As companies extend their commitment to remote workforces, they must also find ways to address their increasing exposure to cyber-related risks. The speed at which organisations have made the transition to a digital business environment has given rise to new and unique challenges that they must face head on to protect vital and sensitive business information.
In an article for Business IT (BIT), Bruce Bennie, vice president and general manager of ANZ at Juniper Networks, discussed how the shift to remote work “will provide abundant opportunities for cybercriminals.” He also predicted a spike in data breaches and exposures this year as more employees require access to information “from more places, at all times.”
“The 2020 pandemic has exposed gaps in network security postures that no-one could have foreseen,” he wrote. “Unsecured home networks, use of BYOD (bring-your-own-device) and siloed operations made previously visible threats on corporate networks become invisible, hidden on home networks. Cybercriminals took advantage of this expanded attack surface to launch phishing, vishing, and ransomware attacks.”
Bennie cited data from the Australian Cyber Security Centre (ACSC), which estimates that Australian businesses lose an average of $29 billion annually from cybercrime activities.
He added that with this “sobering statistic” in mind, businesses need to rethink how they approach cybersecurity “with a focus on increased visibility and faster response,” especially with remote work expected to continue in the foreseeable future.
If organisations fail to adapt, “cybercrime will continue to evolve and take advantage of remote working as the easiest point of entry into their network,” Bennie wrote.
“Too often, businesses prioritise the need to provide data over safeguarding information and restricting data access appropriately, meaning more databases of information are available for malicious actors to potentially access and exfiltrate.”
To mitigate the risk, Bennie advised organisations to consider basic security best practice before making any access changes to business data. Standard practices – including making sure that passwords are complex and regularly updated, role-based access is implemented, and data is heavily encrypted – he added, can go a long way in protecting sensitive business information.
Business.gov.au, meanwhile, outlined several measures that businesses can take to reduce the risk of cyberattacks. Here are some of the standard practices:
Backing up data is among the most cost-effective ways of making sure information is recovered in an event of a cyber incident or computer issues. The department recommended using multiple back-up methods to help ensure data safety, including daily incremental back-ups to a portable device or cloud storage, and end-of-week, quarterly, and yearly server back-ups. Backed up data should also be checked regularly to see if it is working properly and can be restored.
As for portable devices, the department said they should not be left connected to a computer to prevent infection and should be stored separately offsite as protection from theft and other physical damage. Cloud storage, meanwhile, should use strong encryption methods and multi-factor authentication to ensure data protection.
Operating systems and security software should be updated automatically to fix security flaws, so it is important that users never disregard update prompts, according to the bureau. Firewalls should also be set up as these act as a “gatekeeper for all incoming and outgoing traffic.” It would also be helpful for companies to turn on spam filters to reduce the amount of spam and phishing emails – a common tactic hackers use to infect devices and steal confidential information – that their businesses receive.
Encryption converts data into a secret code before it is sent over the internet, so it is vital for businesses to turn on network and data encryption when storing and sharing data. This can be activated through router settings or by installing a virtual private network (VPN) software on computers and other devices.
Another standard practice to protect data is the use of multi-factor authentication (MFA). This verification process requires users to provide two or more proofs of their identities to access their accounts, adding another layer of security. One example is a system where a password and a code sent to a separate device are required before a user is granted access to an online account.
Business.gov.au also recommended using passphrases instead of passwords, especially for accounts that hold important business information. A secure passphrase should be at least 14 characters long, and consists of a combination of upper and lower case letters, numbers, and special characters. It should also be unpredictable – meaning the words are unrelated – and unique – meaning it is not used for other accounts.
A business should keep a record of all the equipment and software it uses. It should remove sensitive information from any device and software that is no longer in use and disconnect these devices from its network. The bureau said older and unused equipment or software will unlikely be updated and may serve as a “backdoor targeted by criminals to attack businesses.” Similarly, organisations should remove access from past employees and those who have changed roles and no longer require access.
Businesses should also have clear cybersecurity policies to guide employees on what is acceptable when sharing data, using computers and other devices, and accessing internet sites.
Employees can be an organisation’s first and last line of defence against cyber threats, according to Business.gov.au. This is the reason why it is crucial to educate them on how to identify, avoid, and deal with a cyber threat.
It is also vital for businesses to keep their clients’ private information safe. In line with this, they should be able to provide a secure online environment where transactions can take place.
A cyber insurance policy helps cover for the financial losses resulting from a cyberattack and, in an increasingly digital business environment, it pays for companies to have one. Coverage can also include claims made by individuals or groups that may have been harmed because of a business’s action or inaction.