11 Common Cyber Security Mistakes and How to Avoid Them
Cyber security is a major concern today. With the increasing use of cloud technologies, more data than ever is accessible to hackers. A breach of this data can cause serious reputational damage to your business.
Even Yahoo, a tech giant in its day, was not spared. What makes your business different?
In this article, we will share 11 cyber security mistakes you might be making. We hope that by identifying these common mistakes, you can take steps to secure your business.
1. Having the Wrong Mindset
When we speak to clients about cyber security, the most common reply is:
“We are a small business. Nobody will target us. They should spend their time hacking Amazon, Facebook and Google.”
The truth is:
Everyone and every business is a likely target.
Hackers are getting smarter. They know that companies such as Google and Amazon have invested a lot of money to secure their data. But most other, smaller businesses do not have the budget, or they do not care. To them, small businesses’ data is low-hanging fruit.
Every business should start with the mindset that cyber security is important.
Your business’ cyber security is only as strong as its weakest link. It is your duty to strengthen your weakest link.
2. Not Educating Your Employees
For most businesses, employees are their greatest asset. But they can also be your greatest risk.
Your employees can be unbelievably non-tech-savvy. Try asking any IT support or helpdesk staff. You will hear lots of funny stories.
Reddit even has an entire subreddit on Tales from Tech Support.
Do not assume that because your employees know how to use smartphones, they are tech-savvy.
You need to let your employees know the danger of cyber crime.
Who do you think is the target for most cyber crime?
The answer is you.
As the business owner or CEO, you are hackers’ favourite target, followed by your top executives and database administrators, and finally whoever has the authority to make payments.
Steps in educating employees:
- Identify employees who are at high risk of being targeted by hackers;
- Prepare specific training on which part of their process may be at risk; and
- Provide a more generic cyber security awareness training for the other employees.
3. Not using a strong password
If there is one rule you must remember, this is it.
Everyone must use a strong password. Yes, everyone.
A strong password has the following characteristics:
- Contains both letters and numbers (alphanumeric)
- Includes special characters
- At least one character in uppercase
- At least 8 characters
- No sequences
- Avoid dictionary terms
- Should not be one of the most common passwords
Keeper Security analysed over 10 million passwords. The following are the top 10 most common passwords in 2016:
Check out their article to see the top 25 most common passwords. It is stunning that these top 25 passwords constitute over 50% of the 10 million passwords.
If you are using any of these passwords, it is time for you to change it.
How do you find a good password?
Finding a good password is easy. Google any random password generator. You will receive some gibberish that you will never remember.
Remembering a good password is difficult. One trick I use is to start from a memorable phrase. For example:
“Anthola is the best insurance agency in Singapore.”
I take the first letter of each word in this phrase: “aitbiais”. Then I only have to remember the phrase to recall my password.
But “aitbiais” alone is not enough.
Remember, we still have to include numbers, special characters and make at least one character uppercase.
This is how I include these elements:
- Keep a set of numbers that are meaningful to you. The easiest for me is to use dates, such as a first-date anniversary or your first day of work. For example, 15 February 2016 becomes 150216.
- Include your favorite special character. I love the ‘$’. Use this special character consistently across your different passwords.
- Make either your first or your last character uppercase.
The resulting password is ‘Aitbiais150216$’. I am pretty sure no one can guess it.
Note: This password is for illustration purposes only. None of Anthola’s systems or my personal accounts use this password.
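As an added example (not code from the original article), a Python checker for the strong-password rules listed above, plus a helper that builds a password the way the phrase-and-date method describes. The common-password and dictionary lists are short constructed stand-ins; a real check would load a full breach-derived list and word list.

```python
import string

# Constructed short stand-ins; a real check would load a full breach-derived list
# (such as the Keeper Security top 25) and a proper word list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "football"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "insurance"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters that ascend or descend
    (abcd, 4321) or walk along a keyboard row (qwer, lkjh)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def check_password(pw):
    """Return the article's rules that pw breaks; an empty list means it passes."""
    failures = []
    low = pw.lower()
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("needs both letters and numbers")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs a special character")
    if not any(c.isupper() for c in pw):
        failures.append("needs an uppercase letter")
    if len(pw) < 8:
        failures.append("needs at least 8 characters")
    if has_sequence(pw):
        failures.append("contains a sequence")
    if any(word in low for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")
    if low in COMMON_PASSWORDS:
        failures.append("is one of the most common passwords")
    return failures

def passphrase_password(phrase, date_digits, symbol="$"):
    """Build a password the way the article describes: first letter of each word,
    the memorable date, the favourite symbol, first character in uppercase."""
    initials = "".join(word[0] for word in phrase.split() if word[0].isalpha())
    return initials.capitalize() + date_digits + symbol
```

Running `check_password` on the article's own example returns no failures, while `password` trips five of the seven rules.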
Use a Password Manager
Now you know how to come up with a good password. But there is still a problem:
You should not use the same password across different platforms. But it is also not practical to remember all the different passwords.
This is where a password manager such as LastPass helps. With this software, you only have to remember one password. Make sure it is the most complicated password you can remember.
4. Not Backing Up Your Data
There are many kinds of attacks. Some will corrupt your existing data. Others block your access to data through ransomware: until you pay the ransom, the attackers will not restore your access.
But if you back up your data, you need not fear data loss if you refuse to pay the ransom.
So how should you back up your data?
Most cloud computing and hosting services provide backup services. Make sure you know the following:
- What are the charges for the backup services?
- Are there any additional charges for data recovery?
If you are using WordPress, you may use the following plugins:
5. Giving out unnecessary access control
Access control refers to what a user is authorised to do in a given system. When giving access to employees, it is tempting to give them access to everything.
Do not do that. Access should only be given on a need-to-have basis.
Another common practice is for employees to share the same username and password. The rationale is to save cost. If the system is non-critical, this practice is harmless.
But if the system involves sensitive information, this is a no-no.
The more employees have access, the more likely the system will be hacked. Keep access minimal: enough for your employees to perform their job, and no more.
6. Not checking whether the website is encrypted with SSL
Most modern websites are dynamic. This means that users can interact with the website, and most of these interactions involve sending information.
For example, when a user logs in to an account on a cloud platform, the user is sending a username and password. The browser sends this information to the web server.
Without encryption, the information is sent in plain text. This means that if an attacker can intercept the data between browser and server, they can see and use that information.
Secure Sockets Layer (SSL) is a technology that encrypts this sensitive information. Even if an attacker intercepts the data, they will not see the information.
To check whether the platform has SSL, take a look at your browser’s address bar. You should see “HTTPS”, shown in green, if the website is encrypted with SSL.
If you do not see HTTPS, try typing “https” before the URL. If the “https” is not highlighted in green, the site is not fully secured.
Always check for SSL/HTTPS when you are doing the following:
- Logging into any web platform where you have to submit username and password;
- Entering your credit card details; and
- Sending sensitive information.
However, if you are sending queries or comments on a blog, SSL is not required.
7. Not Being Aware of Phishing Emails
Phishing emails lure the target into unknowingly giving out sensitive information, such as passwords. Phishing targets weaknesses in human behaviour, and no system in the world can secure human behaviour.
There are two ways to combat phishing:
Use a good email provider that detects spam
Most web servers do not have good spam filters. They deliver all kinds of emails to your employees’ inboxes, and among them might be a phishing email.
You should invest in a good email provider, for example G Suite. The G Suite spam filter can filter out most spam emails.
Invest in Education
Earlier we said that you should educate your employees on cyber security. One of the topics should be phishing. Never assume that your employees know about phishing.
Your employees should know how to detect a phishing email, and what to do when they see one.
Most phishing emails will have the following characteristics:
- It gives you a reason to log into your account, such as a system error or a verification check;
- It provides a link so that you can access the “platform”; and
- It asks your employees to log in.
With these characteristics, you will know what to tell your employees. For example:
- Never click on a link in emails sent by people they do not know.
- If the email subject is something sensitive, for example the corporate bank account, employees should not click on any links at all. It does not matter if the email is sent by people they know. They should always access the web platform separately.
- Before logging in, make sure that the URL is correct and secure with Secure Sockets Layer (SSL).
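As an added example (not code from the original article), a small Python heuristic that flags the phishing characteristics listed above in a plain-text email, including the HTTPS and correct-domain check from mistake 6. The trusted domain `example.com` and the two sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domain of the company's real platform; anything else is suspect.
TRUSTED_DOMAIN = "example.com"
# Phrases that give the reader "a reason to log in" (first phishing characteristic).
LOGIN_LURES = ("verify your account", "log in", "sign in", "system error", "confirm your password")
# Subjects that should never be acted on through an emailed link.
SENSITIVE_SUBJECTS = ("bank account", "payment", "wire transfer")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def phishing_indicators(raw_email, trusted_domain=TRUSTED_DOMAIN):
    """Return the warning signs found in a single-part plain-text email (empty = none)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if sender_domain != trusted_domain:  # the From address is not verified by email itself
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    lures = [p for p in LOGIN_LURES if p in body.lower()]
    if lures:
        findings.append("gives a reason to log in: " + ", ".join(lures))
    if any(s in msg.get("Subject", "").lower() for s in SENSITIVE_SUBJECTS):
        findings.append("sensitive subject: open the platform directly, not via a link")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":  # the HTTPS check from mistake 6
            findings.append(f"link {url} is not HTTPS")
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            findings.append(f"link {url} points to {host!r}, not the company platform")
    return findings

# Constructed sample messages for demonstration (not real emails).
SAMPLE_PHISH = """From: IT Helpdesk <helpdesk@example-support.net>
Subject: Action required: corporate bank account

A system error has locked your account. Please log in within 24 hours
to verify your account: http://portal.example-support.net/login
"""
SAMPLE_LEGIT = """From: Payroll <payroll@example.com>
Subject: Payslips for March are available

Your payslip for March has been uploaded to https://hr.example.com/payslips
"""
```

The phishing sample trips all five checks; the payroll sample trips none. A spoofed From address on the company's own domain still gets caught by the link checks, which is why the advice above is to open the platform directly rather than trust the sender.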
8. Not Separating Your Administrative Account from Your Day-to-Day Work Account
Sometimes, you might need an admin account. This admin account can control everything. This includes adding other people as admin.
For ease of use, most business owners use their default admin account for their day-to-day work. This is unnecessary.
You should set up another account which does not have administrative rights for your work. Then use your admin account if needed.
You also should not publish your admin account email or use it to send any emails.
Finally, please do not name your admin account “admin”. Everyone can recognise it easily.
9. Not Updating Your Software
You should not underestimate software updates. When you are using open-source technology like WordPress, updates often contain security patches.
You should always keep your software up to date.
10. Not checking links from emails before clicking
You should cross-check any links from emails, especially when you do not expect an email from the sender.
Anyone can send an email from any address. This means that I can send an email that appears to come from someone you know. The email protocol does not safeguard the sender address.
This can be misleading.
Visiting unsolicited websites might expose you to viruses and malware.
You should always check every link sent via email.
11. Not having cyber liability insurance
If you follow the first 10 pieces of advice, you will have safeguarded your data 80% of the time.
No matter how much you try to safeguard your data, hackers are always one step ahead of you. You can never 100% prevent cyber risks.
A good risk management practice is to prevent as much as possible and then transfer the remaining risk. A form of risk transfer is insurance.
Cyber liability insurance will indemnify your losses in the event of a cyber attack.
Anthola is a general insurance agency. We have helped our clients manage their cyber risks with cyber liability insurance.
If you are interested in knowing more, please feel free to contact us.
Technology is part of our life. Businesses collect data that are useful in making decisions.
But there are many ways that these data might land in the wrong hands.
With the tips in this article, you should be able to reduce your cyber security risk by 80%. It is not fool-proof.
To enhance your cyber security, you should also consider engaging an external consultant. Buying cyber liability insurance will also transfer your risks to insurance companies.