will make the disclosure process more transparent and manageable, as well as ensure it does not lead to unexpected outcomes.

Limit administrative complexity - the more tools your administrators have to manage, the more likely a mistake is to happen. Look for tools that provide a ‘single pane of glass’ to manage your IT estate.

Businesses grow and change. They employ new technology and innovation. But this brings new risk, whether it’s through third parties, contractors or changes in the supply chain. It’s imperative that businesses understand what impact these changes have on potential risks to their security, and adapt their cyber security strategy accordingly. Businesses ought to review and update their cyber security as their business changes to avoid being caught out by the evolution of attackers.

Reporting and disclosure should be flexible - There is no “one size fits all” rule when it comes to vulnerability disclosure. It is therefore essential to be flexible about how a problem is reported and subsequently treated. Flexibility ought to be a two-way street to ensure there is common ground for achievement of the ultimate outcome. For example, flexibility is a vital aspect of patching within a critical network infrastructure, which may require more time for vendors to develop a patch due to its complexity.

Implementing full disk encryption across your organisations significantly reduces the risks of a data breach in two ways. Data that is protected and encrypted is harder to get in the first place, and if a laptop or USB device does get left on a train, the data is unintelligible if it does fall into the wrong hands.

People are often the weakest link when it comes to security. Organisations should educate their employees about how they can better protect themselves from security risks. Employees need to understand the importance of the security measures your company has in place, and how they work in order to make them valuable. With education and compliance training in place, risk can be minimised.

Share with care on social media. Apparently innocuous details like your pet’s name or your birthday are common identity authentication questions on many sites, and thus useful to fraudsters. Aggregation sites can collect information from multiple Internet sources, making it easy to build up a detailed picture. According to a recent Javelin survey of identity fraud, some 54% of social media users have been the target of an identity threat, and those who are active users and share personal information are at increased risk.

You can only design and implement an effective security policy if you know what types of data are being held on your employees’ devices, and the relative impact of different types of data being lost or stolen. Make sure you understand what you’ve got and the relative value of your different types of data.

What makes the difference between a full blown crisis and a problem to be tackled is the plan you have in place to respond and repair – so be prepared!

Having the right technology at the endpoint is of limited use if you can’t easily manage the technology centrally and have visibility of what users are doing on their devices. You need to be able to roll out the technology, and make updates, apply patches etc, centrally, without needing the users to do anything. You need central monitoring and reporting, so that you can see if there is a potential problem and take remedial action immediately.

Good defence means good technology. Today’s intelligent technology does not rely on rules and signatures to identify the new and sophisticated threats that bypass border controls. It uses machine learning.

The network perimeter is now defined by the user, and more specifically, by their identity. Securing the new “Identity Perimeter” and managing users’ access to applications has become a complicated calculus, and it is IT’s responsibility to secure information regardless of the device and user’s location.

You need strong but memorable passwords on all your devices and on your online storage account. Creating a strong memorable password is not as complex as it might seem: think of a nursery rhyme, take the first letters of each word and any punctuation or capitalization and add an exclamation mark at the end. For example: “Little Jack Horner sat in a corner, eating his curds and whey” could become, LJHsiac,ehc&w!

To close the gap between breach and detection, companies need the technology that allows their networks to continuously monitor activity and analyse traffic inside networks. Security analytics products like SIEMs can surface patterns of anomaly and malicious behaviour by studying network data. For organisations to be successful here they will need a visibility fabric in place to gain broad reach and access to network data and the capability to groom traffic and feed only the right kinds of information to the SIEMs. The one-two punch of a visibility fabric and a SIEM can give organisations a concrete way to surface threats faster, and by extension reduce the risk that the breach will turn to data theft and loss.

Naturally we advise customers to follow industry standard security best practices at all times while reminding them that PCI-compliance simply offers bare minimum protection. Key to protecting cardholder data are up-to-date POS systems along with continual improvement of security policies and risk assessment procedures so they far exceed the basic security criteria stipulated by PCI DSS. Any security issues highlighted by auditors must be fixed right away.

Don’t get attached: Be wary of download links on webpages or attachments in emails that you are not sure about. Well-known companies and brands rarely send out attachments, so it’s a safe bet you should ignore one should it come through.

Most legacy solutions designed before the encryption boom simply cannot detect encrypted threats. Traffic visibility has become essential to effective security. Businesses must ensure they have powerful SSL inspection tools in place to analyse all traffic passing through the network. Only then can they ensure that hidden malware is found and kept out.

Ensuring that users have the right amount of access is key to managing IT security. Organisations can manage access with single sign-on (SSO) and provisioning. As employees and contractors come and go, provisioning enables IT to make real-time updates and with automated deprovisioning tools, any corporate identity can be deactivated across all enterprise resources within seconds, so that once an employee or freelancer has left the company, crucial data cannot leave with them.

It can be tempting to download apps from unknown and unofficial market places. However, without the official certification from Apple Store, Amazon or Google Play, it is impossible to trust what you are downloading. A lot of hackers create their own app stores and apps, luring victims into downloading them by advertising paid apps for free. Never download anything from app stores that you do not recognise, or that seems too good to be true.

Opening phishing emails and sending documents to a personal email address, for example, can leave a business at increased risk of an attack. To combat this, organisations should offer regular training sessions to their staff at all levels on how to spot and report any suspicious activity. This training should form part of every new joiner’s induction, and all employees should be regularly updated about the latest types of cyber attack.

Address vulnerabilities in a timely manner - There is a consensus among practitioners that timeliness is a vital part of vulnerability disclosure. Without such pressure certain vendors may postpone fixing vulnerabilities indefinitely. Compelling vendors to develop a solution within a short timeframe makes them act more efficiently, for example they cannot opt to just “sit” on a vulnerability for months. To further reduce risks associated with disclosure of unfixed vulnerabilities, the vendor community and reporters need to agree what constitutes a reasonable timeframe for addressing a particular problem.

Watch the road. Always be aware of where you are on the Internet and take specific note of anything and anybody that asks you to ‘login’ or provide any ‘secrets’ or personal information. Opt-in for multi-factor authentication where available. Sites like Google and PayPal offer these services. If you don’t see a little lock next to the URL, be aware that it’s not secure.

Take time to educate your users - having the right technology is important and so too is encouraging the right user behaviours. It is vital that people understand the value of the data they’re storing, sharing and using, and the implications of their actions.

Rather than relying solely on passwords to authenticate users, companies should adopt simpler and more secure methods of multifactor authentication (MFA) — like SMS and push notifications for phones and watches — to ensure users are who they say they are, reducing the risk of unauthorised access. While MFA solutions were traditionally built for large enterprises, the cloud is democratising MFA for companies of all sizes, enabling SMBs to adopt and implement this simple-to-use, secure technology as well.

Today, most people use their smartphones for online banking, making purchases, sending personal information and much more. Doing all of this on a public WiFi network could have disastrous consequences. Public networks are all too easy for hackers to access, with many actively cruising around looking for unsecured networks and potential victims. Some people need to access public WiFi, for example students when working in the public library. In this case, you should download antivirus software for your smartphone. It is highly recommended that users download an anti-virus app that is updated regularly (at least once a week). This ensures that it is always able to stop the latest virus or Trojans.

Today’s attacks are silently crossing borders and blending in with everyday business activity. An immune system that learns ‘self’ and spots intruders before they attack, helps companies curb threats already on the inside.

Pick up the phone if you have to: If the webpage you’re on looks suspicious, or if you receive an email from a brand or online platform asking for sensitive information and you are not sure if it’s legitimate or not, click out of the email or the webpage and call the organisation. For example, unless you know the sender of an email, any request for personal information should be ignored.

Getting you to click on a link in an email is a very easy way to take you to a site where fraudsters have installed some form of virus that will adversely affect your computer, phone, tablet or other device. Unless you are 100% sure where the link is going to take you, the rule is NEVER click on an email link. Hovering your mouse over a link will show you where it will take you.

Our research has shown that in the UK, the average cost of remedying an enterprise mobile security breach stands at a massive £167,000. Unfortunately, for businesses today it’s less about ‘if’ a breach will occur and more about ‘when’ the hack will be discovered. When the breach has been discovered, we strongly recommend performing a post-breach forensic analysis. To truly clean up a breach, the business must understand how it occurred and exactly what was put at risk. Companies should get ahead of a hack by investing in a mobile threat defence solution that can provide data on how the breach occurred, which users were impacted and provide clues as to which data may have been compromised.

Follow existing industry guidelines - There is no need to reinvent the wheel. Official documents, such as the Organization for Internet Safety (OIS) document and ISO standards, often provide a set of useful guidelines on how to carry out responsible disclosure and set up a viable vulnerability disclosure policy. It is essential that key stakeholders are familiar with these documents, especially those charged with creating a vulnerability-handling scheme. At the same time, the wider community needs to put the industry under pressure to adhere to these documents to improve disclosure practices.

Monitor your personal information. Stolen personal information can lead to financial problems, if criminals take out credit in your name; or reputational damage, if the information is used in illegal activities. The risk can be mitigated with a fraud protection service, which monitors whether your personal or financial information is being used, as well as providing recovery assistance if it is. You should also check your credit reference files regularly: if someone is making false applications for credit in your name, it will show up immediately.

Audit continuously and establish policies accordingly - the first step any organisation should take when developing a security strategy is to assume from the outset that they will be a target and develop policies accordingly.

Ensure that usernames and passwords have been changed from the default state and are of sufficient strength to prevent immediate access.

“To deal with today’s cyber security threat, businesses need to focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with advanced cyber criminals. Implementing a robust security framework will allow businesses to get on the front foot in combating attacks, in order to ensure that these threats don’t come to pass. In parallel, organisations need to ensure that consumers are educated continually on the importance of online security, giving them easier, but more secure ways to protect themselves – whether that be through mobile alerts, or biometric technology.”

Approach security in the right way. Start with your most valuable data and work your way out. That way if other layers of the network are breached, fundamentally, it will have a minimal impact at that stage.

In order to keep end-user computing secure, businesses need a better way to secure and control a magnitude more users, devices and applications that span traditional company and network boundaries. For IT, this means switching focus from being device-centric to people-centric. But to deliver this approach, organisations need seamless identity management for all applications (in the cloud or on-premises), and across all devices.

When storing data in the cloud, security is still your responsibility. You must ask the service provider to deliver the appropriate levels of information security and measure and audit the supplier yourself to ensure that the relevant security is applied. Ask who’s holding the data, where it’s held, if they can prove effective processes are in place and what security standards are in place around that data. Each organisation should check this information and manage it as they would for every corporate risk.

“Communication and information flow between the organisation and its employees is vital – the risks and potential consequences need to be understood by all employees through continued user education. User education is arguably the most cost-effective approach to improving the security posture of any organisation.”

When online, it is all too easy for hackers to access your smartphone and take control of it without you even knowing. One method that is becoming increasingly popular among hackers is to operate a click fraud scheme whereby a specific pay-per-click web page is opened every time the phone is unlocked. This happens in the background, meaning that the user is completely unaware their phone is the victim of an attack. This drains the phone’s data and can result in an increased phone bill, should the data run completely dry from the consumer’s monthly allowance. Most people are completely oblivious that they have been the victim of an attack until they receive their monthly phone bill. Anti-virus software for your mobile will stop any attempts at hacks in their tracks, protecting your smartphone and your phone bill!

Updates and patches for all types of software are issued whenever a weakness or vulnerability is found in order to enhance facilities. Therefore, it is essential that software updates and patches be installed as soon as they are issued to reduce the risk of exploitation of the weaknesses uncovered.

Inspecting encrypted traffic should be top priority for businesses. WhatsApp has led the charge to encryption, moving its traffic to the secure sockets layer (SSL) and encrypting the link between users so data can’t be stolen or changed. It’s expected that around 70 per cent of all internet traffic will be encrypted by the end of this year. However, the sudden upsurge in encryption has made it far easier for criminals to hide malware from security systems.

At the absolute minimum, business executives need to understand what the most critical assets are and key areas of vulnerability. Businesses need to have the courage to make the right decision that balances security risk against commercial return and does the right thing by the business and customers in the long term. There needs to be the courage in making the difficult decisions on what systems and services are protected, and at what level.

As a general rule of thumb, once data is online you are no longer in control of how that data can be used or misused by potential cyber criminals.

Distribute Information about vulnerabilities - It is vital that regular users of products or services are encouraged to spread information about vulnerabilities. Details about the vulnerability and its solution, if available, should be disseminated to inform users of any developments and give them an opportunity to protect themselves. The decision on how much information should be made public should be agreed to by all stakeholders on a case by case basis.

Enable automatic software updates. Updates are usually issued to address vulnerabilities. Patching your system with the latest updates will reduce your exposure to malicious activity.

“Given that 67% of all security breaches occur as a result of insider misuse or abuse – make sure you have appropriate and proactive measures to ensure you know who has access to what and keep track of exactly what they are doing with their privileges… Expect what you inspect… Nothing less.”

“Cyber-attacks, malware and system vulnerabilities have all been mystified and media-hyped beyond any sort of reasonable analysis. The most effective IT strategies against all unknown and known threats are generally the same. Patch and update the operating system, patch and update third-party applications, restrict administrative access, and use malware defences. Ultimately, offense informs defence. IT service providers need to learn how to view their customers’ networks as targets. I’m certainly not advocating unleashing destructive cyberattacks on unwitting customers, but setting up a virtual cyberdefence lab and downloading some free tools – such as NMAP, Wireshark and Metasploit - to explore vulnerabilities will help to protect, defend and detect attacks on your customers’ network. Top tip – go out of your way to make it frustrating and difficult for the bad guys to get what they want by putting in detective, proactive and reactive defensive layers.”

The second POS security law is to have ready access to records that show who is authorized to access POS service accounts used for maintenance and configuration changes. Administrator access should be restricted to systems their job requires and no more. Access to POS systems should be regularly checked to ensure it is limited to certain individuals. Continually monitor your POS systems for suspicious activity. Multiple failed user logons, for example, could be a sign someone is trying to gain control over your POS operating system. Sudden spikes in suspicious activity always require careful investigation.
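As an added example (not the tip author’s code), a small detector for the failed-logon pattern described above, run over constructed POS authentication log lines. The log format, the threshold of five failures and the five-minute window are assumptions; it also notes when a success follows the burst, which is the case most worth investigating.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page). Assumed format:
# "<ISO timestamp> <LOGIN_FAIL|LOGIN_OK> user=<account> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 LOGIN_FAIL user=posadmin src=10.0.0.5
2024-05-01T09:00:04 LOGIN_FAIL user=posadmin src=10.0.0.5
2024-05-01T09:00:07 LOGIN_FAIL user=posadmin src=10.0.0.5
2024-05-01T09:00:09 LOGIN_FAIL user=posadmin src=10.0.0.5
2024-05-01T09:00:12 LOGIN_FAIL user=posadmin src=10.0.0.5
2024-05-01T09:00:15 LOGIN_OK   user=posadmin src=10.0.0.5
2024-05-01T09:30:00 LOGIN_FAIL user=till07 src=10.0.1.20
2024-05-01T09:45:00 LOGIN_OK   user=till07 src=10.0.1.20
"""

LINE = re.compile(r"^(\S+)\s+(LOGIN_FAIL|LOGIN_OK)\s+user=(\S+)\s+src=(\S+)$")


def find_bruteforce(log: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> list:
    """Flag accounts that reach `threshold` failed logons inside a sliding
    window. If a successful logon for that account follows within the same
    window, mark the alert as a probable takeover."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    alerts = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        q = recent[user]
        if result == "LOGIN_FAIL":
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) == threshold:  # raise once when the burst hits threshold
                alerts.append({"user": user, "src": src, "failures": threshold,
                               "first": q[0], "last": ts, "success_after": False})
        else:  # LOGIN_OK
            for a in alerts:
                if a["user"] == user and not a["success_after"] \
                        and ts - a["last"] <= window:
                    a["success_after"] = True
            q.clear()  # a success resets the failure run for this account
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_LOG):
        verdict = "then SUCCEEDED" if a["success_after"] else "no success yet"
        print(f"{a['user']}: {a['failures']} failures from {a['src']} "
              f"between {a['first']} and {a['last']}, {verdict}")
```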

There is no such thing as 100% security. Acknowledge that you will be breached and focus on detecting threats early enough to help mitigate risks.

“By encrypting everything and implementing appropriate access controls, organisations will no longer need to worry about what data is considered ‘sensitive’ and where that data is located. Instead, they can feel confident that no matter where data resides, when an intrusion does occur, any information accessed by cyber criminals would have been rendered illegible. This limits damage and prevents the kind of catastrophic financial and reputational impact a breach can cause. It is also worth considering that, now approved, time is ticking away until the new EU wide General Data Protection Regulation comes into play. The adoption of an ‘encrypt everything’ strategy will allow companies to not only better ward off would-be hackers, but also achieve compliance, and thus avoid additional penalties.”

Know what normal is - When it comes to an attack like DDOS (Distributed Denial of Service) or an access breach, how do you know entry has been gained or an attack is ongoing? Knowing what normal looks like is invaluable when trying to spot behaviours that are anomalous to your daily business. For example, when it comes to a DDOS attack it’s unfortunate that - depending on your monitoring - users will be the first to see impact. Establishing a baseline should allow support staff to quickly differentiate between disparate user issues or an attack and enable teams to react promptly without hesitation. Operations teams should make use of monitoring tools and dashboards that display behaviours with minimal delay.

In the last month the number of ransom notes being sent has risen exponentially. At first glance they look like the real deal. But to the trained eye many of these notes are fake. They have been sent by people exploiting fear and hoping you’ll pay. So how do you spot a fake? There are five signs:

1. The amount being requested is less than 20 bitcoin; genuine hackers want more.
2. Your network hasn’t suffered a degradation. Fake hackers don’t bother; they think you’ll pay rather than check.
3. The email doesn’t link to a website. Fake hackers aren’t that sophisticated.
4. When you check on social media, companies outside of your sector are being targeted. Real hackers target a sector specifically.
5. The email has subtle differences to genuine ones; an expert will be able to tell you immediately.

A final thing to note is that nothing stays the same in cyber security, and it won’t be long before we see another genuine group start running ransomware attacks for real. So to be absolutely sure, always speak to an expert before making a decision on what to do.

“Nowadays, hackers and cyber-attacks easily bypass traditional firewalls and anti-virus software. For example, many security threats come in the form of innocuous PDF documents that deploy malware, opened by employees themselves through email. These attacks work due to the exploitation of temporary software flaws that are increased through out-of-date software on devices. Part of the issue is the many different software applications that are now used in enterprises, from internet browsers to PDF readers and Java applications. The challenge lies in keeping the patch management of each one updated regularly and efficiently. To appease this, a structured approach based on automated tools must be implemented to ensure every piece of software is fully patched up. When this issue is compounded by the ever multiplying number of devices used in businesses, the challenge of maintaining security becomes impossible without an integrated end-point management system.”

Keep it long. The longer and more complex the password, the safer it will be. Ironically, writing down your long passwords on a yellow sticky note is better than using short ones. What’s more, twelve characters should be the minimum and avoid using dictionary words unless as part of a complex passphrase.

Don’t be afraid to hover: Hovering over a link on a website or over a sender’s name in an email will bring up the domain the message is sent from, so if you don’t recognise the domain, it’s a safe bet that message is not legitimate. Additionally, if there is a hyperlink on the webpage, hovering over it will bring up the full URL.
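The hover checks in this tip and in the earlier “NEVER click on an email link” tip can be automated for a mail gateway or a training exercise. The following is an added example, not code from any contributor to this page: it parses the anchors in a constructed HTML e-mail body, and flags any link whose visible text names a different domain than the one the href actually points to. The sample message and the two-label approximation of a registrable domain are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the page). The first link shows a
# bank's address but points at an unrelated host; the second is consistent.
SAMPLE_HTML = """
<p>Dear customer, please confirm your details at
<a href="http://login.example-bank.com.verify-account.example.net/auth">
https://www.example-bank.com/secure</a>.</p>
<p>Read our <a href="https://www.example-bank.com/help">help pages</a>.</p>
"""

# Matches a bare or scheme-prefixed hostname appearing in visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Assumption: registrable domain is the last two labels. Good enough for
    a demo; a real gateway would use the public suffix list (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def check_links(html: str) -> list:
    """One finding per link: real target host, host shown in the text (if
    any), and whether the two belong to different registrable domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        m = URL_IN_TEXT.search(text)
        shown_host = m.group(1) if m else None
        mismatch = bool(shown_host) and \
            registrable_domain(shown_host) != registrable_domain(target_host)
        findings.append({"text": text, "target": target_host,
                         "shown": shown_host, "mismatch": mismatch})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["mismatch"] else "ok"
        print(f"{flag:10} shown={f['shown']!r} target={f['target']!r}")
```

Links whose visible text is plain words (like “help pages”) cannot be judged this way and are reported without a mismatch; the hover check in the tip is still the right manual step for those.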

A strong password is the first rule of security. The importance of strong passwords is nothing new. The latest version of PCI DSS contains additional requirements to enforce the use of strong passwords. Such steps would be unnecessary if more businesses clamped down on weak passwords or default administrator accounts. Cracking a simple password is one of the easiest and quickest methods of a cyberattack. So it’s vital that businesses on the front line, such as hotels, enforce a strong password policy. Wherever possible, this should go hand in hand with two-factor authentication and regular password changes, especially for the administrator accounts on operating systems and POS applications.

Use two-factor authentication in email and financial accounts. Two-factor authentication requires extra login credentials, in addition to your username and password, making the account more difficult for cyber criminals to access. For high value accounts, the added security is worth the extra time.

Don’t underestimate your supply chain: you are only as strong as your weakest link.

“To stay safe against today’s threats we need to follow Sun Tzu’s much overused (but relevant) advice: ‘If you know neither the enemy nor yourself, you will succumb in every battle’. In order to defeat a persistent, ingenious adversary we need to understand what they are likely to want from us, where it is, why they want it and how they are likely to try and get it - if we can answer those questions then we can scale and orient our defences in the best way possible. If we blindly try to block ‘all’ threats then we are destined to fail, as our human adversaries are becoming increasingly adept at combining tools and techniques, and leveraging weaknesses in our supply chain / staff to lose themselves in the ‘noise’ of events we all face every day in security. We need to focus more of our time and energy on stopping the threats that matter, that pose a real business risk, and that requires a shift in where and how we secure our key assets.”

“Today’s hackers are so sophisticated in their methods that we must assume they will get past our defences. Whilst still important, firewalls, anti-virus and other prevention tools are no longer sufficient on their own to protect us from today’s more complex threats, which can go unnoticed on our networks for days or months once they get in. It’s imperative that organisations have the right people, processes and security intelligence capabilities in place to ensure that they can combine prevention with fast detection and response capabilities, in order to avoid a breach before any damage is done.”

Control. The ability to see devices is critically important. However, you need other advanced capabilities as well. You must also be able to control devices and automatically enforce your security and compliance policies based on rich contextual information. And what about devices that drop on and off the network? If you want nonstop security, your cybersecurity solution must continuously monitor and mitigate attacks. Best practices today call for solutions that provide identification, operational intelligence and policy-based mitigation of security issues—even in the most complex enterprise networks.

See. You have to see it to secure it. Once organisations gain enhanced visibility into their network, customers typically report discovering that 20-30 percent of the devices on their network were previously unknown. That’s largely because non-traditional devices such as security cameras, smart TVs and media equipment are generally left out of the network security equation because these devices lack security management agents. Organisations must have a single point of view of their connected environment, and they must be able to see IP-addressable devices on the network.

If your database contains your crown jewels (data), what security measures are really in place for it? Don’t just rely on perimeter security.

Implement a data protection policy which guides employees on how to keep personal data secure.

Everywhere else in the environment the use of shared, high level, accounts has been eradicated, but we still see it frequently at database level. The facilities exist to eradicate this, so put them in place.

Network visibility is essential. If security managers have a real-time view of every connected device, every authorised user and how secure each device is, they have a better chance of pin-pointing where the weakest links in their armour are.

Password policy – require employees to use unique passwords which are changed at pre-set times. Consider implementing multi-level access authentication to highly sensitive systems.

Secure your Wi-Fi – if you have a Wi-Fi network for your workplace, make sure it is secure, encrypted and hidden.

Put in place a device control strategy to identify and control the use of removable storage devices – not only does this prevent bad stuff getting in, but combined with data loss prevention (DLP) it can also help stop personally identifiable information (PII) and intellectual property (IP) data from going out.

Use Application Control to keep track of, and restrict, unnecessary software that reduces security without adding any needed benefit.

Users are more mobile than before, and the range of environments that they either want or have to work in can constantly change. Having a list of IT assets that is accurate and shows status for all authorised devices and software – as well as any unauthorised ones that are joining the network – can provide IT with a better starting point to ensure security. At the same time, continuously scanning all the endpoints for possible flaws is a necessary step for the future.

Protect mobile devices – make sure laptops, tablets and smartphones all have adequate safeguards and reporting procedures in place if lost or stolen.

Payment cards – if you take card payments, make sure validation and anti-fraud systems are in place. Don’t use the same computer to process payments and surf the Internet.

Train employees to be suspicious of emails, especially those that contain attachments, and to report any unusual emails or attachment behaviour to IT.

After a breach has been detected, a lot of energy is put into stopping it and assessing the extent of the impact. However, without proper visibility, most companies are left wondering if they are still being breached – that is, whether the attackers left undiscovered backdoors that will allow them back into the company’s systems later, once the incident response winds down.

Choose a good password – don’t use data that other people know, such as birthdays or pets’ names. Make passwords as long and complex as you can, ideally mixing up letters, digits and punctuation, so they are much harder to guess. Have a look at this video showing helpful tips on how to choose a difficult password that’s easy to remember.

Backup – check all critical data is regularly (preferably automatically) backed up to a secure off-site location.

Provide firewall security – ensure this is correctly configured. If employees work from home, ensure their home system(s) are also protected.

Ensure you have effective endpoint, network and email protection that filters out spam, malware and dangerous file types.

If you move to the cloud, make sure that the ability to encrypt the data – both in the cloud and also when being transferred – is on your core requirements list.

Static passwords are not secure anymore. In no industry is this more evident than in banking. To keep safe when shopping online, consumers should look for a bank that offers them some degree of multi-factor authentication.

Restrict employee rights – staff should only be given access to systems they need for their jobs and should not be able to install new software without permission.

Consider a patch assessment tool to ensure your operating system and applications are up to date with the latest security fixes. Most exploit kits see success due to exploits in software for which a patch is already available and just has not been deployed.

Vendor security patches are there for a reason; make sure you have an appropriate strategy for putting them into place. New technologies such as Ksplice allow for zero-downtime patching.

Audit data is only any good if you’re inspecting it and alerting on events of interest. Don’t just use it as a forensic source once a problem has arisen. Look for a full-blown SIEM solution or even something based on a stack like ELK.
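As an added example (not code from the original page, and not an ELK or SIEM product rule), the following Python turns two of the tips above into alerts over audit data: the warning about shared, high-level accounts still in use at database level, and the advice to alert on events of interest rather than only reading logs after the fact. The audit line format, the account names `sa` and `dba_admin`, the thresholds and the sample lines are all assumptions constructed for the demonstration.

```python
# Added example (not ELK/SIEM product code): alert on events of interest in
# constructed database audit lines. Line format, account names and thresholds are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+) status=(?P<status>\S+)$")
PRIVILEGED = {"sa", "dba_admin"}                        # shared, high-level accounts (assumed names)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(seconds=60)  # repeated failed logins from one host
HOST_THRESHOLD, HOST_WINDOW = 2, timedelta(minutes=10)  # one shared account, several machines


def parse(line):
    """Parse one audit line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def alerts_for(lines):
    """Return alert strings in the order the triggering lines were seen (one alert per condition)."""
    alerts, fired = [], set()
    fails = defaultdict(deque)      # host -> timestamps of recent failed logins
    priv_hosts = defaultdict(dict)  # privileged user -> {host: time of last successful login}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "LOGIN":
            continue
        ts, host, user = ev["ts"], ev["host"], ev["user"]
        if ev["status"] == "FAIL":
            q = fails[host]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:  # drop failures that fell out of the sliding window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ("brute", host) not in fired:
                fired.add(("brute", host))
                alerts.append(f"{len(q)} failed logins from {host} within {FAIL_WINDOW.seconds}s")
        elif user in PRIVILEGED:
            seen = priv_hosts[user]
            seen[host] = ts
            active = sorted(h for h, t in seen.items() if ts - t <= HOST_WINDOW)
            if len(active) >= HOST_THRESHOLD and ("shared", user) not in fired:
                fired.add(("shared", user))
                alerts.append(f"shared account {user} used from {len(active)} hosts: {', '.join(active)}")
    return alerts


# Constructed audit lines (not from a real database).
SAMPLE_AUDIT = """\
2015-10-19T09:00:01Z user=app_svc host=10.0.5.20 action=LOGIN status=OK
2015-10-19T09:00:05Z user=sa host=10.0.5.12 action=LOGIN status=OK
2015-10-19T09:02:10Z user=sa host=10.0.9.77 action=LOGIN status=OK
2015-10-19T09:03:00Z user=report host=10.0.7.3 action=LOGIN status=FAIL
2015-10-19T09:03:05Z user=report host=10.0.7.3 action=LOGIN status=FAIL
2015-10-19T09:03:09Z user=report host=10.0.7.3 action=LOGIN status=FAIL
2015-10-19T09:03:14Z user=report host=10.0.7.3 action=LOGIN status=FAIL
2015-10-19T09:03:20Z user=report host=10.0.7.3 action=LOGIN status=FAIL
2015-10-19T09:05:00Z user=app_svc host=10.0.5.20 action=SELECT status=OK
""".splitlines()
```

Running `alerts_for(SAMPLE_AUDIT)` yields one alert for the `sa` account appearing from two hosts within ten minutes and one for the burst of failed logins; in a real deployment the same two conditions would be expressed as SIEM correlation rules fed by the database audit log.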

Look for evidence of fraud – if you get a credit report made (there are companies that offer this for free), then you can check it for evidence of identity theft. Look for tell-tale signs of fraud such as new credit accounts that you did not set up. Check if there has been an increase in enquiries on your credit report. If a fraudster is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts. They may also change your personal information such as address and phone numbers, so regularly check that this information is correct.

When buying on eBay or other marketplaces, try to avoid paying funds directly into sellers’ accounts. Paying by credit card or PayPal generally gives you better consumer protection if the goods don’t arrive.

To ensure that the same infiltration tactic never works twice, cyberdefences must evolve: intelligently, automatically and rapidly. Pragmatic, real-world defence depends not on making a network impenetrable, but on making it so challenging to crack that most attackers will eventually move on to easier targets.

If users are to have any confidence that their private information will remain private, companies need to think very seriously about how they protect and anonymise users’ data. Customers need to be aware that any information shared, implicitly or explicitly, could fall into the wrong hands. We should think very hard about which services we use, who we share with and how we express our preferences. We need to be careful about transacting with organisations that cannot prove they have the right governance, controls and systems in place.

Repairing the damage is more important than placing blame, and speedy remediation is dependent on good visibility. The faster you can see and determine the size of the rip in your safety net, the faster it can be repaired. Companies have a clear fiscal incentive to minimise downtime, so this element is critical to running a business seamlessly.

It’s human nature to want to solve the crime and capture the attacker. But in cyberspace, being able to pinpoint the identity, location and sponsor of the attack is often a waste of energy. Instead, focus on creating dynamic defences that make hackers’ lives so difficult that they turn away in favour of an easier mark. Yes, there’s something satisfying about being able to say “whodunnit,” but when it comes to defending your network, attribution is merely a diversion.

Implement full disk protection and encrypt sensitive data stored on servers or removable media for sharing with business partners.

A very quick route to accidentally downloading malware comes from clicking on links in emails or opening attachments. Be cautious when you open emails - if they don’t look legitimate don’t risk it.

Crooks want to capture more than just one user’s password and confidential files, they want access to your back-end databases, your PoS network, your testing network. Consider segregating your networks with next-gen firewalls that treat your internal departments as potentially hostile to each other, rather than having one big “inside” fenced off from the even bigger “outside.”

Protect your systems – install latest software updates to protect against the newest online threats.

Install endpoint protection software and/or a secure web gateway that can identify and block exploit kits before they infect your systems.

Control physical access – secure building entry points, consider CCTV installation, ensure visitors are properly managed and IT areas locked.

Train employees – establish security practices and policies for employees and create a culture which takes cybersecurity seriously.

Include everyone. For one reason or another, every person in your organization is a potential target. Make sure everyone in your organization is involved in the various exercises you conduct throughout the year to reduce overall organizational susceptibility. (50% of recipients open emails and click on phishing links within the first hour – Verizon DBIR 2015 Report.)

For effective awareness, focus on current threats. According to a Trend Micro report, 91% of attacks begin with a phishing email. Your employee security training program should be immersive, continuous, and focused on the current threats your employees are most likely to encounter. Capture behavioral metrics to identify who your most vulnerable users are, in addition to those who are most likely to alert the security team when they see something suspicious.

Empower trained employees to report potential threats. Your employees are valuable informants and can help you identify threats on your network. Prepare employees to spot and avoid attacks with immersive training exercises and empower them to act as security sensors by providing them with a simple, quick reporting process. (Statistic: 205 is the median number of days it takes to detect a threat on the network.)

Mobile devices such as smartphones and tablets are replaced as often as every 18 months. Unfortunately, too many people simply dispose of their mobile devices with little thought on just how much personal data their devices have accumulated. Remember to wipe your device with a factory reset, and bear in mind that SIMs and external cards store details as well. Either use the old SIM in the new device or physically shred or destroy it to prevent someone else from getting your personal data.

Security awareness is very much an integral part of information security. A recurring theme is that people in an organisation must be made aware of the security policies, procedures and control requirements that they are expected to uphold. 56% of small-to-medium-sized businesses admitted that they have not been provided with security awareness training at all, and that the most likely reason for a data breach was human error. Just remember that employees are the first line of defence against cyber-crime.

Maintaining good systems, and organisation-wide patch management, is a critical step in maintaining a good security posture across the board. More important, however, is deep insight into what’s happening right across the technology stack. Businesses need to seriously consider how a services-based approach can augment or enhance security operations, and responsiveness to the latest trends across the threat landscape, especially where infrastructure and applications are deployed across diverse environments (cloud, on-premise and hybrid). A services-based offering can become an extension of the overall cyber security team and provide a level of capability that would often take a great deal of time and resource to achieve alone.

Cloud security can enhance and automate security features for customers, making it easier to understand and mitigate risk. Organisations should commit people and resources to cloud services as if it were a new business unit. Those that immerse themselves into the infrastructure, design and security components of the Cloud (all types) have a deeper understanding which leads to more efficient use of the cloud and better risk mitigation strategies.

Security best practices must remain a paramount focus in overall protection strategy, as is having a clear understanding of the fact that attackers will almost always choose the “path of least resistance” when attempting to exploit their targets. Organisations need to implement effective monitoring capabilities for both pre and post compromise activity.

Be mindful of phishing emails - There are a number of clues that can help you identify phishing emails: spelling mistakes, sense of urgency/threat (‘you must unlock your bank account immediately!’), generic greeting (‘Dear Sir/madam’), request for personal information and the biggest of all - strange URLs. Always hover over a link to see which URL it is redirecting you to.
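The clues listed above can be checked mechanically. The following Python is an added example (not code from the original page): it collects every link in a constructed HTML e-mail body, compares the domain the link text shows with the domain the `href` actually points to (the hover check), and flags plain-HTTP links, urgency wording and generic greetings. The phrase lists, the `URL_LIKE` heuristic and both sample messages are assumptions constructed for the demonstration.

```python
# Added example (not from the original page): spot the phishing clues listed above
# in a constructed HTML e-mail body. Phrase lists and samples are assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("immediately", "urgent", "within 24 hours", "suspended", "unlock your")
GENERIC_GREETING = ("dear sir", "dear madam", "dear customer", "dear user")
# Visible link text that itself looks like a URL or bare domain (assumed heuristic).
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:      # only text between <a> and </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of a URL (scheme added if missing); '' if there is none."""
    url = url if "://" in url else "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_clues(html_body):
    """Return human-readable clues: mismatched or plain-HTTP links, urgency, generic greeting."""
    parser = _LinkCollector()
    parser.feed(html_body)
    text = re.sub(r"<[^>]+>", " ", html_body).lower()  # tag-stripped body for phrase checks
    clues = []
    for href, visible in parser.links:
        target = host_of(href)
        shown = host_of(visible) if URL_LIKE.match(visible) else ""
        if shown and target and shown != target:  # what hovering over the link would reveal
            clues.append(f"link text shows {shown} but points to {target}")
        if target and urlparse(href).scheme == "http":
            clues.append(f"link to {target} is not HTTPS")
    clues += [f"urgency wording: '{p}'" for p in URGENCY if p in text]
    clues += [f"generic greeting: '{g}'" for g in GENERIC_GREETING if g in text]
    return clues


# Constructed sample messages (not real mail).
SUSPICIOUS_EMAIL = """<html><body><p>Dear Sir/Madam,</p>
<p>You must unlock your bank account immediately!</p>
<p>Visit <a href="http://secure-login.example-bank.com.evil.test/verify">
https://www.example-bank.com/verify</a> to continue.</p></body></html>"""
CLEAN_EMAIL = """<html><body><p>Hello Alice,</p><p>Your statement is ready at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
</body></html>"""
```

`phishing_clues(SUSPICIOUS_EMAIL)` reports the mismatched link target, the plain-HTTP link, two urgency phrases and the generic greeting, while `phishing_clues(CLEAN_EMAIL)` returns an empty list; a mail gateway or a user-facing plugin could surface the same clues before the recipient clicks.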

Monitor, log and report activity - Only by knowing what is happening within your network can you spot suspicious or unusual behaviour.

Make sure passwords are changed regularly. Often there is a long period between a password being discovered and the access being exploited; changing the password brings the shutters down again – it’s as simple as that.

Don’t think that cyber security is just an IT issue: the technology can provide a wall around the kingdom, but your people create and use the keys to get in and out to do what they need to do. The majority of cyber breaches leverage human mistakes or malicious intentions, so everyone in an organisation needs to be made cyber aware to help stop intelligent people doing silly things.

Encrypt sensitive content - We all know the value of encryption; many regulatory agencies recommend its use. If any device should be lost or stolen any encrypted sensitive material cannot be read by an unauthorised user.

Limit access to systems and data based on context, in accordance with the requirements of an employee’s role, and take into consideration their contextual attributes and security posture.

Check who’s behind the website - Recognising a secure website is easy: look for https, the padlock and the green address bar. If you see the name of the organisation in the address bar, it has been verified, and you know who you are dealing with. If any of these clues are missing - beware!

What about old computers, servers, and hard drives? What looks like garbage to you could put dollar signs in the eyes of a hacker; always be mindful when disposing of such objects.

Ensure continuity - include your security requirements in contracts and service level agreements, keeping your users safe and data hidden.

Limit access - your interns don’t need access to all of your intellectual property, neither do many of your employees for that matter. Make sure you review access and entitlements regularly to maintain control and ensure people can only access the information they really need.

Don’t make security an afterthought - If you need to collect data, keep it for as short a time as possible and securely destroy any information you don’t need.

Multilayer defense is needed: I like to describe defense in depth by comparing it to the defense systems you might see at a castle; it could be defended by a large stone wall, followed by a deep moat, followed by a drawbridge, followed by an iron gate, etc. A single layer of defense is not sufficient for your data – it must be protected by multiple systems working in parallel. That way if one layer of defense is breached your data is not exposed.

MS Office documents and PDFs are common attack vectors: Vulnerabilities are identified in MS Office and Adobe Reader on a regular basis. While patches are typically released very quickly, if the patches are not applied in a timely fashion the vulnerability can still be exploited. As an everyday precaution, document sanitization is recommended to remove embedded threats in documents.

Data workflow audits are essential: Data can enter your organization through many different points – email, FTP, external memory device, etc. Identifying your organization’s entry points and taking steps to secure them is a critical step in avoiding data breaches. At a minimum, scanning incoming and outgoing email attachments for viruses and threats and implementing a secure file transfer solution should be considered.

Only use trusted sites. There are roughly 252 million registered domains and a large portion of those domains are malicious. Some are quite obvious, while other, legitimate sites can be compromised and host malware within their pages. Stick to the well-known, established sites to increase the odds of staying safe online.

Do not use the same password across different systems. By utilizing different passwords for every account, the user is limiting the effectiveness of an attack to a single compromise. If that same password was used across multiple sites, the attacker would have immediate access to every single one of them.

Review financial accounts regularly for suspicious activity. Sometimes a victim won’t realize they have been attacked. By monitoring accounts on a regular basis, you raise your chances of catching an attack before it causes too much damage. Catching breaches early helps stop the attack, recuperate damages, and possibly even catch the attacker.

Do not open attachments from unknown people or attachments that appear suspicious. This is a very, very common method for attackers to use - delivering malware straight to your inbox, which is both convenient and highly effective. Do not click on an unsolicited link or open an attachment unless you know it is reputable.

Disable Flash. Flash exploits have been growing at an exponential rate over the past three years, and Bromium research indicates that 90 percent of information security professionals believe their organisation would be more secure if it disabled Flash. Google Chrome and Amazon have committed to blocking Flash ads, in part because of security concerns.

Be mindful of your digital footprint and what you post online. As just mentioned, don’t post anything online that you wouldn’t want everyone in the world to see. Really.

Protect your personal information. Remember: do not advertise sensitive information online. Tighten your security settings on social media, and do not use your real birthdate, telephone numbers or addresses, because this information can be used to fuel custom attacks or answer account security questions.

Patch vulnerable machines as soon as possible. According to the Verizon Data Breach Incident Report, 71 percent of known vulnerabilities had a patch available for more than a year, yet Bromium research has indicated that more than 20 percent of organisations take longer than a month to patch zero-day vulnerabilities.

Always use complex passwords that are not easily guessed. Easy-to-guess passwords do not present a challenge to attackers and can open the door to your accounts. Instead, make sure your password is lengthy and has a healthy mix of symbols, characters, lowercase and uppercase letters.

Make sure all devices are up to date with the latest patches. Attackers and researchers continually find vulnerabilities in software, and a patch or hotfix is designed to correct those security flaws. If unpatched software is left on a device, it makes it easier for an attacker to exploit those flaws. The same rule applies to all software (not just the main operating system). Old programs that are not in use should be uninstalled and removed.

Always run Anti-virus and firewalls. Firewalls are important as they typically act as the first line of defense against network attacks, while anti-virus solutions serve as a strong last line of defense and aim to protect individual hosts.