At SafeStack, we care about all businesses, from sole traders and small businesses to big corporates and government departments, spanning many industries and countries. We want to help everyone learn about cyber security, from front-of-house staff to fully remote CEOs.
Cyber attacks don’t only happen to big companies
Imagine the unpleasant scenario of discovering your company’s entire customer database has ended up for sale on the internet. What follows will be countless hours of searching, explaining, sorting, scrambling, and generally trying to recover. The impacts of data loss can be significant.
Depending on the type of data, your industry, and how mature your organization’s cyber security practices are, data loss can result in lawsuits, regulatory and press scrutiny, fines, employment termination, or loss of customers and reputation. Ouch!
Cyber attacks can happen to anyone, anywhere. Cyber criminals don’t distinguish between office-based employees, front-of-house staff using shared devices, remote workers working from home or other sites, and everyone in between.
The only way to counter this risk is to help people learn about cyber attacks, what types of things they need to be aware of, and what security threats they could introduce into the workplace. The more of us that understand our security responsibilities and how best to protect our data and devices, the better off we all are.
Getting started with cyber security best practices
In recent years we’ve seen radical changes in the way employees and businesses conduct their operations. There’s been a massive increase in remote working, cloud-based software tools, and greater device access to corporate data. All of these changes pose security challenges, and we want to help you manage them.
Before we get ahead of ourselves, it’s worth explaining why security best practices matter and analyzing a few terms. Next, we’ll cover how you can protect yourself, your organization, and your customers’ data. Alright then, let’s get started.
What’s my situation?
When getting started with data security, it can be helpful to ask yourself the following questions:
- Do I have access to data that attackers may want to steal?
- Am I responsible if company or customer data is lost or stolen?
- Who would want to steal the information I have access to?
- What can cyber criminals do with stolen data?
- How could cyber criminals access my devices and data?
- What steps can I take to improve my data protection and reduce the risk of a cyber attack?
These thought-provoking questions focus your attention on what needs the most protection. Because you know your business, you’ll also know best what’s most valuable in your organization.
Before we start thinking about how to improve data security, we need to understand what data needs to be protected and why it’s important.
What data needs to be protected in my workplace?
Bringing new security measures into the workplace can often be met with grumbles and reluctance. Change can be complicated and scary. But when companies take the time to teach people why these changes are necessary, the whole thing can seem less intimidating, which makes the transition a lot easier.
Many companies introduce cyber security bit by bit rather than putting a full suite of security measures in place at once.
To get started, ask yourself this question: “What’s the most important data to me and my organization and cyber criminals?”
Most organizations collect data that they’re legally required to protect. Data that requires special data security considerations include:
- Personally Identifiable Information (sometimes referred to as PII) includes things like customer and employee names, phone numbers, and address details. Some of this data — like medical information — is considered highly sensitive and requires additional security steps. Protection of this data is required by privacy and data legislation, which most companies need to comply with. You can read more about this here: There’s more to privacy than the law.
- Internal Information that relates to the inner workings of your company and isn’t meant to be made public. This can include anything from organizational charts and employee rosters, through to company graphics, training materials, and internal presentation slides.
- Confidential Information includes trade secrets, intellectual property, and other non-public company information. You may be surprised at the amount of confidential information relating to revenue and sales figures at the fingertips of employees who don’t need access to it!
- Highly Confidential Information can include board meeting minutes, information on mergers and acquisitions, technical IT infrastructure documents and vulnerability assessments, and information relating to upcoming IPOs. You can read more about data classification in our Security Awareness blog Protect what matters with data classification.
Who’s responsible for data security and protection against cyber attacks?
Everyone, and that includes you!
While some roles within your organization will have much more of a security focus, we’re all responsible for security.
A chain is only as strong as its weakest link, which is particularly true when it comes to cyber threats and data security in your organization.
Some specialized roles exist within companies that focus on parts of cyber security or the company’s entire strategic cyber security outlook. These roles can include CISOs, CIOs, Information Cyber Security Managers, Heads of Information Security, or Security Analysts. But this doesn’t mean that everyone else can put their feet up. We all have some responsibility for data security and dealing with cyber threats.
Depending on your company and industry, there may be specific regulations and laws that specify how you deal with customer data and your responsibilities for securing that data. While most companies must comply with privacy regulations, companies in industries like healthcare and finance must comply with stricter regulations and guidance — for example, CPS 234 or ISO 27001.
Different organizations have different risks and compliance needs. Depending on these variables, companies may have staff that focus specifically on data and information security. Just remember that security forms part of everyone’s responsibilities, whether that’s through writing and implementing data policies and controls or through customer-facing staff who are trusted to keep work devices and access to company information safe.
In our SafeStack Security Awareness course on Data Classification, we cover the following topics:
- Data classification categories
- General guidelines for secure handling of Public and Internal data
- Handling Confidential and Restricted information
- Dealing with mistakes
Who’s trying to steal my data?
There are many different attack styles and targets, and attackers aren’t always who you’d expect. Their techniques can vary based on whether they’re targeting your customer records, corporate information, or just trying to take down your IT infrastructure.
Here are a few types of cyber criminals you might come across:
- Scammers. Scammers often deploy techniques like phishing via email and SMS, where the attacker tries to impersonate a legitimate sender.
- Insider threats. Often overlooked, insider threats can range from disgruntled employees with unrestricted data access to nefarious past employees creating backdoors and secret access to your system before their departure.
- Hackers. Hackers try to gain unauthorized access to your systems, often in an attempt to steal customer records for their own use, identity theft, or to sell on the black market for other scammers to use.
- Corporate, state-based, and criminal espionage. Everyone is a target these days, but some people are more so than others. Corporate and government data is typically under constant attack from sophisticated attackers, often combining the above threats to gain access to confidential and strategically important documents.
Ask yourself: what company data do you have access to, who might benefit from gaining access to it, and how might they go about getting that access?
What data are cyber criminals trying to steal, and why?
So why do cyber criminals want this data anyway? Maybe you have access to a point-of-sale system with customer records, booking information, or your company’s intellectual property. All of these are worth varying degrees of value to scammers. Sometimes a scammer will just want to gather as much data as possible.
Did you know scammers can sell whole lists of emails and personal data to others for the purposes of spam, identity theft, or other scams potentially impersonating your company?
Maybe you work at a public company and have sensitive information at your fingertips — this is the kind of information that sneaky competitors or stock traders would pay big money to get their hands on.
As part of their security strategies, companies should make sure users of their systems can only access the data they need.
How can cyber criminals hack your data?
Now we know who’s looking to gain access to our data, we must understand how they achieve that access. Knowing this puts us in a much better spot to understand how to protect ourselves and strengthen the security of our devices as well as how we use them.
Cyber criminals spend their lives understanding how everyday users interact with their devices. They know all the common vulnerabilities and mistakes we make and are always on the lookout for someone who’s overlooked a security best practice — which is the perfect chance for them to strike.
Cyber attacks can come in a variety of forms, including:
- Phishing attacks, where an attacker attempts to imitate a legitimate service provider or customer in order to gain access to your machine. This is often done by email or SMS. If you’ve ever received a fake SMS from a dodgy-looking bank or mail provider asking you to log in, you know what we’re talking about. They might want you to download something nefarious, steal your login credentials, or something worse.
- Business email compromise, where an attacker impersonates or takes over company emails. This could be to change invoice payment details to an outside bank account.
- Ransomware attacks, where an attacker installs software onto a victim’s system through a variety of methods. Ransomware encrypts data on the victim’s systems and asks for a ransom payment in return for the decryption keys. Whoa there, cowboy! We don’t pay ransoms around these parts.
- Malware attacks are similar to ransomware, but instead of encrypting all the data once inside, the attacker keeps full access to the system’s data, hardware, and software. Some attackers have been known to sit quietly, undetected, collecting data for months or years until it’s time to steal it all.
- Direct attacks against business software and processes. Sophisticated and motivated attackers, particularly those with a specific target in mind, take advantage of issues and vulnerabilities within your organization. They could be exploiting software your company has written or software products your business uses. In your business processes, attackers may take advantage of gaps in responsibilities or missing approval steps to interrupt invoicing or sales cycles. These attacks can come from unexpected places: sometimes suppliers or competitors who know how a particular business runs will take advantage of these situations.
How can you protect your and your customers’ data from attacks?
Now that we know why our data is at risk, from whom and how they may gain access, we have the scary part of the story out of the way. You made it!
It’s a lot to think about, but take heart. Cyber security starts with a few basic steps. And cyber risks can be mitigated by embedding strong security principles across your whole organization.
We’re firm believers in being the change you want to see. Here are some ways to personally defend against cyber attacks and increase your security awareness.
Implementing good security practices to defend your organization can be as simple as taking these steps:
- Setting strong passwords that you change in reasonable timeframes. You guessed it, this means no more passwords on post-it notes!
- Individual accounts on shared devices like point-of-sale machines. Most devices have access control logs so you can know who to ask about any issues.
- Accessing work networks remotely via secure means such as a VPN. Be sure to avoid leaving remote desktop instances open to the internet.
- Use two-factor authentication (2FA) or multi-factor authentication (MFA) on all work logins. This ensures passwords are not your organization’s first and last line of defense.
- Sign up for our free trial, complete our Security Awareness program, and learn more about securing your data and devices.
What are the first steps for increasing organizational data security?
You have a foundational understanding of data security now, and you’ve started your security journey. Now it’s time to think about how your organization can build its security capabilities.
Maybe you’re even ready to take on the role of security champion within your organization! If that’s a yes, here are some questions you can raise at your next meeting.
- What first steps can we take to improve our company’s data security?
- What cyber security threats exist, and how should we prioritize these risks?
- Are all our staff aware of company data security policies?
- Do we need to conduct internal or external risk assessments?
- What security or cyber training do we have access to within our organization?
It may even be a good idea to share resources with your colleagues that help introduce them to the world of cyber security.
Learn how to protect yourself, your organization, and your clients’ data.
Help your team build their cyber security superpowers
Growing and embedding a cyber security culture takes time and effort, and culture change needs the active participation of your team. Learning secure behaviors and practical skills means your team becomes your greatest defense against cyber attacks and helps avoid data leaks.
SafeStack’s Security Awareness program helps teams learn about aspects of cyber security. We help people understand what behaviors make them less likely to become the target of a cyber attack. Simple, action-oriented learning content helps you embed good cyber security practice basics into your daily routines.
Our newest course, Security for people who don’t work in offices, is now available and is suitable for anyone in your team who accesses sensitive systems, areas, or equipment.
This course covers general security awareness pointers, including:
- The importance of shared responsibility in security awareness.
- Job aspects that require protection.
- Practical security-conscious behavior guidelines.
Try it yourself
Want to test-drive our Security Awareness training with no obligations? Sign up for a 14-day free trial to take it for a spin — no credit card required. You can also invite more team members once you’ve signed up.
We love to hear from you
We’d love to hear your feedback. Drop us a line on firstname.lastname@example.org and let us know what you think.