Sometimes it’s the little things that make the biggest difference
Please don’t roll your eyes at me, I know this may feel like a list that states the bl**dy obvious but it’s scary how frequently we hear about some disaster following a really basic cybersecurity faux pas.
1. Not regularly reviewing user access and permissions
It can feel like a never ending job I know, but keeping track of new joiners, leavers, job changes and the impact this has on user management really matters. Just think of the damage a disgruntled ex-employee could do if, after heading off to a competitor, they can still access the CRM and print off a handy copy of your client list.
So start by breaking down the task into 2 steps, first you look at who has access to what – “does this person really need to use this system to do their job?” — and if the answer is yes, take a look at just how much access they have — do they need view only or full admin rights?
Most applications these days come with the ability to support different levels of user access so start with the priority systems and work your way down the list from there.
2. Not taking GDPR seriously
I for one, feel like I have read those 4 little letters so much over the past year that I’m almost blind to them. Everyone’s hitching their horse to the GDPR bandwagon promising to get you “GDPR ready” in some way or another. The danger of this of course is that it all begins to feel somewhat overwhelming, the magnitude of required change too great and so paralysis sets in. So whilst I’m sympathising with your lack of GDPR enthusiasm, I’m not condoning it because come May it’s definitely happening and you definitely need to comply.
3. Not taking advantage of 2FA where you can
Two factor authentication (2FA) builds on the advice in point one. It helps to layer security to make infiltration just that little bit harder for cybercriminals and make sure someone really is who they say they are. 2FA requires not only a password and username for someone to login but for verification via another means to prove it’s definitely them, this typically done via a code or prompt on a mobile phone. Just a word of warning, advice is not to use SMS verification as it can come with its own problems.
If you’re still not convinced about robust passwords and 2FA then I have one word for you… Equifax.
4. Not doing regular pen testing
Penetration, or pen, testing is where you simulate an attack on your computer network so you can effectively evaluate just how secure it is. Pen testing doesn’t have to be all about the weaknesses, such as possible entry points for unauthorised parties, but it also highlights your network’s strengths. Doing this regularly keeps you up-to-date with what you need to be keeping an eye on and what needs to be fixed as soon as possible.
5. Not deploying DMARC
Sorry to disappoint you if you thought I’d get through an entire blog post without mentioning DMARC. I just couldn’t do it, it’s too important! This email authentication protocol not only gives you complete visibility into how your domains are being used (and abused!) to send emails, but helps you to lock it down so that only authorised senders can claim to send emails from “@yourdomain.com”. It’s an open, standard protocol, widely endorsed by email providers and government agencies alike so there’s really no excuse for not protecting yourself against email phishing attacks.
So that’s it, my top 5 things to fix this year. Let me know in the comments if there’s anything else you’d add to this list as it’s tough to prioritise!