
31 business cybersecurity tips

The Internet keeps growing and improving, and thanks to it we can now communicate freely with people all over the world. With the spread of Wi-Fi we started building devices that also connect to the Internet and transmit data over the network. This is great, but the other side of the coin is that every connected person on the planet now has networks and data of their own, and both can be stolen.



We believe that by raising awareness of these vulnerabilities and educating the public, we can make the Internet a slightly safer place. Businesses in particular will benefit from learning about effective information security measures such as hiring hackers, running phishing simulations for employees, and taking out cyber insurance policies.



During October, National Cyber Security Awareness Month, we tweeted one piece of advice every day. Here is the complete set of 31 tips, with additional explanations of how to protect yourself in the current environment.



Basic rules



1. Be careful about posting about yourself and others.



The way you speak about others on the Internet says a lot about you. It can also land you in legal trouble or even make you vulnerable to theft or hacking. People can keep track of what you say online: if you announce that you are going on vacation this week, a potential burglar will have little trouble finding your address. Be careful not to violate NDAs, employment contracts and other agreements you have signed. Disclosing someone else's personal information, or publicly accusing a person without evidence, may also be a violation of the law.


2. Understand what data your company collects, and make sure it is protected.



To keep your business data safe, conduct an audit and determine which data is public information (and therefore does not need to be closely guarded), which data is of medium importance, so that a leak would not significantly affect the business (some security measures should still be put in place for it), and, finally, which data is most important and confidential. Theft of this last category would seriously harm the business, so it must be protected as strongly as possible, with the strictest access rights for employees and partners.



3. Use several authentication factors.



Authentication is the act of confirming the identity of a user, computer or other device by comparing the credentials it presents against an existing database of authorized users before granting access to a system or application. Entering a username and password to access an email account is one example. But instead of relying only on passwords, which are becoming increasingly unreliable, we recommend using several authentication factors. These are something the user knows (for example, a username and password, or the answer to a secret question), something the user has (for example, a digital certificate or a smart card), and something the user is, a biometric factor (for example, a fingerprint or face recognition).



4. Enable HTTPS for your site



To enable HTTPS, an SSL/TLS certificate is installed on the server. It encrypts all data exchanged between the browser and the server, whether personal or financial information entered on a web page or the content of the pages themselves, so the information is protected from outsiders (for example, from intruders and government surveillance). SSL certificates can also tie your brand to a website: visitors can confirm that the site really belongs to your company and not to a scammer running a phishing site. An EV SSL certificate makes this obvious by turning the browser address bar green and showing your company name.



5. Use strong and unique passwords. Good password: 34bGUI7 & 89 @)). Bad: 12345 or Eddy1



Many "black hat" hackers sell the data they obtain after a breach, including the credentials of thousands, if not millions, of users. If you use the same password on every account, gaining access to all your systems becomes a trivial task for an attacker. An attacker can also guess a password by brute force, which is much harder if the password is long, uses a variety of characters and contains no dictionary words. Use a password manager to keep a unique password for each service.
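As an added example (not code from the original post), a small policy check that applies the rules just stated: minimum length, a brute-force work estimate from the character classes used, a lookup against a list of common and dictionary words, and a generator of the kind a password manager uses. The word list is a constructed stand-in for a real breach corpus.

```python
import math
import secrets
import string

# Constructed mini list standing in for a real breach corpus / dictionary (assumption).
COMMON_WORDS = {"12345", "123456", "password", "qwerty", "letmein", "eddy", "admin"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def char_pool(pw: str) -> int:
    """Size of the character set an attacker must search, from the classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += len(string.punctuation) + 1
    return pool


def entropy_bits(pw: str) -> float:
    """Upper bound on brute-force work: length * log2(pool); 0 for an empty password."""
    pool = char_pool(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def weaknesses(pw: str, words=COMMON_WORDS) -> list:
    """Reasons the password fails the policy; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if entropy_bits(pw) < 60:
        problems.append("estimated entropy below 60 bits")
    low = pw.lower()
    if low in words:
        problems.append("appears in the common-password list")
    elif any(w in low for w in words if len(w) >= 4):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length: int = 16) -> str:
    """What a password manager does: a uniformly random, unique secret per service."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Run against the heading's own examples, "34bGUI7 & 89 @))" passes while "12345" and "Eddy1" fail on length, entropy and dictionary content.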



6. Update all software



Hackers are always looking for new vulnerabilities in the software your business uses. Finding one is as easy as finding a way into your Windows network. Meanwhile, the software vendors themselves are working hard to release patches for these vulnerabilities, so it is very important to update the software as soon as an update is released.



7. Back up all data



Backups ensure that files can be restored in case of data loss. Always store copies in several physically separate locations so that hackers cannot reach everything at once, and update the backups regularly.



8. Install a firewall at the Internet gateway.



Firewalls are designed to prevent unauthorized access to a private network. You define a set of rules that determine which traffic is allowed and which is denied. A good firewall should monitor both incoming and outgoing traffic.
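As an added example (not code from the original post), a minimal model of how a gateway evaluates such a rule set: first matching rule wins, anything unmatched is denied, outbound traffic is filtered as well as inbound, and every decision produces a log line. The addresses and policy are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (toward the private network) or "out"
    action: str             # "allow" or "deny"
    src: str                # source CIDR; "0.0.0.0/0" means anywhere
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; with no match the gateway denies (default deny).
    A log line is returned for every packet so both directions stay visible."""
    flow = f"{pkt.direction} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}"
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, f"{flow} {rule.action} by rule {i}"
    return "deny", f"{flow} deny (default)"


# Constructed policy for a gateway in front of 10.0.0.0/8 (assumed addresses).
GATEWAY_RULES = [
    Rule("in",  "allow", "0.0.0.0/0",  "10.0.1.10/32", "tcp", 443),   # public web server only
    Rule("in",  "deny",  "0.0.0.0/0",  "10.0.0.0/8",   "any", None),  # nothing else inbound
    Rule("out", "allow", "10.0.0.0/8", "10.0.1.20/32", "tcp", 25),    # mail only via the relay
    Rule("out", "allow", "10.0.0.0/8", "0.0.0.0/0",    "udp", 53),
    Rule("out", "allow", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 443),
    Rule("out", "deny",  "10.0.0.0/8", "0.0.0.0/0",    "any", None),  # egress filtering
]
```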



Security culture at work



9. Set rules for using personal devices in the workplace.



Some companies allow employees to use personal mobile phones for work. This increases productivity and efficiency, but it also opens an avenue for attack, since these smartphones can be compromised and used to reach your corporate network. A BYOD (Bring Your Own Device) policy helps educate employees about using mobile technology and reducing the risk of such an attack.



10. Create an incident response strategy.



An incident response strategy lets you prepare for an attack in advance. Nobody can guarantee 100% security, so it is better to have a fallback plan in case you become the victim of a cyber attack. The plan ensures that you can react quickly enough to keep attackers from reaching sensitive data, and that you have time to notify the press or customers if the attack turns out worse than expected. Also make sure that a specific person is responsible for carrying out the response plan.



11. Train employees to handle passwords properly.



All employees need to be trained in proper password handling. This includes:





12. Make sure staff check for the letter S in HTTPS when browsing the Internet



From time to time, employees will use the corporate IT network to visit sites and sign up for services for personal or business use. Before submitting any information, they should always check that the browser's address bar shows HTTPS. If the site is not protected, no information should be entered there.



Note: it is also important to tell employees about phishing sites (see tip 15 below). There have been cases where fraudsters used Domain Validated (DV) SSL certificates to make their sites look more genuine and trustworthy.



13. Use secure email communications and address phishing attack risks.



Email is still a weak link in cybersecurity, and its two biggest threats are account compromise with data leakage, and phishing. Look for an email protection solution that can encrypt messages both in transit and at rest and can verify the origin of messages, so that spotting a fake email becomes a trivial task for employees and they do not fall victim to phishing. Ease of use for end users is another important factor to consider.



14. Leaders must spread cybersecurity culture.



As with any corporate strategy, it is top management that must embrace these changes first. If they lead by example, the whole company will follow.



15. Run phishing simulations to keep employees sharp, in a game format to keep them engaged



Organize phishing simulation tests to check employee readiness. Run the tests both before and after phishing-risk training so that you can measure the effect of the training.



Countering cybercrime



16. Establish a rapid response team



Although one main person should always be responsible for following the incident response plan, they will need a team to help them: for example, a PR specialist to issue press releases and talk to the press, and a sales representative to communicate with customers. Depending on the size of your organization and the possible scale of an attack, make sure the right people are on the team.



17. Analyze Insider Threats.



An insider threat analysis uncovers potential threats to your IT infrastructure that originate inside your organization. Anyone can pose such a threat: current and former employees, contractors, vendors, third-party data providers and partners.



18. Write instructions for rapid response.



Make sure you are ready to respond quickly and effectively in the event of a cyber attack. Distribute the plan to the company's employees and assign a person responsible for carrying it out.



19. Schedule a plan for external communications.



The European GDPR requires you to inform the relevant supervisory authority as soon as you become aware of a breach. The authority should be in your country and is most likely a government body. You should also plan communications with everyone who may be affected by the incident, including customers, contractors and employees.



20. Notify staff about the response plan.



Knowing the plan and the possible types of attacks helps employees understand their responsibilities and minimize the risk of information leaks.



21. Draw conclusions from past mistakes.



After a breach and the incident response, once all the consequences have been dealt with and normal operation has resumed, conduct a post-incident review. Use it to discuss the current incident response plan and decide whether to change it based on the mistakes made this time. You may also need to work with the IT department to change procedures and communications so that the same vulnerabilities are not exploited again.



22. Always assume a vulnerability exists; you are never 100% protected.



Investing a lot of money and time in an information security strategy does not guarantee that your systems are protected. There will always be a new vulnerability that can be exploited on your network, or a new employee through whom an attacker can get in. Always assume that hackers will find a way inside.



Future information security strategies for privacy and security



23. Insurance for IT infrastructure



Conventional insurance policies usually do not cover data loss; this is where cyber insurance policies come in. Make sure the policy also covers losses from downtime, that is, service outages. You may also face losses related to storing other people's data, or the cost of regulatory procedures and breach notifications.



24. Each “thing” (devices, sensors, systems, etc.) should receive an identifier



As faster, more efficient and more productive systems emerge, companies integrate many devices and sensors into shared networks that exchange data: this is called Internet of Things (IoT) infrastructure. Within this infrastructure, each "thing" needs an identifier. With unique, strong identifiers, devices can authenticate when they connect to the network and communicate securely and with encryption with other devices, services and users.



25. Make sure all systems are accessible only through STRONG authentication.



Just as access to sensitive data is granted only after "strong" authentication (see tip 3 above), access to the business infrastructure should be restricted the same way. In a bank, getting into the vault requires being authenticated at several points at once; the same rules apply online. Here you also need role-based access, with access to critical systems granted only to specific privileged users.



26. Hire a hacker



There are many hackers in the world who have no intention of breaking the law, stealing your data and selling it online. They want to help the world. These are the so-called "white hat" hackers, and every organization should have such a person to stand up to the "black hats". As the saying goes, fight fire with fire.



27. Immediately implement data flow control



As technology improves, our data becomes more complex. To keep data under control and prevent leaks, you need to know how it moves around the organization and how it travels from its source to the end point or the user.



28. Use the cloud



Cloud services are a useful tool, especially for small and medium-sized companies that want to entrust their data to the protection of a large provider. When signing up with a cloud provider, make sure you know everything about it: where its data centers are, where exactly your data is stored, and how you can access it.



Improving the resilience of critical systems



29. Make sure your network is segmented so that access to one system does not give access to another.



Your entire corporate IT network should not be reachable from a single point, even one protected by "strong" authentication. If you segment your networks, a hacker who gains access to one of them cannot control them all. Segment systems by importance, that is, by how critical each network is to the business, and put the strongest protection on the most critical ones.



30. Stay on top of your industry's standards.



In most industries abroad, there is already a set of standards and best practices to follow for a baseline cybersecurity implementation: for the energy sector, the NIST Cybersecurity Framework; for the automotive industry, the Framework for the best automotive cybersecurity practices; for the payment card industry, PCI DSS. It is important to keep up with any new standards and make sure you are not exposed to penalties.



31. Continue to explore new technologies and vendors.



Our final piece of advice is to keep abreast of the latest security best practices, operators, vendors and technologies. Be ready to upgrade software and adopt new tools and technologies to keep your Internet-facing infrastructure secure.



With these tips, we hope you appreciate the importance of maximizing your business's security. Remember that the threat can, and more than likely will, come from inside the organization rather than from outside. Always assume that you are open to attack, and be ready for what will inevitably happen.



If you are interested in cloud and network PKI solutions and identity management solutions, you can contact GlobalSign, one of the world's largest certification authorities, which secures businesses and their workflows.






We announce the promotion "More cyber defense for sports"!




GlobalSign joins the celebration of the biggest event for athletes and football fans, the 2018 WORLD FOOTBALL CHAMPIONSHIP, and GIVES 1 YEAR OF SSL PROTECTION AS A GIFT! *



Terms of the promotion:

• When you purchase any one-year DV, OV or EV SSL certificate, you get the second year as a gift.

• The promotion applies to all sports websites.

• The promotion is valid only for new orders and does not apply to partners.

• To take advantage of the offer, send a request on the website with the promotional code: SL003HBFR.



The promotion will last until July 15, 2018.



You can get additional information on the promotion from GlobalSign Russia managers by phone: +7 (499) 678 2210.



MORE PROTECTION with GlobalSign!

Source: https://habr.com/ru/post/350994/


